[selinux-policy/f17] +* Tue Feb 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-88 +- Need to add sys_ptrace back in si

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 14 17:44:18 UTC 2012


commit 5551041b16fb0374ff6c1d8425a348dbb8897ef0
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Feb 14 18:44:10 2012 +0100

    +* Tue Feb 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-88
    +- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
    +- Add additional systemd interfaces which are needed for *_admin interfaces
    +- Fix bind_admin() interface

 policy-F16.patch    |  255 +++++++++++++++++++++++++++------------------------
 selinux-policy.spec |    7 +-
 2 files changed, 142 insertions(+), 120 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d70be3f..bbb23fc 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -20223,7 +20223,7 @@ index 6346378..3bfb1f8 100644
  ')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..8852535 100644
+index d91c62f..d78f93c 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -1,5 +1,12 @@
@@ -20256,20 +20256,7 @@ index d91c62f..8852535 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -181,7 +191,11 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
- # kernel local policy
- #
- 
--allow kernel_t self:capability *;
-+allow kernel_t self:capability ~{ sys_ptrace };
-+tunable_policy(`deny_ptrace',`',`
-+	allow kernel_t self:capability sys_ptrace;
-+')
-+
- allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow kernel_t self:shm create_shm_perms;
- allow kernel_t self:sem create_sem_perms;
-@@ -242,11 +256,14 @@ dev_search_usbfs(kernel_t)
+@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t)
  # devtmpfs handling:
  dev_create_generic_dirs(kernel_t)
  dev_delete_generic_dirs(kernel_t)
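Review bot: Dropping the inner hunk at lines 37–49 puts kernel_t back on `allow kernel_t self:capability *;` and removes the only `deny_ptrace` gating of its sys_ptrace that this patch carried; the hunk ending at line 799 does the same for unconfined_domain_noaudit, and the hunks ending at lines 224, 249, 276 and 710 give consolekit_t, rtkit_daemon_t, xserver_t and syslogd_t sys_ptrace unconditionally. If the deny_ptrace boolean is still declared elsewhere in the patch, it silently stops covering these domains, which the changelog entry at lines 853–857 does not mention. The reason given in the commit message is worth recording next to each allow rule so the capability is not trimmed again, e.g. `# sys_ptrace: reading other processes' /proc/<pid> entries triggers this capability check`, or the changelog line should name the affected domains.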
@@ -20288,7 +20275,7 @@ index d91c62f..8852535 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -255,7 +272,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -20298,7 +20285,7 @@ index d91c62f..8852535 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,25 +287,47 @@ files_list_root(kernel_t)
+@@ -269,25 +283,47 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -20346,7 +20333,7 @@ index d91c62f..8852535 100644
  ')
  
  optional_policy(`
-@@ -297,6 +337,19 @@ optional_policy(`
+@@ -297,6 +333,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -20366,7 +20353,7 @@ index d91c62f..8852535 100644
  ')
  
  optional_policy(`
-@@ -334,9 +387,7 @@ optional_policy(`
+@@ -334,9 +383,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20377,7 +20364,7 @@ index d91c62f..8852535 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +396,7 @@ optional_policy(`
+@@ -345,7 +392,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -20386,7 +20373,7 @@ index d91c62f..8852535 100644
  	')
  ')
  
-@@ -358,6 +409,15 @@ optional_policy(`
+@@ -358,6 +405,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -20402,7 +20389,7 @@ index d91c62f..8852535 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -386,4 +446,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -386,4 +442,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -22160,7 +22147,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..cdcc621 100644
+index 2be17d2..b6ee027 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -22341,10 +22328,14 @@ index 2be17d2..cdcc621 100644
  ')
  
  optional_policy(`
-@@ -48,10 +187,52 @@ optional_policy(`
+@@ -48,10 +187,56 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_exec_systemctl(staff_t)
++')
++
++optional_policy(`
 +	setroubleshoot_stream_connect(staff_t)
 +	setroubleshoot_dbus_chat(staff_t)
 +	setroubleshoot_dbus_chat_fixit(staff_t)
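Review bot: `systemd_exec_systemctl(staff_t)` at line 136 widens the interactive staff role, while the changelog entry only explains the new systemd interfaces as needed for *_admin interfaces; nothing in the hunk records which staff workflow needs to run systemctl. What the interface grants beyond the exec itself is defined in systemd.if outside this hunk, so a one-line comment above the call naming the motivating program or report, e.g. `# <motivating tool/report placeholder>: staff users invoke systemctl directly`, would let a later reviewer judge whether the rule belongs here or in an admin interface.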
@@ -22394,7 +22385,7 @@ index 2be17d2..cdcc621 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -61,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -61,10 +246,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22405,7 +22396,7 @@ index 2be17d2..cdcc621 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +270,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22424,7 +22415,7 @@ index 2be17d2..cdcc621 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +290,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +294,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22435,7 +22426,7 @@ index 2be17d2..cdcc621 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +302,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +306,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -22446,7 +22437,7 @@ index 2be17d2..cdcc621 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +333,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +337,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -28308,7 +28299,7 @@ index 59aa54f..643afce 100644
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..776e2ed 100644
+index 44a1e3d..7381f07 100644
 --- a/policy/modules/services/bind.if
 +++ b/policy/modules/services/bind.if
 @@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -28465,7 +28456,7 @@ index 44a1e3d..776e2ed 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 +
-+	named_systemctl($1)
++	bind_systemctl($1)
  ')
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
 index 4deca04..7859fa1 100644
@@ -32783,7 +32774,7 @@ index fd15dfe..d33cc41 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..f5b76dd 100644
+index e67a003..edd6f6c 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
 @@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
@@ -32798,8 +32789,7 @@ index e67a003..f5b76dd 100644
  # consolekit local policy
  #
  
--allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice };
+ allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
 +
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
@@ -60483,10 +60473,10 @@ index 46dad1f..6586da0 100644
  	allow rtkit_daemon_t $1:process { getsched setsched };
  	rtkit_daemon_dbus_chat($1)
 diff --git a/policy/modules/services/rtkit.te b/policy/modules/services/rtkit.te
-index 6f8e268..a53e4f0 100644
+index 6f8e268..7d64285 100644
 --- a/policy/modules/services/rtkit.te
 +++ b/policy/modules/services/rtkit.te
-@@ -8,13 +8,14 @@ policy_module(rtkit, 1.1.0)
+@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
  type rtkit_daemon_t;
  type rtkit_daemon_exec_t;
  dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
@@ -60494,14 +60484,6 @@ index 6f8e268..a53e4f0 100644
  
  ########################################
  #
- # rtkit_daemon local policy
- #
- 
--allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
-+allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice };
- allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
- 
- kernel_read_system_state(rtkit_daemon_t)
 diff --git a/policy/modules/services/rwho.if b/policy/modules/services/rwho.if
 index 71ea0ea..26af97f 100644
 --- a/policy/modules/services/rwho.if
@@ -69732,7 +69714,7 @@ index 130ced9..4c198c1 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..163158e 100644
+index 143c893..4d1b6f4 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -70533,10 +70515,12 @@ index 143c893..163158e 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,6 +900,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +899,8 @@ allow xserver_t input_xevent_t:x_event send;
+ # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
- allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
 +
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
@@ -74254,7 +74238,7 @@ index 94fd8dd..5a52670 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..75822e6 100644
+index 29a9565..fef5e99 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -74455,11 +74439,12 @@ index 29a9565..75822e6 100644
  
 +storage_raw_rw_fixed_disk(init_t)
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
 +	modutils_domtrans_insmod(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -74568,12 +74553,11 @@ index 29a9565..75822e6 100644
 +	systemd_filetrans_named_content(init_t)
 +')
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	lvm_rw_pipes(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -74581,18 +74565,18 @@ index 29a9565..75822e6 100644
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
- ')
- 
- optional_policy(`
--	nscd_socket_use(init_t)
++')
++
++optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
@@ -74616,17 +74600,18 @@ index 29a9565..75822e6 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +419,8 @@ optional_policy(`
+@@ -212,8 +419,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 -allow initrc_t self:capability ~{ sys_admin sys_module };
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 +allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
-+
- dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
++dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +449,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+ 
+@@ -241,12 +448,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
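Review bot: The trailing comment `# sysctl is triggering this` on line 360 now covers both sys_ptrace and sys_module, but it only explains sys_module; the sys_ptrace dontaudit stems from the /proc-reading issue named in the commit message, and initrc_t is the only domain in this commit that gets a dontaudit rather than an allow for it, which is worth stating. Splitting the rule keeps each reason attached to its capability: `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` and `dontaudit initrc_t self:capability sys_ptrace; # reading other processes' /proc/<pid> content; deliberately not allowed for initrc_t`.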
@@ -74642,7 +74627,7 @@ index 29a9565..75822e6 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +469,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +468,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -74679,7 +74664,7 @@ index 29a9565..75822e6 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +502,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +501,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -74687,7 +74672,7 @@ index 29a9565..75822e6 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +513,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +512,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -74698,7 +74683,7 @@ index 29a9565..75822e6 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,17 +524,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +523,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -74718,7 +74703,7 @@ index 29a9565..75822e6 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -316,6 +541,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +540,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -74726,7 +74711,7 @@ index 29a9565..75822e6 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +549,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +548,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -74738,7 +74723,7 @@ index 29a9565..75822e6 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +568,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +567,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -74752,7 +74737,7 @@ index 29a9565..75822e6 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,9 +583,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +582,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -74766,7 +74751,7 @@ index 29a9565..75822e6 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -363,6 +598,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +597,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -74774,7 +74759,7 @@ index 29a9565..75822e6 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +610,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +609,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -74782,7 +74767,7 @@ index 29a9565..75822e6 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +631,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +630,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -74804,7 +74789,7 @@ index 29a9565..75822e6 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +694,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +693,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -74815,7 +74800,7 @@ index 29a9565..75822e6 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +718,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +717,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -74824,7 +74809,7 @@ index 29a9565..75822e6 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +733,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +732,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -74832,7 +74817,7 @@ index 29a9565..75822e6 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +763,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +762,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74868,7 +74853,7 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +799,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +798,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -74891,7 +74876,7 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +829,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +828,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -74931,7 +74916,7 @@ index 29a9565..75822e6 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +874,8 @@ optional_policy(`
+@@ -561,6 +873,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -74940,7 +74925,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -577,6 +892,7 @@ optional_policy(`
+@@ -577,6 +891,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -74948,7 +74933,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -589,6 +905,17 @@ optional_policy(`
+@@ -589,6 +904,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74966,7 +74951,7 @@ index 29a9565..75822e6 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +932,13 @@ optional_policy(`
+@@ -605,9 +931,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -74980,7 +74965,7 @@ index 29a9565..75822e6 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +963,10 @@ optional_policy(`
+@@ -632,6 +962,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74991,7 +74976,7 @@ index 29a9565..75822e6 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +984,11 @@ optional_policy(`
+@@ -649,6 +983,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75003,7 +74988,7 @@ index 29a9565..75822e6 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1029,7 @@ optional_policy(`
+@@ -689,6 +1028,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -75011,7 +74996,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1047,13 @@ optional_policy(`
+@@ -706,7 +1046,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75025,7 +75010,7 @@ index 29a9565..75822e6 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1076,10 @@ optional_policy(`
+@@ -729,6 +1075,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75036,7 +75021,7 @@ index 29a9565..75822e6 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1089,20 @@ optional_policy(`
+@@ -738,10 +1088,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75057,7 +75042,7 @@ index 29a9565..75822e6 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1111,10 @@ optional_policy(`
+@@ -750,6 +1110,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75068,7 +75053,7 @@ index 29a9565..75822e6 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1136,6 @@ optional_policy(`
+@@ -771,8 +1135,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -75077,7 +75062,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1144,10 @@ optional_policy(`
+@@ -781,6 +1143,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75088,7 +75073,7 @@ index 29a9565..75822e6 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1157,12 @@ optional_policy(`
+@@ -790,10 +1156,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -75101,7 +75086,7 @@ index 29a9565..75822e6 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1174,6 @@ optional_policy(`
+@@ -805,7 +1173,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75109,7 +75094,7 @@ index 29a9565..75822e6 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1183,25 @@ optional_policy(`
+@@ -815,11 +1182,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75136,7 +75121,7 @@ index 29a9565..75822e6 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1211,18 @@ optional_policy(`
+@@ -829,6 +1210,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -75155,7 +75140,7 @@ index 29a9565..75822e6 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1238,10 @@ optional_policy(`
+@@ -844,6 +1237,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75166,7 +75151,7 @@ index 29a9565..75822e6 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1252,161 @@ optional_policy(`
+@@ -854,3 +1251,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -77027,7 +77012,7 @@ index 831b909..118f708 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..709fc74 100644
+index b6ec597..b365df9 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,20 @@ policy_module(logging, 1.17.2)
@@ -77152,7 +77137,7 @@ index b6ec597..709fc74 100644
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 syslog;
  # setpgid for metalog
@@ -80643,10 +80628,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..a142bb1
+index 0000000..e2783c7
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,567 @@
+@@ -0,0 +1,603 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -80955,6 +80940,24 @@ index 0000000..a142bb1
 +	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute systemd-tty-ask-password-agent in the caller domain
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`systemd_passwd_agent_exec',`
++    gen_require(`
++        type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
++    ')
++
++	can_exec($1, systemd_passwd_agent_exec_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute a domain transition to run systemd_notify.
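Review bot: The gen_require block of `systemd_passwd_agent_exec` at lines 739–741 pulls in `systemd_passwd_agent_t`, but the body only uses `systemd_passwd_agent_exec_t` in `can_exec`, so the process type is an unused requirement and should be dropped: `type systemd_passwd_agent_exec_t;`. The same lines are indented with spaces while `can_exec` on line 743 and the neighbouring interface at lines 725–726 use tabs, so the new block does not follow the file's indentation convention. The same mixed indentation appears in the interface added at lines 763–769.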
@@ -81044,6 +81047,24 @@ index 0000000..a142bb1
 +	allow $1 systemd_passwd_agent_t:process signal;
 +')
 +
++######################################
++## <summary>
++##  Allow to domain to read systemd-passwd pipe
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`systemd_read_fifo_file_passwd_run',`
++    gen_require(`
++        type systemd_passwd_var_run_t;
++    ')
++
++    read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
++')
++
 +#######################################
 +## <summary>
 +##  Send generic signals to systemd_passwd_agent processes.
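Review bot: The interface added at line 763 is named `systemd_read_fifo_file_passwd_run` and its summary says it reads the systemd-passwd pipe, but the body calls `read_sock_files_pattern`, which grants `sock_file` rather than `fifo_file` permissions, so the name and the rule disagree. Which side to change depends on how the object under systemd_passwd_var_run_t is actually labeled, which is not visible in this hunk; if it is a FIFO the body should read `read_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)`, otherwise the name and summary should say socket. The summary text `Allow to domain to read` also reads as a typo for `Allow the domain to read`.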
@@ -82113,10 +82134,10 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..0515074 100644
+index 416e668..6fc471d 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,63 @@
+@@ -12,53 +12,59 @@
  #
  interface(`unconfined_domain_noaudit',`
  	gen_require(`
@@ -82130,11 +82151,7 @@ index 416e668..0515074 100644
 -	allow $1 self:capability *;
 -	allow $1 self:fifo_file manage_fifo_file_perms;
 +
-+	allow $1 self:capability ~{ sys_module sys_ptrace };
-+	tunable_policy(`deny_ptrace',`',`
-+		allow $1 self:capability sys_ptrace;
-+	')
-+
++	allow $1 self:capability ~{ sys_module };
 +	allow $1 self:capability2 syslog;
 +	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  
@@ -82194,7 +82211,7 @@ index 416e668..0515074 100644
  #		auditallow $1 self:process execstack;
  	')
  
-@@ -69,6 +79,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',`
  	optional_policy(`
  		# Communicate via dbusd.
  		dbus_system_bus_unconfined($1)
@@ -82202,7 +82219,7 @@ index 416e668..0515074 100644
  	')
  
  	optional_policy(`
-@@ -122,6 +133,10 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,6 +129,10 @@ interface(`unconfined_domain_noaudit',`
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -82213,7 +82230,7 @@ index 416e668..0515074 100644
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
-@@ -150,7 +165,7 @@ interface(`unconfined_domain',`
+@@ -150,7 +161,7 @@ interface(`unconfined_domain',`
  ## </param>
  #
  interface(`unconfined_alias_domain',`
@@ -82222,7 +82239,7 @@ index 416e668..0515074 100644
  ')
  
  ########################################
-@@ -176,414 +191,5 @@ interface(`unconfined_alias_domain',`
+@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',`
  ## </param>
  #
  interface(`unconfined_execmem_alias_program',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index edce966..cb219d6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 87%{?dist}
+Release: 88%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -481,6 +481,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-88
+- Need to add sys_ptrace back in since reading any content in /proc can cause these accesses
+- Add additional systemd interfaces which are needed fro *_admin interfaces
+- Fix bind_admin() interface
+
 * Mon Feb 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-87
 - Allow firewalld to read urand
 - Alias java, execmem_mono to bin_t to allow third parties

