[selinux-policy/f17] - Fix labeling for passwd*
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 30 21:07:21 UTC 2012
commit 04d5075e47d55419670b89dbc733eb44eb4b9c06
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 30 22:06:11 2012 +0100
- Fix labeling for passwd*
policy-F16.patch | 128 ++++++++++++++++++++++++++++++++++-----------------
selinux-policy.spec | 5 ++-
2 files changed, 89 insertions(+), 44 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index cf53b0a..5e210c5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -64981,7 +64981,7 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..6309996 100644
+index e0791b9..54acef1 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
@@ -65038,7 +65038,7 @@ index e0791b9..6309996 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +151,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +151,30 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -65062,13 +65062,14 @@ index e0791b9..6309996 100644
+
+optional_policy(`
+ openshift_rw_inherited_content(ping_t)
++ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
+')
+
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +181,10 @@ optional_policy(`
+@@ -157,6 +182,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -65079,7 +65080,7 @@ index e0791b9..6309996 100644
########################################
#
# Traceroute local policy
-@@ -194,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +223,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -65087,7 +65088,7 @@ index e0791b9..6309996 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +233,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +234,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -86801,7 +86802,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..89ae860 100644
+index 01dd2f1..16789bd 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -86957,7 +86958,7 @@ index 01dd2f1..89ae860 100644
## </summary>
## </param>
#
-@@ -1240,7 +1320,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1320,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -86984,10 +86985,29 @@ index 01dd2f1..89ae860 100644
+
+ dev_list_all_dev_nodes($1)
+ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
++')
++
++#######################################
++## <summary>
++## Setattr on USB tty character
++## device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_setattr_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ allow $1 usbtty_device_t:chr_file setattr;
')
########################################
-@@ -1256,11 +1357,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1376,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
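Review bot: The new `term_setattr_usb_ttys` interface added at the end of this hunk allows only `usbtty_device_t:chr_file setattr` and grants no access to the directory the node lives in, whereas the sibling interface just above it pairs its allow with `dev_list_all_dev_nodes($1)`. A caller that has not already been given /dev search access elsewhere would still be denied reaching the node; getty_t, the only caller added in this commit, presumably already has it through its other `term_*` calls, so this is about the interface standing on its own rather than a failure today. I would add `dev_list_all_dev_nodes($1)` before the allow line so the interface behaves like its neighbours.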
@@ -87001,7 +87021,7 @@ index 01dd2f1..89ae860 100644
')
########################################
-@@ -1277,10 +1380,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1399,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -87014,7 +87034,7 @@ index 01dd2f1..89ae860 100644
')
########################################
-@@ -1358,7 +1463,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1482,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -87043,7 +87063,7 @@ index 01dd2f1..89ae860 100644
')
########################################
-@@ -1377,7 +1502,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1521,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -87052,7 +87072,7 @@ index 01dd2f1..89ae860 100644
')
########################################
-@@ -1485,7 +1610,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1629,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
@@ -87061,7 +87081,7 @@ index 01dd2f1..89ae860 100644
## </summary>
## </param>
#
-@@ -1493,3 +1618,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1637,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -91507,7 +91527,7 @@ index deca9d3..1aa76b0 100644
spamassassin_exec_client(amavis_t)
spamassassin_read_lib_files(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..e4ffdc1 100644
+index 9e39aa5..b3efe6f 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,39 +1,55 @@
@@ -91599,7 +91619,7 @@ index 9e39aa5..e4ffdc1 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,39 +93,75 @@ ifdef(`distro_suse', `
+@@ -73,39 +93,76 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -91672,6 +91692,7 @@ index 9e39aa5..e4ffdc1 100644
+
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -95488,10 +95509,10 @@ index 0000000..a66b2ff
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644
-index 0000000..6ed024b
+index 0000000..73442c8
--- /dev/null
+++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,60 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@@ -95511,6 +95532,10 @@ index 0000000..6ed024b
+#
+# blueman local policy
+#
++
++allow blueman_t self:capability sys_nice;
++allow blueman_t self:process setsched;
++
+allow blueman_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
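Review bot: `allow blueman_t self:capability sys_nice;` at the top of this hunk is a wider grant than the `self:process setsched` that accompanies it, since sys_nice also covers changing the scheduling of other processes, and the hunk gives no indication of what the applet does that needs it. If the underlying denial comes from a probe rather than a real need, a `dontaudit blueman_t self:capability sys_nice;` would keep the audit log quiet without widening the domain; otherwise a short comment on the line naming the operation that requires it would help the next reader. The blueman_t rules continue outside this hunk.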
@@ -107796,7 +107821,7 @@ index 0000000..67906f0
+## <summary>Generate entropy from audio input</summary>
diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
new file mode 100644
-index 0000000..053caed
+index 0000000..b27d5e5
--- /dev/null
+++ b/policy/modules/services/entropyd.te
@@ -0,0 +1,82 @@
@@ -107835,7 +107860,7 @@ index 0000000..053caed
+files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+
+kernel_rw_kernel_sysctl(entropyd_t)
-+kernel_list_proc(entropyd_t)
++kernel_read_system_state(entropyd_t)
+kernel_read_proc_symlinks(entropyd_t)
+
+dev_read_sysfs(entropyd_t)
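Review bot: Replacing `kernel_list_proc(entropyd_t)` with `kernel_read_system_state(entropyd_t)` is a step up from listing /proc to reading the proc_t files under it, and nothing in the hunk or the changelog says which file the daemon actually needs. If it reads only one or two system files, a narrower interface would keep the entropy daemon's view of the kernel smaller; if the wider read really is required, a comment such as `# audio-entropyd reads <which /proc file> at startup` next to the line would record why. The entropyd_t rules continue outside this hunk.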
@@ -122830,10 +122855,10 @@ index 0000000..681f8a0
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..cd23fc5
+index 0000000..6c77c83
--- /dev/null
+++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,357 @@
+@@ -0,0 +1,364 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -122863,6 +122888,9 @@ index 0000000..cd23fc5
+oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
+domain_obj_id_change_exemption(openshift_initrc_t)
+
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
@@ -122970,6 +122998,10 @@ index 0000000..cd23fc5
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
@@ -134777,10 +134809,10 @@ index 0000000..3eb745d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..f0032ac
+index 0000000..2449c10
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,118 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -134853,6 +134885,7 @@ index 0000000..f0032ac
+
+domain_use_interactive_fds(sanlock_t)
+
++files_read_mnt_symlinks(sanlock_t)
+files_read_etc_files(sanlock_t)
+
+storage_raw_rw_fixed_disk(sanlock_t)
@@ -140648,7 +140681,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
-index db9d2a5..23dca51 100644
+index db9d2a5..12334bb 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -140671,7 +140704,7 @@ index db9d2a5..23dca51 100644
-
+allow tuned_t self:capability { sys_admin sys_nice };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
-+allow tuned_t self:process signal;
++allow tuned_t self:process { signal setsched };
+allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:udp_socket create_socket_perms;
+
@@ -147598,10 +147631,10 @@ index c6fdab7..32f45fa 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..82def3d 100644
+index 28ad538..9c82aad 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -1,3 +1,7 @@
+@@ -1,11 +1,23 @@
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
@@ -147609,20 +147642,28 @@ index 28ad538..82def3d 100644
/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
-@@ -5,7 +9,12 @@
- /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
+-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+-/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/passwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/\.pwd\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
++
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -16,13 +25,22 @@ ifdef(`distro_suse', `
+@@ -16,13 +28,22 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
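Review bot: Relabeling `/etc/\.pwd\.lock`, `/etc/passwd\.lock`, `/etc/group\.lock` and `/etc/passwd\.adjunct.*` from shadow_t to passwd_file_t on the new side of this hunk widens who may touch them, since every domain with write access to passwd_file_t gains it, and the commit message only says "Fix labeling for passwd*". As far as I know `.pwd.lock` is the lock lckpwdf(3) takes around shadow as well as passwd updates, so a passwd_file_t writer that is not a shadow_t writer could now hold it and stall shadow updates, and passwd.adjunct is historically where password hashes lived, so if such a file exists it should probably stay shadow_t. I would keep `/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)` and `/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)`, or state the rationale for the change in the changelog entry. The `/etc/security/opasswd` lines being shadow_t look right, since that file holds old password hashes.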
@@ -147647,7 +147688,7 @@ index 28ad538..82def3d 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +51,8 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -147656,7 +147697,7 @@ index 28ad538..82def3d 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', `
+@@ -39,11 +62,13 @@ ifdef(`distro_gentoo', `
/var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
@@ -148906,13 +148947,14 @@ index e1a1848..909af45 100644
/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index ede3231..c8c15bd 100644
+index ede3231..cd8f3e9 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
-@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t)
+@@ -83,8 +83,11 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
++term_setattr_usb_ttys(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
@@ -148920,7 +148962,7 @@ index ede3231..c8c15bd 100644
init_rw_utmp(getty_t)
init_use_script_ptys(getty_t)
-@@ -125,10 +127,6 @@ optional_policy(`
+@@ -125,10 +128,6 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 48f768b..7324d5e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 157%{?dist}
+Release: 158%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-158
+- Fix labeling for passwd*
+
* Tue Oct 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-157
- logwatch wants sys_nice/setsched
- Add labeling for mcollectived