[selinux-policy/f16] * Wed Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-81 - boinc fixes - Allow vnstat to searc
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 16 14:53:17 UTC 2012
commit 514305e2066ee9b256955e7f12343ee263c627d2
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 16 15:53:03 2012 +0100
* Wed Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-81
- boinc fixes
- Allow vnstat to search through var_lib_t directories
- Add jockey policy
- Allow nscd to read kernel network state
- Allow logrotate to read mysql home content
- Add own type for rdate port
modules-targeted.conf | 7 ++
policy-F16.patch | 282 ++++++++++++++++++++++++++++++++++++++++++++----
selinux-policy.spec | 10 ++-
3 files changed, 274 insertions(+), 25 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index bb47a0f..5e4bd24 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2486,3 +2486,10 @@ rabbitmq = module
# cloudform daemons
#
cloudform = module
+
+# Layer: apps
+# Module: jockey
+#
+# policy for jockey-backend
+#
+jockey_t = module
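Review bot: `jockey_t = module` keys the entry on the type name rather than the module name; the neighbouring entries in the hunk context use module names (`rabbitmq = module`, `cloudform = module`), and the new policy in this commit is declared as `policy_module(jockey, 1.0.0)`, so the build is unlikely to pick the module up under this key. The line should read `jockey = module`. The `# Module: jockey` header just above already uses the right name.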
diff --git a/policy-F16.patch b/policy-F16.patch
index c63b62d..b091186 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1312,7 +1312,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..1c6d379 100644
+index 7090dae..24f535a 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1444,7 +1444,13 @@ index 7090dae..1c6d379 100644
icecast_signal(logrotate_t)
')
-@@ -200,9 +223,12 @@ optional_policy(`
+@@ -195,14 +218,18 @@ optional_policy(`
+
+ optional_policy(`
+ mysql_read_config(logrotate_t)
++ mysql_read_home_content(logrotate_t)
+ mysql_search_db(logrotate_t)
+ mysql_stream_connect(logrotate_t)
')
optional_policy(`
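Review bot: `mysql_read_home_content(logrotate_t)` gives logrotate read access to everything carrying the mysql home-content label, which is wider than the log files it needs to rotate; presumably mysql keeps logs under its home directory, but the line does not say so. If the mysql interfaces offer a log-specific read interface it is the narrower choice, and otherwise a why-comment on the line, e.g. `# logrotate rotates logs that mysql keeps under its home directory`, records the reason for the broad grant. The optional_policy block containing it opens inside the hunk but the rest of logrotate.te is outside it.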
@@ -1458,7 +1464,7 @@ index 7090dae..1c6d379 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +254,14 @@ optional_policy(`
+@@ -228,3 +255,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -2013,10 +2019,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..0bd2028
+index 0000000..3527e56
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,349 @@
+@@ -0,0 +1,357 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -2366,6 +2372,14 @@ index 0000000..0bd2028
+
+ permissive matahari_sysconfigd_t;
+')
++
++optional_policy(`
++ gen_require(`
++ type jockey_t;
++ ')
++
++ permissive jockey_t;
++')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
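Review bot: `permissive jockey_t;` puts the new jockey domain in permissive mode, so the rules in the jockey.te added elsewhere in this commit only produce audit records and do not confine jockey-backend until this block is removed. That is the usual staging step for a new domain, but nothing in the block says when it is meant to go, and blocks like this tend to outlive their purpose. A comment on the gen_require line such as `# new domain: permissive while the policy is validated; remove once denials are clean` (or a reference to the tracking item) keeps the intent reviewable.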
@@ -7994,6 +8008,200 @@ index 167950d..27d37b0 100644
+ wine_domtrans(unconfined_java_t)
+ ')
')
+diff --git a/policy/modules/apps/jockey.fc b/policy/modules/apps/jockey.fc
+new file mode 100644
+index 0000000..274cdec
+--- /dev/null
++++ b/policy/modules/apps/jockey.fc
+@@ -0,0 +1,6 @@
++/usr/share/jockey/jockey-backend -- gen_context(system_u:object_r:jockey_exec_t,s0)
++
++/var/cache/jockey(/.*)? gen_context(system_u:object_r:jockey_cache_t,s0)
++
++/var/log/jockey(/.*)? gen_context(system_u:object_r:jockey_var_log_t,s0)
++/var/log/jockey\.log -- gen_context(system_u:object_r:jockey_var_log_t,s0)
+diff --git a/policy/modules/apps/jockey.if b/policy/modules/apps/jockey.if
+new file mode 100644
+index 0000000..b083ea3
+--- /dev/null
++++ b/policy/modules/apps/jockey.if
+@@ -0,0 +1,133 @@
++
++## <summary>policy for jockey</summary>
++
++########################################
++## <summary>
++## Transition to jockey.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`jockey_domtrans',`
++ gen_require(`
++ type jockey_t, jockey_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, jockey_exec_t, jockey_t)
++')
++
++########################################
++## <summary>
++## Search jockey cache directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jockey_search_cache',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ allow $1 jockey_cache_t:dir search_dir_perms;
++ files_search_var($1)
++')
++
++########################################
++## <summary>
++## Read jockey cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jockey_read_cache_files',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, jockey_cache_t jockey_cache_t)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## jockey cache files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jockey_manage_cache_files',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++########################################
++## <summary>
++## Manage jockey cache dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`jockey_manage_cache_dirs',`
++ gen_require(`
++ type jockey_cache_t;
++ ')
++
++ files_search_var($1)
++ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an jockey environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`jockey_admin',`
++ gen_require(`
++ type jockey_t;
++ type jockey_cache_t;
++ ')
++
++ allow $1 jockey_t:process { ptrace signal_perms };
++ ps_process_pattern($1, jockey_t)
++
++ files_search_var($1)
++ admin_pattern($1, jockey_cache_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/policy/modules/apps/jockey.te b/policy/modules/apps/jockey.te
+new file mode 100644
+index 0000000..a323883
+--- /dev/null
++++ b/policy/modules/apps/jockey.te
+@@ -0,0 +1,37 @@
++policy_module(jockey, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type jockey_t;
++type jockey_exec_t;
++dbus_system_domain(jockey_t, jockey_exec_t)
++
++type jockey_cache_t;
++files_type(jockey_cache_t)
++
++type jockey_var_log_t;
++logging_log_file(jockey_var_log_t)
++
++########################################
++#
++# jockey local policy
++#
++
++
++manage_dirs_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++manage_lnk_files_pattern(jockey_t, jockey_cache_t, jockey_cache_t)
++files_var_filetrans(jockey_t, jockey_cache_t, { dir file })
++
++manage_files_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++manage_dirs_pattern(jockey_t, jockey_var_log_t, jockey_var_log_t)
++logging_log_filetrans(jockey_t, jockey_var_log_t, { file dir })
++
++domain_use_interactive_fds(jockey_t)
++
++files_read_etc_files(jockey_t)
++
++miscfiles_read_localization(jockey_t)
diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
new file mode 100644
index 0000000..25e4b68
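Review bot: `read_files_pattern($1, jockey_cache_t jockey_cache_t)` in `jockey_read_cache_files` is missing the comma between the second and third arguments, so the macro receives two arguments rather than three; the sibling interfaces spell it `manage_files_pattern($1, jockey_cache_t, jockey_cache_t)`, and this line should read `read_files_pattern($1, jockey_cache_t, jockey_cache_t)`. Separately, `files_var_filetrans(jockey_t, jockey_cache_t, { dir file })` in jockey.te labels anything jockey_t creates directly under the var_t tree as jockey_cache_t, not only the /var/cache/jockey path that jockey.fc declares; if the named form this commit uses for files_var_lib_filetrans in the boinc hunk is also available for files_var_filetrans, `files_var_filetrans(jockey_t, jockey_cache_t, dir, "jockey")` would narrow it. The jockey_admin summary text `an jockey environment` should read `a jockey environment`.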
@@ -28138,10 +28346,10 @@ index 0000000..fa9b95a
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..41698a6
+index 0000000..b673632
--- /dev/null
+++ b/policy/modules/services/boinc.te
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,192 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -28185,6 +28393,9 @@ index 0000000..41698a6
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:sem create_sem_perms;
+
++manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_domain)
+
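Review bot: The two `manage_*_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)` lines grant full create/write/delete on boinc_var_lib_t to every member of the boinc_domain attribute, while the hunk at `@@ -28286,22 +28504,21` in this same file removes the narrower `list_dirs_pattern`/`rw_files_pattern` grants that boinc_project_t had on the same type. If boinc_project_t is a member of boinc_domain (the attribute's membership is declared outside these hunks), the project-application domain moves from list/read-write to full manage of the client's state directory, which is a wider grant than before for the domain that runs downloaded project binaries. If that widening is intended, a comment above the two lines saying so would help, e.g. `# project apps manage client state under boinc_var_lib_t`; otherwise keep the manage rules on boinc_t and restore the narrower grants for boinc_project_t.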
@@ -28231,13 +28442,17 @@ index 0000000..41698a6
+fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
+
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
-+filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)
++# this should be created by default by boinc
++# we need this label for transition to boinc_project_t
++# other boinc lib files will end up with boinc_var_lib_t
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
+
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
++kernel_search_vm_sysctl(boinc_t)
++
+files_getattr_all_dirs(boinc_t)
+files_getattr_all_files(boinc_t)
+
@@ -28275,10 +28490,13 @@ index 0000000..41698a6
+# boinc-projects local policy
+#
+
++allow boinc_project_t self:capability { setuid setgid };
++
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill;
++allow boinc_t boinc_project_t:process noatsecure;
+
-+allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
++allow boinc_project_t self:process { ptrace setcap getcap setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack };
+
+allow boinc_project_t self:fifo_file rw_fifo_file_perms;
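Review bot: `allow boinc_t boinc_project_t:process noatsecure;` lets the transition into boinc_project_t happen without the secure-execution (AT_SECURE) environment sanitising, so loader-controlling environment that boinc_t passes down is honoured by the project application; together with the new `self:capability { setuid setgid }` and the added `setcap getcap` process permissions this is a noticeable loosening of the project domain, and none of the three lines says why. A why-comment on each would make the intent reviewable, e.g. `# project apps are started with the client's environment; secure-exec would strip it` on the noatsecure line, and a note of which project runtime needs setuid/setgid on the capability line. While the `unconfined_domain(boinc_project_t)` block later in this commit is active these grants are subsumed anyway, so they will only matter once that block is removed.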
@@ -28286,22 +28504,21 @@ index 0000000..41698a6
+
+manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
+manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
-+files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
++manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
++files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
+
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
++files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
+
+allow boinc_project_t boinc_project_var_lib_t:file execmod;
+
+allow boinc_project_t boinc_t:shm rw_shm_perms;
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
+
-+list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-+
+kernel_read_kernel_sysctls(boinc_project_t)
+kernel_search_vm_sysctl(boinc_project_t)
+kernel_read_network_state(boinc_project_t)
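Review bot: `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )` has a stray space before the closing parenthesis, whereas the `"projects"` line directly above it is written without one. The two lines should be formatted alike: `files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots")`.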
@@ -28310,6 +28527,9 @@ index 0000000..41698a6
+
+files_dontaudit_search_home(boinc_project_t)
+
++# needed by java
++fs_read_hugetlbfs_files(boinc_project_t)
++
+optional_policy(`
+ gnome_read_gconf_config(boinc_project_t)
+')
@@ -28317,6 +28537,11 @@ index 0000000..41698a6
+optional_policy(`
+ java_exec(boinc_project_t)
+')
++
++# until solution for VirtualBox, java ..
++optional_policy(`
++ unconfined_domain(boinc_project_t)
++')
diff --git a/policy/modules/services/bugzilla.fc b/policy/modules/services/bugzilla.fc
index 8c84063..c8bfb68 100644
--- a/policy/modules/services/bugzilla.fc
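Review bot: `unconfined_domain(boinc_project_t)` makes the project-application domain unconfined whenever the unconfined module is loaded, so the execmem/execstack, capability, tmp, var_lib and sysctl rules written for boinc_project_t elsewhere in this file stop constraining anything for as long as the block is present; the comment `# until solution for VirtualBox, java ..` records the motivation but not what the blocker is or when the block comes out. Recording the tracking reference and the removal condition in the comment, e.g. `# TODO(<tracking-id>): remove once VirtualBox/java project apps run confined`, keeps this visible, and putting the grant behind a `tunable_policy` boolean so administrators can opt back into confinement would be the less drastic interim if the build supports it. The optional_policy block closes within the hunk; the rest of boinc.te is outside it.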
@@ -48040,7 +48265,7 @@ index 85188dc..56dd1f0 100644
+ nscd_systemctl($1)
')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..812f966 100644
+index 7936e09..9384781 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
@@ -48080,7 +48305,7 @@ index 7936e09..812f966 100644
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,13 +57,15 @@ allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
@@ -48092,7 +48317,12 @@ index 7936e09..812f966 100644
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
+
++kernel_read_network_state(nscd_t)
+ kernel_read_kernel_sysctls(nscd_t)
+ kernel_list_proc(nscd_t)
+ kernel_read_proc_symlinks(nscd_t)
+@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
@@ -48100,7 +48330,7 @@ index 7936e09..812f966 100644
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
@@ -48111,7 +48341,7 @@ index 7936e09..812f966 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +143,17 @@ optional_policy(`
+@@ -127,3 +144,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -64429,10 +64659,10 @@ index 727fe95..21af852 100644
## <summary>
## All of the rules required to administrate
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
-index 8121937..5a462fb 100644
+index 8121937..275409f 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
-@@ -28,9 +28,12 @@ allow vnstatd_t self:process signal;
+@@ -28,9 +28,13 @@ allow vnstatd_t self:process signal;
allow vnstatd_t self:fifo_file rw_fifo_file_perms;
allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
@@ -64443,11 +64673,15 @@ index 8121937..5a462fb 100644
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
++files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -64,7 +67,6 @@ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+@@ -62,9 +66,9 @@ allow vnstat_t self:process signal;
+ allow vnstat_t self:fifo_file rw_fifo_file_perms;
+ allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
++files_search_var_lib(vnstat_t)
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
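Review bot: `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)` applies to every directory vnstatd_t creates directly under var_lib_t, not only its own state directory; the boinc hunk in this same commit uses the named form `files_var_lib_filetrans(..., dir, "projects")`, and the same form here, `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir, "<vnstat-state-dir-name>")`, would limit the transition to the intended directory. The new line also drops the `file` class that the `{ dir file }` form being replaced in the context granted, and nothing in the hunk says whether vnstatd_t no longer creates files there, so a one-line comment recording that would help. The matching vnstat_t transition in the context is removed rather than narrowed, leaving the two domains with different rules on the same type; stating why only the daemon needs the transition would make that asymmetry reviewable.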
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a27d796..b9473eb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 80%{?dist}
+Release: 81%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-81
+- boinc fixes
+- Allow vnstat to search through var_lib_t directories
+- Add jockey policy
+- Allow nscd to read kernel network state
+- Allow logrotate to read mysql home conten
+- Add own type for rdate port
+
* Wed Mar 13 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-80
- Add own type for rdate port
- Allow sssd setrlimit