[selinux-policy/f17] * Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-100 - Add additional fixes for icmp nagi

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 14 17:57:28 UTC 2012


commit ae56b99bfe636537c5091616b0f7448b3ba04096
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 14 18:57:15 2012 +0100

    * Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-100
    - Add additional fixes for icmp nagios plugin
    - Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
    - Add certmonger_unconfined_exec_t
    - Make sure tap22 device is created with the correct label
    - Allow staff users to read systemd unit files
    - Merge in previously built policy
    - Arpwatch needs to be able to start netlink sockets in order to start
    - Allow cgred_t to sys_ptrace to look at other DAC Processes

 policy-F16.patch    |  282 ++++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |   12 ++-
 2 files changed, 213 insertions(+), 81 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index b812efe..03a11ae 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -68172,24 +68172,31 @@ index 2533ea0..92f0ecb 100644
 +')
 diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
 new file mode 100644
-index 0000000..a4be758
+index 0000000..b43c093
 --- /dev/null
 +++ b/policy/modules/apps/thumb.fc
-@@ -0,0 +1,4 @@
-+
+@@ -0,0 +1,12 @@
 +/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gsf-office-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/gnome-thumbnail-font		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-[^/]*-thumbnailer(.sh)?	--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/raw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/shotwell-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/totem-video-thumbnailer	--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/whaaw-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/[^/]*thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/ffmpegthumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
++
++/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
 new file mode 100644
-index 0000000..5554dc9
+index 0000000..79515db
 --- /dev/null
 +++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,103 @@
 +
 +## <summary>policy for thumb</summary>
 +
-+
 +########################################
 +## <summary>
 +##	Transition to thumb.
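Review bot: The catch-all `++/usr/bin/[^/]*thumbnailer` entry makes the specific gsf-office-, raw-, shotwell-video-, totem-video- and whaaw-thumbnailer entries above it redundant, since each of those names also matches it; either drop them or keep only the catch-all plus the entries it cannot cover (gnome-thumbnail-font, the gnome-*-thumbnailer wrappers, ffmpegthumbnailer's neighbours, tumblerd). In `++/usr/bin/gnome-[^/]*-thumbnailer(.sh)?` the dot is unescaped, so it matches any single character rather than a literal period; `(\.sh)?` is what is meant. All of these map to the same type, so the duplication is harmless today but makes the list harder to maintain.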
@@ -68270,12 +68277,32 @@ index 0000000..5554dc9
 +	allow thumb_t $2:dbus send_msg;
 +')
 +
++########################################
++## <summary>
++##      Send and receive messages from
++##      thumb over dbus.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`thumb_dbus_chat',`
++        gen_require(`
++                type thumb_t;
++                class dbus send_msg;
++        ')
++
++        allow $1 thumb_t:dbus send_msg;
++        allow thumb_t $1:dbus send_msg;
++')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..0e7f810
+index 0000000..a5ba4ff
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,84 @@
+@@ -0,0 +1,86 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
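Review bot: The new `thumb_dbus_chat` interface is indented with spaces while the rest of the file (e.g. `+	allow thumb_t $2:dbus send_msg;` just above it) uses tabs, and its `## <summary>` text is space-indented too; refpolicy style is one tab per level in both the XML doc comment and the body. The interface body itself mirrors the dbus pair in the preceding interface, so only the whitespace needs to change to keep thumb.if consistent.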
@@ -68314,12 +68341,14 @@ index 0000000..0e7f810
 +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
 +userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
++can_exec(thumb_t, thumb_exec_t)
 +
 +kernel_read_system_state(thumb_t)
 +
 +domain_use_interactive_fds(thumb_t)
 +
 +corecmd_exec_bin(thumb_t)
++corecmd_exec_shell(thumb_t)
 +
 +dev_read_sysfs(thumb_t)
 +
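Review bot: `++corecmd_exec_shell(thumb_t)` widens the thumbnailer domain to run a shell without a comment saying which thumbnailer needs it; the `(.sh)?` wrapper scripts added to thumb.fc in this commit look like the reason, but that is an inference. A one-line why-comment above it, e.g. `# gnome-*-thumbnailer.sh wrappers are shell scripts`, would let a later reviewer judge whether the rule is still needed. Likewise `++can_exec(thumb_t, thumb_exec_t)` could use a note on which thumbnailer re-executes another one. The thumb_t section continues past the hunk.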
@@ -69549,7 +69578,7 @@ index f9b25c1..9af1f7a 100644
 +/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
 +/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..1552f90 100644
+index 4f3b542..63f4e1c 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -70871,7 +70900,7 @@ index 4f3b542..1552f90 100644
  	corenet_tcp_recvfrom_labeled($1, $2)
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
-@@ -3134,3 +3885,43 @@ interface(`corenet_unconfined',`
+@@ -3134,3 +3885,53 @@ interface(`corenet_unconfined',`
  
  	typeattribute $1 corenet_unconfined_type;
  ')
@@ -70913,6 +70942,16 @@ index 4f3b542..1552f90 100644
 +	dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
 +	dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
 +	dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
++	dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
 +	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
 +')
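Review bot: The tap20–tap29 transitions are appended with no comment on why the list stops there; a named file transition needs an exact filename, so a tap30 would silently fall back to the generic device label again, which is the same class of problem the changelog's tap22 entry fixes. A short comment above the list, e.g. `# named filetrans cannot use a pattern; extend this list when more tap devices are in use`, would make the limitation explicit. The interface enclosing these lines begins before the hunk.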
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
@@ -76503,7 +76542,7 @@ index 6346378..3bfb1f8 100644
  ')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..d78f93c 100644
+index d91c62f..e6f3965 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -1,5 +1,12 @@
@@ -76536,7 +76575,14 @@ index d91c62f..d78f93c 100644
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -242,11 +252,14 @@ dev_search_usbfs(kernel_t)
+@@ -236,17 +246,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+ corenet_tcp_sendrecv_all_nodes(kernel_t)
+ corenet_raw_send_generic_node(kernel_t)
+ corenet_send_all_packets(kernel_t)
++corenet_filetrans_all_named_dev(kernel_t)
+ 
+ dev_read_sysfs(kernel_t)
+ dev_search_usbfs(kernel_t)
  # devtmpfs handling:
  dev_create_generic_dirs(kernel_t)
  dev_delete_generic_dirs(kernel_t)
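Review bot: `++corenet_filetrans_all_named_dev(kernel_t)` is placed among the corenet send/recv rules rather than under the `# devtmpfs handling:` comment four lines below, which is presumably where kernel_t creating /dev/tapN nodes belongs; moving it there, or adding `# label tapN/ppp nodes the kernel creates in devtmpfs`, ties the rule to its purpose. The changelog's tap22 entry does not say this is the kernel-side half of that fix, so that reading is an inference.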
@@ -76555,7 +76601,7 @@ index d91c62f..d78f93c 100644
  
  # Mount root file system. Used when loading a policy
  # from initrd, then mounting the root filesystem
-@@ -255,7 +268,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -255,7 +269,8 @@ fs_unmount_all_fs(kernel_t)
  
  selinux_load_policy(kernel_t)
  
@@ -76565,7 +76611,7 @@ index d91c62f..d78f93c 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,25 +283,47 @@ files_list_root(kernel_t)
+@@ -269,25 +284,47 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -76613,7 +76659,7 @@ index d91c62f..d78f93c 100644
  ')
  
  optional_policy(`
-@@ -297,6 +333,19 @@ optional_policy(`
+@@ -297,6 +334,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -76633,7 +76679,7 @@ index d91c62f..d78f93c 100644
  ')
  
  optional_policy(`
-@@ -334,9 +383,7 @@ optional_policy(`
+@@ -334,9 +384,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -76644,7 +76690,7 @@ index d91c62f..d78f93c 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +392,7 @@ optional_policy(`
+@@ -345,7 +393,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -76653,7 +76699,7 @@ index d91c62f..d78f93c 100644
  	')
  ')
  
-@@ -358,6 +405,15 @@ optional_policy(`
+@@ -358,6 +406,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -76669,7 +76715,7 @@ index d91c62f..d78f93c 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -386,4 +442,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -386,4 +443,17 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
  allow kern_unconfined unlabeled_t:filesystem *;
  allow kern_unconfined unlabeled_t:association *;
  allow kern_unconfined unlabeled_t:packet *;
@@ -78498,7 +78544,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..b6ee027 100644
+index 2be17d2..17e711a 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -78679,10 +78725,11 @@ index 2be17d2..b6ee027 100644
  ')
  
  optional_policy(`
-@@ -48,10 +187,56 @@ optional_policy(`
+@@ -48,10 +187,59 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_read_unit_files(staff_t)
 +	systemd_exec_systemctl(staff_t)
 +')
 +
@@ -78717,6 +78764,8 @@ index 2be17d2..b6ee027 100644
 +')
 +
 +optional_policy(`
++	virt_getattr_exec(staff_t)
++	virt_search_images(staff_t)
 +	virt_stream_connect(staff_t)
 +')
 +
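Review bot: `++	virt_getattr_exec(staff_t)` and `++	virt_search_images(staff_t)` are not covered by any changelog bullet in this commit (the nearest is "Merge in previously built policy"), so the reason staff_t needs to search virt image directories is undocumented. A comment on the lines or a changelog bullet would record it. The optional_policy block opens in the hunk but the staff_t policy continues on either side.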
@@ -78736,7 +78785,7 @@ index 2be17d2..b6ee027 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -61,10 +246,6 @@ ifndef(`distro_redhat',`
+@@ -61,10 +249,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78747,7 +78796,7 @@ index 2be17d2..b6ee027 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -89,18 +270,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +273,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78766,7 +78815,7 @@ index 2be17d2..b6ee027 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -121,10 +294,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +297,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78777,7 +78826,7 @@ index 2be17d2..b6ee027 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +306,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +309,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -78788,7 +78837,7 @@ index 2be17d2..b6ee027 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +337,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +340,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -84317,10 +84366,18 @@ index c804110..980cd57 100644
  	domain_system_change_exemption($1)
  	role_transition $2 arpwatch_initrc_exec_t system_r;
 diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
-index 804135f..af04567 100644
+index 804135f..2573a6d 100644
 --- a/policy/modules/services/arpwatch.te
 +++ b/policy/modules/services/arpwatch.te
-@@ -47,8 +47,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+@@ -34,6 +34,7 @@ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
+ allow arpwatch_t self:socket create_socket_perms;
++allow arpwatch_t self:netlink_socket create_socket_perms;;
+ 
+ manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+ manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -47,8 +48,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
  files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
  
  kernel_read_network_state(arpwatch_t)
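Review bot: `++allow arpwatch_t self:netlink_socket create_socket_perms;;` ends with a doubled semicolon; the policy compiler is unlikely to accept an empty statement, and even if it does the stray `;` should go: `allow arpwatch_t self:netlink_socket create_socket_perms;`. Separately, the generic `netlink_socket` class is the fallback for netlink families without a dedicated class; if arpwatch is only enumerating interfaces, `netlink_route_socket` with `r_netlink_socket_perms` (as the certmonger rule `allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;` elsewhere in this patch does) would be the narrower grant — worth confirming against the denial that prompted the change.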
@@ -86762,6 +86819,16 @@ index 3384132..97d3269 100644
  files_list_var(certmaster_t)
  files_search_var_lib(certmaster_t)
  
+diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc
+index 5ad1a52..e66fcf6 100644
+--- a/policy/modules/services/certmonger.fc
++++ b/policy/modules/services/certmonger.fc
+@@ -4,3 +4,5 @@
+ 
+ /var/lib/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+ /var/run/certmonger.pid		--	gen_context(system_u:object_r:certmonger_var_run_t,s0)
++
++/usr/lib/ipa/certmonger(/.*)?		gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
 diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
 index 7a6e5ba..e238dfd 100644
 --- a/policy/modules/services/certmonger.if
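Review bot: `++/usr/lib/ipa/certmonger(/.*)?` labels the directory itself and every file beneath it, executable or not, as `certmonger_unconfined_exec_t`, which this patch declares as an executable file type; the `(/.*)?` form is what the data-directory entries above it use, whereas an entry-point type normally labels only the binaries (`/usr/lib/ipa/certmonger/.*	--	gen_context(...)`) and leaves the directory on a plain lib type. The `allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;` rule added to certmonger.te exists only because the directory carries the exec type. Whether any non-executable files live there is not visible here.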
@@ -86804,10 +86871,18 @@ index 7a6e5ba..e238dfd 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..b6b4976 100644
+index c3e3f79..046721e 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
-@@ -23,7 +23,8 @@ files_type(certmonger_var_lib_t)
+@@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
+ type certmonger_var_lib_t;
+ files_type(certmonger_var_lib_t)
+ 
++type certmonger_unconfined_exec_t;
++application_executable_file(certmonger_unconfined_exec_t)
++
+ ########################################
+ #
  # certmonger local policy
  #
  
@@ -86817,7 +86892,7 @@ index c3e3f79..b6b4976 100644
  allow certmonger_t self:process { getsched setsched sigkill };
  allow certmonger_t self:fifo_file rw_file_perms;
  allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,16 +33,23 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +36,23 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@@ -86842,7 +86917,7 @@ index c3e3f79..b6b4976 100644
  
  dev_read_urand(certmonger_t)
  
-@@ -51,6 +59,9 @@ files_read_etc_files(certmonger_t)
+@@ -51,6 +62,9 @@ files_read_etc_files(certmonger_t)
  files_read_usr_files(certmonger_t)
  files_list_tmp(certmonger_t)
  
@@ -86852,7 +86927,7 @@ index c3e3f79..b6b4976 100644
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,15 +69,35 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +72,52 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -86888,6 +86963,23 @@ index c3e3f79..b6b4976 100644
 +	pcscd_read_pub_files(certmonger_t)
  	pcscd_stream_connect(certmonger_t)
  ')
++
++########################################
++#
++# certmonger_unconfined_script_t local policy
++#
++
++optional_policy(`
++	type certmonger_unconfined_t;
++	domain_type(certmonger_unconfined_t)
++
++	domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
++	role system_r types certmonger_unconfined_t;
++
++	unconfined_domain(certmonger_unconfined_t)
++
++	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++')
 diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
 new file mode 100644
 index 0000000..4ec83df
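Review bot: The section comment `++# certmonger_unconfined_script_t local policy` names a type that does not exist; the type declared three lines later is `certmonger_unconfined_t`, so it should read `# certmonger_unconfined_t local policy`. The block grants `unconfined_domain(certmonger_unconfined_t)` but contains no transition from certmonger_t into it — only `dir search_dir_perms` on the exec type — so unless a `domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)` lives outside the hunk, the helpers keep running in certmonger_t and the new domain is unreachable. Because this is a confined daemon spawning an unconfined child, a comment stating which IPA helpers need it and why they cannot be confined would help whoever audits this later.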
@@ -87171,7 +87263,7 @@ index 33facaf..225e70c 100644
  	admin_pattern($1, cgrules_etc_t)
  	files_list_etc($1)
 diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index dad226c..084063b 100644
+index dad226c..944cc0f 100644
 --- a/policy/modules/services/cgroup.te
 +++ b/policy/modules/services/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -87198,7 +87290,7 @@ index dad226c..084063b 100644
  #
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
 +
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
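Review bot: `sys_ptrace` is put back into cgred_t's capability set without a comment, although the previous revision of this same line had deliberately dropped it; the changelog explains it ("look at other DAC Processes") but the policy file does not. Adding `# sys_ptrace: cgrulesengd reads /proc/<pid> of processes owned by other users` above the rule — wording to be confirmed against the denial — keeps the justification next to the grant, since sys_ptrace is broader than proc inspection.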
@@ -89458,11 +89550,13 @@ index 04969e5..a603e70 100644
 +
 diff --git a/policy/modules/services/couchdb.fc b/policy/modules/services/couchdb.fc
 new file mode 100644
-index 0000000..3f0d629
+index 0000000..a0c0865
 --- /dev/null
 +++ b/policy/modules/services/couchdb.fc
-@@ -0,0 +1,9 @@
-+/usr/bin/couchdb		--	gen_context(system_u:object_r:couchdb_exec_t,s0)
+@@ -0,0 +1,11 @@
++/etc/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_etc_t,s0)
++
++/usr/bin/couchdb	--	gen_context(system_u:object_r:couchdb_exec_t,s0)
 +
 +/usr/lib/systemd/system/couchdb.service		--	gen_context(system_u:object_r:couchdb_unit_file_t,s0)
 +
@@ -89473,10 +89567,10 @@ index 0000000..3f0d629
 +/var/run/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_run_t,s0)
 diff --git a/policy/modules/services/couchdb.if b/policy/modules/services/couchdb.if
 new file mode 100644
-index 0000000..9efb8c6
+index 0000000..b556467
 --- /dev/null
 +++ b/policy/modules/services/couchdb.if
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,249 @@
 +
 +## <summary>policy for couchdb</summary>
 +
@@ -89698,6 +89792,7 @@ index 0000000..9efb8c6
 +interface(`couchdb_admin',`
 +	gen_require(`
 +		type couchdb_t;
++		type couchdb_etc_t;
 +		type couchdb_log_t;
 +		type couchdb_var_lib_t;
 +		type couchdb_var_run_t;
@@ -89710,6 +89805,9 @@ index 0000000..9efb8c6
 +	logging_search_logs($1)
 +	admin_pattern($1, couchdb_log_t)
 +
++	files_search_etc($1)
++	admin_pattern($1, couchdb_etc_t)
++
 +	files_search_var_lib($1)
 +	admin_pattern($1, couchdb_var_lib_t)
 +
@@ -89724,10 +89822,10 @@ index 0000000..9efb8c6
 +')
 diff --git a/policy/modules/services/couchdb.te b/policy/modules/services/couchdb.te
 new file mode 100644
-index 0000000..153c2ad
+index 0000000..4a80b5c
 --- /dev/null
 +++ b/policy/modules/services/couchdb.te
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,85 @@
 +policy_module(couchdb, 1.0.0)
 +
 +########################################
@@ -89739,6 +89837,9 @@ index 0000000..153c2ad
 +type couchdb_exec_t;
 +init_daemon_domain(couchdb_t, couchdb_exec_t)
 +
++type couchdb_etc_t;
++files_config_file(couchdb_etc_t)
++
 +type couchdb_tmp_t;
 +files_tmp_file(couchdb_tmp_t)
 +
@@ -89758,11 +89859,15 @@ index 0000000..153c2ad
 +#
 +# couchdb local policy
 +#
++allow couchdb_t self:process { setsched signal signull sigkill };
 +allow couchdb_t self:fifo_file rw_fifo_file_perms;
 +allow couchdb_t self:unix_stream_socket create_stream_socket_perms;
 +allow couchdb_t self:tcp_socket create_stream_socket_perms;
 +allow couchdb_t self:udp_socket create_socket_perms;
 +
++allow couchdb_t couchdb_etc_t:dir list_dir_perms;
++read_files_pattern(couchdb_t, couchdb_etc_t, couchdb_etc_t)
++
 +manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 +manage_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
 +logging_log_filetrans(couchdb_t, couchdb_log_t, { dir file })
@@ -89797,15 +89902,15 @@ index 0000000..153c2ad
 +domain_use_interactive_fds(couchdb_t)
 +
 +files_read_etc_files(couchdb_t)
++files_read_usr_files(couchdb_t)
 +
-+fs_getattr_tmpfs(couchdb_t)
++fs_getattr_xattr_fs(couchdb_t)
 +
 +auth_use_nsswitch(couchdb_t)
 +
 +libs_exec_lib_files(couchdb_t)
 +
 +miscfiles_read_localization(couchdb_t)
-+
 diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
 index 01d31f1..8e2754b 100644
 --- a/policy/modules/services/courier.fc
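Review bot: `+-fs_getattr_tmpfs(couchdb_t)` is replaced by `++fs_getattr_xattr_fs(couchdb_t)` rather than added to; if couchdb still calls statfs on a tmpfs mount (the reason the original rule existed), that access now regresses to a denial. Unless the original rule was known to be wrong, keeping both lines is the safer change. The couchdb_t section begins before the hunk.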
@@ -90060,7 +90165,7 @@ index 2eefc08..32a4a69 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..9ac0000 100644
+index 35241ed..1b14bab 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -90276,7 +90381,17 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -304,7 +323,7 @@ interface(`cron_exec',`
+@@ -264,6 +283,9 @@ interface(`cron_system_entry',`
+ 	domtrans_pattern(crond_t, $2, $1)
+ 
+ 	role system_r types $1;
++
++	allow $1 crond_t:fifo_file rw_fifo_file_perms;
++	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
+ ')
+ 
+ ########################################
+@@ -304,7 +326,7 @@ interface(`cron_exec',`
  
  ########################################
  ## <summary>
@@ -90285,7 +90400,7 @@ index 35241ed..9ac0000 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -322,6 +341,29 @@ interface(`cron_initrc_domtrans',`
+@@ -322,6 +344,29 @@ interface(`cron_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -90315,7 +90430,7 @@ index 35241ed..9ac0000 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -359,6 +401,24 @@ interface(`cron_sigchld',`
+@@ -359,6 +404,24 @@ interface(`cron_sigchld',`
  
  ########################################
  ## <summary>
@@ -90340,7 +90455,7 @@ index 35241ed..9ac0000 100644
  ##	Read a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -377,6 +437,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +440,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -90388,7 +90503,7 @@ index 35241ed..9ac0000 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +491,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +494,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -90396,7 +90511,7 @@ index 35241ed..9ac0000 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +510,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +513,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -90441,7 +90556,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -468,6 +606,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +609,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -90467,7 +90582,7 @@ index 35241ed..9ac0000 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +638,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +641,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -90475,7 +90590,7 @@ index 35241ed..9ac0000 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +694,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +697,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -90484,7 +90599,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -554,7 +712,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +715,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -90493,7 +90608,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -587,11 +745,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +748,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -90509,7 +90624,7 @@ index 35241ed..9ac0000 100644
  ')
  
  ########################################
-@@ -627,7 +788,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +791,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -106098,7 +106213,7 @@ index 8581040..7d8e93b 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..5d6fe80 100644
+index bf64a4c..57dfbca 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
@@ -106248,15 +106363,21 @@ index bf64a4c..5d6fe80 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +341,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -321,11 +339,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+ # local policy for service check plugins
+ #
  
- allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
+-allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
++allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
 -
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
++allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
+ 
+ corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -340,6 +357,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +358,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
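Review bot: `++allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };` adds `setuid` without saying which plugin needs it; the changelog's "icmp nagios plugin" entry suggests check_icmp, which would open its raw socket (hence `++allow nagios_services_plugin_t self:rawip_socket create_socket_perms;`) and then change UID, but that is an inference. A comment tying the two rules together, e.g. `# check_icmp: open raw socket, then drop root (setuid)`, wording to confirm against the denial, would help. setuid combined with net_raw is a broad grant for a shared check-plugin domain, so a TODO noting a dedicated domain for the icmp check may be worth adding.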
@@ -106265,7 +106386,7 @@ index bf64a4c..5d6fe80 100644
  ')
  
  optional_policy(`
-@@ -363,6 +382,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +383,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -106274,7 +106395,7 @@ index bf64a4c..5d6fe80 100644
  kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
-@@ -376,6 +397,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
+@@ -376,6 +398,8 @@ domain_read_all_domains_state(nagios_system_plugin_t)
  
  files_read_etc_files(nagios_system_plugin_t)
  
@@ -106283,7 +106404,7 @@ index bf64a4c..5d6fe80 100644
  # needed by check_users plugin
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
-@@ -389,3 +412,49 @@ optional_policy(`
+@@ -389,3 +413,49 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(nagios_unconfined_plugin_t)
  ')
@@ -125099,7 +125220,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..e2dc691 100644
+index 3eca020..f44c5bd 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -125364,7 +125485,7 @@ index 3eca020..e2dc691 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +264,40 @@ optional_policy(`
+@@ -173,22 +264,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -125387,6 +125508,7 @@ index 3eca020..e2dc691 100644
 +allow virtd_t self:rawip_socket create_socket_perms;
 +allow virtd_t self:packet_socket create_socket_perms;
  allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
  
 -manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
 -manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
@@ -125412,7 +125534,7 @@ index 3eca020..e2dc691 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +308,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +309,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -125433,7 +125555,7 @@ index 3eca020..e2dc691 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +335,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +336,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -125449,7 +125571,7 @@ index 3eca020..e2dc691 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +363,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +364,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -125484,7 +125606,7 @@ index 3eca020..e2dc691 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +397,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +398,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -125503,7 +125625,7 @@ index 3eca020..e2dc691 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +423,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +424,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -125512,7 +125634,7 @@ index 3eca020..e2dc691 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +434,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +435,31 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -125544,7 +125666,7 @@ index 3eca020..e2dc691 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +477,10 @@ optional_policy(`
+@@ -313,6 +478,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125555,7 +125677,7 @@ index 3eca020..e2dc691 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +494,14 @@ optional_policy(`
+@@ -326,6 +495,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -125570,7 +125692,7 @@ index 3eca020..e2dc691 100644
  ')
  
  optional_policy(`
-@@ -334,11 +510,14 @@ optional_policy(`
+@@ -334,11 +511,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -125585,7 +125707,7 @@ index 3eca020..e2dc691 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +539,11 @@ optional_policy(`
+@@ -360,11 +540,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125602,7 +125724,7 @@ index 3eca020..e2dc691 100644
  ')
  
  optional_policy(`
-@@ -394,20 +573,36 @@ optional_policy(`
+@@ -394,20 +574,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -125642,7 +125764,7 @@ index 3eca020..e2dc691 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +613,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +614,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -125655,7 +125777,7 @@ index 3eca020..e2dc691 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +625,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +626,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -125668,7 +125790,7 @@ index 3eca020..e2dc691 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +638,386 @@ files_search_all(virt_domain)
+@@ -440,25 +639,386 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 81cb451..2206946 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 99%{?dist}
+Release: 100%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-100
+- Add additional fixes for icmp nagios plugin
+- Allow cron jobs to open fifo_files from cron, since service script opens /dev/stdin
+- Add certmonger_unconfined_exec_t
+- Make sure tap22 device is created with the correct label
+- Allow staff users to read systemd unit files
+- Merge in previously built policy
+- Arpwatch needs to be able to start netlink sockets in order to start
+- Allow cgred_t to sys_ptrace to look at other DAC Processes
+
 * Mon Mar 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-99
 - Back port some of the access that was allowed in nsplugin_t
 - Add definitiona for couchdb ports

