[selinux-policy/f16] - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to re

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 3 11:32:22 UTC 2012


commit b942ea937daedb6e4a9b0423089a597bc1a2bca7
Author: Miroslav <mgrepl at redhat.com>
Date:   Tue Jan 3 12:32:10 2012 +0100

    - Allow systemctl running as logrotate_t to connect to private systemd socket
    - Allow tmpwatch to read meminfo
    - Allow rpc.svcgssd to read supported_krb5_enctype
    - Allow zarafa domains to read /dev/random and /dev/urandom
    - Allow snmpd to read dev_snmp6
    - Allow procmail to talk with cyrus
    - Add fixes for check_disk and check_nagios plugins

 policy-F16.patch    |  166 +++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   11 +++-
 2 files changed, 119 insertions(+), 58 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 78ffd0d..84f4266 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1304,7 +1304,7 @@ index 4f7bd3c..a29af21 100644
 -	unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..c1ccc06 100644
+index 7090dae..071d66e 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
 @@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1351,12 +1351,13 @@ index 7090dae..c1ccc06 100644
  
  # cjp: why is this needed?
  init_domtrans_script(logrotate_t)
-@@ -116,17 +120,15 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +120,16 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
 -userdom_use_user_terminals(logrotate_t)
 +systemd_exec_systemctl(logrotate_t)
++init_stream_connect(logrotate_t)
 +
 +userdom_use_inherited_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
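Review bot: The added `init_stream_connect(logrotate_t)` carries no comment, and together with `systemd_exec_systemctl(logrotate_t)` directly above it gives every postrotate script running in logrotate_t a path to systemd's private control socket, i.e. any systemctl verb, not only the reload/kill that a log rotation hook normally needs. There does not appear to be a narrower init interface for that socket, so the grant is probably the right tool, but the reason belongs next to it so a later audit does not widen or drop it blindly: `# postrotate scripts run systemctl, which talks to systemd over its private unix socket`. If the scripts only signal services, confining systemctl in its own domain would be the tighter long-term option, but that is a design change outside this hunk.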
@@ -1374,7 +1375,7 @@ index 7090dae..c1ccc06 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
  ')
  
  optional_policy(`
@@ -1383,7 +1384,7 @@ index 7090dae..c1ccc06 100644
  ')
  
  optional_policy(`
-@@ -154,6 +156,10 @@ optional_policy(`
+@@ -154,6 +157,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1394,7 +1395,7 @@ index 7090dae..c1ccc06 100644
  	asterisk_domtrans(logrotate_t)
  ')
  
-@@ -162,10 +168,20 @@ optional_policy(`
+@@ -162,10 +169,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1415,7 +1416,7 @@ index 7090dae..c1ccc06 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -200,9 +216,12 @@ optional_policy(`
+@@ -200,9 +217,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -1429,7 +1430,7 @@ index 7090dae..c1ccc06 100644
  
  optional_policy(`
  	samba_exec_log(logrotate_t)
-@@ -228,3 +247,14 @@ optional_policy(`
+@@ -228,3 +248,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -4091,7 +4092,7 @@ index d5aaf0e..6b16aef 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..90cf622 100644
+index 6a5004b..70d684a 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -4102,7 +4103,16 @@ index 6a5004b..90cf622 100644
  application_domain(tmpreaper_t, tmpreaper_exec_t)
  role system_r types tmpreaper_t;
  
-@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -18,6 +19,8 @@ role system_r types tmpreaper_t;
+ allow tmpreaper_t self:process { fork sigchld };
+ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+ 
++kernel_read_system_state(tmpreaper_t)
++
+ dev_read_urand(tmpreaper_t)
+ 
+ fs_getattr_xattr_fs(tmpreaper_t)
+@@ -25,11 +28,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
  files_read_etc_files(tmpreaper_t)
  files_read_var_lib_files(tmpreaper_t)
  files_purge_tmp(tmpreaper_t)
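Review bot: `kernel_read_system_state(tmpreaper_t)` is added without a comment, and it allows reading every proc_t file under /proc, not only the /proc/meminfo named in the changelog, in a domain that already holds dac_override, dac_read_search and fowner a few lines above. Reference policy does not seem to provide a meminfo-only interface, so the broad grant is likely unavoidable, but record why it is there: `# tmpwatch reads /proc/meminfo (no narrower interface than all of proc_t)`. If tmpwatch turns out to need meminfo only under some option, wrapping the line in the matching tunable would keep the default domain tighter.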
@@ -4119,7 +4129,7 @@ index 6a5004b..90cf622 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +46,17 @@ logging_send_syslog_msg(tmpreaper_t)
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -4141,7 +4151,7 @@ index 6a5004b..90cf622 100644
  ')
  
  optional_policy(`
-@@ -52,7 +62,9 @@ optional_policy(`
+@@ -52,7 +64,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -4151,7 +4161,7 @@ index 6a5004b..90cf622 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +78,13 @@ optional_policy(`
+@@ -66,9 +80,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18705,7 +18715,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..630ff53 100644
+index 97fcdac..fdb4b09 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19172,7 +19182,32 @@ index 97fcdac..630ff53 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3958,6 +4217,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3258,6 +3517,24 @@ interface(`fs_getattr_nfsd_files',`
+ 	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+ ')
+ 
++#######################################
++## <summary>
++##  read files on an nfsd filesystem
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_read_nfsd_files',`
++    gen_require(`
++        type nfsd_fs_t;
++    ')
++
++    read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write NFS server files.
+@@ -3958,6 +4235,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
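Review bot: The new `fs_read_nfsd_files` interface is indented with four spaces while every neighbouring interface in filesystem.if uses tabs, its summary is lower-case (`##  read files on an nfsd filesystem`) where the file writes `##	Read ...`, and its leading `###` rule line looks one character shorter than the standard one used by `fs_getattr_nfsd_files` just above. Match the surrounding style with `##	Read files on an nfsd filesystem.` and tab-indented `gen_require(` / `type nfsd_fs_t;` / `read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)` lines. It would also help callers to say in the summary that the grant covers every file on nfsd_fs_t (the nfsd control filesystem, normally mounted under /proc/fs/nfsd), not one control file, and that `read_files_pattern` presumably already carries directory search so `fs_search_nfsd_fs` need not be called alongside it.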
@@ -19215,7 +19250,7 @@ index 97fcdac..630ff53 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4470,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4488,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -19240,7 +19275,7 @@ index 97fcdac..630ff53 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4564,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4582,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19266,7 +19301,7 @@ index 97fcdac..630ff53 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4789,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4807,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19275,7 +19310,7 @@ index 97fcdac..630ff53 100644
  ')
  
  ########################################
-@@ -4503,7 +4837,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4855,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19284,7 +19319,7 @@ index 97fcdac..630ff53 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5200,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -45980,7 +46015,7 @@ index 8581040..2367841 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..1147e19 100644
+index bf64a4c..9ad9024 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -25,7 +25,10 @@ type nagios_var_run_t;
@@ -46127,14 +46162,24 @@ index bf64a4c..1147e19 100644
  ')
  
  optional_policy(`
-@@ -363,7 +376,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
--kernel_read_system_state(nagios_system_plugin_t)
++read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
++
+ kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
- corecmd_exec_bin(nagios_system_plugin_t)
+@@ -376,6 +391,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+ 
+ files_read_etc_files(nagios_system_plugin_t)
+ 
++fs_getattr_all_fs(nagios_system_plugin_t)
++
+ # needed by check_users plugin
+ optional_policy(`
+ 	init_read_utmp(nagios_system_plugin_t)
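Review bot: The two new grants, `read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)` and `fs_getattr_all_fs(nagios_system_plugin_t)`, have no comment, while the neighbouring rule in this file explains itself with `# needed by check_users plugin`. Going by the changelog the first serves check_nagios (reads the nagios log) and the second check_disk (statfs on arbitrary mounts); say so in place, e.g. `# needed by check_nagios plugin (reads nagios log)` and `# needed by check_disk plugin (statfs on all filesystems)`. Note the log read is granted to the whole nagios_system_plugin_t domain, so every plugin labelled that way can read the nagios log, not just check_nagios; if that is not intended, a separate plugin domain would keep it scoped.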
 diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
 index 74da57f..b94bb3b 100644
 --- a/policy/modules/services/nessus.fc
@@ -51873,7 +51918,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..d45c661 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -51927,7 +51972,19 @@ index 29b9295..6451f82 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -107,6 +120,11 @@ tunable_policy(`use_samba_home_dirs',`
+ 	fs_manage_cifs_dirs(procmail_t)
+ 	fs_manage_cifs_files(procmail_t)
+ 	fs_manage_cifs_symlinks(procmail_t)
++
++optional_policy(`
++	clamav_domtrans_clamscan(procmail_t)
++	clamav_search_lib(procmail_t)
++	cyrus_stream_connect(procmail_t)
+ ')
+ 
+ optional_policy(`
+@@ -125,6 +143,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
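Review bot: As the new `@@ -107,6 +120,11 @@` hunk reads, the inserted `optional_policy(`` opens directly after `fs_manage_cifs_symlinks(procmail_t)`, inside the `tunable_policy(`use_samba_home_dirs',`` body, and the `')` that follows the new lines is the one that previously closed that tunable; unless diff has misaligned the context, the tunable block is left unclosed and m4 quoting is off for the rest of procmail.te. Separately, `cyrus_stream_connect(procmail_t)` shares one `optional_policy` with the two clamav rules, so the cyrus permission silently disappears whenever the clamav module is not loaded, contrary to the one-module-per-optional_policy convention. Close the tunable first and give cyrus its own block: `')` / `optional_policy(`` / `	cyrus_stream_connect(procmail_t)` / `')`, leaving the clamav rules in an optional_policy of their own.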
@@ -56059,7 +56116,7 @@ index cda37bb..617e83f 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..372f918 100644
+index b1468ed..4f18830 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -56210,7 +56267,7 @@ index b1468ed..372f918 100644
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
-+fs_search_nfsd_fs(gssd_t)
++fs_read_nfsd_files(gssd_t)
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
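Review bot: `fs_read_nfsd_files(gssd_t)` replaces `fs_search_nfsd_fs(gssd_t)` without a comment, and it grants read on every file of the nfsd control filesystem rather than only the `supported_krb5_enctypes` entry the changelog names. That is acceptable for a read-only grant on a kernel-exported status tree, but record the reason next to it: `# rpc.svcgssd reads /proc/fs/nfsd/supported_krb5_enctypes`. Dropping the search interface is fine only if `read_files_pattern` also carries directory search on nfsd_fs_t, which it does in reference policy as far as I recall; worth confirming, since this is now the only rule here reaching nfsd_fs_t. Both rpc.gssd and rpc.svcgssd presumably share gssd_t, so the client-side daemon receives the same read access.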
@@ -58422,7 +58479,7 @@ index 275f9fb..2a0e198 100644
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..e666122 100644
+index 3d8d1b3..8cd0c85 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -58449,7 +58506,7 @@ index 3d8d1b3..e666122 100644
  allow snmpd_t self:tcp_socket create_stream_socket_perms;
  allow snmpd_t self:udp_socket connected_stream_socket_perms;
  
-@@ -41,18 +43,18 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
+@@ -41,18 +43,19 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
  manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
  files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
  files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
@@ -58465,14 +58522,15 @@ index 3d8d1b3..e666122 100644
  kernel_read_kernel_sysctls(snmpd_t)
  kernel_read_fs_sysctls(snmpd_t)
  kernel_read_net_sysctls(snmpd_t)
- kernel_read_proc_symlinks(snmpd_t)
+-kernel_read_proc_symlinks(snmpd_t)
 -kernel_read_system_state(snmpd_t)
--kernel_read_network_state(snmpd_t)
+ kernel_read_network_state(snmpd_t)
++kernel_read_proc_symlinks(snmpd_t)
 +kernel_read_all_proc(snmpd_t)
  
  corecmd_exec_bin(snmpd_t)
  corecmd_exec_shell(snmpd_t)
-@@ -94,15 +96,19 @@ files_search_home(snmpd_t)
+@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
  fs_getattr_all_dirs(snmpd_t)
  fs_getattr_all_fs(snmpd_t)
  fs_search_auto_mountpoints(snmpd_t)
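Review bot: `kernel_read_network_state(snmpd_t)` is reinstated on top of `kernel_read_all_proc(snmpd_t)`, but the latter is the blanket grant (its definition in kernel.if is not visible here, though the name suggests every proc_type file) and presumably already reaches the proc_net_t tree that /proc/net/dev_snmp6 lives in, so the hunk ends up carrying both a broad and a specific rule for the same need. Prefer the specific interface: keep `kernel_read_network_state(snmpd_t)` with a comment such as `# /proc/net/dev_snmp6 for the IPv6 MIB` and drop `kernel_read_all_proc(snmpd_t)` unless another snmpd requirement for it is known. The removal and re-addition of `kernel_read_proc_symlinks(snmpd_t)` is pure reordering and could be left out to keep the patch minimal.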
@@ -58493,7 +58551,7 @@ index 3d8d1b3..e666122 100644
  
  logging_send_syslog_msg(snmpd_t)
  
-@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
  userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
  userdom_dontaudit_search_user_home_dirs(snmpd_t)
  
@@ -66497,7 +66555,7 @@ index 21ae664..3e448dd 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..6e2c42a 100644
+index 9fb4747..92c156b 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -66511,16 +66569,7 @@ index 9fb4747..6e2c42a 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t
- manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
- files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
- 
-+dev_read_rand(zarafa_deliver_t)
-+
- ########################################
- #
- # zarafa_gateway local policy
-@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -66541,7 +66590,7 @@ index 9fb4747..6e2c42a 100644
  #######################################
  #
  # zarafa-ical local policy
-@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
  
  files_read_usr_files(zarafa_server_t)
  
@@ -66549,22 +66598,16 @@ index 9fb4747..6e2c42a 100644
  logging_send_audit_msgs(zarafa_server_t)
  
  sysnet_dns_name_resolve(zarafa_server_t)
-@@ -136,6 +155,36 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
- corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
- corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
-+dev_read_rand(zarafa_spooler_t)
-+
-+########################################
-+#
+ ########################################
+ #
 +# zarafa_gateway local policy
 +#
 +
 +allow zarafa_gateway_t self:capability { chown kill };
 +allow zarafa_gateway_t self:process setrlimit;
 +
-+dev_read_rand(zarafa_gateway_t)
-+
 +corenet_tcp_bind_pop_port(zarafa_gateway_t)
 +
 +#######################################
@@ -66583,10 +66626,19 @@ index 9fb4747..6e2c42a 100644
 +
 +allow zarafa_monitor_t self:capability chown;
 +
- ########################################
- #
++########################################
++#
  # zarafa domains local policy
-@@ -156,6 +205,6 @@ kernel_read_system_state(zarafa_domain)
+ #
+ 
+@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+ 
+ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
+ 
++dev_read_rand(zarafa_domain)
++dev_read_urand(zarafa_domain)
++
+ kernel_read_system_state(zarafa_domain)
  
  files_read_etc_files(zarafa_domain)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 58ec662..a727853 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 69%{?dist}
+Release: 70%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Jan 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-70
+- Allow systemctl running as logrotate_t to connect to private systemd socket
+- Allow tmpwatch to read meminfo
+- Allow rpc.svcgssd to read supported_krb5_enctype
+- Allow zarafa domains to read /dev/random and /dev/urandom
+- Allow snmpd to read dev_snmp6
+- Allow procmail to talk with cyrus
+- Add fixes for check_disk and check_nagios plugins
+
 * Sun Dec 25 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-69
 - Fix bug in the boinc policy
 

