[selinux-policy/f16] * Wed Apr 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87 - More fixes for l2tpd * Allow pppd
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Apr 25 12:02:00 UTC 2012
commit e9371620f32c07af73838ea8970be523f59f29c2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Apr 25 14:01:24 2012 +0200
* Wed Apr 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87
- More fixes for l2tpd
* Allow pppd to stream connect to l2tpd
* Allow l2tpd to send sigkill to pppd
* Allow l2tpd to use the generic pty
policy-F16.patch | 58 +++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 8 ++++++-
2 files changed, 54 insertions(+), 12 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ac7ec1f..57fc850 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -42590,10 +42590,10 @@ index 0000000..6b27066
+/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
new file mode 100644
-index 0000000..cd14d24
+index 0000000..6d046d4
--- /dev/null
+++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,174 @@
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
+
+########################################
@@ -42689,6 +42689,27 @@ index 0000000..cd14d24
+ allow $1 l2tpd_var_run_t:file read_file_perms;
+')
+
++#####################################
++## <summary>
++## Connect to l2tpd over a unix domain
++## stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`l2tpd_stream_connect',`
++ gen_require(`
++ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
++ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
++')
++
+########################################
+## <summary>
+## Read and write l2tpd unnamed pipes.
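Review bot: l2tpd_stream_connect grants the l2tpd_tmp_t socket path but only adds files_search_pids($1), so a caller reaching a socket placed under /tmp would still be denied search on the parent tmp_t directory before it ever gets to l2tpd_tmp_t; add `files_search_tmp($1)` next to `files_search_pids($1)` if l2tpd does create a socket there, or drop the l2tpd_tmp_t pattern if it does not. Whether the socket lives in l2tpd_tmp_t or l2tpd_var_run_t is not visible in this hunk, so confirm against xl2tpd's actual socket path before widening the search grant. As a style point, the banner above the new interface is one `#` shorter than the `########################################` banners around it in l2tpd.if.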
@@ -42749,10 +42770,10 @@ index 0000000..cd14d24
+')
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
-index 0000000..5d5f56e
+index 0000000..365eb93
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,101 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -42829,6 +42850,9 @@ index 0000000..5d5f56e
+# net-pf-24 (pppox)
+kernel_request_load_module(l2tpd_t)
+
++term_use_ptmx(l2tpd_t)
++term_use_generic_ptys(l2tpd_t)
++
+# prol2tpc
+corecmd_exec_bin(l2tpd_t)
+
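Review bot: `term_use_generic_ptys(l2tpd_t)` grants read/write on every devpts_t pty, which includes interactive user terminals that were never relabeled to a domain-specific pty type, and the hunk gives no comment on why a tunnelling daemon needs that breadth. If l2tpd only needs the pty it opens through /dev/ptmx and hands to the pppd it spawns, a private pty type via `term_create_pty(l2tpd_t, l2tpd_devpts_t)` (the way ppp.te confines pppd to pppd_devpts_t) would limit it to its own pty; otherwise at least record the reason, e.g. `# pty created via ptmx is handed to the spawned pppd`. The ptmx/pty need is inferred from the commit message rather than from anything visible here, so confirm it against xl2tpd before narrowing. The l2tpd_t rules continue outside this hunk.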
@@ -42849,6 +42873,7 @@ index 0000000..5d5f56e
+optional_policy(`
+ ppp_domtrans(l2tpd_t)
+ ppp_signal(l2tpd_t)
++ ppp_kill(l2tpd_t)
+')
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..8b7e71f 100644
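Review bot: `ppp_kill(l2tpd_t)` sits directly under `ppp_signal(l2tpd_t)` with no comment distinguishing the two, so a later reader cannot tell whether SIGKILL is a required part of l2tpd's teardown or a workaround for a pppd that ignored the ordinary signal. A one-line comment such as `# SIGKILL pppd if it does not exit on the ordinary signal` would record the intent; the exact trigger is not visible in this diff and should be confirmed against xl2tpd. The optional_policy block is complete within the hunk, but the rest of l2tpd.te is not shown.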
@@ -53028,7 +53053,7 @@ index b524673..921a60f 100644
+ ppp_systemctl($1)
')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..20f5d6b 100644
+index 2af42e7..f530c23 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -53112,7 +53137,7 @@ index 2af42e7..20f5d6b 100644
allow pppd_t pptp_t:process signal;
-@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t)
+@@ -143,10 +147,12 @@ fs_getattr_all_fs(pppd_t)
fs_search_auto_mountpoints(pppd_t)
term_use_unallocated_ttys(pppd_t)
@@ -53120,7 +53145,12 @@ index 2af42e7..20f5d6b 100644
term_setattr_unallocated_ttys(pppd_t)
term_ioctl_generic_ptys(pppd_t)
# for pppoe
-@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t)
+ term_create_pty(pppd_t, pppd_devpts_t)
++term_use_generic_ptys(pppd_t)
+
+ # allow running ip-up and ip-down scripts and running chat.
+ corecmd_exec_bin(pppd_t)
+@@ -166,6 +172,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
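Review bot: `term_use_generic_ptys(pppd_t)` is added a few lines below the existing `term_ioctl_generic_ptys(pppd_t)`; if term_use_generic_ptys grants rw_term_perms on devpts_t as it does in upstream refpolicy, ioctl is already included and the older line becomes redundant and should be removed so the breadth of the grant is stated once. pppd already owns a private pty type through `term_create_pty(pppd_t, pppd_devpts_t)`, so the generic-pty rule presumably covers a pty inherited from another process such as l2tpd rather than one pppd creates itself; a comment in the file's existing style, `# for pty inherited from l2tpd`, would make that scope explicit, though the reason is inferred from the commit message and should be confirmed. The pppd_t rules continue outside this hunk.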
@@ -53129,7 +53159,7 @@ index 2af42e7..20f5d6b 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -53138,7 +53168,7 @@ index 2af42e7..20f5d6b 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
-@@ -187,13 +194,15 @@ optional_policy(`
+@@ -187,13 +195,21 @@ optional_policy(`
')
optional_policy(`
@@ -53149,13 +53179,19 @@ index 2af42e7..20f5d6b 100644
')
optional_policy(`
++ l2tpd_dgram_send(pppd_t)
++ l2tpd_rw_socket(pppd_t)
++ l2tpd_stream_connect(pppd_t)
++')
++
++optional_policy(`
mta_send_mail(pppd_t)
+ mta_system_content(pppd_etc_t)
+ mta_system_content(pppd_etc_rw_t)
')
optional_policy(`
-@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -53175,7 +53211,7 @@ index 2af42e7..20f5d6b 100644
dev_read_sysfs(pptp_t)
-@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
corenet_raw_sendrecv_generic_node(pptp_t)
corenet_tcp_sendrecv_all_ports(pptp_t)
corenet_tcp_bind_generic_node(pptp_t)
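Review bot: the new optional_policy block in ppp.te calls `l2tpd_dgram_send` and `l2tpd_rw_socket` as well as `l2tpd_stream_connect`, but only `l2tpd_stream_connect` is defined by this commit; the other two must already exist in l2tpd.if or the policy build fails on an undefined macro, which this diff does not let me confirm. Three separate access vectors into l2tpd_t (datagram send, generic socket read/write, unix stream connect) are granted with no comment naming which pppd code path needs each, so a line above the block such as `# pppox: pppd started by l2tpd talks back to it` (my reading of the commit message, to be confirmed) would help the next reviewer judge whether all three are still needed. The enclosing sequence of optional_policy blocks continues outside the hunk.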
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 428dd52..565a4fe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 86%{?dist}
+Release: 87%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Apr 25 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87
+- More fixes for l2tpd
+ * Allow pppd to stream connet to l2tpd
+ * Allow l2tpd to send sigkill to pppd
+ * Allow l2tpd to use the generic pty
+
* Tue Apr 24 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-86
- /var/spool/postfix/lib64 should be labeled lib_t
- Add filename transitions for system conf files to make sure they will have system_conf