[selinux-policy] - Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port

Miroslav Grepl mgrepl at fedoraproject.org
Mon Jan 23 15:15:24 UTC 2012


commit 8cd443307d839fd9c78a5bed3e62606322e8e788
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Jan 23 16:15:05 2012 +0100

    - Treat Bip with bitlbee policy
          * Bip is an IRC proxy
    - Add port definition for interwise port
    - Add support for ipa_memcached socket
    - systemd_journald needs to getattr on all processes
    - mdadmin fixes
         * uses getpw
    - amavisd calls getpwnam()
    - denyhosts calls getpwall()

 policy-F16.patch    |  207 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   15 +++-
 2 files changed, 153 insertions(+), 69 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 2fa1838..918a032 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -14484,7 +14484,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..f7cc16e 100644
+index 99b71cb..58a5523 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14610,7 +14610,7 @@ index 99b71cb..f7cc16e 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -115,11 +157,13 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -14620,11 +14620,12 @@ index 99b71cb..f7cc16e 100644
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
  network_port(innd, tcp,119,s0)
++network_port(interwise, tcp,7778,s0, udp,7778,s0)
 +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
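Review bot: The new `network_port(interwise, tcp,7778,s0, udp,7778,s0)` line carries no hint of why this port is being defined, whereas the neighbouring http entry documents its unusual port inline (`#8443 is mod_nss default port`). The only consumer in this commit is bitlbee_t binding it for bip, so a trailing comment in the same style, `# 7778 is the bip default listen port`, would tell the next reader why an IRC proxy binds a port named interwise — assuming that is the reason, which the commit message does not state. Both tcp and udp are declared but the bitlbee.te hunk only binds tcp; if bip has no UDP listener the udp half could be dropped to keep the labelled surface minimal.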
@@ -14655,7 +14656,7 @@ index 99b71cb..f7cc16e 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14688,7 +14689,7 @@ index 99b71cb..f7cc16e 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +239,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +240,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -14734,7 +14735,7 @@ index 99b71cb..f7cc16e 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +281,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +282,11 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14747,7 +14748,7 @@ index 99b71cb..f7cc16e 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14755,7 +14756,7 @@ index 99b71cb..f7cc16e 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14768,7 +14769,7 @@ index 99b71cb..f7cc16e 100644
  
  ########################################
  #
-@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -25244,7 +25245,7 @@ index e31d92a..e515cb8 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..ae8c579 100644
+index deca9d3..ac92fce 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
 @@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -25264,7 +25265,15 @@ index deca9d3..ae8c579 100644
  
  domain_use_interactive_fds(amavis_t)
  
-@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
+@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+ 
+ fs_getattr_xattr_fs(amavis_t)
+ 
++auth_use_nsswitch(amavis_t)
+ auth_dontaudit_read_shadow(amavis_t)
+ 
+ # uses uptime which reads utmp - redhat bug 561383
+@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
  
  userdom_dontaudit_search_user_home_dirs(amavis_t)
  
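Review bot: `auth_use_nsswitch(amavis_t)` is added while `sysnet_use_ldap(amavis_t)` remains a few lines below (it is visible in the following hunk header); in refpolicy auth_use_nsswitch already covers the nss/ldap/nscd/dns lookup paths, so the older line is most likely redundant now and could be dropped to avoid carrying two grants for the same need. If sysnet_use_ldap is kept on purpose, a one-line comment saying why would stop the next cleanup from removing it.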
@@ -28230,16 +28239,23 @@ index 4deca04..7859fa1 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc
-index 0197980..f8bce2c 100644
+index 0197980..909ce04 100644
 --- a/policy/modules/services/bitlbee.fc
 +++ b/policy/modules/services/bitlbee.fc
-@@ -4,3 +4,6 @@
+@@ -1,6 +1,13 @@
+ /etc/rc\.d/init\.d/bitlbee --	gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0)
+ /etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
+ 
++/usr/bin/bip		--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
  /usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
  
  /var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
 +
++/var/log/bip(/.*)?			gen_context(system_u:object_r:bitlbee_log_t,s0)
++
 +/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 +/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
++/var/run/bip(/.*)?			gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if
 index de0bd67..1df2048 100644
 --- a/policy/modules/services/bitlbee.if
@@ -28260,13 +28276,16 @@ index de0bd67..1df2048 100644
  	domain_system_change_exemption($1)
  	role_transition $2 bitlbee_initrc_exec_t system_r;
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..2faf42a 100644
+index f4e7ad3..6b577c2 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
-@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
+@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
  type bitlbee_var_t;
  files_type(bitlbee_var_t)
  
++type bitlbee_log_t;
++logging_log_file(bitlbee_log_t)
++
 +type bitlbee_var_run_t;
 +files_type(bitlbee_var_run_t)
 +
@@ -28277,7 +28296,7 @@ index f4e7ad3..2faf42a 100644
  
 -allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
 +
 +allow bitlbee_t self:fifo_file rw_fifo_file_perms;
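Review bot: The `kill` added to `allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };` is not explained by the commit message, and CAP_KILL lets the domain signal processes owned by other UIDs (still subject to the process-class rules). If it is only needed for bip signalling its own children, a comment above the line such as `# bip: CAP_KILL needed to signal its child processes` would record that; if the denial is harmless, a dontaudit would be the narrower choice. The enclosing block continues outside the hunk.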
@@ -28300,6 +28319,10 @@ index f4e7ad3..2faf42a 100644
  manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
  files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
  
++# log files
++manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
++
 +manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 +manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
 +manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
@@ -28308,7 +28331,7 @@ index f4e7ad3..2faf42a 100644
  kernel_read_system_state(bitlbee_t)
  
  corenet_all_recvfrom_unlabeled(bitlbee_t)
-@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
+@@ -52,6 +70,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t)
  corenet_udp_sendrecv_generic_node(bitlbee_t)
  corenet_tcp_sendrecv_generic_if(bitlbee_t)
  corenet_tcp_sendrecv_generic_node(bitlbee_t)
@@ -28316,13 +28339,15 @@ index f4e7ad3..2faf42a 100644
  # Allow bitlbee to connect to jabber servers
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
-@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
+@@ -69,6 +88,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
  corenet_tcp_sendrecv_http_port(bitlbee_t)
  corenet_tcp_connect_http_cache_port(bitlbee_t)
  corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
 +corenet_tcp_bind_ircd_port(bitlbee_t)
 +corenet_tcp_sendrecv_ircd_port(bitlbee_t)
 +corenet_sendrecv_ircd_server_packets(bitlbee_t)
++corenet_tcp_bind_interwise_port(bitlbee_t)
++corenet_tcp_sendrecv_interwise_port(bitlbee_t)
  
  dev_read_rand(bitlbee_t)
  dev_read_urand(bitlbee_t)
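Review bot: The two interwise lines stop short of the pattern used three lines above for ircd: bind and sendrecv are granted but the matching `corenet_sendrecv_interwise_server_packets(bitlbee_t)` is absent, so under labeled-packet (secmark) policies the interwise listener would be denied where the ircd one is allowed. Adding `corenet_sendrecv_interwise_server_packets(bitlbee_t)` after `corenet_tcp_sendrecv_interwise_port(bitlbee_t)` keeps the trio consistent with the ircd one.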
@@ -35612,7 +35637,7 @@ index 567865f..3a57eb9 100644
  	admin_pattern($1, denyhosts_var_lock_t)
  ')
 diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te
-index 8ba9425..b10da2c 100644
+index 8ba9425..555058a 100644
 --- a/policy/modules/services/denyhosts.te
 +++ b/policy/modules/services/denyhosts.te
 @@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t)
@@ -35625,7 +35650,7 @@ index 8ba9425..b10da2c 100644
  allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
  allow denyhosts_t self:tcp_socket create_socket_perms;
  allow denyhosts_t self:udp_socket create_socket_perms;
-@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -53,20 +54,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
  corenet_tcp_sendrecv_generic_node(denyhosts_t)
  corenet_tcp_bind_generic_node(denyhosts_t)
  corenet_tcp_connect_smtp_port(denyhosts_t)
@@ -35636,6 +35661,8 @@ index 8ba9425..b10da2c 100644
  
  files_read_etc_files(denyhosts_t)
 +files_read_usr_files(denyhosts_t)
++
++auth_use_nsswitch(denyhosts_t)
  
  # /var/log/secure
  logging_read_generic_logs(denyhosts_t)
@@ -45146,6 +45173,16 @@ index 98d28b4..1c1d012 100644
 +
 +        delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
 +')
+diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
+index 4d69477..4079870 100644
+--- a/policy/modules/services/memcached.fc
++++ b/policy/modules/services/memcached.fc
+@@ -2,4 +2,5 @@
+ 
+ /usr/bin/memcached		--	gen_context(system_u:object_r:memcached_exec_t,s0)
+ 
++/var/run/ipa_memcached	-s	gen_context(system_u:object_r:memcached_var_run_t,s0)
+ /var/run/memcached(/.*)?		gen_context(system_u:object_r:memcached_var_run_t,s0)
 diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
 index db4fd6f..ce07b3f 100644
 --- a/policy/modules/services/memcached.if
@@ -45194,7 +45231,7 @@ index db4fd6f..ce07b3f 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te
-index b681608..08b1b49 100644
+index b681608..0934c95 100644
 --- a/policy/modules/services/memcached.te
 +++ b/policy/modules/services/memcached.te
 @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
@@ -45206,6 +45243,16 @@ index b681608..08b1b49 100644
  dontaudit memcached_t self:capability sys_tty_config;
  allow memcached_t self:process { setrlimit signal_perms };
  allow memcached_t self:tcp_socket create_stream_socket_perms;
+@@ -42,7 +42,8 @@ corenet_udp_bind_memcache_port(memcached_t)
+ 
+ manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+ manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+-files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
++manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
++files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file })
+ 
+ kernel_read_kernel_sysctls(memcached_t)
+ kernel_read_system_state(memcached_t)
 diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
 index 55a3e2f..bc489e0 100644
 --- a/policy/modules/services/milter.fc
@@ -60717,7 +60764,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..a181f01 100644
+index 086cd5f..6e66656 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -60778,7 +60825,7 @@ index 086cd5f..a181f01 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -60797,7 +60844,12 @@ index 086cd5f..a181f01 100644
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
  ')
  
-@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+ optional_policy(`
++	rpm_exec(setroubleshootd_t)
+ 	rpm_signull(setroubleshootd_t)
+ 	rpm_read_db(setroubleshootd_t)
+ 	rpm_dontaudit_manage_db(setroubleshootd_t)
+@@ -151,7 +171,11 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
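Review bot: `rpm_exec(setroubleshootd_t)` executes rpm inside setroubleshootd_t rather than transitioning to the rpm domain, which is the tighter choice for a read-only version query but is worth recording, because a later reader may well "fix" it to a domain transition and hand the daemon rpm's full write privileges. A comment above the new line, `# package version queries only; keep rpm confined to this domain`, would capture that intent. The optional_policy block continues outside the hunk.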
@@ -60809,7 +60861,7 @@ index 086cd5f..a181f01 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -75252,7 +75304,7 @@ index 831b909..118f708 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..688f59a 100644
+index b6ec597..dc551f4 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -5,6 +5,13 @@ policy_module(logging, 1.17.2)
@@ -75404,7 +75456,7 @@ index b6ec597..688f59a 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -426,10 +466,22 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -75423,10 +75475,11 @@ index b6ec597..688f59a 100644
 +domain_read_all_domains_state(syslogd_t)
  domain_use_interactive_fds(syslogd_t)
 +domain_read_all_domains_state(syslogd_t)
++domain_getattr_all_domains(syslogd_t)
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
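Review bot: The new `domain_getattr_all_domains(syslogd_t)` lands between two identical `domain_read_all_domains_state(syslogd_t)` additions the patch already carries on either side of `domain_use_interactive_fds(syslogd_t)`; one of them is redundant and could be dropped while this spot is being touched. The commit message attributes the need to systemd journald, which presumably runs as syslogd_t here, so a short comment above the new line, `# journald needs getattr on all processes`, would preserve the rationale next to the grant.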
-@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -447,7 +499,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -75436,7 +75489,7 @@ index b6ec597..688f59a 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +512,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +513,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -75444,7 +75497,7 @@ index b6ec597..688f59a 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -496,11 +550,20 @@ optional_policy(`
+@@ -496,11 +551,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -77105,7 +77158,7 @@ index b1a85b5..db0d815 100644
  ## </summary>
  ## <desc>
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index a19ecea..99c4da1 100644
+index a19ecea..486d7f2 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -77122,7 +77175,7 @@ index a19ecea..99c4da1 100644
  
  ########################################
  #
-@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t)
+@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t)
  
  allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
  dontaudit mdadm_t self:capability sys_tty_config;
@@ -77138,6 +77191,7 @@ index a19ecea..99c4da1 100644
 +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
  manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
++manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 +manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
 +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
 +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
@@ -77148,12 +77202,13 @@ index a19ecea..99c4da1 100644
  kernel_rw_software_raid_state(mdadm_t)
  kernel_getattr_core_if(mdadm_t)
  
-@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,13 +52,17 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  # unfortunately needed for DMI decoding:
  dev_read_raw_memory(mdadm_t)
 +dev_read_generic_files(mdadm_t)
  
++domain_read_all_domains_state(mdadm_t)
  domain_use_interactive_fds(mdadm_t)
  
  files_read_etc_files(mdadm_t)
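Review bot: `domain_read_all_domains_state(mdadm_t)` grants mdadm read access to the /proc state of every confined domain, a broad grant that the commit message ("mdadmin fixes, uses getpw") does not account for — the getpw need is covered by the `auth_use_nsswitch(mdadm_t)` line in the next hunk. If the denial only came from a harmless probe (for example scanning /proc for an already running instance), `domain_dontaudit_read_all_domains_state(mdadm_t)` or a narrower per-domain interface would be the least-privilege fix; otherwise a comment naming the operation that needs it would help future audits.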
@@ -77166,7 +77221,7 @@ index a19ecea..99c4da1 100644
  fs_dontaudit_list_tmpfs(mdadm_t)
  
  mls_file_read_all_levels(mdadm_t)
-@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t)
+@@ -68,9 +72,12 @@ mls_file_write_all_levels(mdadm_t)
  storage_manage_fixed_disk(mdadm_t)
  storage_dev_filetrans_fixed_disk(mdadm_t)
  storage_read_scsi_generic(mdadm_t)
@@ -77174,7 +77229,12 @@ index a19ecea..99c4da1 100644
  
  term_dontaudit_list_ptys(mdadm_t)
  
-@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
++auth_use_nsswitch(mdadm_t)
++
+ init_dontaudit_getattr_initctl(mdadm_t)
+ 
+ logging_send_syslog_msg(mdadm_t)
+@@ -84,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
  mta_send_mail(mdadm_t)
  
  optional_policy(`
@@ -81035,7 +81095,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..330f877 100644
+index 4b2878a..eeb5b5a 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -82671,12 +82731,16 @@ index 4b2878a..330f877 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2186,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1698,14 +2184,35 @@ interface(`userdom_mmap_user_home_content_files',`
+ interface(`userdom_read_user_home_content_files',`
+ 	gen_require(`
  		type user_home_dir_t, user_home_t;
++		attribute user_home_type;
  	')
  
-+	list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
- 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
++	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
  	files_search_home($1)
  ')
  
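Review bot: Switching `userdom_read_user_home_content_files` from `user_home_t` to the `user_home_type` attribute silently widens every existing caller of this interface from plain home files to all home-content types carrying that attribute, which can include credential and configuration types those callers never previously reached. A change of that scope is better expressed as a new interface that callers opt into deliberately, or at minimum the `## <summary>` above the hunk should be updated to state that all user_home_type content is now readable so the wider grant is visible to anyone choosing the interface. The interface's documentation block sits above the hunk.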
@@ -82704,7 +82768,7 @@ index 4b2878a..330f877 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2222,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -82722,7 +82786,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -1779,6 +2288,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -82783,7 +82847,7 @@ index 4b2878a..330f877 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2373,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -82793,7 +82857,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -1827,20 +2389,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -82818,7 +82882,16 @@ index 4b2878a..330f877 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2497,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1920,7 +2477,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ 	allow $1 user_home_dir_t:dir search_dir_perms;
+ 	files_search_home($1)
+ ')
+-
++/
+ ########################################
+ ## <summary>
+ ##	Delete symbolic links in a user home directory.
+@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
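Review bot: The blank separator line after `userdom_manage_user_home_content_symlinks` is replaced by a line containing only `/` (`+/`), which looks like an editing slip rather than intent and leaves a stray token in userdomain.if between two interface definitions. Restoring the empty line, i.e. dropping the `/`, is the fix.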
  
  ########################################
  ## <summary>
@@ -82843,7 +82916,7 @@ index 4b2878a..330f877 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2582,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -82852,7 +82925,7 @@ index 4b2878a..330f877 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2613,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2614,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -82861,7 +82934,7 @@ index 4b2878a..330f877 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2182,7 +2756,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -82870,7 +82943,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2390,7 +2964,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2965,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -82879,7 +82952,7 @@ index 4b2878a..330f877 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +2993,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +2994,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -82905,7 +82978,7 @@ index 4b2878a..330f877 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3028,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3029,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -82921,7 +82994,7 @@ index 4b2878a..330f877 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3056,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3057,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -82930,7 +83003,7 @@ index 4b2878a..330f877 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3064,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3065,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -82965,7 +83038,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2572,6 +3182,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3183,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -82990,7 +83063,7 @@ index 4b2878a..330f877 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +3218,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3219,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -83033,7 +83106,7 @@ index 4b2878a..330f877 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3254,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3255,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -83071,7 +83144,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2640,8 +3299,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3300,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -83101,7 +83174,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2713,45 +3391,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,45 +3392,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -83167,7 +83240,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2772,25 +3450,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3451,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -83193,7 +83266,7 @@ index 4b2878a..330f877 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3511,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3512,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -83202,7 +83275,7 @@ index 4b2878a..330f877 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3527,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3528,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -83236,7 +83309,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -2972,7 +3615,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3616,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -83245,7 +83318,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -3027,7 +3670,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3671,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -83292,7 +83365,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -3045,7 +3726,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3727,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -83301,7 +83374,7 @@ index 4b2878a..330f877 100644
  ')
  
  ########################################
-@@ -3064,6 +3745,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3746,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -83309,7 +83382,7 @@ index 4b2878a..330f877 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3824,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3825,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -83334,7 +83407,7 @@ index 4b2878a..330f877 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3860,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3861,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -83359,7 +83432,7 @@ index 4b2878a..330f877 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3912,1236 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3913,1236 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 865308c..9f4b498 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 76%{?dist}
+Release: 77%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jan 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-77
+- Treat Bip with bitlbee policy
+      * Bip is an IRC proxy
+- Add port definition for interwise port
+- Add support for ipa_memcached socket
+- systemd_jounald needs to getattr on all processes
+- mdadmin fixes
+     * uses getpw
+- amavisd calls getpwnam()
+- denyhosts calls getpwall()
+
 * Fri Jan 20 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-76
 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there
 - bluetooth says they do not use /tmp and want to remove the type
@@ -479,7 +490,7 @@ SELinux Reference policy mls base module.
 - Allow postfix_smtpd_t to connect to spamd
 - Add boolean to allow ftp to connect to all ports > 1023
 - Allow sendmain to write to inherited dovecot tmp files
-
+- setroubleshoot needs to be able to execute rpm to see what version of packages
 * Mon Jan 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-75
 - Merge systemd patch
 - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
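Review bot: The new changelog line `- setroubleshoot needs to be able to execute rpm to see what version of packages` replaces the trailing blank line of the 3.10.0-76 entry, so it is filed under the previous release and the separator between the -76 and -75 entries is lost. It belongs in the 3.10.0-77 entry added in the hunk above, with the blank line kept. That new entry also spells `systemd_jounald`, presumably meant to be systemd_journald.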

