[selinux-policy] - Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online - Allow del

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 16 09:56:32 UTC 2012


commit 153cc80f8760a5e05cf1d5245a369e2da485e52a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 16 10:56:19 2012 +0100

    - Merge systemd patch
    - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
    - Allow deltacloudd dac_override, setuid, setgid  caps
    - Allow aisexec to execute shell
    - Add use_nfs_home_dirs boolean for ssh-keygen

 policy-F16.patch    |  358 ++++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   11 +-
 2 files changed, 260 insertions(+), 109 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index bb24888..e205a61 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -14902,23 +14902,31 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..d5892cc 100644
+index f820f3b..85b04c0 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
-@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
- 	relabelfrom_dirs_pattern($1, device_t, device_node)
- 	relabelfrom_files_pattern($1, device_t, device_node)
- 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
+@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
+ 		type device_t;
+ 	')
+ 
+-	relabelfrom_dirs_pattern($1, device_t, device_node)
+-	relabelfrom_files_pattern($1, device_t, device_node)
+-	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 -	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 -	relabelfrom_sock_files_pattern($1, device_t, device_node)
-+	relabel_fifo_files_pattern($1, device_t,  { device_t device_node })
-+	relabel_sock_files_pattern($1, device_t, { device_t device_node })
- 	relabel_blk_files_pattern($1, device_t, { device_t device_node })
- 	relabel_chr_files_pattern($1, device_t, { device_t device_node })
- ')
- 
- ########################################
- ## <summary>
+-	relabel_blk_files_pattern($1, device_t, { device_t device_node })
+-	relabel_chr_files_pattern($1, device_t, { device_t device_node })
++	relabel_dirs_pattern($1, device_t, device_node)
++	relabel_files_pattern($1, device_t, device_node)
++	relabel_lnk_files_pattern($1, device_t, device_node)
++	relabel_fifo_files_pattern($1, device_t,  device_node)
++	relabel_sock_files_pattern($1, device_t, device_node)
++	relabel_blk_files_pattern($1, device_t, device_node)
++	relabel_chr_files_pattern($1, device_t, device_node)
++')
++
++########################################
++## <summary>
 +##	Allow full relabeling (to and from) of all device files.
 +## </summary>
 +## <param name="domain">
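Review bot: The rewritten body of dev_relabel_all_dev_nodes replaces `relabelfrom_dirs_pattern`, `relabelfrom_files_pattern` and `relabelfrom_lnk_files_pattern` with the two-way `relabel_dirs_pattern($1, device_t, device_node)`, `relabel_files_pattern(...)` and `relabel_lnk_files_pattern(...)`, so callers now also get relabelto on device_node directories, files and symlinks where the upstream interface only allowed relabeling away from them. That widening is not mentioned in the commit message and the interface's own summary sits above the hunk, so it should be updated to state that relabeling is now to and from device nodes for every object class. Dropping `{ device_t device_node }` in favour of plain `device_node` is only equivalent if device_t carries the device_node attribute, which the hunk does not show; worth confirming in devices.te.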
@@ -14934,13 +14942,9 @@ index f820f3b..d5892cc 100644
 +	')
 +
 +	relabel_files_pattern($1, device_t, device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	List all of the device nodes in a device directory.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -209,6 +228,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
  
  ########################################
@@ -15416,7 +15420,7 @@ index f820f3b..d5892cc 100644
  	list_dirs_pattern($1, sysfs_t, sysfs_t)
  ')
  
-@@ -3902,21 +4177,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3902,23 +4177,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -15437,18 +15441,40 @@ index f820f3b..d5892cc 100644
  #
 -interface(`dev_manage_sysfs_dirs',`
 +interface(`dev_read_cpu_online',`
++	gen_require(`
++		type cpu_online_t;
++	')
++
++	dev_search_sysfs($1)
++	read_files_pattern($1, cpu_online_t, cpu_online_t)
++')
++
++########################################
++## <summary>
++##	Relabel cpu online hardware state information.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabel_cpu_online',`
  	gen_require(`
--		type sysfs_t;
 +		type cpu_online_t;
+ 		type sysfs_t;
  	')
  
 -	manage_dirs_pattern($1, sysfs_t, sysfs_t)
 +	dev_search_sysfs($1)
-+	read_files_pattern($1, cpu_online_t, cpu_online_t)
++	allow $1 cpu_online_t:file relabel_file_perms;
  ')
  
++
  ########################################
-@@ -3972,6 +4252,42 @@ interface(`dev_rw_sysfs',`
+ ## <summary>
+ ##	Read hardware state information.
+@@ -3972,6 +4273,62 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
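Review bot: dev_relabel_cpu_online grants its access with a raw `allow $1 cpu_online_t:file relabel_file_perms;` while the sibling dev_read_cpu_online in the same hunk uses the pattern form `read_files_pattern($1, cpu_online_t, cpu_online_t)`; writing it as `relabel_files_pattern($1, cpu_online_t, cpu_online_t)` keeps the interface in line with the other relabel interfaces in devices.if. The gen_require of the new interface also lists `type sysfs_t;` although the body only touches sysfs through `dev_search_sysfs($1)`, so that require line looks unused and can go. The extra blank line added after the closing `')` breaks the single-blank-line spacing used between interfaces in this file.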
@@ -15470,6 +15496,26 @@ index f820f3b..d5892cc 100644
 +
 +########################################
 +## <summary>
++##	Relabel hardware state files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabel_all_sysfs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++	relabel_files_pattern($1, sysfs_t, sysfs_t)
++	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
 +##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
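Review bot: The summary of dev_relabel_all_sysfs reads `Relabel hardware state files`, but the body grants relabel on sysfs_t directories and symbolic links as well as files, so the summary understates what a caller receives; something like `##	Relabel all sysfs directories, files and symbolic links (to and from sysfs_t).` matches the rules. Because this hands out relabelfrom and relabelto over everything labelled sysfs_t, a domain that only needs one sysfs entry should be pointed at a per-type interface such as dev_relabel_cpu_online instead, and a sentence to that effect in the summary would steer future callers.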
@@ -15491,7 +15537,7 @@ index f820f3b..d5892cc 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4069,6 +4385,25 @@ interface(`dev_write_urand',`
+@@ -4069,6 +4426,25 @@ interface(`dev_write_urand',`
  
  ########################################
  ## <summary>
@@ -15517,7 +15563,7 @@ index f820f3b..d5892cc 100644
  ##	Getattr generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -4103,6 +4438,24 @@ interface(`dev_setattr_generic_usb_dev',`
+@@ -4103,6 +4479,24 @@ interface(`dev_setattr_generic_usb_dev',`
  	setattr_chr_files_pattern($1, device_t, usb_device_t)
  ')
  
@@ -15542,7 +15588,7 @@ index f820f3b..d5892cc 100644
  ########################################
  ## <summary>
  ##	Read generic the USB devices.
-@@ -4495,6 +4848,24 @@ interface(`dev_rw_vhost',`
+@@ -4495,6 +4889,24 @@ interface(`dev_rw_vhost',`
  
  ########################################
  ## <summary>
@@ -15567,7 +15613,7 @@ index f820f3b..d5892cc 100644
  ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4695,6 +5066,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4695,6 +5107,26 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -15594,7 +15640,7 @@ index f820f3b..d5892cc 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5175,822 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5216,822 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -21894,7 +21940,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..8ea3385 100644
+index 2be17d2..cdcc621 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21953,7 +21999,7 @@ index 2be17d2..8ea3385 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,23 +66,115 @@ optional_policy(`
+@@ -23,23 +66,119 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21961,6 +22007,10 @@ index 2be17d2..8ea3385 100644
 +')
 +
 +optional_policy(`
++	bluetooth_role(staff_r, staff_t)
++')
++
++optional_policy(`
  	dbadm_role_change(staff_r)
  ')
  
@@ -22071,7 +22121,7 @@ index 2be17d2..8ea3385 100644
  ')
  
  optional_policy(`
-@@ -48,10 +183,52 @@ optional_policy(`
+@@ -48,10 +187,52 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22124,6 +22174,17 @@ index 2be17d2..8ea3385 100644
  	xserver_role(staff_r, staff_t)
  ')
  
+@@ -61,10 +242,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		bluetooth_role(staff_r, staff_t)
+-	')
+-
+-	optional_policy(`
+ 		cdrecord_role(staff_r, staff_t)
+ 	')
+ 
 @@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
  	')
  
@@ -23672,10 +23733,10 @@ index 0000000..692ef0d
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..77967bd 100644
+index e5bfdd4..7e0ea58 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,101 @@ role user_r;
+@@ -12,15 +12,105 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -23702,6 +23763,10 @@ index e5bfdd4..77967bd 100644
 +')
 +
 +optional_policy(`
++	bluetooth_role(user_r, user_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(user_t)
 +')
 +
@@ -23777,7 +23842,7 @@ index e5bfdd4..77967bd 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,19 +148,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +152,11 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -23798,7 +23863,7 @@ index e5bfdd4..77967bd 100644
  	')
  
  	optional_policy(`
-@@ -98,10 +176,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +180,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -23809,7 +23874,7 @@ index e5bfdd4..77967bd 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -118,11 +192,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +196,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -23822,7 +23887,7 @@ index e5bfdd4..77967bd 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +227,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +231,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -24945,10 +25010,18 @@ index 0370dba..feea7e5 100644
  	domain_system_change_exemption($1)
  	role_transition $2 aisexec_initrc_exec_t system_r;
 diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
-index 64953f7..99a750b 100644
+index 64953f7..244259f 100644
 --- a/policy/modules/services/aisexec.te
 +++ b/policy/modules/services/aisexec.te
-@@ -89,6 +89,10 @@ optional_policy(`
+@@ -64,6 +64,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+ kernel_read_system_state(aisexec_t)
+ 
+ corecmd_exec_bin(aisexec_t)
++corecmd_exec_shell(aisexec_t)
+ 
+ corenet_udp_bind_netsupport_port(aisexec_t)
+ corenet_tcp_bind_reserved_port(aisexec_t)
+@@ -89,6 +90,10 @@ optional_policy(`
  ')
  
  optional_policy(`
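Review bot: `corecmd_exec_shell(aisexec_t)` lets the daemon execute the system shell inside its own domain, so any script it launches runs with the full aisexec_t permission set rather than in a transitioned domain. The hunk gives no hint of what aisexec needs the shell for; a comment on the line, e.g. `# aisexec runs helper shell scripts in its own domain — TODO: name them`, would let a later reviewer decide whether a dedicated script domain is worth it.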
@@ -25227,7 +25300,7 @@ index deca9d3..ae8c579 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..90a9e33 100644
+index 9e39aa5..13de2fb 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -1,13 +1,18 @@
@@ -25348,7 +25421,7 @@ index 9e39aa5..90a9e33 100644
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -104,8 +127,24 @@ ifdef(`distro_debian', `
+@@ -104,8 +127,26 @@ ifdef(`distro_debian', `
  /var/spool/viewvc(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25366,6 +25439,8 @@ index 9e39aa5..90a9e33 100644
 +
 +/var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +
++/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -28307,10 +28382,10 @@ index 0000000..d694c0a
 +')
 diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
 new file mode 100644
-index 0000000..12ef44c
+index 0000000..bccefc9
 --- /dev/null
 +++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,42 @@
 +policy_module(blueman, 1.0.0)
 +
 +########################################
@@ -28349,6 +28424,10 @@ index 0000000..12ef44c
 +optional_policy(`
 +	avahi_domtrans(blueman_t)
 +')
++
++optional_policy(`
++	gnome_search_gconf(blueman_t)
++')
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..a726c09 100644
 --- a/policy/modules/services/bluetooth.if
@@ -31022,10 +31101,10 @@ index 0000000..7f55959
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..4f0bd8d
+index 0000000..2be12fd
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,218 @@
+@@ -0,0 +1,220 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -31098,6 +31177,8 @@ index 0000000..4f0bd8d
 +# deltacloudd local policy
 +#
 +
++allow deltacloudd_t self:capability { dac_override setuid setgid };
++
 +allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
 +allow deltacloudd_t self:udp_socket create_socket_perms;
 +
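Review bot: `allow deltacloudd_t self:capability { dac_override setuid setgid };` adds dac_override, which bypasses all discretionary permission checks on files, without a comment saying which access needs it. The usual trigger is a file owned by another uid, in which case fixing the ownership or label is narrower than the capability; if it is genuinely required, document it on the rule, e.g. `# dac_override: TODO name the files owned by another uid that deltacloudd must read`. The same undocumented capability widening appears further down in dhcp.te (dac_override added to dhcpd_t) and logging.te (setuid and setgid added to syslogd_t), and neither of those is mentioned in the commit message either.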
@@ -36170,7 +36251,7 @@ index 5e2cea8..8eec089 100644
 +	dhcpd_systemctl($1)
  ')
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..f90959a 100644
+index d4424ad..5d01064 100644
 --- a/policy/modules/services/dhcp.te
 +++ b/policy/modules/services/dhcp.te
 @@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -36188,7 +36269,7 @@ index d4424ad..f90959a 100644
  #
  
 -allow dhcpd_t self:capability { net_raw sys_resource };
-+allow dhcpd_t self:capability { sys_chroot net_raw setgid setuid sys_resource };
++allow dhcpd_t self:capability { dac_override sys_chroot net_raw setgid setuid sys_resource };
  dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
 -allow dhcpd_t self:process signal_perms;
 +allow dhcpd_t self:process { getcap setcap signal_perms };
@@ -38336,10 +38417,10 @@ index 0000000..67906f0
 +## <summary>Generate entropy from audio input</summary>
 diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
 new file mode 100644
-index 0000000..b6ac808
+index 0000000..053caed
 --- /dev/null
 +++ b/policy/modules/services/entropyd.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,82 @@
 +policy_module(entropyd, 1.7.0)
 +
 +########################################
@@ -38394,6 +38475,8 @@ index 0000000..b6ac808
 +
 +logging_send_syslog_msg(entropyd_t)
 +
++auth_use_nsswitch(entropyd_t)
++
 +miscfiles_read_localization(entropyd_t)
 +
 +userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
@@ -62492,7 +62575,7 @@ index 22adaca..6ec295a 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..12ad27c 100644
+index 2dad3c8..cf94c2b 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -62897,22 +62980,25 @@ index 2dad3c8..12ad27c 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +408,86 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +408,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 +userdom_use_user_terminals(ssh_keygen_t)
  
- optional_policy(`
+-optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
-+	seutil_sigchld_newrole(ssh_keygen_t)
++tunable_policy(`use_nfs_home_dirs',`
++    fs_manage_nfs_files(ssh_keygen_t)
++    fs_manage_nfs_dirs(ssh_keygen_t)
  ')
  
  optional_policy(`
--	seutil_sigchld_newrole(ssh_keygen_t)
-+	udev_read_db(ssh_keygen_t)
+@@ -363,3 +422,77 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(ssh_keygen_t)
  ')
- 
++
 +####################################
 +#
 +# ssh_dyntransition domain local policy
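Review bot: The two lines inside the new `tunable_policy(\`use_nfs_home_dirs',` block are indented with four spaces while the neighbouring ssh.te lines in this hunk use a tab (see the removed `nscd_socket_use` line); use tabs to match the file. fs_manage_nfs_files and fs_manage_nfs_dirs grant create, write and unlink on every nfs_t object, not just home directories — that is conventional for this boolean, but a comment such as `# ssh-keygen presumably writes keys under NFS-mounted home directories` would record why the write side is needed, since the hunk itself does not show it.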
@@ -62922,8 +63008,7 @@ index 2dad3c8..12ad27c 100644
 +
 +allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms;
 +
- optional_policy(`
--	udev_read_db(ssh_keygen_t)
++optional_policy(`
 +    ssh_rw_stream_sockets(ssh_dyntransition_domain)
 +    ssh_rw_tcp_sockets(ssh_dyntransition_domain)
 +')
@@ -62986,7 +63071,7 @@ index 2dad3c8..12ad27c 100644
 +
 +optional_policy(`
 +    ssh_rw_dgram_sockets(chroot_user_t)
- ')
++')
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..e1095f0 100644
 --- a/policy/modules/services/sssd.if
@@ -64641,7 +64726,7 @@ index 32a3c13..e3d91ad 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..49c15d1 100644
+index 2124b6a..246df1a 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -64653,7 +64738,7 @@ index 2124b6a..49c15d1 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,39 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,43 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -64696,6 +64781,10 @@ index 2124b6a..49c15d1 100644
 +
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
 index 7c5d8d8..e6bb21e 100644
 --- a/policy/modules/services/virt.if
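Review bot: The four new qemu specifications are appended directly beneath the `# support for nova-stack` comment, so they read as nova-specific even though they label the generic qemu binaries; separate them with a blank line and their own heading, e.g. `# qemu binaries`. If a qemu.fc elsewhere in the tree still carries specifications for the same paths, the duplicates will be reported at policy build time, so that should be checked before merging — the hunk does not show whether those entries were removed from their old home.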
@@ -74729,7 +74818,7 @@ index a0b379d..2291a13 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..170e2e0 100644
+index 02f4c97..3bdf89f 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -17,12 +17,27 @@
@@ -74770,7 +74859,15 @@ index 02f4c97..170e2e0 100644
  /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -66,6 +81,7 @@ ifdef(`distro_redhat',`
+@@ -46,6 +61,7 @@ ifdef(`distro_suse', `
+ /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+ /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
++/var/run/log(/.*)?		gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+ 
+ ifndef(`distro_gentoo',`
+ /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+@@ -66,6 +82,7 @@ ifdef(`distro_redhat',`
  /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
  /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -74778,7 +74875,7 @@ index 02f4c97..170e2e0 100644
  
  /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
  /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +89,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +90,9 @@ ifdef(`distro_redhat',`
  /var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
@@ -75044,7 +75141,7 @@ index 831b909..118f708 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..5684c8a 100644
+index b6ec597..688f59a 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
@@ -75162,7 +75259,7 @@ index b6ec597..5684c8a 100644
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
 -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
-+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
++allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
  dontaudit syslogd_t self:capability sys_tty_config;
 +allow syslogd_t self:capability2 syslog;
  # setpgid for metalog
@@ -75196,7 +75293,7 @@ index b6ec597..5684c8a 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -75208,6 +75305,7 @@ index b6ec597..5684c8a 100644
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
 +dev_read_rand(syslogd_t)
++dev_read_urand(syslogd_t)
 +# relating to systemd-kmsg-syslogd
 +dev_write_kmsg(syslogd_t)
  
@@ -75217,15 +75315,17 @@ index b6ec597..5684c8a 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
+@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+ term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
++term_use_generic_ptys(syslogd_t)
  
 +init_stream_connect(syslogd_t)
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +512,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -75233,7 +75333,7 @@ index b6ec597..5684c8a 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +548,20 @@ optional_policy(`
+@@ -496,11 +550,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78272,7 +78372,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..8aa3908 100644
+index 34d0ec5..58f8e6e 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -78381,9 +78481,12 @@ index 34d0ec5..8aa3908 100644
  domain_use_interactive_fds(dhcpc_t)
  domain_dontaudit_read_all_domains_state(dhcpc_t)
  
-@@ -130,13 +151,14 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
+@@ -129,14 +150,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+ term_dontaudit_use_unallocated_ttys(dhcpc_t)
  term_dontaudit_use_generic_ptys(dhcpc_t)
  
++auth_use_nsswitch(dhcpc_t)
++
  init_rw_utmp(dhcpc_t)
 +init_stream_connect(dhcpc_t)
 +init_stream_send(dhcpc_t)
@@ -78398,7 +78501,7 @@ index 34d0ec5..8aa3908 100644
  userdom_use_user_terminals(dhcpc_t)
  userdom_dontaudit_search_user_home_dirs(dhcpc_t)
  
-@@ -151,7 +173,18 @@ ifdef(`distro_ubuntu',`
+@@ -151,7 +175,18 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -78418,7 +78521,7 @@ index 34d0ec5..8aa3908 100644
  ')
  
  optional_policy(`
-@@ -171,6 +204,8 @@ optional_policy(`
+@@ -171,6 +206,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -78427,7 +78530,7 @@ index 34d0ec5..8aa3908 100644
  ')
  
  optional_policy(`
-@@ -192,17 +227,31 @@ optional_policy(`
+@@ -192,17 +229,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -78459,7 +78562,7 @@ index 34d0ec5..8aa3908 100644
  ')
  
  optional_policy(`
-@@ -213,6 +262,11 @@ optional_policy(`
+@@ -213,6 +264,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -78471,7 +78574,7 @@ index 34d0ec5..8aa3908 100644
  ')
  
  optional_policy(`
-@@ -255,6 +309,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +311,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -78479,24 +78582,34 @@ index 34d0ec5..8aa3908 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +331,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +333,12 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 +
++files_dontaudit_read_root_files(ifconfig_t)
  files_read_etc_files(ifconfig_t)
  files_read_etc_runtime_files(ifconfig_t)
 +files_read_usr_files(ifconfig_t)
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +359,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -290,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+ term_dontaudit_use_ptmx(ifconfig_t)
+ term_dontaudit_use_generic_ptys(ifconfig_t)
+ 
+-files_dontaudit_read_root_files(ifconfig_t)
++auth_use_nsswitch(ifconfig_t)
+ 
+ init_use_fds(ifconfig_t)
+ init_use_script_ptys(ifconfig_t)
+@@ -301,11 +362,11 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
 -modutils_domtrans_insmod(ifconfig_t)
- 
+-
  seutil_use_runinit_fds(ifconfig_t)
  
 -userdom_use_user_terminals(ifconfig_t)
@@ -78506,7 +78619,7 @@ index 34d0ec5..8aa3908 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +373,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +375,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -78525,7 +78638,7 @@ index 34d0ec5..8aa3908 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +395,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -78540,10 +78653,11 @@ index 34d0ec5..8aa3908 100644
  ')
  
  optional_policy(`
-@@ -335,6 +411,18 @@ optional_policy(`
+@@ -335,7 +413,15 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nis_use_ypbind(ifconfig_t)
 +	kdump_dontaudit_read_config(ifconfig_t)
 +')
 +
@@ -78553,13 +78667,10 @@ index 34d0ec5..8aa3908 100644
 +
 +optional_policy(`
 +	netutils_domtrans(dhcpc_t)
-+')
-+
-+optional_policy(`
- 	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -356,3 +444,9 @@ optional_policy(`
+ optional_policy(`
+@@ -356,3 +442,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -78605,10 +78716,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..7581e7d
+index 0000000..19ba4e1
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,543 @@
+@@ -0,0 +1,546 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -78662,6 +78773,9 @@ index 0000000..7581e7d
 +	init_list_pid_dirs($1)
 +	init_read_state($1)
 +	init_stream_send($1)
++
++	systemd_login_list_pid_dirs($1)
++	systemd_login_read_pid_files($1)
 +')
 +
 +#######################################
@@ -79154,10 +79268,10 @@ index 0000000..7581e7d
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..9e08125
+index 0000000..115f05e
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,381 @@
+@@ -0,0 +1,387 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -79271,6 +79385,7 @@ index 0000000..9e08125
 +init_dbus_chat_script(systemd_logind_t)
 +init_read_script_state(systemd_logind_t)
 +init_read_state(systemd_logind_t)
++init_rw_stream_sockets(systemd_logind_t)
 +
 +logging_send_syslog_msg(systemd_logind_t)
 +
@@ -79358,6 +79473,9 @@ index 0000000..9e08125
 +files_delete_kernel_modules(systemd_tmpfiles_t)
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
++dev_relabel_all_sysfs(systemd_tmpfiles_t)
++dev_relabel_cpu_online(systemd_tmpfiles_t)
++dev_read_cpu_online(systemd_tmpfiles_t)
 +
 +domain_obj_id_change_exemption(systemd_tmpfiles_t)
 +
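Review bot: systemd_tmpfiles_t receives dev_relabel_all_sysfs in addition to dev_relabel_cpu_online, although the commit message names only /sys/devices/system/cpu/online, which dev_relabel_cpu_online already covers through cpu_online_t. The broader interface lets tmpfiles relabel every sysfs_t directory, file and symlink; if some other sysfs entry needs it, name it in a comment above the three lines, e.g. `# tmpfiles relabels sysfs entries: cpu/online and TODO`, otherwise drop dev_relabel_all_sysfs. The systemd_tmpfiles_t section starts outside the hunk.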
@@ -79482,6 +79600,8 @@ index 0000000..9e08125
 +
 +auth_use_nsswitch(systemd_notify_t)
 +
++init_rw_stream_sockets(systemd_notify_t)
++
 +miscfiles_read_localization(systemd_notify_t)
 +
 +optional_policy(`
@@ -79780,7 +79900,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..6a93c64 100644
+index d88f7c3..5ff6beb 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -79990,6 +80110,14 @@ index d88f7c3..6a93c64 100644
  	unconfined_signal(udev_t)
  ')
  
+@@ -285,6 +333,7 @@ optional_policy(`
+ 	kernel_read_xen_state(udev_t)
+ 	xen_manage_log(udev_t)
+ 	xen_read_image_files(udev_t)
++	xen_stream_connect_xenstore(udev_t)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
 index ce2fbb9..8b34dbc 100644
 --- a/policy/modules/system/unconfined.fc
@@ -84528,7 +84656,7 @@ index 9b4a930..ced52ff 100644
 +')
 +
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a865da7..a5ed06e 100644
+index a865da7..f22f770 100644
 --- a/policy/modules/system/xen.fc
 +++ b/policy/modules/system/xen.fc
 @@ -1,12 +1,10 @@
@@ -84541,7 +84669,7 @@ index a865da7..a5ed06e 100644
  /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
  
 -/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-+/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++#/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
  
  ifdef(`distro_debian',`
  /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
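Review bot: The qemu-dm file context is disabled by prefixing `#` instead of being removed, and nothing on the line says why or for how long; commented-out specifications tend to linger in .fc files and git already keeps the old line. If it is being kept until the qemu_dm_t policy goes away as the new TODO in xen.te suggests, say so in place, e.g. `# disabled: remove together with the qemu_dm_t policy (see TODO in xen.te)`, otherwise delete the line.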
@@ -84657,7 +84785,7 @@ index 77d41b6..138efd8 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..5d6dbad 100644
+index 4350ba0..9ab107b 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -84688,7 +84816,18 @@ index 4350ba0..5d6dbad 100644
  ########################################
  #
  # blktap local policy
-@@ -208,8 +205,7 @@ tunable_policy(`xend_run_qemu',`
+@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+ #
+ # qemu-dm local policy
+ #
++
++# TODO: This part of policy should be removed
++#       qemu-dm should run in xend_t domain
++
+ # Do we need to allow execution of qemu-dm?
+ tunable_policy(`xend_run_qemu',`
+ 	allow qemu_dm_t self:capability sys_resource;
+@@ -208,9 +209,13 @@ tunable_policy(`xend_run_qemu',`
  # xend local policy
  #
  
@@ -84696,9 +84835,15 @@ index 4350ba0..5d6dbad 100644
 -dontaudit xend_t self:capability { sys_ptrace };
 +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
  allow xend_t self:process { signal sigkill };
++
++# needed by qemu_dm
++allow xend_t self:capability sys_resource;
++allow xend_t self:process setrlimit;
++
  dontaudit xend_t self:process ptrace;
  # internal communication is often done using fifo and unix sockets.
-@@ -320,12 +316,9 @@ locallogin_dontaudit_use_fds(xend_t)
+ allow xend_t self:fifo_file rw_fifo_file_perms;
+@@ -320,13 +325,9 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
@@ -84708,10 +84853,11 @@ index 4350ba0..5d6dbad 100644
  miscfiles_read_hwdata(xend_t)
  
 -mount_domtrans(xend_t)
- 
+-
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
-@@ -339,8 +332,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+ sysnet_domtrans_ifconfig(xend_t)
+@@ -339,8 +340,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -84720,7 +84866,7 @@ index 4350ba0..5d6dbad 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +340,22 @@ optional_policy(`
+@@ -349,6 +348,22 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -84743,7 +84889,7 @@ index 4350ba0..5d6dbad 100644
  ########################################
  #
  # Xen console local policy
-@@ -413,9 +420,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -84755,7 +84901,7 @@ index 4350ba0..5d6dbad 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +450,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -84767,7 +84913,7 @@ index 4350ba0..5d6dbad 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +467,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +475,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -84864,7 +85010,7 @@ index 4350ba0..5d6dbad 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +482,4 @@ optional_policy(`
+@@ -559,8 +490,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 60ecee4..6b04ce0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,13 +16,12 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 74.2%{?dist}
+Release: 75%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
-patch2: policy-systemd.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -239,7 +238,6 @@ Based off of reference policy: Checked out revision  2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1 -b .unconfined
-%patch2 -p1 -b .systemd
 
 %install
 mkdir selinux_config
@@ -473,6 +471,13 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-75
+- Merge systemd patch
+- systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
+- Allow deltacloudd dac_override, setuid, setgid  caps
+- Allow aisexec to execute shell
+- Add use_nfs_home_dirs boolean for ssh-keygen
+
 * Fri Jan 13 2012 Dan Walsh <dwalsh at redhat.com> 3.10.0-74.2
 - Fixes to make rawhide boot in enforcing mode with latest systemd changes
 

