[selinux-policy/f18] - Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_no

Miroslav Grepl mgrepl at fedoraproject.org
Tue Dec 11 12:04:44 UTC 2012


commit be81e550ba486ef59931106f9dd54fa7576430ea
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Dec 11 13:03:28 2012 +0100

    - Fix MCS constraints to control ingress and egress on the network.
    - Change name of svirt_nokvm_t to svirt_tcg_t
    - Allow tuned to request the kernel to load kernel modules

 policy-rawhide.patch         |   36 ++++++++++++++++++++++++------------
 policy_contrib-rawhide.patch |   27 ++++++++++++++-------------
 selinux-policy.spec          |    7 ++++++-
 3 files changed, 44 insertions(+), 26 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 70a2712..3f5a7bb 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -110349,7 +110349,7 @@ index 4705ab6..11a1ae6 100644
 +gen_tunable(selinuxuser_tcp_server,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index f477c7f..4e59b42 100644
+index f477c7f..ff7369c 100644
 --- a/policy/mcs
 +++ b/policy/mcs
 @@ -1,4 +1,6 @@
@@ -110425,7 +110425,7 @@ index f477c7f..4e59b42 100644
  #
  # MCS policy for SELinux-enabled databases
  #
-@@ -144,4 +169,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
@@ -110435,20 +110435,22 @@ index f477c7f..4e59b42 100644
 +# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
 +# because the subject in this particular case is the remote domain which is
 +# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom }
-+	((( l1 dom l2 ) and ( l1 domby h2 )) or
-+	 ( t1 == mcsnetwrite ) or
-+	 ( t1 == unlabeled_t ));
-+mlsconstrain { node } { sendto }
-+	((( l1 dom l2 ) and ( l1 domby h2 )) or
-+	 ( t1 == mcsnetwrite ));
++mlsconstrain { node } { recvfrom sendto }
++	(( l1 dom l2 ) or (t1 != mcsuntrustedproc));
 +
-+mlsconstrain packet { send recv }
-+	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++mlsconstrain { packet peer } { recv }
++	(( l1 dom l2 ) or
++	 ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
++
++# the netif ingress/egress ops, the ingress permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network interface which is acting as the object
++mlsconstrain { netif } { egress ingress }
++	     	(( l1 dom l2 ) or (t1 != mcsuntrustedproc));
 +
  ') dnl end enable_mcs
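Review bot: The rewritten rules drop the `send` permission on the `packet` class that the removed `mlsconstrain packet { send recv }` line covered; only `{ packet peer } { recv }` survives, so an outbound packet whose label (e.g. one applied by SECMARK) carries categories would, as far as I can tell, no longer be checked against the sending domain, and outbound isolation now rests on `node sendto` and `netif egress`, which only bite where the node or interface is itself labeled with categories. If that is not intended, add a separate statement `mlsconstrain packet { send }` / `	(( l1 dom l2 ) or (t1 != mcsuntrustedproc));` next to the recv rule (`peer` has no `send` permission, so it cannot share the class list); if it is intended, a one-line comment saying so would keep the next reader from re-adding it. All three rules also depend on the `mcsuntrustedproc` attribute, which is presumably declared in a part of this patch not visible here and is worth confirming, since a missing declaration fails at policy build time. Minor: the constraint line under the `netif` rule is indented with a tab plus spaces plus a tab; use a single tab like the other constraints in the file.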
 diff --git a/policy/mls b/policy/mls
-index d218387..c406594 100644
+index d218387..c2541c2 100644
 --- a/policy/mls
 +++ b/policy/mls
 @@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
@@ -110461,6 +110463,16 @@ index d218387..c406594 100644
  
  # used by netlabel to restrict normal domains to same level connections
  mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv }
+ 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ 	 ( t1 == mlsnetread ));
+ 
+-
+-
+-
+ #
+ # MLS policy for the process class
+ #
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
 index 7a6f06f..bf04b0a 100644
 --- a/policy/modules/admin/bootloader.fc
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 8f424d4..adfc825 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -68427,7 +68427,7 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..0c1d7e7 100644
+index db9d2a5..edfe6ba 100644
 --- a/tuned.te
 +++ b/tuned.te
 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68443,7 +68443,7 @@ index db9d2a5..0c1d7e7 100644
  type tuned_log_t;
  logging_log_file(tuned_log_t)
  
-@@ -22,43 +28,84 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
  #
  # tuned local policy
  #
@@ -68477,6 +68477,7 @@ index db9d2a5..0c1d7e7 100644
  kernel_read_network_state(tuned_t)
 -
 +kernel_read_kernel_sysctls(tuned_t)
++kernel_request_load_module(tuned_t)
 +kernel_rw_kernel_sysctl(tuned_t)
 +kernel_rw_hotplug_sysctls(tuned_t)
 +kernel_rw_vm_sysctls(tuned_t)
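Review bot: The new `kernel_request_load_module(tuned_t)` line is a meaningful widening for a daemon whose other kernel_* lines only read and write sysctls, yet neither the hunk nor the .te file records which tuned operation needs it, so a later reader cannot tell whether it can be narrowed. Add a why-comment above it naming the operation that produced the denial, e.g. `# tuned's sysctl/sysfs writes trigger kernel module autoloading (module_request only)`, adjusted to what the AVC actually showed. If this is the usual refpolicy interface it grants only `kernel_t:system module_request`, not the ability to load arbitrary modules, which is worth stating so nobody later reaches for the broader sys_module capability. The enclosing tuned_t policy block continues beyond the hunk.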
@@ -70731,7 +70732,7 @@ index 6f0736b..2e6c056 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..08c7bcb 100644
+index 947bbc6..3b2df69 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -70837,8 +70838,8 @@ index 947bbc6..08c7bcb 100644
  
 -type svirt_cache_t;
 -files_type(svirt_cache_t)
-+virt_domain_template(svirt_nokvm)
-+role system_r types svirt_nokvm_t;
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
  
 -attribute virt_domain;
 -attribute virt_image_type;
@@ -71024,14 +71025,14 @@ index 947bbc6..08c7bcb 100644
 +# svirt_prot_exec local policy
 +#
 +
-+allow svirt_nokvm_t self:process { execmem execstack };
-+corenet_udp_sendrecv_generic_if(svirt_nokvm_t)
-+corenet_udp_sendrecv_generic_node(svirt_nokvm_t)
-+corenet_udp_sendrecv_all_ports(svirt_nokvm_t)
-+corenet_udp_bind_generic_node(svirt_nokvm_t)
-+corenet_udp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_connect_all_ports(svirt_nokvm_t)
++allow svirt_tcg_t self:process { execmem execstack };
++corenet_udp_sendrecv_generic_if(svirt_tcg_t)
++corenet_udp_sendrecv_generic_node(svirt_tcg_t)
++corenet_udp_sendrecv_all_ports(svirt_tcg_t)
++corenet_udp_bind_generic_node(svirt_tcg_t)
++corenet_udp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_connect_all_ports(svirt_tcg_t)
 +
  ########################################
  #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f92d641..2addea8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Dec 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-62
+- Fix MCS Constraints to control ingres and egres controls on the network.
+- Change name of svirt_nokvm_t to svirt_tcg_t
+- Allow tuned to request the kernel to load kernel modules
+
 * Mon Dec 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-61
 - Label /var/lib/pgsql/.ssh as ssh_home_t
 - Add labeling for /usr/bin/pg_ctl

