[selinux-policy/f18] - Define usbtty_device_t as a term_tty - Allow svnserve to accept a connection - Allow xend manage d
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Nov 8 13:17:56 UTC 2012
commit 416c4cb42d8675efb4defe989edb77f88b46941c
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Nov 8 14:16:44 2012 +0100
- Define usbtty_device_t as a term_tty
- Allow svnserve to accept a connection
- Allow xend manage default virt_image_t type
- Allow prelink_cron_system_t to override the user component when executing cp
- Add labeling for z-push
- Gnomeclock sets the realtime clock
- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
- Allow lxc domains to use /dev/random and /dev/urandom
policy-rawhide.patch | 33 ++++---
policy_contrib-rawhide.patch | 220 +++++++++++++++++++++++++++---------------
selinux-policy.spec | 12 ++-
3 files changed, 173 insertions(+), 92 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 20183a8..2da01b6 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -120816,7 +120816,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..dc7f313 100644
+index 4bf45cb..9f81200 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -121107,7 +121107,7 @@ index 4bf45cb..dc7f313 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
-@@ -2956,5 +3126,315 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3126,318 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -121380,10 +121380,11 @@ index 4bf45cb..dc7f313 100644
+#
+interface(`kernel_search_vm_overcommit_sysctl',`
+ gen_require(`
-+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
++ type sysctl_vm_overcommit_t;
+ ')
+
-+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
++ kernel_search_vm_sysctl($1)
++ search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
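Review bot: The added `search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)` only does anything if sysctl_vm_overcommit_t ever labels a directory; if, as the name suggests, it labels just the /proc/sys/vm/overcommit_memory file through a genfscon in kernel.te (not visible here), the rule is dead and `kernel_search_vm_sysctl($1)` alone supplies the /proc/sys/vm path search that the old `{ proc_t sysctl_t }` form was missing. The same pattern repeats in the read and rw variants in the next two hunks. `kernel_search_vm_sysctl` is an interface, so it needs no gen_require, but its definition is outside this hunk and the module build fails at m4 time if it is not present at this patch level, so that is worth confirming.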
@@ -121399,10 +121400,11 @@ index 4bf45cb..dc7f313 100644
+#
+interface(`kernel_read_vm_overcommit_sysctls',`
+ gen_require(`
-+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
++ type sysctl_vm_overcommit_t;
+ ')
+
-+ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
++ kernel_search_vm_sysctl($1)
++ read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
+')
+
+########################################
@@ -121418,11 +121420,12 @@ index 4bf45cb..dc7f313 100644
+#
+interface(`kernel_rw_vm_overcommit_sysctls',`
+ gen_require(`
-+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
++ type sysctl_vm_overcommit_t;
+ ')
+
-+ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
-+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
++ kernel_search_vm_sysctl($1)
++ rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
++ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ab9b6cd..ccffb0f 100644
@@ -123407,7 +123410,7 @@ index 01dd2f1..3541088 100644
+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
+')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index 9d64659..31b2165 100644
+index 9d64659..f85e86f 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@@ -123418,10 +123421,14 @@ index 9d64659..31b2165 100644
#
# devtty_t is the type of /dev/tty.
-@@ -56,3 +57,9 @@ dev_node(tty_device_t)
+@@ -54,5 +55,11 @@ dev_node(tty_device_t)
#
- type usbtty_device_t, serial_device;
- dev_node(usbtty_device_t)
+ # usbtty_device_t is the type of /dev/usr/tty*
+ #
+-type usbtty_device_t, serial_device;
+-dev_node(usbtty_device_t)
++type usbtty_device_t;
++term_tty(usbtty_device_t)
+
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
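Review bot: `term_tty(usbtty_device_t)` attaches the ttynode attribute (and, in the refpolicy definition, also keeps serial_device and calls dev_node), so /dev/usb/tty* devices become reachable through every rule written against ttynode — term_use_all_ttys, user tty access, tty relabeling — instead of only through the serial-device interfaces. That is presumably the intent (USB serial consoles used as login terminals), but it is a widening and deserves a why-comment above the type, e.g. `# full tty so getty/login and user domains can use USB serial consoles`. The context comment just above still reads `/dev/usr/tty*`, a pre-existing typo for /dev/usb/tty*.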
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 6fe1a6b..f243357 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -2072,10 +2072,10 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..ff0883d 100644
+index fd9fa07..3a26b0f 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,41 +1,61 @@
+@@ -1,20 +1,36 @@
HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
@@ -2101,7 +2101,8 @@ index fd9fa07..ff0883d 100644
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-
++/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
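Review bot: `/etc/z-push(/.*)?` is labeled httpd_sys_rw_content_t, which lets the web server domain rewrite its own configuration; if z-push only reads config.php and friends at runtime (its writable state goes to /var/lib/z-push, labeled httpd_var_lib_t elsewhere in this commit), httpd_sys_content_t is the safer label here. If z-push genuinely writes under /etc/z-push, a short comment naming which file would keep the next reviewer from tightening it. I cannot see z-push's behaviour from this hunk, so this is a question rather than a confirmed defect.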
@@ -2109,10 +2110,10 @@ index fd9fa07..ff0883d 100644
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
-+
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
+@@ -22,20 +38,25 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -2145,7 +2146,7 @@ index fd9fa07..ff0883d 100644
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,8 +63,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +64,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -2157,7 +2158,7 @@ index fd9fa07..ff0883d 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +75,12 @@ ifdef(`distro_suse', `
+@@ -54,9 +76,13 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2167,10 +2168,11 @@ index fd9fa07..ff0883d 100644
/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +97,48 @@ ifdef(`distro_suse', `
+@@ -73,31 +99,50 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2185,10 +2187,12 @@ index fd9fa07..ff0883d 100644
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
-+/var/lib/openshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
-+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
++/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -2197,13 +2201,14 @@ index fd9fa07..ff0883d 100644
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
-
++/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
')
@@ -2223,7 +2228,7 @@ index fd9fa07..ff0883d 100644
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-@@ -109,3 +150,26 @@ ifdef(`distro_debian', `
+@@ -109,3 +154,26 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -4462,7 +4467,7 @@ index d052bf0..48f0ce4 100644
corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
-index 0123777..f2f0c35 100644
+index 0123777..5bfd421 100644
--- a/apm.fc
+++ b/apm.fc
@@ -1,3 +1,4 @@
@@ -4470,6 +4475,14 @@ index 0123777..f2f0c35 100644
#
# /usr
+@@ -14,6 +15,7 @@
+ /var/log/acpid.* -- gen_context(system_u:object_r:apmd_log_t,s0)
+
+ /var/run/\.?acpid\.socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
++/var/run/acpid\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/apmd\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/powersaved\.pid -- gen_context(system_u:object_r:apmd_var_run_t,s0)
+ /var/run/powersave_socket -s gen_context(system_u:object_r:apmd_var_run_t,s0)
diff --git a/apm.if b/apm.if
index 1ea99b2..0b668ae 100644
--- a/apm.if
@@ -25023,7 +25036,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..1aa73d8 100644
+index 4fde46b..540e180 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -7,38 +7,84 @@ policy_module(gnomeclock, 1.0.0)
@@ -25054,7 +25067,7 @@ index 4fde46b..1aa73d8 100644
+
+corenet_tcp_connect_time_port(gnomeclock_t)
+
-+dev_read_realtime_clock(gnomeclock_t)
++dev_rw_realtime_clock(gnomeclock_t)
+dev_read_urand(gnomeclock_t)
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
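Review bot: `dev_rw_realtime_clock(gnomeclock_t)` only gets the domain as far as open and ioctl on /dev/rtc; the RTC_SET_TIME ioctl is additionally gated by CAP_SYS_TIME in the kernel, so unless gnomeclock_t already has `allow gnomeclock_t self:capability sys_time` (not visible in this hunk) the write will still fail with EPERM and surface as a capability denial. A one-line comment next to the rule, `# sets the hardware clock; needs sys_time as well`, would record the dependency. The rest of gnomeclock_t's local policy lies outside this hunk.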
@@ -26887,10 +26900,10 @@ index 9aeeaf9..a91de65 100644
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
diff --git a/iscsi.fc b/iscsi.fc
-index 14d9670..6825edc 100644
+index 14d9670..e94b352 100644
--- a/iscsi.fc
+++ b/iscsi.fc
-@@ -1,7 +1,16 @@
+@@ -1,7 +1,17 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -26904,6 +26917,7 @@ index 14d9670..6825edc 100644
+/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
++/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
+
+/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
@@ -34995,7 +35009,7 @@ index afa18c8..2f102b2 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index 4e2a5ba..ef40577 100644
+index 4e2a5ba..def7747 100644
--- a/mta.if
+++ b/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -35111,7 +35125,8 @@ index 4e2a5ba..ef40577 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
- allow mta_user_agent $2:fifo_file { read write };
+- allow mta_user_agent $2:fifo_file { read write };
++ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
+
+ optional_policy(`
+ exim_run($2, $1)
@@ -35166,7 +35181,17 @@ index 4e2a5ba..ef40577 100644
')
#######################################
-@@ -393,12 +353,19 @@ interface(`mta_send_mail',`
+@@ -361,8 +321,7 @@ interface(`mta_send_mail',`
+
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
+- allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
+-
++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
+ ')
+
+@@ -393,12 +352,19 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -35184,11 +35209,11 @@ index 4e2a5ba..ef40577 100644
+ domtrans_pattern($1, mta_exec_type, $2)
+ allow mta_user_agent $1:fd use;
+ allow mta_user_agent $1:process sigchld;
-+ allow mta_user_agent $1:fifo_file { read write };
++ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
')
########################################
-@@ -411,7 +378,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -411,7 +377,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -35196,7 +35221,7 @@ index 4e2a5ba..ef40577 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -422,6 +388,60 @@ interface(`mta_signal_system_mail',`
+@@ -422,6 +387,60 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -35257,7 +35282,7 @@ index 4e2a5ba..ef40577 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -440,6 +460,26 @@ interface(`mta_sendmail_exec',`
+@@ -440,6 +459,26 @@ interface(`mta_sendmail_exec',`
########################################
## <summary>
@@ -35284,7 +35309,7 @@ index 4e2a5ba..ef40577 100644
## Read mail server configuration.
## </summary>
## <param name="domain">
-@@ -481,6 +521,25 @@ interface(`mta_write_config',`
+@@ -481,6 +520,25 @@ interface(`mta_write_config',`
########################################
## <summary>
@@ -35310,7 +35335,7 @@ index 4e2a5ba..ef40577 100644
## Read mail address aliases.
## </summary>
## <param name="domain">
-@@ -496,6 +555,7 @@ interface(`mta_read_aliases',`
+@@ -496,6 +554,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -35318,7 +35343,7 @@ index 4e2a5ba..ef40577 100644
')
########################################
-@@ -516,6 +576,9 @@ interface(`mta_manage_aliases',`
+@@ -516,6 +575,9 @@ interface(`mta_manage_aliases',`
files_search_etc($1)
manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
@@ -35328,7 +35353,7 @@ index 4e2a5ba..ef40577 100644
')
########################################
-@@ -534,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -534,7 +596,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -35337,7 +35362,7 @@ index 4e2a5ba..ef40577 100644
')
########################################
-@@ -554,7 +617,7 @@ interface(`mta_rw_aliases',`
+@@ -554,7 +616,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -35346,7 +35371,7 @@ index 4e2a5ba..ef40577 100644
')
#######################################
-@@ -576,6 +639,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -576,6 +638,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -35372,7 +35397,7 @@ index 4e2a5ba..ef40577 100644
#######################################
## <summary>
## Connect to all mail servers over TCP. (Deprecated)
-@@ -648,8 +730,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -648,8 +729,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -35383,7 +35408,7 @@ index 4e2a5ba..ef40577 100644
')
#######################################
-@@ -679,7 +761,26 @@ interface(`mta_spool_filetrans',`
+@@ -679,7 +760,26 @@ interface(`mta_spool_filetrans',`
')
files_search_spool($1)
@@ -35411,7 +35436,7 @@ index 4e2a5ba..ef40577 100644
')
########################################
-@@ -699,8 +800,8 @@ interface(`mta_rw_spool',`
+@@ -699,8 +799,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -35422,7 +35447,7 @@ index 4e2a5ba..ef40577 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -840,7 +941,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -840,7 +940,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -35431,7 +35456,7 @@ index 4e2a5ba..ef40577 100644
')
########################################
-@@ -866,6 +967,36 @@ interface(`mta_manage_queue',`
+@@ -866,6 +966,36 @@ interface(`mta_manage_queue',`
#######################################
## <summary>
@@ -35468,7 +35493,7 @@ index 4e2a5ba..ef40577 100644
## Read sendmail binary.
## </summary>
## <param name="domain">
-@@ -901,3 +1032,172 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +1031,172 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -43606,7 +43631,7 @@ index ceafba6..47b690d 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..5a51349 100644
+index 3185114..713423f 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -9,6 +9,9 @@ type pegasus_t;
@@ -43699,12 +43724,16 @@ index 3185114..5a51349 100644
sysnet_read_config(pegasus_t)
sysnet_domtrans_ifconfig(pegasus_t)
-@@ -121,12 +130,44 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+@@ -121,12 +130,48 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
+')
+
+optional_policy(`
@@ -43745,7 +43774,7 @@ index 3185114..5a51349 100644
')
optional_policy(`
-@@ -136,3 +177,14 @@ optional_policy(`
+@@ -136,3 +181,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -48630,10 +48659,18 @@ index ec0e76a..62af9a4 100644
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
diff --git a/prelink.te b/prelink.te
-index af55369..13dcbea 100644
+index af55369..9f1d1b5 100644
--- a/prelink.te
+++ b/prelink.te
-@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
+@@ -18,6 +18,7 @@ type prelink_cron_system_t;
+ type prelink_cron_system_exec_t;
+ domain_type(prelink_cron_system_t)
+ domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
++domain_obj_id_change_exemption(prelink_cron_system_t)
+
+ type prelink_log_t;
+ logging_log_file(prelink_log_t)
+@@ -36,7 +37,7 @@ files_type(prelink_var_lib_t)
# Local policy
#
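Review bot: `domain_obj_id_change_exemption(prelink_cron_system_t)` exempts the whole domain from the object-identity constraints, not just the `cp` case the changelog mentions, so the cron job may now create or relabel files under any SELinux user. There is no narrower constraint knob, so the rule is probably the right fix, but it should carry a why-comment so it is not mistaken for an accidental grant, e.g. `# cp -p in the cron job preserves the source file's SELinux user`. The domain's remaining rules are outside this hunk.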
@@ -48642,7 +48679,7 @@ index af55369..13dcbea 100644
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
-@@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
+@@ -59,10 +60,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
@@ -48655,7 +48692,7 @@ index af55369..13dcbea 100644
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -73,6 +75,7 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
@@ -48663,7 +48700,7 @@ index af55369..13dcbea 100644
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
-@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
+@@ -86,6 +89,8 @@ files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -48672,7 +48709,7 @@ index af55369..13dcbea 100644
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
-@@ -96,9 +100,16 @@ libs_manage_shared_libs(prelink_t)
+@@ -96,9 +101,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
@@ -48691,7 +48728,7 @@ index af55369..13dcbea 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +120,15 @@ optional_policy(`
+@@ -109,6 +121,15 @@ optional_policy(`
')
optional_policy(`
@@ -48707,7 +48744,7 @@ index af55369..13dcbea 100644
rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +149,7 @@ optional_policy(`
+@@ -129,6 +150,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -48715,7 +48752,7 @@ index af55369..13dcbea 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -144,21 +165,38 @@ optional_policy(`
+@@ -144,21 +166,38 @@ optional_policy(`
corecmd_exec_bin(prelink_cron_system_t)
corecmd_exec_shell(prelink_cron_system_t)
@@ -64634,10 +64671,10 @@ index 0000000..dd2ac36
+
diff --git a/svnserve.te b/svnserve.te
new file mode 100644
-index 0000000..f66149f
+index 0000000..ba40a17
--- /dev/null
+++ b/svnserve.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,53 @@
+policy_module(svnserve, 1.0.0)
+
+########################################
@@ -64667,6 +64704,7 @@ index 0000000..f66149f
+#
+
+allow svnserve_t self:fifo_file rw_fifo_file_perms;
++allow svnserve_t self:tcp_socket create_stream_socket_perms;
+allow svnserve_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
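Review bot: `create_stream_socket_perms` on self:tcp_socket covers listen and accept, but accepting a connection also requires a bound socket, and nothing in this hunk lets svnserve_t name_bind: `corenet_tcp_bind_generic_node(svnserve_t)` and, if corenetwork defines the svn port, `corenet_tcp_bind_svn_port(svnserve_t)` plus the sendrecv generic_if/node rules would be needed unless they already sit elsewhere in svnserve.te, which I cannot see from here. If svnserve is only ever handed an inherited socket by xinetd or systemd the bind rules are unnecessary, but then a comment saying so would help. The file continues outside this hunk.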
@@ -68620,7 +68658,7 @@ index 32a3c13..0cbca75 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index 2124b6a..40b350a 100644
+index 2124b6a..e55e393 100644
--- a/virt.fc
+++ b/virt.fc
@@ -1,6 +1,14 @@
@@ -68640,7 +68678,7 @@ index 2124b6a..40b350a 100644
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +20,58 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +20,59 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -68666,6 +68704,7 @@ index 2124b6a..40b350a 100644
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
++/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
@@ -68703,7 +68742,7 @@ index 2124b6a..40b350a 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 6f0736b..cebdb3e 100644
+index 6f0736b..be0e5a5 100644
--- a/virt.if
+++ b/virt.if
@@ -13,64 +13,61 @@
@@ -69120,7 +69159,7 @@ index 6f0736b..cebdb3e 100644
')
########################################
-@@ -468,18 +647,30 @@ interface(`virt_manage_images',`
+@@ -468,18 +647,52 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -69131,6 +69170,33 @@ index 6f0736b..cebdb3e 100644
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
+- ')
++#######################################
++## <summary>
++## Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`virt_manage_default_image_type',`
++ gen_require(`
++ type virt_var_lib_t;
++ type virt_image_t;
++ ')
++
++ virt_search_lib($1)
++ manage_dirs_pattern($1, virt_image_t, virt_image_t)
++ manage_files_pattern($1, virt_image_t, virt_image_t)
++ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
++')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+########################################
+## <summary>
+## Execute virt server in the virt domain.
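Review bot: The summary on the new `virt_manage_default_image_type` says "manage virt image files", but the body only covers the default type virt_image_t, unlike `virt_manage_images` just above which works on the whole virt_image_type attribute; the summary should say so, e.g. `## Manage files labeled with the default virt_image_t type only (see virt_manage_images for all image types).` The gen_require also pulls in `virt_var_lib_t`, which the body never references because the search is delegated to `virt_search_lib($1)`; drop it so the require block matches what the interface uses. I cannot see from this hunk where virt_manage_images now closes after its tunable blocks were removed, so it is worth confirming the resulting virt.if still parses.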
@@ -69146,12 +69212,7 @@ index 6f0736b..cebdb3e 100644
+ type virtd_unit_file_t;
+ type virtd_t;
')
-
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
-- ')
++
+ systemd_exec_systemctl($1)
+ allow $1 virtd_unit_file_t:file read_file_perms;
+ allow $1 virtd_unit_file_t:service manage_service_perms;
@@ -69160,7 +69221,7 @@ index 6f0736b..cebdb3e 100644
')
########################################
-@@ -502,10 +693,20 @@ interface(`virt_manage_images',`
+@@ -502,10 +715,20 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -69182,7 +69243,7 @@ index 6f0736b..cebdb3e 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -517,4 +718,299 @@ interface(`virt_admin',`
+@@ -517,4 +740,299 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -69483,7 +69544,7 @@ index 6f0736b..cebdb3e 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..ea2746e 100644
+index 947bbc6..8bca6b2 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,94 @@ policy_module(virt, 1.5.0)
@@ -70151,7 +70212,7 @@ index 947bbc6..ea2746e 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,23 +694,519 @@ files_search_all(virt_domain)
+@@ -449,23 +694,521 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -70489,7 +70550,6 @@ index 947bbc6..ea2746e 100644
+
+corecmd_exec_all_executables(svirt_lxc_domain)
+
-+files_read_kernel_modules(svirt_lxc_net_t)
+files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+files_dontaudit_getattr_all_files(svirt_lxc_domain)
+files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
@@ -70542,7 +70602,7 @@ index 947bbc6..ea2746e 100644
+
+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_lxc_net_t self:capability2 block_suspend;
-+
++allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+allow svirt_lxc_net_t self:process setrlimit;
+
+allow svirt_lxc_net_t self:udp_socket create_socket_perms;
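Review bot: `allow svirt_lxc_net_t self:netlink_socket create_socket_perms;` opens the generic netlink class, which covers every NETLINK_* family that lacks a dedicated SELinux class, on a domain that already holds net_admin and sys_admin in the capability line above. If the denial that prompted this was routing or uevent traffic, the specific classes (`netlink_route_socket`, `netlink_kobject_uevent_socket`) would be the narrower grant; if the generic class really is needed, a comment naming the family would document why. I am inferring the trigger, since the AVC is not shown.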
@@ -70559,6 +70619,8 @@ index 947bbc6..ea2746e 100644
+
+dev_read_sysfs(svirt_lxc_net_t)
+dev_getattr_mtrr_dev(svirt_lxc_net_t)
++dev_read_rand(svirt_lxc_net_t)
++dev_read_urand(svirt_lxc_net_t)
+
+corenet_tcp_bind_generic_node(svirt_lxc_net_t)
+corenet_udp_bind_generic_node(svirt_lxc_net_t)
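Review bot: The changelog says "Allow lxc domains to use /dev/random and /dev/urandom", but `dev_read_rand`/`dev_read_urand` are added to svirt_lxc_net_t only; any other type carrying the svirt_lxc_domain attribute (whose shared rules appear earlier in this patch) will still be denied. If every lxc container should reach the RNG devices, the two calls belong on `svirt_lxc_domain` next to the other shared rules; if restricting it to the net domain is deliberate, the changelog entry overstates it. A one-line comment either way would settle it.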
@@ -70568,7 +70630,13 @@ index 947bbc6..ea2746e 100644
+corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+
++files_read_kernel_modules(svirt_lxc_net_t)
++
+fs_noxattr_type(svirt_lxc_file_t)
++fs_mount_cgroup(svirt_lxc_net_t)
++fs_manage_cgroup_dirs(svirt_lxc_net_t)
++fs_manage_cgroup_files(svirt_lxc_net_t)
++
+term_pty(svirt_lxc_file_t)
+
+auth_use_nsswitch(svirt_lxc_net_t)
@@ -70579,11 +70647,6 @@ index 947bbc6..ea2746e 100644
+
+userdom_use_inherited_user_ptys(svirt_lxc_net_t)
+
-+fs_mount_cgroup(svirt_lxc_net_t)
-+fs_manage_cgroup_dirs(svirt_lxc_net_t)
-+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
-+
+#######################################
+#
+# svirt_prot_exec local policy
@@ -71684,7 +71747,7 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index 07033bb..203e2f8 100644
+index 07033bb..08d37ba 100644
--- a/xen.te
+++ b/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
@@ -71849,7 +71912,7 @@ index 07033bb..203e2f8 100644
optional_policy(`
brctl_domtrans(xend_t)
')
-@@ -349,6 +349,27 @@ optional_policy(`
+@@ -349,6 +349,28 @@ optional_policy(`
consoletype_exec(xend_t)
')
@@ -71870,6 +71933,7 @@ index 07033bb..203e2f8 100644
+')
+
+optional_policy(`
++ virt_manage_default_image_type(xend_t)
+ virt_search_images(xend_t)
+ virt_read_config(xend_t)
+')
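Review bot: `virt_manage_default_image_type(xend_t)` grants create, delete and rename over every file labeled virt_image_t, not just Xen's own images, on top of the `virt_search_images(xend_t)` that was already present; a comment naming the xend operation that needs more than search (presumably image creation through xm/xl) would justify the widening. The call is correctly placed inside the virt optional_policy block, so it degrades cleanly when the virt module is absent.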
@@ -71877,7 +71941,7 @@ index 07033bb..203e2f8 100644
########################################
#
# Xen console local policy
-@@ -374,8 +395,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -374,8 +396,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -71886,7 +71950,7 @@ index 07033bb..203e2f8 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -390,7 +409,6 @@ term_use_console(xenconsoled_t)
+@@ -390,7 +410,6 @@ term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
@@ -71894,7 +71958,7 @@ index 07033bb..203e2f8 100644
xen_manage_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)
-@@ -413,9 +431,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +432,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -71906,7 +71970,7 @@ index 07033bb..203e2f8 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,111 +461,24 @@ files_read_etc_files(xenstored_t)
+@@ -442,111 +462,24 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -72020,7 +72084,7 @@ index 07033bb..203e2f8 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +491,4 @@ optional_policy(`
+@@ -559,8 +492,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d28d998..2bcee44 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 51%{?dist}
+Release: 52%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -523,6 +523,16 @@ SELinux Reference policy mls base module.
%endif
%changelog
+ Thu Nov 8 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-52
+- Define usbtty_device_t as a term_tty
+- Allow svnserve to accept a connection
+- Allow xend manage default virt_image_t type
+- Allow prelink_cron_system_t to overide user componant when executing cp
+- Add labeling for z-push
+- Gnomeclock sets the realtime clock
+- Openshift seems to be storing apache logs in /var/lib/openshift/.log/httpd
+- Allow lxc domains to use /dev/random and /dev/urandom
+
* Wed Nov 7 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-51
- Add port defintion for tcp/9000
- Fix labeling for /usr/share/cluster/checkquorum to label also checkquorum.wdmd