[selinux-policy/f17] * Fri Mar 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-102 - More fixes for boinc policy - Allo

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 16 12:34:49 UTC 2012


commit 81f76e1fce6095a0871c8d5e809f64b56e0de086
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 16 13:34:29 2012 +0100

    * Fri Mar 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-102
    - More fixes for boinc policy
    - Allow polipo domain to create its own cache dir and pid file
    - Add systemctl support to httpd domain
    - Add systemctl support to polipo, allow NetworkManager to manage the service
    - Add policy for jockey-backend
    - Add support for motion daemon which is now covered by zoneminder policy
    - Allow colord to read/write motion tmpfs
    - Allow vnstat to search through var_lib_t directories
    - Stop transitioning to quota_t, from init and sysadm_t

 modules-targeted.conf |    7 +
 permissivedomains.pp  |  Bin 78004 -> 81662 bytes
 permissivedomains.te  |    8 +
 policy-F16.patch      |  508 ++++++++++++++++++++++++++++++++++++++++---------
 selinux-policy.spec   |   13 ++-
 5 files changed, 449 insertions(+), 87 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index febad56..3f8b6c2 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2494,3 +2494,10 @@ obex = module
 #  policy for grindengine MPI jobs
 #
 sge = module
+
+# Layer: apps
+# Module: jockey
+# 
+#  policy for jockey-backend
+#
+jockey = module
diff --git a/permissivedomains.pp b/permissivedomains.pp
index 759d8b3..9e832a7 100644
Binary files a/permissivedomains.pp and b/permissivedomains.pp differ
diff --git a/permissivedomains.te b/permissivedomains.te
index 74c5a37..a77064c 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -87,3 +87,11 @@ optional_policy(`
 
 	permissive pacemaker_t;
 ')
+
+optional_policy(`
+    gen_require(`
+                type jockey_t;
+        ')
+
+        permissive jockey_t;
+')
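Review bot: The new `jockey_t` block is indented with spaces at three different depths, while the `pacemaker_t` block just above it uses a single tab, and nothing records when the domain should leave permissive mode. This commit declares jockey_t as a D-Bus system domain, and while it is permissive its rules are logged but not enforced. I would re-indent the block with tabs to match its neighbours and add a comment such as `# jockey_t: new in 3.10.0-102, remove from permissive once AVCs are reviewed`.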
diff --git a/policy-F16.patch b/policy-F16.patch
index 03a11ae..9e1d2c3 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -58536,10 +58536,20 @@ index bf75d99..d1af9cf 100644
 +    domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
 +')
 diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
-index 5dd42f5..c0b7cd0 100644
+index 5dd42f5..b4ebb85 100644
 --- a/policy/modules/admin/quota.te
 +++ b/policy/modules/admin/quota.te
-@@ -15,6 +15,13 @@ files_type(quota_db_t)
+@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
+ 
+ type quota_t;
+ type quota_exec_t;
+-init_system_domain(quota_t, quota_exec_t)
++application_domain(quota_t, quota_exec_t)
++#init_system_domain(quota_t, quota_exec_t)
+ 
+ type quota_db_t;
+ files_type(quota_db_t)
+@@ -15,6 +16,13 @@ files_type(quota_db_t)
  type quota_flag_t;
  files_type(quota_flag_t)
  
@@ -58553,7 +58563,7 @@ index 5dd42f5..c0b7cd0 100644
  ########################################
  #
  # Local policy
-@@ -34,6 +41,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
+@@ -34,6 +42,13 @@ files_home_filetrans(quota_t, quota_db_t, file)
  files_usr_filetrans(quota_t, quota_db_t, file)
  files_var_filetrans(quota_t, quota_db_t, file)
  files_spool_filetrans(quota_t, quota_db_t, file)
@@ -58567,7 +58577,7 @@ index 5dd42f5..c0b7cd0 100644
  
  kernel_list_proc(quota_t)
  kernel_read_proc_symlinks(quota_t)
-@@ -72,7 +86,7 @@ init_use_script_ptys(quota_t)
+@@ -72,7 +87,7 @@ init_use_script_ptys(quota_t)
  
  logging_send_syslog_msg(quota_t)
  
@@ -58576,7 +58586,7 @@ index 5dd42f5..c0b7cd0 100644
  userdom_dontaudit_use_unpriv_user_fds(quota_t)
  
  optional_policy(`
-@@ -82,3 +96,34 @@ optional_policy(`
+@@ -82,3 +97,34 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(quota_t)
  ')
@@ -63820,6 +63830,200 @@ index 66beb80..4bc18b6 100644
 -	nis_use_ypbind(irc_t)
 +	automount_dontaudit_getattr_tmp_dirs(irssi_t)
  ')
+diff --git a/policy/modules/apps/jockey.fc b/policy/modules/apps/jockey.fc
+new file mode 100644
+index 0000000..274cdec
+--- /dev/null
++++ b/policy/modules/apps/jockey.fc
+@@ -0,0 +1,6 @@
++/usr/share/jockey/jockey-backend		--	gen_context(system_u:object_r:jockey_exec_t,s0)
++
++/var/cache/jockey(/.*)?		gen_context(system_u:object_r:jockey_cache_t,s0)
++
++/var/log/jockey(/.*)?		gen_context(system_u:object_r:jockey_var_log_t,s0)
++/var/log/jockey\.log	--	gen_context(system_u:object_r:jockey_var_log_t,s0)
+diff --git a/policy/modules/apps/jockey.if b/policy/modules/apps/jockey.if
+new file mode 100644
+index 0000000..b083ea3
+--- /dev/null
++++ b/policy/modules/apps/jockey.if
+@@ -0,0 +1,133 @@
++
++## <summary>policy for jockey</summary>
++
++########################################
++## <summary>
++##	Transition to jockey.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jockey_domtrans',`
++	gen_require(`
++		type jockey_t, jockey_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, jockey_exec_t, jockey_t)
++')
++
++########################################
++## <summary>
++##	Search jockey cache directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_search_cache',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	allow $1 jockey_cache_t:dir search_dir_perms;
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Read jockey cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_read_cache_files',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	read_files_pattern($1, jockey_cache_t jockey_cache_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	jockey cache files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_manage_cache_files',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++## <summary>
++##	Manage jockey cache dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`jockey_manage_cache_dirs',`
++	gen_require(`
++		type jockey_cache_t;
++	')
++
++	files_search_var($1)
++	manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an jockey environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`jockey_admin',`
++	gen_require(`
++		type jockey_t;
++		type jockey_cache_t;
++	')
++
++	allow $1 jockey_t:process { ptrace signal_perms };
++	ps_process_pattern($1, jockey_t)
++
++	files_search_var($1)
++	admin_pattern($1, jockey_cache_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
+new file mode 100644
+index 0000000..a323883
+--- /dev/null
++++ b/policy/modules/apps/jockey.te
+@@ -0,0 +1,37 @@
++policy_module(jockey, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jockey_t;
++type jockey_exec_t;
++dbus_system_domain(jockey_t, jockey_exec_t)
++
++type jockey_cache_t;
++files_type(jockey_cache_t)
++
++type jockey_var_log_t;
++logging_log_file(jockey_var_log_t)
++
++########################################
++#
++# jockey local policy
++#
++
++
++manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
++
++manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
++
++domain_use_interactive_fds(jockey_t)
++
++files_read_etc_files(jockey_t)
++
++miscfiles_read_localization(jockey_t)
 diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
 new file mode 100644
 index 0000000..25e4b68
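Review bot: In `jockey_read_cache_files` (new jockey.if) the call `read_files_pattern($1, jockey_cache_t jockey_cache_t)` is missing the comma between the directory type and the file type. The macro therefore receives two arguments, not the three that the sibling `manage_files_pattern($1, jockey_cache_t, jockey_cache_t)` passes. It should read `read_files_pattern($1, jockey_cache_t, jockey_cache_t)`. In the same file, `jockey_admin` documents a `role` parameter that its body never references; either drop the `<param name="role">` block or use `$2`.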
@@ -78874,7 +79078,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..5bacc97 100644
+index e14b961..6f59878 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,62 @@ policy_module(sysadm, 2.2.1)
@@ -78995,18 +79199,18 @@ index e14b961..5bacc97 100644
 -	consoletype_run(sysadm_t, sysadm_r)
 +	cron_admin_role(sysadm_r, sysadm_t)
 +	#cron_role(sysadm_r, sysadm_t)
+ ')
+ 
+ optional_policy(`
+-	cvs_exec(sysadm_t)
++	consoletype_exec(sysadm_t)
 +')
 +
 +optional_policy(`
-+	consoletype_exec(sysadm_t)
++    daemonstools_run_start(sysadm_t, sysadm_r)
 +')
 +
 +optional_policy(`
-+    daemonstools_run_start(sysadm_t, sysadm_r)
- ')
- 
- optional_policy(`
--	cvs_exec(sysadm_t)
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
  ')
  
@@ -79157,7 +79361,7 @@ index e14b961..5bacc97 100644
  
  optional_policy(`
 -	razor_role(sysadm_r, sysadm_t)
-+	quota_run(sysadm_t, sysadm_r)
++	quota_filetrans_named_content(sysadm_t)
  ')
  
  optional_policy(`
@@ -79318,9 +79522,8 @@ index e14b961..5bacc97 100644
  	optional_policy(`
 -		java_role(sysadm_r, sysadm_t)
 +		lockdev_role(sysadm_r, sysadm_t)
- 	')
--')
- 
++	')
++
 +	optional_policy(`
 +		mock_admin(sysadm_t)
 +	')
@@ -79359,8 +79562,9 @@ index e14b961..5bacc97 100644
 +
 +	optional_policy(`
 +		uml_role(sysadm_r, sysadm_t)
-+	')
-+
+ 	')
+-')
+ 
 +	optional_policy(`
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
@@ -82190,7 +82394,7 @@ index 9e39aa5..2386b92 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..2ad693a 100644
+index 6480167..b2db556 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,62 +13,46 @@
@@ -82757,20 +82961,43 @@ index 6480167..2ad693a 100644
  ')
  
  ########################################
-@@ -1150,12 +1275,6 @@ interface(`apache_cgi_domain',`
+@@ -1148,14 +1273,31 @@ interface(`apache_cgi_domain',`
+ 
+ ########################################
  ## <summary>
- ##	All of the rules required to administrate an apache environment
+-##	All of the rules required to administrate an apache environment
++##	Execute httpd server in the httpd domain.
  ## </summary>
 -## <param name="prefix">
--##	<summary>
++## <param name="domain">
+ ##	<summary>
 -##	Prefix of the domain. Example, user would be
 -##	the prefix for the uder_t domain.
--##	</summary>
--## </param>
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
++#
++interface(`httpd_systemctl',`
++	gen_require(`
++		type httpd_t;
++		type httpd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 httpd_unit_file_t:file read_file_perms;
++	allow $1 httpd_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, httpd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate an apache environment
++## </summary>
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1170,19 +1289,21 @@ interface(`apache_cgi_domain',`
+@@ -1170,19 +1312,21 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
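Review bot: The new `httpd_systemctl` interface has a summary and parameter text copied from a domain-transition interface ("Execute httpd server in the httpd domain", "Domain allowed to transition"), which does not describe what the body grants. The body grants `systemd_exec_systemctl`, read access to `httpd_unit_file_t` files and `all_service_perms` on the unit. I would change the summary to something like `##	Execute systemctl and control the httpd unit file as a service.` and the parameter text to `##	Domain allowed access.`, so callers can see how much they are handing out. The name also breaks the `apache_` prefix used by the other interfaces visible in this file (`apache_cgi_domain`, `apache_admin`). `polipo_systemctl` in polipo.if repeats the same copied summary. `apache_admin` begins at the end of this hunk and continues outside it.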
@@ -82799,7 +83026,7 @@ index 6480167..2ad693a 100644
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 httpd_initrc_exec_t system_r;
-@@ -1191,10 +1312,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1335,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -82812,7 +83039,7 @@ index 6480167..2ad693a 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1326,69 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,70 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -82831,7 +83058,8 @@ index 6480167..2ad693a 100644
  	admin_pattern($1, httpd_php_tmp_t)
  	admin_pattern($1, httpd_suexec_tmp_t)
 +
-+	allow $1 httpd_unit_file_t:service all_service_perms;
++	admin_pattern($1, httpd_unit_file_t)
++	httpd_systemctl($1)
 +
 +	ifdef(`TODO',`
 +		apache_set_booleans($1, $2, $3, httpd_bool_t)
@@ -85655,10 +85883,10 @@ index 0000000..9fe3f9e
 +')
 diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
 new file mode 100644
-index 0000000..ede2bdb
+index 0000000..f713e4f
 --- /dev/null
 +++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,188 @@
 +policy_module(boinc, 1.0.0)
 +
 +########################################
@@ -85702,6 +85930,9 @@ index 0000000..ede2bdb
 +allow boinc_domain self:fifo_file rw_fifo_file_perms;
 +allow boinc_domain self:sem create_sem_perms;
 +
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
 +# needs read /proc/interrupts
 +kernel_read_system_state(boinc_domain)
 +
@@ -85747,13 +85978,17 @@ index 0000000..ede2bdb
 +fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
 +
 +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
 +
 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +
++kernel_search_vm_sysctl(boinc_t)
++
 +files_getattr_all_dirs(boinc_t)
 +files_getattr_all_files(boinc_t)
 +
@@ -85791,30 +86026,32 @@ index 0000000..ede2bdb
 +# boinc-projects local policy
 +#
 +
++allow boinc_project_t self:capability { setuid setgid };
++
 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 +allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
 +
-+allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
 +allow boinc_project_t self:process { execmem execstack };
 +
 +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
 +
 +allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
 +exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
 +manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
 +
 +allow boinc_project_t boinc_project_var_lib_t:file execmod;
 +
 +allow boinc_project_t boinc_t:shm rw_shm_perms;
 +allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
 +
-+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+
 +kernel_read_kernel_sysctls(boinc_project_t)
 +kernel_search_vm_sysctl(boinc_project_t)
 +kernel_read_network_state(boinc_project_t)
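Review bot: `allow boinc_t boinc_project_t:process noatsecure;` and the `ptrace setcap getcap` added to `boinc_project_t self:process` arrive without a why-comment, unlike the `# needed by java` rule added a few hunks later. noatsecure turns off secure-execution mode across the boinc_t to boinc_project_t transition, so the client's environment is passed unfiltered to code entered from `boinc_project_var_lib_t` files. Together with the `execmem execstack` already allowed, that is a wide grant for the domain meant to contain project code. I would add a one-line comment above each new rule naming the denial it resolves, so the rule can be revisited when the cause is fixed.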
@@ -85823,6 +86060,9 @@ index 0000000..ede2bdb
 +
 +files_dontaudit_search_home(boinc_project_t)
 +
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
 +optional_policy(`
 +	gnome_read_gconf_config(boinc_project_t)	
 +')
@@ -85830,6 +86070,11 @@ index 0000000..ede2bdb
 +optional_policy(`
 +	java_exec(boinc_project_t)
 +')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++	unconfined_domain(boinc_project_t)
++')
 diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
 index 8c84063..c8bfb68 100644
 --- a/policy/modules/services/bugzilla.fc
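Review bot: `unconfined_domain(boinc_project_t)` makes every other rule written for boinc_project_t in this file moot, and the only record of why is `# until solution for VirtualBox, java ..`. boinc_project_t is the domain entered from `boinc_project_var_lib_t` files, which boinc_t itself manages, so this is the part of the policy that confines project code. I would expand the comment into something a later cleanup can act on, for example `# FIXME: temporary, remove once VirtualBox/java access is modelled (bug: <placeholder id>)`. The changelog entry "More fixes for boinc policy" should also say that boinc projects run unconfined in this build.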
@@ -89042,7 +89287,7 @@ index 0000000..ab1d55b
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..543b5dc 100644
+index 74505cc..37cb2d5 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -89140,7 +89385,7 @@ index 74505cc..543b5dc 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -96,5 +129,16 @@ optional_policy(`
+@@ -96,5 +129,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -89157,6 +89402,10 @@ index 74505cc..543b5dc 100644
 +	# /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
 +	xserver_read_inherited_xdm_lib_files(colord_t)
 +')
++
++optional_policy(`
++	zoneminder_rw_tmpfs_files(colord_t)
++')
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
 index fd15dfe..d33cc41 100644
 --- a/policy/modules/services/consolekit.if
@@ -106666,7 +106915,7 @@ index 2324d9e..8666a3c 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..e8e7ad6 100644
+index 0619395..71b47c8 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -106875,7 +107124,18 @@ index 0619395..e8e7ad6 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -241,6 +309,7 @@ optional_policy(`
+@@ -234,6 +302,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	polipo_systemctl(NetworkManager_t)
++')
++
++optional_policy(`
+ 	ppp_initrc_domtrans(NetworkManager_t)
+ 	ppp_domtrans(NetworkManager_t)
+ 	ppp_manage_pid_files(NetworkManager_t)
+@@ -241,6 +313,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -106883,7 +107143,7 @@ index 0619395..e8e7ad6 100644
  ')
  
  optional_policy(`
-@@ -254,6 +323,10 @@ optional_policy(`
+@@ -254,6 +327,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -106894,7 +107154,7 @@ index 0619395..e8e7ad6 100644
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +336,7 @@ optional_policy(`
+@@ -263,6 +340,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -107737,7 +107997,7 @@ index 85188dc..0a96e14 100644
 +	nscd_systemctl($1)
  ')
 diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..2f6a98f 100644
+index 7936e09..c0538d0 100644
 --- a/policy/modules/services/nscd.te
 +++ b/policy/modules/services/nscd.te
 @@ -1,9 +1,16 @@
@@ -107768,7 +108028,7 @@ index 7936e09..2f6a98f 100644
  type nscd_log_t;
  logging_log_file(nscd_log_t)
  
-@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
  allow nscd_t nscd_log_t:file manage_file_perms;
  logging_log_filetrans(nscd_t, nscd_log_t, file)
  
@@ -107780,7 +108040,12 @@ index 7936e09..2f6a98f 100644
  
  corecmd_search_bin(nscd_t)
  can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
+ 
++kernel_read_network_state(nscd_t)
+ kernel_read_kernel_sysctls(nscd_t)
+ kernel_list_proc(nscd_t)
+ kernel_read_proc_symlinks(nscd_t)
+@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t)
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
  domain_use_interactive_fds(nscd_t)
@@ -107788,7 +108053,7 @@ index 7936e09..2f6a98f 100644
  
  files_read_etc_files(nscd_t)
  files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
  userdom_dontaudit_search_user_home_dirs(nscd_t)
  
  optional_policy(`
@@ -107799,7 +108064,7 @@ index 7936e09..2f6a98f 100644
  	cron_read_system_job_tmp_files(nscd_t)
  ')
  
-@@ -127,3 +143,17 @@ optional_policy(`
+@@ -127,3 +144,17 @@ optional_policy(`
  	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
  	xen_append_log(nscd_t)
  ')
@@ -110861,10 +111126,10 @@ index 1e7169d..fdb8fc0 100644
 -
 diff --git a/policy/modules/services/polipo.fc b/policy/modules/services/polipo.fc
 new file mode 100644
-index 0000000..8a06f66
+index 0000000..e108c40
 --- /dev/null
 +++ b/policy/modules/services/polipo.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,16 @@
 +HOME_DIR/\.polipo	--	gen_context(system_u:object_r:polipo_config_home_t,s0)
 +HOME_DIR/\.polipo-cache(/.*)?	gen_context(system_u:object_r:polipo_cache_home_t,s0)
 +
@@ -110872,6 +111137,8 @@ index 0000000..8a06f66
 +
 +/etc/rc\.d/init\.d/polipo	--	gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
 +
++/lib/systemd/system/polipo\.service  --              gen_context(system_u:object_r:polipo_unit_file_t,s0)
++
 +/usr/bin/polipo	--	gen_context(system_u:object_r:polipo_exec_t,s0)
 +
 +/var/cache/polipo(/.*)?	gen_context(system_u:object_r:polipo_cache_t,s0)
@@ -110881,10 +111148,10 @@ index 0000000..8a06f66
 +/var/run/polipo(/.*)?	gen_context(system_u:object_r:polipo_pid_t,s0)
 diff --git a/policy/modules/services/polipo.if b/policy/modules/services/polipo.if
 new file mode 100644
-index 0000000..7dc2c0c
+index 0000000..64a6d26
 --- /dev/null
 +++ b/policy/modules/services/polipo.if
-@@ -0,0 +1,191 @@
+@@ -0,0 +1,218 @@
 +## <summary>Caching web proxy.</summary>
 +
 +########################################
@@ -111033,6 +111300,29 @@ index 0000000..7dc2c0c
 +
 +########################################
 +## <summary>
++##	Execute polipo server in the polipo domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`polipo_systemctl',`
++	gen_require(`
++		type polipo_t;
++		type polipo_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 polipo_unit_file_t:file read_file_perms;
++	allow $1 polipo_unit_file_t:service all_service_perms;
++
++	ps_process_pattern($1, polipo_t)
++')
++
++########################################
++## <summary>
 +##	Administrate an polipo environment.
 +## </summary>
 +## <param name="domain">
@@ -111051,6 +111341,7 @@ index 0000000..7dc2c0c
 +	gen_require(`
 +		type polipo_t, polipo_pid_t, polipo_cache_t;
 +		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
++		type polipo_unit_file_t;
 +	')
 +
 +	allow $1 polipo_t:process signal_perms;
@@ -111075,13 +111366,16 @@ index 0000000..7dc2c0c
 +
 +	files_list_pids($1)
 +	admin_pattern($1, polipo_pid_t)
++
++	admin_pattern($1, polipo_unit_file_t)
++	polipo_systemctl($1)
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..87e8372
+index 0000000..a18621f
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,160 @@
+@@ -0,0 +1,166 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -111168,6 +111462,9 @@ index 0000000..87e8372
 +type polipo_cache_home_t;
 +userdom_user_home_content(polipo_cache_home_t)
 +
++type polipo_unit_file_t;
++systemd_unit_file(polipo_unit_file_t)
++
 +########################################
 +#
 +# Global local policy
@@ -111199,10 +111496,13 @@ index 0000000..87e8372
 +read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
 +
 +manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++files_var_filetrans(polipo_t, polipo_cache_t, dir)
 +
-+append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
++logging_log_filetrans(polipo_t, polipo_log_t, file)
 +
 +manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
++files_pid_filetrans(polipo_t, polipo_pid_t, file)
 +
 +auth_use_nsswitch(polipo_t)
 +
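Review bot: Replacing `append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)` with `manage_files_pattern` lets the proxy truncate, rewrite and unlink its own logs, where before it could only append. If the goal is to let polipo create the log file that the added `logging_log_filetrans` labels, keeping the append rule and adding `create_files_pattern(polipo_t, polipo_log_t, polipo_log_t)` would be enough, assuming polipo does not rotate its own logs. Separately, `files_var_filetrans(polipo_t, polipo_cache_t, dir)` only sets the label for a new cache directory. Unless a `manage_dirs_pattern` for polipo_cache_t exists outside this hunk, the directory create itself may still be denied.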
@@ -118811,7 +119111,7 @@ index 82cb169..6cdb535 100644
 +	samba_systemctl($1)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..bba1598 100644
+index e30bb63..1fc4dd8 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false)
@@ -118988,18 +119288,19 @@ index e30bb63..bba1598 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -422,6 +442,10 @@ optional_policy(`
+@@ -422,6 +442,11 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	ldap_stream_connect(smbd_t)
++	dirsrv_stream_connect(smbd_t)
 +')
 +
 +optional_policy(`
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -445,26 +469,25 @@ optional_policy(`
+@@ -445,26 +470,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
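Review bot: `dirsrv_stream_connect(smbd_t)` is added inside the same `optional_policy` block as `ldap_stream_connect(smbd_t)`, and an optional block is dropped as a whole when any interface in it cannot be resolved. In a policy built without the dirsrv module, smbd_t would then lose the LDAP socket access as well. I would move `dirsrv_stream_connect(smbd_t)` into its own `optional_policy` block directly after this one, so the two dependencies fail independently.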
@@ -119033,7 +119334,7 @@ index e30bb63..bba1598 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +507,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +508,10 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -119045,7 +119346,7 @@ index e30bb63..bba1598 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -555,18 +580,21 @@ optional_policy(`
+@@ -555,18 +581,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -119071,7 +119372,7 @@ index e30bb63..bba1598 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -574,11 +602,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +603,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -119092,7 +119393,7 @@ index e30bb63..bba1598 100644
  
  ########################################
  #
-@@ -644,19 +680,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +681,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -119117,7 +119418,7 @@ index e30bb63..bba1598 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +715,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +716,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -119127,7 +119428,7 @@ index e30bb63..bba1598 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +731,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +732,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -119142,7 +119443,7 @@ index e30bb63..bba1598 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +751,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +752,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -119150,7 +119451,7 @@ index e30bb63..bba1598 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +796,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +797,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -119159,7 +119460,7 @@ index e30bb63..bba1598 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -783,7 +827,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +828,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -119169,7 +119470,7 @@ index e30bb63..bba1598 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +851,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +852,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -119191,7 +119492,7 @@ index e30bb63..bba1598 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +879,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +880,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -119199,7 +119500,7 @@ index e30bb63..bba1598 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -850,10 +897,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +898,14 @@ domain_use_interactive_fds(winbind_t)
  
  files_read_etc_files(winbind_t)
  files_read_usr_symlinks(winbind_t)
@@ -119214,7 +119515,7 @@ index e30bb63..bba1598 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +914,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +915,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
  userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
@@ -119227,7 +119528,7 @@ index e30bb63..bba1598 100644
  optional_policy(`
  	kerberos_use(winbind_t)
  ')
-@@ -904,7 +961,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +962,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -119236,7 +119537,7 @@ index e30bb63..bba1598 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,19 +979,34 @@ optional_policy(`
+@@ -922,19 +980,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -126215,10 +126516,10 @@ index 727fe95..adbb3fb 100644
  	files_list_var_lib($1)
  	admin_pattern($1, vnstatd_var_lib_t)
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
-index 8121937..5a462fb 100644
+index 8121937..275409f 100644
 --- a/policy/modules/services/vnstatd.te
 +++ b/policy/modules/services/vnstatd.te
-@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal;
+@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
  allow vnstatd_t self:fifo_file rw_fifo_file_perms;
  allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -126229,11 +126530,15 @@ index 8121937..5a462fb 100644
  manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
  manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
  
  manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
  manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+@@ -62,9 +66,9 @@ allow vnstat_t self:process signal;
+ allow vnstat_t self:fifo_file rw_fifo_file_perms;
+ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
  
++files_search_var_lib(vnstat_t)
  manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
  manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
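Review bot: The re-added transition `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)` drops the `file` class that the removed rule covered, and nothing in the policy says why. With a dir-only transition, a regular file that vnstatd creates directly in a `var_lib_t` directory would keep the parent's type instead of `vnstatd_var_lib_t`. If the narrowing is intentional, a comment above the rule would record it, for example `# only the private directory needs a transition; files are created inside it` (assuming that is the reason). The `vnstat_t` rules further down now get `files_search_var_lib(vnstat_t)` and no transition at all while keeping both `manage_*_pattern` rules, so the same comment is worth adding there. Both rule groups sit in sections of vnstatd.te that extend beyond this hunk.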
@@ -129443,13 +129748,16 @@ index ade6c2c..2b78f0d 100644
  logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 diff --git a/policy/modules/services/zoneminder.fc b/policy/modules/services/zoneminder.fc
 new file mode 100644
-index 0000000..b74fadf
+index 0000000..47e388a
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,22 @@
++/etc/rc\.d/init\.d/motion       --      gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
 +
 +/etc/rc\.d/init\.d/zoneminder	--	gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
 +
++/usr/bin/motion         --      gen_context(system_u:object_r:zoneminder_exec_t,s0)
++
 +/usr/bin/zmpkg.pl		--	gen_context(system_u:object_r:zoneminder_exec_t,s0)
 +
 +/usr/libexec/zoneminder/cgi-bin(/.*)? 	gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
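Review bot: Labelling `/usr/bin/motion` as `zoneminder_exec_t` and its init script as `zoneminder_initrc_exec_t` presumably makes motion run in `zoneminder_t` (the domain transition itself is outside this hunk), so two unrelated daemons share one confinement boundary. Each then holds the union of both permission sets, and the later zoneminder.te hunk widens that domain with port binds and video-device write access. If a dedicated domain for motion is out of scope for this update, the file-context file should at least say so, for example `# motion has no domain of its own yet; it runs as zoneminder_t`. The two added entries are also indented with spaces where the neighbouring entries use tabs.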
@@ -129458,13 +129766,20 @@ index 0000000..b74fadf
 +
 +/var/log/zoneminder(/.*)?		gen_context(system_u:object_r:zoneminder_log_t,s0)
 +
++/var/log/motion\.log	--		gen_context(system_u:object_r:zoneminder_log_t,s0)
++
++/var/run/motion\.pid	--		gen_context(system_u:object_r:zoneminder_var_run_t,s0)
++
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
++
++
++
 diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if
 new file mode 100644
-index 0000000..d3e6527
+index 0000000..b34b8b4
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.if
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,339 @@
 +
 +## <summary>policy for zoneminder</summary>
 +
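Review bot: The `/var/log/motion\.log` and `/var/run/motion\.pid` entries only take effect when files are relabelled; a file the daemon creates at runtime gets these types only through a type transition for the `file` class. No such rule is visible in this hunk, so it is worth confirming that zoneminder.te carries something like `files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, file)` and a matching `logging_log_filetrans` for `zoneminder_log_t`. Without them the pid and log files would presumably be created with the generic type of the parent directory. The hunk also appends three blank lines to the end of zoneminder.fc, which can be dropped.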
@@ -129740,6 +130055,25 @@ index 0000000..d3e6527
 +	stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
 +')
 +
++######################################
++## <summary>
++##  Read/write zonerimender tmpfs files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`zoneminder_rw_tmpfs_files',`
++    gen_require(`
++        type zoneminder_tmpfs_t;
++    ')
++
++    fs_search_tmpfs($1)
++    rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
++')
++
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
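Review bot: The summary of the new `zoneminder_rw_tmpfs_files` interface misspells the module name; it should read `##  Read/write zoneminder tmpfs files.`. The block is also indented with spaces and opens with a shorter `#` banner than the interface that follows it, which uses tabs and the longer banner. Matching the file's existing layout keeps the generated interface documentation and later diffs consistent.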
@@ -129787,10 +130121,10 @@ index 0000000..d3e6527
 +
 diff --git a/policy/modules/services/zoneminder.te b/policy/modules/services/zoneminder.te
 new file mode 100644
-index 0000000..bcbe09f
+index 0000000..9562539
 --- /dev/null
 +++ b/policy/modules/services/zoneminder.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,124 @@
 +policy_module(zoneminder, 1.0.0)
 +
 +########################################
@@ -129866,12 +130200,14 @@ index 0000000..bcbe09f
 +corecmd_exec_bin(zoneminder_t)
 +corecmd_exec_shell(zoneminder_t)
 +
++corenet_tcp_bind_http_cache_port(zoneminder_t)
++corenet_tcp_bind_transproxy_port(zoneminder_t)
++
 +dev_read_sysfs(zoneminder_t)
 +dev_read_rand(zoneminder_t)
 +dev_read_urand(zoneminder_t)
 +dev_read_video_dev(zoneminder_t)
-+
-+domain_use_interactive_fds(zoneminder_t)
++dev_write_video_dev(zoneminder_t)
 +
 +files_read_etc_files(zoneminder_t)
 +files_read_usr_files(zoneminder_t)
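Review bot: The added `corenet_tcp_bind_http_cache_port(zoneminder_t)`, `corenet_tcp_bind_transproxy_port(zoneminder_t)` and `dev_write_video_dev(zoneminder_t)` carry no comment saying which program needs them. Going by the changelog they are presumably for motion, but because they are granted to `zoneminder_t` they apply to every process in that domain. A line such as `# required by motion, which runs in zoneminder_t` above each group would make the grant reviewable. The hunk also removes `domain_use_interactive_fds(zoneminder_t)`, which the changelog does not mention. The rule list continues outside the hunk.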
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e1bac3c..4a437ea 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 101%{?dist}
+Release: 102%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 16 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-102
+- More fixes for boinc policy
+- Allow polipo domain to create its own cache dir and pid file
+- Add systemctl support to httpd domain
+- Add systemctl support to polipo, allow NetworkManager to manage the service
+- Add policy for jockey-backend
+- Add support for motion daemon which is now covered by zoneminder policy
+- Allow colord to read/write motion tmpfs
+- Allow vnstat to search through var_lib_t directories
+- Stop transitioning to quota_t, from init an sysadm_t
+
 * Wed Mar 14 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-101
 - Add svirt_lxc_file_t as a customizable type
 

