[selinux-policy] Add labeling for /var/run/systemd/journal/syslog libvirt sends signals to ifconfig Allow domains tha

Daniel J Walsh dwalsh at fedoraproject.org
Fri Jan 13 16:52:00 UTC 2012


commit ba7c7aec1560633a96e12139ace24d269dcddee2
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Jan 13 11:51:57 2012 -0500

    Add labeling for /var/run/systemd/journal/syslog
    libvirt sends signals to ifconfig
    Allow domains that read logind session files to list them

 policy-systemd.patch |  114 +++++++++++++++++++++----------------------------
 1 files changed, 49 insertions(+), 65 deletions(-)
---
diff --git a/policy-systemd.patch b/policy-systemd.patch
index 19d4f4d..dc83305 100644
--- a/policy-systemd.patch
+++ b/policy-systemd.patch
@@ -1,7 +1,6 @@
-diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index d5892cc..68b0a8a 100644
---- a/policy/modules/kernel/devices.if
-+++ b/policy/modules/kernel/devices.if
+diff -up serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd serefpolicy-3.10.0/policy/modules/kernel/devices.if
+--- serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd	2012-01-13 11:49:49.140435334 -0500
++++ serefpolicy-3.10.0/policy/modules/kernel/devices.if	2012-01-13 11:49:49.236428320 -0500
 @@ -143,13 +143,13 @@ interface(`dev_relabel_all_dev_nodes',`
  		type device_t;
  	')
@@ -23,24 +22,19 @@ index d5892cc..68b0a8a 100644
  ')
  
  ########################################
-@@ -4201,6 +4201,32 @@ interface(`dev_read_cpu_online',`
+@@ -4201,6 +4201,27 @@ interface(`dev_read_cpu_online',`
  
  ########################################
  ## <summary>
 +##	Relabel cpu online hardware state information.
 +## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##	</p>
-+## </desc>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_cpu_online',`
++interface(`dev_relabel_cpu_online',`
 +	gen_require(`
 +		type cpu_online_t;
 +		type sysfs_t;
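Review bot: The rename on the `++interface(`dev_relabel_cpu_online',`` line resolves a second definition of `dev_read_cpu_online` (the existing interface of that name is the hunk-header context at `@@ -4201`), but the `<desc>` block is deleted outright rather than corrected, so the new interface keeps only a one-line summary. A desc matching the relabel semantics should stay, e.g. `## <desc><p>Allow the specified domain to relabel the /sys/devices/system/cpu/online file.</p></desc>` written in the same multi-line form as the removed block. The interface body with the actual allow rules continues past the end of the hunk, so the `type sysfs_t` requirement cannot be checked against its use here.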
@@ -56,10 +50,11 @@ index d5892cc..68b0a8a 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -4270,6 +4296,26 @@ interface(`dev_relabel_sysfs_dirs',`
+@@ -4269,6 +4290,26 @@ interface(`dev_relabel_sysfs_dirs',`
+ ')
  
  ########################################
- ## <summary>
++## <summary>
 +##	Relabel hardware state files
 +## </summary>
 +## <param name="domain">
@@ -79,14 +74,12 @@ index d5892cc..68b0a8a 100644
 +')
 +
 +########################################
-+## <summary>
+ ## <summary>
  ##	Allow caller to modify hardware state information.
  ## </summary>
- ## <param name="domain">
-diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 8ea3385..cdcc621 100644
---- a/policy/modules/roles/staff.te
-+++ b/policy/modules/roles/staff.te
+diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd serefpolicy-3.10.0/policy/modules/roles/staff.te
+--- serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd	2012-01-13 11:49:49.147434822 -0500
++++ serefpolicy-3.10.0/policy/modules/roles/staff.te	2012-01-13 11:49:49.236428320 -0500
 @@ -70,6 +70,10 @@ optional_policy(`
  ')
  
@@ -109,10 +102,9 @@ index 8ea3385..cdcc621 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 77967bd..7e0ea58 100644
---- a/policy/modules/roles/unprivuser.te
-+++ b/policy/modules/roles/unprivuser.te
+diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd serefpolicy-3.10.0/policy/modules/roles/unprivuser.te
+--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd	2012-01-13 11:49:49.148434749 -0500
++++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te	2012-01-13 11:49:49.236428320 -0500
 @@ -35,6 +35,10 @@ optional_policy(`
  ')
  
@@ -124,10 +116,9 @@ index 77967bd..7e0ea58 100644
  	colord_dbus_chat(user_t)
  ')
  
-diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
-index 12ef44c..bccefc9 100644
---- a/policy/modules/services/blueman.te
-+++ b/policy/modules/services/blueman.te
+diff -up serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd serefpolicy-3.10.0/policy/modules/services/blueman.te
+--- serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd	2012-01-13 11:49:49.155434238 -0500
++++ serefpolicy-3.10.0/policy/modules/services/blueman.te	2012-01-13 11:49:49.236428320 -0500
 @@ -36,3 +36,7 @@ miscfiles_read_localization(blueman_t)
  optional_policy(`
  	avahi_domtrans(blueman_t)
@@ -136,10 +127,9 @@ index 12ef44c..bccefc9 100644
 +optional_policy(`
 +	gnome_search_gconf(blueman_t)
 +')
-diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
-index b6ac808..053caed 100644
---- a/policy/modules/services/entropyd.te
-+++ b/policy/modules/services/entropyd.te
+diff -up serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd serefpolicy-3.10.0/policy/modules/services/entropyd.te
+--- serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd	2012-01-13 11:49:49.169433214 -0500
++++ serefpolicy-3.10.0/policy/modules/services/entropyd.te	2012-01-13 11:49:49.237428247 -0500
 @@ -52,6 +52,8 @@ domain_use_interactive_fds(entropyd_t)
  
  logging_send_syslog_msg(entropyd_t)
@@ -149,11 +139,10 @@ index b6ac808..053caed 100644
  miscfiles_read_localization(entropyd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
-diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 49c15d1..246df1a 100644
---- a/policy/modules/services/virt.fc
-+++ b/policy/modules/services/virt.fc
-@@ -49,3 +49,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+diff -up serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd serefpolicy-3.10.0/policy/modules/services/virt.fc
+--- serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd	2012-01-13 11:49:49.212430073 -0500
++++ serefpolicy-3.10.0/policy/modules/services/virt.fc	2012-01-13 11:49:49.237428247 -0500
+@@ -49,3 +49,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_
  
  # support for nova-stack
  /usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -161,10 +150,10 @@ index 49c15d1..246df1a 100644
 +/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 170e2e0..3bdf89f 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
+diff -up serefpolicy-3.10.0/policy/modules/system/init.te.systemd serefpolicy-3.10.0/policy/modules/system/init.te
+diff -up serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd serefpolicy-3.10.0/policy/modules/system/logging.fc
+--- serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd	2012-01-13 11:49:49.222429343 -0500
++++ serefpolicy-3.10.0/policy/modules/system/logging.fc	2012-01-13 11:49:53.281133673 -0500
 @@ -61,6 +61,7 @@ ifdef(`distro_suse', `
  /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
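Review bot: The added `+diff -up serefpolicy-3.10.0/policy/modules/system/init.te.systemd serefpolicy-3.10.0/policy/modules/system/init.te` line carries no `---`/`+++` headers and no hunk, which indicates init.te.systemd was identical to init.te when the patch was regenerated; patch(1) skips such a line as garbage, but it is noise pointing at a stale .systemd backup in the build tree and should be dropped from policy-systemd.patch. The switch of every file header from `diff --git` to timestamped `diff -up` form, repeated in the other hunks of this diff, is cosmetic. Separately, none of the three items in the commit message (the /var/run/systemd/journal/syslog labeling, libvirt signalling ifconfig, listing logind session files) appears as an added inner line anywhere in this diff, whose only content changes are the dev_relabel_cpu_online rename and the summary-tag placement fix in devices.if, so either those rules were already in the previous patch revision or the message describes a different commit; worth confirming before the message is relied on as the record of this change.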
@@ -173,10 +162,9 @@ index 170e2e0..3bdf89f 100644
  
  ifndef(`distro_gentoo',`
  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 5684c8a..688f59a 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
+diff -up serefpolicy-3.10.0/policy/modules/system/logging.te.systemd serefpolicy-3.10.0/policy/modules/system/logging.te
+--- serefpolicy-3.10.0/policy/modules/system/logging.te.systemd	2012-01-13 11:49:49.223429270 -0500
++++ serefpolicy-3.10.0/policy/modules/system/logging.te	2012-01-13 11:49:53.281133673 -0500
 @@ -386,7 +386,7 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
@@ -186,7 +174,7 @@ index 5684c8a..688f59a 100644
  dontaudit syslogd_t self:capability sys_tty_config;
  allow syslogd_t self:capability2 syslog;
  # setpgid for metalog
-@@ -474,6 +474,7 @@ tunable_policy(`logging_syslogd_can_sendmail',`
+@@ -474,6 +474,7 @@ tunable_policy(`logging_syslogd_can_send
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
  dev_read_rand(syslogd_t)
@@ -194,7 +182,7 @@ index 5684c8a..688f59a 100644
  # relating to systemd-kmsg-syslogd
  dev_write_kmsg(syslogd_t)
  
-@@ -497,6 +498,7 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -497,6 +498,7 @@ mls_file_write_all_levels(syslogd_t) # N
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -202,10 +190,9 @@ index 5684c8a..688f59a 100644
  
  init_stream_connect(syslogd_t)
  # for sending messages to logged in users
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 9e08125..903d3d8 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
+diff -up serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd serefpolicy-3.10.0/policy/modules/system/systemd.te
+--- serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd	2012-01-13 11:49:49.228428904 -0500
++++ serefpolicy-3.10.0/policy/modules/system/systemd.te	2012-01-13 11:49:53.282133606 -0500
 @@ -111,6 +111,7 @@ init_dbus_chat(systemd_logind_t)
  init_dbus_chat_script(systemd_logind_t)
  init_read_script_state(systemd_logind_t)
@@ -214,7 +201,7 @@ index 9e08125..903d3d8 100644
  
  logging_send_syslog_msg(systemd_logind_t)
  
-@@ -198,6 +199,8 @@ kernel_read_network_state(systemd_tmpfiles_t)
+@@ -198,6 +199,8 @@ kernel_read_network_state(systemd_tmpfil
  files_delete_kernel_modules(systemd_tmpfiles_t)
  
  dev_write_kmsg(systemd_tmpfiles_t)
@@ -223,7 +210,7 @@ index 9e08125..903d3d8 100644
  
  domain_obj_id_change_exemption(systemd_tmpfiles_t)
  
-@@ -322,6 +325,8 @@ fs_getattr_cgroup_files(systemd_notify_t)
+@@ -322,6 +325,8 @@ fs_getattr_cgroup_files(systemd_notify_t
  
  auth_use_nsswitch(systemd_notify_t)
  
@@ -232,10 +219,9 @@ index 9e08125..903d3d8 100644
  miscfiles_read_localization(systemd_notify_t)
  
  optional_policy(`
-diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 6a93c64..5ff6beb 100644
---- a/policy/modules/system/udev.te
-+++ b/policy/modules/system/udev.te
+diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.systemd serefpolicy-3.10.0/policy/modules/system/udev.te
+--- serefpolicy-3.10.0/policy/modules/system/udev.te.systemd	2012-01-13 11:49:49.228428904 -0500
++++ serefpolicy-3.10.0/policy/modules/system/udev.te	2012-01-13 11:49:53.282133606 -0500
 @@ -333,6 +333,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
@@ -244,10 +230,9 @@ index 6a93c64..5ff6beb 100644
  ')
  
  optional_policy(`
-diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a5ed06e..f22f770 100644
---- a/policy/modules/system/xen.fc
-+++ b/policy/modules/system/xen.fc
+diff -up serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd serefpolicy-3.10.0/policy/modules/system/xen.fc
+--- serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd	2012-01-13 11:49:49.231428683 -0500
++++ serefpolicy-3.10.0/policy/modules/system/xen.fc	2012-01-13 11:49:53.282133606 -0500
 @@ -4,7 +4,7 @@
  /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
  /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
@@ -257,11 +242,10 @@ index a5ed06e..f22f770 100644
  
  ifdef(`distro_debian',`
  /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
-diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 5d6dbad..9ab107b 100644
---- a/policy/modules/system/xen.te
-+++ b/policy/modules/system/xen.te
-@@ -167,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.systemd serefpolicy-3.10.0/policy/modules/system/xen.te
+--- serefpolicy-3.10.0/policy/modules/system/xen.te.systemd	2012-01-13 11:49:49.231428683 -0500
++++ serefpolicy-3.10.0/policy/modules/system/xen.te	2012-01-13 11:49:53.282133606 -0500
+@@ -167,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_v
  #
  # qemu-dm local policy
  #

