[selinux-policy/f18] - Update virt_qemu_ga_t policy - Allow authconfig running from realmd to restart oddjob service - Ad
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 19 17:40:06 UTC 2013
commit d5e78cf63cd3256a333659adee022363e3b1c12a
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 19 18:38:56 2013 +0100
- Update virt_qemu_ga_t policy
- Allow authconfig running from realmd to restart oddjob service
- Add systemd support for oddjob
- Add initial policy for realmd_consolehelper_t which is for authconfig executed by realmd
policy-f18-base.patch | 321 +++++++++++++++++++++++++--------------------
policy-f18-contrib.patch | 103 ++++++++++++---
selinux-policy.spec | 8 +-
3 files changed, 267 insertions(+), 165 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 2a53c91..1130d24 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -117750,7 +117750,7 @@ index 8796ca3..cb02728 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..c291c5a 100644
+index e1e814d..1d13f16 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -117982,7 +117982,32 @@ index e1e814d..c291c5a 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1655,6 +1819,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1563,6 +1727,24 @@ interface(`files_getattr_all_mountpoints',`
+ allow $1 mountpoint:dir getattr;
+ ')
+
++#######################################
++## <summary>
++## Get the attributes of all mount points.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_list_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Set the attributes of all mount points.
+@@ -1655,6 +1837,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
## <summary>
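Review bot: The summary of the new `files_list_all_mountpoints` interface, the `++## Get the attributes of all mount points.` line, is copied from `files_getattr_all_mountpoints` and does not describe what the body grants, `allow $1 mountpoint:dir list_dir_perms;`. Replace it with `## List the contents of all mount points.` so the generated interface documentation tells callers (the new virt_qemu_ga_t rules later in this commit use it) what they are actually receiving. The separator line above the interface is also one `#` shorter than the one used by the neighbouring `files_dontaudit_list_all_mountpoints` block; matching it keeps the file uniform.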
@@ -118007,7 +118032,7 @@ index e1e814d..c291c5a 100644
## Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
-@@ -1673,6 +1855,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1673,6 +1873,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
## <summary>
@@ -118032,7 +118057,7 @@ index e1e814d..c291c5a 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1856,6 +2056,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1856,6 +2074,42 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
@@ -118075,7 +118100,7 @@ index e1e814d..c291c5a 100644
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1874,6 +2110,24 @@ interface(`files_unmount_rootfs',`
+@@ -1874,6 +2128,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
@@ -118100,7 +118125,7 @@ index e1e814d..c291c5a 100644
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
-@@ -2573,6 +2827,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2573,6 +2845,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -118125,7 +118150,7 @@ index e1e814d..c291c5a 100644
##########################################
## <summary>
## Manage generic directories in /etc
-@@ -2644,6 +2916,7 @@ interface(`files_read_etc_files',`
+@@ -2644,6 +2934,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -118133,7 +118158,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -2652,7 +2925,7 @@ interface(`files_read_etc_files',`
+@@ -2652,7 +2943,7 @@ interface(`files_read_etc_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118142,7 +118167,7 @@ index e1e814d..c291c5a 100644
## </summary>
## </param>
#
-@@ -2708,6 +2981,25 @@ interface(`files_manage_etc_files',`
+@@ -2708,6 +2999,25 @@ interface(`files_manage_etc_files',`
########################################
## <summary>
@@ -118168,7 +118193,7 @@ index e1e814d..c291c5a 100644
## Delete system configuration files in /etc.
## </summary>
## <param name="domain">
-@@ -2726,6 +3018,24 @@ interface(`files_delete_etc_files',`
+@@ -2726,6 +3036,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@@ -118193,7 +118218,7 @@ index e1e814d..c291c5a 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2891,26 +3201,8 @@ interface(`files_delete_boot_flag',`
+@@ -2891,24 +3219,6 @@ interface(`files_delete_boot_flag',`
########################################
## <summary>
@@ -118215,14 +118240,10 @@ index e1e814d..c291c5a 100644
-
-########################################
-## <summary>
--## Read files in /etc that are dynamically
--## created on boot, such as mtab.
-+## Read files in /etc that are dynamically
-+## created on boot, such as mtab.
+ ## Read files in /etc that are dynamically
+ ## created on boot, such as mtab.
## </summary>
- ## <desc>
- ## <p>
-@@ -2949,6 +3241,42 @@ interface(`files_read_etc_runtime_files',`
+@@ -2949,6 +3259,42 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@@ -118265,7 +118286,7 @@ index e1e814d..c291c5a 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2986,6 +3314,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2986,6 +3332,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -118273,7 +118294,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -3007,6 +3336,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3007,6 +3354,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -118281,7 +118302,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -3059,6 +3389,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3059,6 +3407,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -118307,7 +118328,7 @@ index e1e814d..c291c5a 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -3135,6 +3484,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3135,6 +3502,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
## <summary>
@@ -118333,7 +118354,7 @@ index e1e814d..c291c5a 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3382,6 +3750,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,6 +3768,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
@@ -118359,7 +118380,7 @@ index e1e814d..c291c5a 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
-@@ -3723,20 +4110,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +4128,38 @@ interface(`files_list_mnt',`
######################################
## <summary>
@@ -118403,7 +118424,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -4126,6 +4531,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4549,133 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -118537,7 +118558,7 @@ index e1e814d..c291c5a 100644
########################################
## <summary>
## Allow the specified type to associate
-@@ -4148,6 +4680,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4698,26 @@ interface(`files_associate_tmp',`
########################################
## <summary>
@@ -118564,7 +118585,7 @@ index e1e814d..c291c5a 100644
## Get the attributes of the tmp directory (/tmp).
## </summary>
## <param name="domain">
-@@ -4161,17 +4713,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,17 +4731,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118603,7 +118624,7 @@ index e1e814d..c291c5a 100644
## </summary>
## </param>
#
-@@ -4198,6 +4770,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4788,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118611,7 +118632,7 @@ index e1e814d..c291c5a 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4807,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4825,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118619,7 +118640,7 @@ index e1e814d..c291c5a 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4817,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4835,7 @@ interface(`files_list_tmp',`
## </summary>
## <param name="domain">
## <summary>
@@ -118628,7 +118649,7 @@ index e1e814d..c291c5a 100644
## </summary>
## </param>
#
-@@ -4255,6 +4829,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4847,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118654,7 +118675,7 @@ index e1e814d..c291c5a 100644
########################################
## <summary>
## Remove entries from the tmp directory.
-@@ -4270,6 +4863,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4881,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118662,7 +118683,7 @@ index e1e814d..c291c5a 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4905,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4923,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@@ -118695,7 +118716,7 @@ index e1e814d..c291c5a 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -4365,7 +4985,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,7 +5003,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@@ -118704,7 +118725,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4373,17 +4993,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4373,17 +5011,17 @@ interface(`files_rw_generic_tmp_sockets',`
## </summary>
## </param>
#
@@ -118726,7 +118747,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -4391,53 +5011,125 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4391,34 +5029,106 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@@ -118764,28 +118785,23 @@ index e1e814d..c291c5a 100644
- allow $1 var_t:dir search_dir_perms;
- relabel_dirs_pattern($1, tmpfile, tmpfile)
+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ## <summary>
--## Do not audit attempts to get the attributes
--## of all tmp files.
++')
++
++########################################
++## <summary>
+## Allow caller to read inherited tmp files.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain not to audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
- ## </summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
++## </summary>
++## </param>
++#
+interface(`files_read_inherited_tmp_files',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:file getattr;
++ gen_require(`
++ attribute tmpfile;
++ ')
++
+ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
@@ -118845,29 +118861,19 @@ index e1e814d..c291c5a 100644
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ dontaudit $1 tmpfile:file getattr;
')
########################################
-@@ -4488,7 +5180,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4428,7 +5138,7 @@ interface(`files_relabel_all_tmp_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain not to audit.
++## Domain to not audit.
+ ## </summary>
+ ## </param>
+ #
+@@ -4488,7 +5198,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
## <summary>
@@ -118876,7 +118882,7 @@ index e1e814d..c291c5a 100644
## </summary>
## </param>
#
-@@ -4573,6 +5265,16 @@ interface(`files_purge_tmp',`
+@@ -4573,6 +5283,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118893,7 +118899,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -5150,6 +5852,24 @@ interface(`files_list_var',`
+@@ -5150,6 +5870,24 @@ interface(`files_list_var',`
########################################
## <summary>
@@ -118918,7 +118924,7 @@ index e1e814d..c291c5a 100644
## Create, read, write, and delete directories
## in the /var directory.
## </summary>
-@@ -5505,6 +6225,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5505,6 +6243,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118944,7 +118950,7 @@ index e1e814d..c291c5a 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6289,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6307,7 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@@ -118953,7 +118959,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5558,12 +6297,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6315,13 @@ interface(`files_manage_mounttab',`
## </summary>
## </param>
#
@@ -118969,7 +118975,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -5581,6 +6321,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6339,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118977,7 +118983,7 @@ index e1e814d..c291c5a 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6348,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6366,26 @@ interface(`files_dontaudit_search_locks',`
########################################
## <summary>
@@ -119005,7 +119011,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -5615,13 +6375,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6393,12 @@ interface(`files_dontaudit_search_locks',`
## </summary>
## </param>
#
@@ -119022,7 +119028,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -5640,7 +6399,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6417,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -119031,7 +119037,7 @@ index e1e814d..c291c5a 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6432,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6450,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
## </summary>
## </param>
@@ -119039,7 +119045,7 @@ index e1e814d..c291c5a 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6459,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6477,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -119049,7 +119055,7 @@ index e1e814d..c291c5a 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6475,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6493,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@@ -119067,7 +119073,7 @@ index e1e814d..c291c5a 100644
')
########################################
-@@ -5743,8 +6499,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6517,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -119077,7 +119083,7 @@ index e1e814d..c291c5a 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6541,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6559,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -119087,7 +119093,7 @@ index e1e814d..c291c5a 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6563,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6581,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -119097,7 +119103,7 @@ index e1e814d..c291c5a 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6600,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6618,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -119107,7 +119113,7 @@ index e1e814d..c291c5a 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6663,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6681,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -119151,7 +119157,7 @@ index e1e814d..c291c5a 100644
########################################
## <summary>
## Do not audit attempts to search
-@@ -5933,6 +6722,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6740,25 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@@ -119177,7 +119183,7 @@ index e1e814d..c291c5a 100644
## List the contents of the runtime process
## ID directories (/var/run).
## </summary>
-@@ -6048,7 +6856,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6874,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -119185,7 +119191,7 @@ index e1e814d..c291c5a 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6964,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6982,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@@ -119220,7 +119226,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6188,43 +6990,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +7008,35 @@ interface(`files_read_all_pids',`
## </summary>
## </param>
#
@@ -119271,7 +119277,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6232,21 +7026,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +7044,17 @@ interface(`files_delete_all_pids',`
## </summary>
## </param>
#
@@ -119296,7 +119302,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6254,56 +7044,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +7062,59 @@ interface(`files_delete_all_pid_dirs',`
## </summary>
## </param>
#
@@ -119372,7 +119378,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6311,18 +7104,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7122,17 @@ interface(`files_list_spool',`
## </summary>
## </param>
#
@@ -119395,7 +119401,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6330,19 +7122,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,19 +7140,18 @@ interface(`files_manage_generic_spool_dirs',`
## </summary>
## </param>
#
@@ -119420,7 +119426,7 @@ index e1e814d..c291c5a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -6350,9 +7141,274 @@ interface(`files_read_generic_spool',`
+@@ -6350,13 +7159,278 @@ interface(`files_read_generic_spool',`
## </summary>
## </param>
#
@@ -119429,8 +119435,10 @@ index e1e814d..c291c5a 100644
gen_require(`
- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
+')
+
@@ -119694,10 +119702,14 @@ index e1e814d..c291c5a 100644
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
- ')
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
+ ')
- allow $1 var_t:dir search_dir_perms;
-@@ -6467,3 +7523,459 @@ interface(`files_unconfined',`
+ ########################################
+@@ -6467,3 +7541,459 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -133077,7 +133089,7 @@ index d2e40b8..0e9e947 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..83d92a5 100644
+index d26fe81..4f7db68 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -106,6 +106,8 @@ interface(`init_domain',`
@@ -133513,7 +133525,7 @@ index d26fe81..83d92a5 100644
')
')
-@@ -838,19 +1004,41 @@ interface(`init_spec_domtrans_script',`
+@@ -838,19 +1004,59 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -133553,13 +133565,31 @@ index d26fe81..83d92a5 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
++')
++
++########################################
++## <summary>
++## Allow domain transition to a domain
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_transition_initrc_to',`
++ gen_require(`
++ type initrc_t;
+ ')
++
++ allow initrc_t $1:process transition;
')
########################################
-@@ -906,9 +1094,14 @@ interface(`init_script_file_domtrans',`
+@@ -906,9 +1112,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
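Review bot: The documentation of the new `init_transition_initrc_to` interface, `++## Allow domain transition to a domain`, does not say which direction the transition goes, while the body `allow initrc_t $1:process transition;` makes initrc_t the source and `$1` the target. Suggest `## Allow initrc_t to transition to the specified domain.` for the summary and `## Domain that initrc_t may transition to.` for the parameter. It would also help to state in the summary that only the `process transition` permission is granted here; the execute and entrypoint rules a working transition additionally needs are not part of this interface, so a caller such as the pki.te use later in this commit must already have them from elsewhere. The enclosing hunk of the patch file begins before this hunk's first visible line.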
@@ -133574,7 +133604,7 @@ index d26fe81..83d92a5 100644
files_search_etc($1)
')
-@@ -999,7 +1192,9 @@ interface(`init_ptrace',`
+@@ -999,7 +1210,9 @@ interface(`init_ptrace',`
type init_t;
')
@@ -133585,7 +133615,7 @@ index d26fe81..83d92a5 100644
')
########################################
-@@ -1098,6 +1293,25 @@ interface(`init_getattr_all_script_files',`
+@@ -1098,6 +1311,25 @@ interface(`init_getattr_all_script_files',`
########################################
## <summary>
@@ -133611,7 +133641,7 @@ index d26fe81..83d92a5 100644
## Read all init script files.
## </summary>
## <param name="domain">
-@@ -1117,6 +1331,24 @@ interface(`init_read_all_script_files',`
+@@ -1117,6 +1349,24 @@ interface(`init_read_all_script_files',`
#######################################
## <summary>
@@ -133636,7 +133666,7 @@ index d26fe81..83d92a5 100644
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
-@@ -1168,12 +1400,7 @@ interface(`init_read_script_state',`
+@@ -1168,12 +1418,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -133650,7 +133680,7 @@ index d26fe81..83d92a5 100644
')
########################################
-@@ -1413,6 +1640,27 @@ interface(`init_dbus_send_script',`
+@@ -1413,6 +1658,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@@ -133678,7 +133708,7 @@ index d26fe81..83d92a5 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
-@@ -1499,6 +1747,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1499,6 +1765,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@@ -133704,17 +133734,20 @@ index d26fe81..83d92a5 100644
## Do not audit attempts to read init script
## status files.
## </summary>
-@@ -1557,6 +1824,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1557,15 +1842,33 @@ interface(`init_rw_script_tmp_files',`
########################################
## <summary>
+-## Create files in a init script
+-## temporary data directory.
+## Read and write init script inherited temporary data.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+ ## Domain allowed access.
+ ## </summary>
+ ## </param>
+-## <param name="file_type">
+#
+interface(`init_rw_inherited_script_tmp_files',`
+ gen_require(`
@@ -133726,19 +133759,26 @@ index d26fe81..83d92a5 100644
+
+########################################
+## <summary>
- ## Create files in a init script
- ## temporary data directory.
- ## </summary>
-@@ -1629,11 +1914,48 @@ interface(`init_read_utmp',`
++## Create files in a init script
++## temporary data directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="file_type">
+ ## <summary>
+ ## The type of the object to be created
+ ## </summary>
+@@ -1629,6 +1932,43 @@ interface(`init_read_utmp',`
########################################
## <summary>
--## Do not audit attempts to write utmp.
+## Read utmp.
- ## </summary>
- ## <param name="domain">
- ## <summary>
--## Domain to not audit.
++## </summary>
++## <param name="domain">
++## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
@@ -133772,15 +133812,10 @@ index d26fe81..83d92a5 100644
+
+########################################
+## <summary>
-+## Do not audit attempts to write utmp.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
- ## </summary>
- ## </param>
- #
-@@ -1717,7 +2039,7 @@ interface(`init_dontaudit_rw_utmp',`
+ ## Do not audit attempts to write utmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -1717,7 +2057,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -133789,7 +133824,7 @@ index d26fe81..83d92a5 100644
')
########################################
-@@ -1758,6 +2080,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1758,6 +2098,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -133923,7 +133958,7 @@ index d26fe81..83d92a5 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2241,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2259,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 06cbabb..8d57318 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -42379,10 +42379,13 @@ index 0000000..e9f259e
+ dbus_system_bus_client(obex_t)
+')
diff --git a/oddjob.fc b/oddjob.fc
-index 9c272c2..7e2287c 100644
+index 9c272c2..fbbe3ff 100644
--- a/oddjob.fc
+++ b/oddjob.fc
-@@ -1,7 +1,7 @@
+@@ -1,7 +1,10 @@
++
++/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0)
++
/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
@@ -42393,7 +42396,7 @@ index 9c272c2..7e2287c 100644
-
/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
diff --git a/oddjob.if b/oddjob.if
-index bd76ec2..dec6bc7 100644
+index bd76ec2..7de054a 100644
--- a/oddjob.if
+++ b/oddjob.if
@@ -22,6 +22,25 @@ interface(`oddjob_domtrans',`
@@ -42455,11 +42458,34 @@ index bd76ec2..dec6bc7 100644
########################################
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
-@@ -109,3 +147,41 @@ interface(`oddjob_run_mkhomedir',`
+@@ -109,3 +147,64 @@ interface(`oddjob_run_mkhomedir',`
oddjob_domtrans_mkhomedir($1)
role $2 types oddjob_mkhomedir_t;
')
+
++#######################################
++## <summary>
++## Execute oddjob in the oddjob domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`oddjob_systemctl',`
++ gen_require(`
++ type oddjob_unit_file_t;
++ type oddjob_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 oddjob_unit_file_t:file read_file_perms;
++ allow $1 oddjob_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, oddjob_t)
++')
++
+########################################
+## <summary>
+## Create a domain which can be started by init,
@@ -42498,10 +42524,20 @@ index bd76ec2..dec6bc7 100644
+ ')
+')
diff --git a/oddjob.te b/oddjob.te
-index a17ba31..467700e 100644
+index a17ba31..edc3e32 100644
--- a/oddjob.te
+++ b/oddjob.te
-@@ -51,9 +51,9 @@ mcs_process_set_categories(oddjob_t)
+@@ -24,6 +24,9 @@ oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
+ type oddjob_var_run_t;
+ files_pid_file(oddjob_var_run_t)
+
++type oddjob_unit_file_t;
++systemd_unit_file(oddjob_unit_file_t)
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -51,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
selinux_compute_create_context(oddjob_t)
@@ -42513,7 +42549,7 @@ index a17ba31..467700e 100644
locallogin_dontaudit_use_fds(oddjob_t)
-@@ -78,13 +78,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+@@ -78,13 +81,10 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(oddjob_mkhomedir_t)
@@ -42527,7 +42563,7 @@ index a17ba31..467700e 100644
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
-@@ -99,8 +96,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -99,8 +99,9 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -47062,10 +47098,10 @@ index 0000000..83c13cf
+
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..dfebbd9
+index 0000000..8bad28e
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,289 @@
+@@ -0,0 +1,292 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -47131,6 +47167,9 @@ index 0000000..dfebbd9
+domain_type(pki_tomcat_script_t)
+role system_r types pki_tomcat_script_t;
+
++# FIXME: workaround for F17->F18 upgrade
++init_transition_initrc_to(pki_tomcat_script_t)
++
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
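Review bot: The comment `++# FIXME: workaround for F17->F18 upgrade` above `init_transition_initrc_to(pki_tomcat_script_t)` does not say what breaks during the upgrade or under what condition the rule can be removed, so a later maintainer cannot tell whether the workaround is still needed. Since the rule lets initrc_t transition into a domain that the adjacent `optional_policy` block makes unconfined, the removal condition matters. Suggest extending it to `# FIXME: workaround for F17->F18 upgrade; drop once <removal condition — fill in>, see <bug reference — fill in>`.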
@@ -55366,10 +55405,10 @@ index 0000000..e38693b
+')
diff --git a/realmd.te b/realmd.te
new file mode 100644
-index 0000000..e9df76a
+index 0000000..97e946e
--- /dev/null
+++ b/realmd.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,139 @@
+policy_module(realmd, 1.0.0)
+
+########################################
@@ -55492,6 +55531,23 @@ index 0000000..e9df76a
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
+')
++
++#####################################
++#
++# realmd consolehelper local policy
++#
++
++
++optional_policy(`
++ userhelper_console_role_template(realmd, system_r, realmd_t)
++ authconfig_manage_lib_files(realmd_consolehelper_t)
++
++ oddjob_systemctl(realmd_consolehelper_t)
++
++ unconfined_domain_noaudit(realmd_consolehelper_t)
++')
++
++
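Review bot: The new realmd consolehelper block ends with `unconfined_domain_noaudit(realmd_consolehelper_t)`, which makes the freshly created domain unconfined and therefore subsumes the two specific grants above it, `authconfig_manage_lib_files(realmd_consolehelper_t)` and `oddjob_systemctl(realmd_consolehelper_t)`; a comment should say this is a deliberate first step and that those two lines document the intended final scope, e.g. `# Initial policy: the domain runs unconfined; the rules above are the intended confined set.` The block also wraps interfaces from four different modules (userhelper, authconfig, oddjob, unconfined) in a single `optional_policy`, whereas the rest of the file uses one block per module; if any one of those modules is unavailable the whole block, including the `userhelper_console_role_template` call that defines `realmd_consolehelper_t`, appears to be dropped together. Splitting it into per-module blocks, with the template call outside, avoids that. The two pairs of consecutive blank lines (before the first `optional_policy(` and at the end of the file) are a style nit.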
diff --git a/remotelogin.te b/remotelogin.te
index 0a76027..18f59a7 100644
--- a/remotelogin.te
@@ -67142,7 +67198,7 @@ index 0000000..dd2ac36
+
diff --git a/svnserve.te b/svnserve.te
new file mode 100644
-index 0000000..ba40a17
+index 0000000..1a2e9f1
--- /dev/null
+++ b/svnserve.te
@@ -0,0 +1,53 @@
@@ -67186,9 +67242,9 @@ index 0000000..ba40a17
+files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
+
+corenet_udp_bind_generic_node(svnserve_t)
-+#corenet_tcp_connect_svn_port(svnserve_t)
-+#corenet_tcp_bind_svn_port(svnserve_t)
-+#corenet_udp_bind_svn_port(svnserve_t)
++corenet_tcp_connect_svn_port(svnserve_t)
++corenet_tcp_bind_svn_port(svnserve_t)
++corenet_udp_bind_svn_port(svnserve_t)
+
+domain_use_interactive_fds(svnserve_t)
+
@@ -72150,7 +72206,7 @@ index 6f0736b..882e76b 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..051f330 100644
+index 947bbc6..450e551 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -72844,7 +72900,7 @@ index 947bbc6..051f330 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +664,626 @@ dev_write_sound(virt_domain)
+@@ -438,34 +664,631 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -72903,7 +72959,7 @@ index 947bbc6..051f330 100644
virt_read_content(virt_domain)
virt_stream_connect(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
- ')
++')
+
+optional_policy(`
+ xserver_rw_shm(virt_domain)
@@ -73303,7 +73359,7 @@ index 947bbc6..051f330 100644
+
+optional_policy(`
+ udev_read_pid_files(svirt_lxc_domain)
-+')
+ ')
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
@@ -73418,7 +73474,7 @@ index 947bbc6..051f330 100644
+# virt_qemu_ga local policy
+#
+
-+allow virt_qemu_ga_t self:capability sys_tty_config;
++allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
+
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
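Review bot: The changed line `++allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };` adds `sys_admin`, one of the broadest capabilities, with no comment saying which guest-agent operation needs it; reviewers auditing this domain later will have no way to judge whether it is still required. The mountpoint rules added in the following hunk (`files_list_all_mountpoints`, `files_write_all_mountpoints`, `fs_list_all`) suggest a filesystem-level operation, but that is an inference and should be confirmed by the author. Suggest a one-line comment above the allow rule, e.g. `# sys_admin: required for <guest agent operation — confirm>`, and the same kind of justification next to `files_write_all_mountpoints` and `term_use_unallocated_ttys` in the next hunk, which are likewise broad grants.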
@@ -73437,8 +73493,13 @@ index 947bbc6..051f330 100644
+
+dev_rw_sysfs(virt_qemu_ga_t)
+
++files_list_all_mountpoints(virt_qemu_ga_t)
++files_write_all_mountpoints(virt_qemu_ga_t)
++fs_list_all(virt_qemu_ga_t)
++
+term_use_virtio_console(virt_qemu_ga_t)
+term_use_all_ttys(virt_qemu_ga_t)
++term_use_unallocated_ttys(virt_qemu_ga_t)
+
+logging_send_syslog_msg(virt_qemu_ga_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ec1766d..0ef65b7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 79%{?dist}
+Release: 80%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Feb 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-80
+- Update virt_qemu_ga_t policy
+- Allow authconfig running from realmd to restart oddjob service
+- Add systemd support for oddjob
+- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd
+
* Tue Feb 19 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-79
- Fix condor policy
- Add labeling for gnashpluginrc