[selinux-policy/f18] - Fix MCS Constraints to control ingres and egres controls on the network. - Change name of svirt_no
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Dec 11 12:04:44 UTC 2012
commit be81e550ba486ef59931106f9dd54fa7576430ea
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Dec 11 13:03:28 2012 +0100
- Fix MCS Constraints to control ingress and egress controls on the network.
- Change name of svirt_nokvm_t to svirt_tcg_t
- Allow tuned to request the kernel to load kernel modules
policy-rawhide.patch | 36 ++++++++++++++++++++++++------------
policy_contrib-rawhide.patch | 27 ++++++++++++++-------------
selinux-policy.spec | 7 ++++++-
3 files changed, 44 insertions(+), 26 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 70a2712..3f5a7bb 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -110349,7 +110349,7 @@ index 4705ab6..11a1ae6 100644
+gen_tunable(selinuxuser_tcp_server,false)
+
diff --git a/policy/mcs b/policy/mcs
-index f477c7f..4e59b42 100644
+index f477c7f..ff7369c 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,4 +1,6 @@
@@ -110425,7 +110425,7 @@ index f477c7f..4e59b42 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -144,4 +169,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -110435,20 +110435,22 @@ index f477c7f..4e59b42 100644
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom }
-+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
-+ ( t1 == mcsnetwrite ) or
-+ ( t1 == unlabeled_t ));
-+mlsconstrain { node } { sendto }
-+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
-+ ( t1 == mcsnetwrite ));
++mlsconstrain { node } { recvfrom sendto }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
+
-+mlsconstrain packet { send recv }
-+ (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
++mlsconstrain { packet peer } { recv }
++ (( l1 dom l2 ) or
++ ((t1 != mcsuntrustedproc) and (t2 != mcsuntrustedproc)));
++
++# the netif ingress/egress ops, the ingress permission is a "write" operation
++# because the subject in this particular case is the remote domain which is
++# writing data out the network interface which is acting as the object
++mlsconstrain { netif } { egress ingress }
++ (( l1 dom l2 ) or (t1 != mcsuntrustedproc));
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
-index d218387..c406594 100644
+index d218387..c2541c2 100644
--- a/policy/mls
+++ b/policy/mls
@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
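Review bot: The rewritten `mlsconstrain { node } { recvfrom sendto }` keeps only `( l1 dom l2 )` and drops the `( l1 domby h2 )` half of the range check that the replaced recvfrom and sendto lines both carried, so a node labeled with a category range becomes usable by an mcsuntrustedproc domain whose level dominates the node's low level even when it lies above the node's high level; the new `{ netif } { egress ingress }` constraint has the same shape. If the upper bound is meant to stay enforced, both expressions should read `((( l1 dom l2 ) and ( l1 domby h2 )) or (t1 != mcsuntrustedproc));`. Because `t1 != mcsuntrustedproc` satisfies the constraint for every domain lacking the attribute, these rules are only as strong as the set of types that carry it, and neither the attribute's declaration nor its assignment is visible in this hunk, so that should be confirmed against the rest of policy/mcs. The `{ packet peer } { recv }` constraint tests both t1 and t2 for the attribute while the node and netif ones test only t1; a one-line comment explaining why the peer side is not considered for node and netif would help the next reader.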
@@ -110461,6 +110463,16 @@ index d218387..c406594 100644
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+@@ -361,9 +362,6 @@ mlsconstrain { peer packet } { recv }
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
+-
+-
+-
+ #
+ # MLS policy for the process class
+ #
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..bf04b0a 100644
--- a/policy/modules/admin/bootloader.fc
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 8f424d4..adfc825 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -68427,7 +68427,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..0c1d7e7 100644
+index db9d2a5..edfe6ba 100644
--- a/tuned.te
+++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -68443,7 +68443,7 @@ index db9d2a5..0c1d7e7 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -22,43 +28,84 @@ files_pid_file(tuned_var_run_t)
+@@ -22,43 +28,85 @@ files_pid_file(tuned_var_run_t)
#
# tuned local policy
#
@@ -68477,6 +68477,7 @@ index db9d2a5..0c1d7e7 100644
kernel_read_network_state(tuned_t)
-
+kernel_read_kernel_sysctls(tuned_t)
++kernel_request_load_module(tuned_t)
+kernel_rw_kernel_sysctl(tuned_t)
+kernel_rw_hotplug_sysctls(tuned_t)
+kernel_rw_vm_sysctls(tuned_t)
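Review bot: The new `kernel_request_load_module(tuned_t)` line is added without a comment, and unlike the sysctl rules around it the permission is not scoped to a particular setting: it lets the daemon ask the kernel to autoload any module by name, which is a broader capability than read/write on sysctls. The commit message gives the reason, so a short comment next to the rule would preserve it in the policy itself, e.g. `# tuned plugins need the kernel to autoload modules on their behalf`. If only a known set of plugins needs this, it may be worth noting which ones so the rule can be revisited when they change. The surrounding tuned.te context is only partially visible in this hunk of the patch file.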
@@ -70731,7 +70732,7 @@ index 6f0736b..2e6c056 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..08c7bcb 100644
+index 947bbc6..3b2df69 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -70837,8 +70838,8 @@ index 947bbc6..08c7bcb 100644
-type svirt_cache_t;
-files_type(svirt_cache_t)
-+virt_domain_template(svirt_nokvm)
-+role system_r types svirt_nokvm_t;
++virt_domain_template(svirt_tcg)
++role system_r types svirt_tcg_t;
-attribute virt_domain;
-attribute virt_image_type;
@@ -71024,14 +71025,14 @@ index 947bbc6..08c7bcb 100644
+# svirt_prot_exec local policy
+#
+
-+allow svirt_nokvm_t self:process { execmem execstack };
-+corenet_udp_sendrecv_generic_if(svirt_nokvm_t)
-+corenet_udp_sendrecv_generic_node(svirt_nokvm_t)
-+corenet_udp_sendrecv_all_ports(svirt_nokvm_t)
-+corenet_udp_bind_generic_node(svirt_nokvm_t)
-+corenet_udp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_bind_all_ports(svirt_nokvm_t)
-+corenet_tcp_connect_all_ports(svirt_nokvm_t)
++allow svirt_tcg_t self:process { execmem execstack };
++corenet_udp_sendrecv_generic_if(svirt_tcg_t)
++corenet_udp_sendrecv_generic_node(svirt_tcg_t)
++corenet_udp_sendrecv_all_ports(svirt_tcg_t)
++corenet_udp_bind_generic_node(svirt_tcg_t)
++corenet_udp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_bind_all_ports(svirt_tcg_t)
++corenet_tcp_connect_all_ports(svirt_tcg_t)
+
########################################
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f92d641..2addea8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 61%{?dist}
+Release: 62%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Dec 11 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-62
+- Fix MCS Constraints to control ingres and egres controls on the network.
+- Change name of svirt_nokvm_t to svirt_tcg_t
+- Allow tuned to request the kernel to load kernel modules
+
* Mon Dec 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-61
- Label /var/lib/pgsql/.ssh as ssh_home_t
- Add labeling for /usr/bin/pg_ctl