[selinux-policy/f18] - Make systemd_hostnamed_t as unconfined domain in F18 - Call rhcs_manage_cluster_pid_files() instea

Miroslav Grepl mgrepl at fedoraproject.org
Fri Mar 8 15:12:02 UTC 2013


commit 7d08f6be4892e9b835568d5adfd7dabd913628f4
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Mar 8 16:10:54 2013 +0100

    - Make systemd_hostnamed_t as unconfined domain in F18
    - Call rhcs_manage_cluster_pid_files() instead of rgmanger_manage_pid_files() i
    - Allow sshd to stream connect to an lxc domain
    - Allow nsswitch_domains to read /etc/hostname
    - xdm_t will try to list any directory mounted, we should just dontaudit them
    - Fix systemd_filetrans_named_content() interface
    - Allow postgresql to manage rgmanager pid files
    - Allow postgresql to read ccs data
    - Allow systemd_domain to send dbus messages to policykit
    - Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostname
    - All systemd domains that create content are reading the file_context file and
    - Systemd domains need to search through init_var_run_t
    - Allow sshd to communicate with libvirt to set containers labels
    - Add labeling for /var/run/hplip
    - Allow iscsid to read /dev/urandom
    - Allow sshd to log a user directly into a container
    - Allow screen domains to configure tty and setup sock_file in ~/.screen direct
    - Allow setroubleshoot to read default_context_t, needed to backport to F18
    - Label /etc/owncloud as being an apache writable directory
    - Add interface to manage pid files
    - Allow NetworkManager_t to read /etc/hostname
    - Allow virtual machines to setrlimit and send itself signals.
    - Dontaudit chrome_sandbox_nacl_t using user terminals
    - Allow gluster to manage all directories as well as files

 policy-f18-base.patch    |  172 +++++++++++++++++++++++++++++++++-----------
 policy-f18-contrib.patch |  178 +++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec      |   28 +++++++-
 3 files changed, 283 insertions(+), 95 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 21a4bcc..36bfede 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -127087,7 +127087,7 @@ index ecef19f..5213ad7 100644
 +	postgresql_filetrans_named_content($1)
  ')
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4318f73..612e37c 100644
+index 4318f73..67baac4 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,25 +19,32 @@ gen_require(`
@@ -127100,15 +127100,15 @@ index 4318f73..612e37c 100644
 +##	<p>
 +##	Allow postgresql to use ssh and rsync for point-in-time recovery
 +##	</p>
- ## </desc>
--gen_tunable(sepgsql_enable_users_ddl, true)
++## </desc>
 +gen_tunable(postgresql_can_rsync, false)
 +
 +## <desc>
 +##	<p>
 +##	Allow unprivileged users to execute DDL statement
 +##	</p>
-+## </desc>
+ ## </desc>
+-gen_tunable(sepgsql_enable_users_ddl, true)
 +gen_tunable(postgresql_selinux_users_ddl, true)
  
  ## <desc>
@@ -127190,16 +127190,27 @@ index 4318f73..612e37c 100644
  
  seutil_libselinux_linked(postgresql_t)
  seutil_read_default_contexts(postgresql_t)
-@@ -366,7 +372,7 @@ optional_policy(`
+@@ -363,10 +369,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t)
+ userdom_dontaudit_use_user_terminals(postgresql_t)
+ 
+ optional_policy(`
++	ccs_read_config(postgresql_t)
++')
++
++optional_policy(`
  	mta_getattr_spool(postgresql_t)
  ')
  
 -tunable_policy(`allow_execmem',`
++optional_policy(`
++	rgmanager_manage_pid_files(postgresql_t)
++')
++
 +tunable_policy(`deny_execmem',`',`
  	allow postgresql_t self:process execmem;
  ')
  
-@@ -484,10 +490,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
+@@ -484,10 +498,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin
  # It is always allowed to operate temporary objects for any database client.
  allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
  
@@ -127256,7 +127267,7 @@ index 4318f73..612e37c 100644
  	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
  ')
  
-@@ -535,7 +583,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+@@ -535,7 +591,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
  
@@ -127265,7 +127276,7 @@ index 4318f73..612e37c 100644
  	allow sepgsql_admin_type sepgsql_database_type:db_database *;
  
  	allow sepgsql_admin_type sepgsql_schema_type:db_schema *;
-@@ -588,3 +636,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
+@@ -588,3 +644,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
  allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
  
  kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
@@ -127955,7 +127966,7 @@ index fe0c682..da12170 100644
 +	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index b17e27a..f73da31 100644
+index b17e27a..7bf776d 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0)
@@ -128301,7 +128312,7 @@ index b17e27a..f73da31 100644
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -283,6 +336,32 @@ optional_policy(`
+@@ -283,13 +336,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -128334,7 +128345,14 @@ index b17e27a..f73da31 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -290,6 +369,29 @@ optional_policy(`
+ optional_policy(`
++	kernel_write_proc_files(sshd_t)
++	virt_transition_svirt_lxc(sshd_t, system_r)
++	virt_stream_connect_lxc(sshd_t)
++	virt_stream_connect(sshd_t)
++')
++
++optional_policy(`
  	xserver_domtrans_xauth(sshd_t)
  ')
  
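Review bot: `kernel_write_proc_files(sshd_t)` in the added optional_policy block gives the network-facing sshd_t domain write access to generic /proc files on every host where the virt module is loaded, with no boolean to switch it off where container logins are never used. The same block also adds `virt_transition_svirt_lxc(sshd_t, system_r)` and two stream-connect grants unconditionally. Consider placing the four calls under a tunable_policy() conditional (boolean name to be chosen) so the default policy leaves sshd_t unchanged. Failing that, a comment above the /proc grant should record which file sshd writes and why, e.g. `# sshd writes under /proc to enter the container (confirm exact file)`.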
@@ -128364,7 +128382,7 @@ index b17e27a..f73da31 100644
  ########################################
  #
  # ssh_keygen local policy
-@@ -298,19 +400,26 @@ optional_policy(`
+@@ -298,19 +407,26 @@ optional_policy(`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -128392,7 +128410,7 @@ index b17e27a..f73da31 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -327,9 +436,11 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -327,9 +443,11 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -128406,7 +128424,7 @@ index b17e27a..f73da31 100644
  ')
  
  optional_policy(`
-@@ -339,3 +450,124 @@ optional_policy(`
+@@ -339,3 +457,124 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -139334,7 +139352,7 @@ index 4584457..300c3f7 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..041c38f 100644
+index 63931f6..4dd812b 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -139535,7 +139553,7 @@ index 63931f6..041c38f 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +191,19 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -139545,7 +139563,7 @@ index 63931f6..041c38f 100644
  logging_send_syslog_msg(mount_t)
  
 -miscfiles_read_localization(mount_t)
- 
+-
  sysnet_use_portmap(mount_t)
  
  seutil_read_config(mount_t)
@@ -139557,7 +139575,7 @@ index 63931f6..041c38f 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +219,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -139597,7 +139615,7 @@ index 63931f6..041c38f 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +254,8 @@ optional_policy(`
+@@ -179,6 +253,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -139606,7 +139624,7 @@ index 63931f6..041c38f 100644
  ')
  
  optional_policy(`
-@@ -186,6 +263,28 @@ optional_policy(`
+@@ -186,6 +262,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -139626,6 +139644,10 @@ index 63931f6..041c38f 100644
 +')
 +
 +optional_policy(`
++	glusterd_domtrans(mount_t)
++')
++
++optional_policy(`
 +	hal_write_log(mount_t)
 +	hal_use_fds(mount_t)
 +	hal_dontaudit_rw_pipes(mount_t)
@@ -139635,7 +139657,7 @@ index 63931f6..041c38f 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +292,121 @@ optional_policy(`
+@@ -193,21 +295,121 @@ optional_policy(`
  	')
  ')
  
@@ -141938,10 +141960,13 @@ index ed363e1..808e49e 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..7917796
+index 0000000..d76b063
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,41 @@
++/etc/hostname			--		gen_context(system_u:object_r:hostname_etc_t,s0)
++/etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
++
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -141982,10 +142007,10 @@ index 0000000..7917796
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..a32bdce
+index 0000000..63dba69
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1006 @@
+@@ -0,0 +1,1028 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -142740,6 +142765,25 @@ index 0000000..a32bdce
 +	files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
 +')
 +
++########################################
++## <summary>
++##	Allow process to read hostname config file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_hostnamed_read_config',`
++	gen_require(`
++		type hostname_etc_t;
++	')
++
++	files_search_etc($1)
++	allow $1 hostname_etc_t:file read_file_perms;
++')
 +
 +########################################
 +## <summary>
@@ -142755,11 +142799,14 @@ index 0000000..a32bdce
 +	gen_require(`
 +		type systemd_passwd_var_run_t;
 +		type systemd_logind_var_run_t;
++		type hostname_etc_t;
 +	')
 +
 +	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
++	files_etc_filetrans($1, hostname_etc_t, file, "hostname" )
++	files_etc_filetrans($1, hostname_etc_t, file, "machine-info" )
 +')
 +
 +########################################
@@ -142994,10 +143041,10 @@ index 0000000..a32bdce
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..4c332d5
+index 0000000..957dd67
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,616 @@
+@@ -0,0 +1,653 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -143072,6 +143119,9 @@ index 0000000..4c332d5
 +type systemd_hostnamed_exec_t;
 +init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 +
++type hostname_etc_t;
++files_config_file(hostname_etc_t)
++
 +type systemd_timedated_t, systemd_domain;
 +type systemd_timedated_exec_t;
 +init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t)
@@ -143214,10 +143264,6 @@ index 0000000..4c332d5
 +')
 +
 +optional_policy(`
-+	policykit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
 +	rpm_dbus_chat(systemd_logind_t)
 +')
 +
@@ -143232,7 +143278,7 @@ index 0000000..4c332d5
 +#
 +
 +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
-+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
++allow systemd_passwd_agent_t self:process { setsockcreate };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
@@ -143353,9 +143399,6 @@ index 0000000..4c332d5
 +miscfiles_relabel_man_pages(systemd_tmpfiles_t)
 +miscfiles_delete_man_pages(systemd_tmpfiles_t)
 +
-+seutil_read_config(systemd_tmpfiles_t)
-+seutil_read_file_contexts(systemd_tmpfiles_t)
-+
 +ifdef(`distro_redhat',`
 +	userdom_list_user_home_content(systemd_tmpfiles_t)
 +	userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
@@ -143486,9 +143529,6 @@ index 0000000..4c332d5
 +
 +dev_write_kmsg(systemd_localed_t)
 +
-+seutil_read_config(systemd_localed_t)
-+seutil_read_file_contexts(systemd_localed_t)
-+
 +logging_stream_connect_syslog(systemd_localed_t)
 +logging_send_syslog_msg(systemd_localed_t)
 +
@@ -143506,13 +143546,17 @@ index 0000000..4c332d5
 +#
 +# Hostnamed policy
 +#
-+
-+dontaudit systemd_hostnamed_t self:capability sys_ptrace;
++dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };
 +
 +allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
 +
++manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
++files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
++
 +kernel_dgram_send(systemd_hostnamed_t)
 +
 +dev_write_kmsg(systemd_hostnamed_t)
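Review bot: The changed rule `dontaudit systemd_hostnamed_t self:capability { sys_admin sys_ptrace };` silences sys_admin denials without settling whether the daemon needs the capability. If hostnamed is expected to set the kernel hostname itself, which on Linux requires CAP_SYS_ADMIN, that call would now fail with no AVC record to explain it. If the capability really is not needed, a comment should say so, e.g. `# hostnamed requests sys_admin but works without it (confirm)`. The two added `files_etc_filetrans(...)` lines also carry a stray space before the closing parenthesis.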
@@ -143525,6 +143569,9 @@ index 0000000..4c332d5
 +logging_stream_connect_syslog(systemd_hostnamed_t)
 +logging_send_syslog_msg(systemd_hostnamed_t)
 +
++userdom_read_all_users_state(systemd_hostnamed_t)
++userdom_dbus_send_all_users(systemd_hostnamed_t)
++
 +optional_policy(`
 +        dbus_system_bus_client(systemd_hostnamed_t)
 +        dbus_connect_system_bus(systemd_hostnamed_t)
@@ -143536,7 +143583,7 @@ index 0000000..4c332d5
 +#
 +
 +allow systemd_timedated_t self:capability { sys_nice sys_time dac_override };
-+allow systemd_timedated_t self:process { getattr getsched signal setfscreate };
++allow systemd_timedated_t self:process { getattr getsched setfscreate };
 +allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
 +allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
 +allow systemd_timedated_t self:unix_dgram_socket create_socket_perms;
@@ -143569,8 +143616,6 @@ index 0000000..4c332d5
 +miscfiles_manage_localization(systemd_timedated_t)
 +miscfiles_etc_filetrans_localization(systemd_timedated_t)
 +
-+seutil_read_file_contexts(systemd_timedated_t)
-+
 +userdom_read_all_users_state(systemd_timedated_t)
 +
 +optional_policy(`
@@ -143609,11 +143654,50 @@ index 0000000..4c332d5
 +')
 +
 +optional_policy(`
-+	policykit_dbus_chat(systemd_timedated_t)
 +	policykit_domtrans_auth(systemd_timedated_t)
 +	policykit_read_lib(systemd_timedated_t)
 +	policykit_read_reload(systemd_timedated_t)
 +')
++
++########################################
++#
++# systemd_sysctl domains local policy
++#
++allow systemd_sysctl_t self:capability net_admin;
++allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
++
++kernel_dgram_send(systemd_sysctl_t)
++kernel_rw_all_sysctls(systemd_sysctl_t)
++
++files_read_system_conf_files(systemd_sysctl_t)
++
++dev_write_kmsg(systemd_sysctl_t)
++
++domain_use_interactive_fds(systemd_sysctl_t)
++
++init_stream_connect(systemd_sysctl_t)
++
++########################################
++#
++# Common rules for systemd domains
++#
++
++allow systemd_domain self:process { setfscreate signal_perms };
++files_read_etc_files(systemd_domain)
++files_read_etc_runtime_files(systemd_domain)
++files_read_usr_files(systemd_domain)
++
++init_search_pid_dirs(systemd_domain)
++
++logging_stream_connect_syslog(systemd_domain)
++
++seutil_read_config(systemd_domain)
++seutil_read_file_contexts(systemd_domain)
++
++optional_policy(`
++	policykit_dbus_chat(systemd_domain)
++')
++
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
 index 2575393..49fd32e 100644
 --- a/policy/modules/system/udev.fc
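Review bot: The new "Common rules for systemd domains" block grants `policykit_dbus_chat`, `seutil_read_file_contexts`, `seutil_read_config` and `self:process { setfscreate signal_perms }` to every type carrying the systemd_domain attribute. The lines this commit removes gave those permissions only to individual domains (systemd_logind_t, systemd_timedated_t, systemd_tmpfiles_t, systemd_localed_t), and systemd_passwd_agent_t previously had only `signal`, not the full signal_perms set. Any type added to the attribute later inherits all of this without a per-domain review. A comment above the block should make that explicit, e.g. `# Applies to every systemd_domain type; keep this list minimal.` Keeping `policykit_dbus_chat` on the domains that actually talk to policykit would be the tighter option.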
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index e05c39b..e35d55d 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -2160,7 +2160,7 @@ index 0000000..adcd6f4
 +        files_getattr_all_sockets(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..dcb9d6e 100644
+index fd9fa07..be8be7c 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,20 +1,37 @@
@@ -2174,7 +2174,7 @@ index fd9fa07..dcb9d6e 100644
 -/etc/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/cherokee(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/drupal.*				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/etc/owncloud/config\.php	--	gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/etc/owncloud(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/horde(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
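Review bot: Labelling `/etc/owncloud(/.*)?` as httpd_sys_rw_content_t makes the directory and every file under it writable by the web server, where the replaced entry limited write access to `config\.php`. A compromised web application could then create or replace any file in that configuration directory. If ownCloud only needs to write a known set of files there, listing them individually and leaving the rest of the tree read-only would be tighter. Otherwise a `#` comment above the entry should state which files require the wider label.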
@@ -8962,10 +8962,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..d1bd04c
+index 0000000..7dcfb29
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,202 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -9162,6 +9162,7 @@ index 0000000..d1bd04c
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 +userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
++userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
 +
 +optional_policy(`
 +	gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
@@ -14825,7 +14826,7 @@ index 0000000..33656de
 +	sysnet_domtrans_ifconfig(ctdbd_t)
 +')
 diff --git a/cups.fc b/cups.fc
-index 848bb92..85b210b 100644
+index 848bb92..0332f88 100644
 --- a/cups.fc
 +++ b/cups.fc
 @@ -15,28 +15,30 @@
@@ -14874,7 +14875,7 @@ index 848bb92..85b210b 100644
  
  /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -52,18 +54,32 @@
+@@ -52,18 +54,33 @@
  
  /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -14895,6 +14896,7 @@ index 848bb92..85b210b 100644
 -/var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 -/var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 +/var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
++/var/run/hplip(/.*)		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +/var/run/hp.*\.pid	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +/var/run/hp.*\.port	--	gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
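Review bot: The added entry `/var/run/hplip(/.*)` is missing the trailing `?`, so it matches paths below /var/run/hplip but not the directory itself, unlike the neighbouring `/var/run/cups(/.*)?` line. After a relabel the directory would keep whatever default label applies under /var/run, so cupsd may still be denied when creating files in it. Suggested line: `/var/run/hplip(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)`.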
@@ -24198,10 +24200,10 @@ index 0000000..e15bbb0
 +
 diff --git a/glusterd.te b/glusterd.te
 new file mode 100644
-index 0000000..b25e643
+index 0000000..63aa5b0
 --- /dev/null
 +++ b/glusterd.te
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,142 @@
 +policy_module(glusterd, 1.0.0)
 +
 +## <desc>
@@ -24340,8 +24342,9 @@ index 0000000..b25e643
 +')
 +
 +tunable_policy(`gluster_export_all_rw',`
-+        fs_manage_noxattr_fs_files(glusterd_t) 
-+        files_manage_non_security_files(glusterd_t)
++	fs_manage_noxattr_fs_files(glusterd_t) 
++	files_manage_non_security_dirs(glusterd_t)
++	files_manage_non_security_files(glusterd_t)
 +')
 diff --git a/gnome.fc b/gnome.fc
 index 00a19e3..52e5a3a 100644
@@ -28311,7 +28314,7 @@ index 14d9670..e94b352 100644
 +/usr/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/usr/sbin/iscsiuio	--  	gen_context(system_u:object_r:iscsid_exec_t,s0)
 diff --git a/iscsi.te b/iscsi.te
-index 8bcfa2f..f71614d 100644
+index 8bcfa2f..82dfe5b 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
@@ -28332,7 +28335,7 @@ index 8bcfa2f..f71614d 100644
  corenet_all_recvfrom_netlabel(iscsid_t)
  corenet_tcp_sendrecv_generic_if(iscsid_t)
  corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -75,14 +74,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+@@ -75,23 +74,23 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
  corenet_tcp_connect_http_port(iscsid_t)
  corenet_tcp_connect_iscsi_port(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
@@ -28342,15 +28345,16 @@ index 8bcfa2f..f71614d 100644
  dev_rw_userio_dev(iscsid_t)
 +dev_read_raw_memory(iscsid_t)
 +dev_write_raw_memory(iscsid_t)
++dev_read_urand(iscsid_t)
  
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
  
 -files_read_etc_files(iscsid_t)
- 
+-
  auth_use_nsswitch(iscsid_t)
  
-@@ -90,8 +91,6 @@ init_stream_connect_script(iscsid_t)
+ init_stream_connect_script(iscsid_t)
  
  logging_send_syslog_msg(iscsid_t)
  
@@ -40134,7 +40138,7 @@ index 2324d9e..b9c69d2 100644
 +	files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
  ')
 diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..52574f2 100644
+index 0619395..be8c8b2 100644
 --- a/networkmanager.te
 +++ b/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -40393,20 +40397,21 @@ index 0619395..52574f2 100644
  ')
  
  optional_policy(`
-@@ -254,6 +342,12 @@ optional_policy(`
+@@ -254,6 +342,13 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	systemd_write_inhibit_pipes(NetworkManager_t)
 +	systemd_read_logind_sessions_files(NetworkManager_t)
 +	systemd_dbus_chat_logind(NetworkManager_t)
++	systemd_hostnamed_read_config(NetworkManager_t)
 +')
 +
 +optional_policy(`
  	udev_exec(NetworkManager_t)
  	udev_read_db(NetworkManager_t)
  ')
-@@ -263,6 +357,7 @@ optional_policy(`
+@@ -263,6 +358,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -40414,7 +40419,7 @@ index 0619395..52574f2 100644
  ')
  
  ########################################
-@@ -284,6 +379,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -284,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
  init_dontaudit_use_fds(wpa_cli_t)
  init_use_script_ptys(wpa_cli_t)
  
@@ -44533,10 +44538,10 @@ index 0000000..6e20e72
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..ec227d2
+index 0000000..901198d
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,468 @@
+@@ -0,0 +1,482 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -44603,6 +44608,9 @@ index 0000000..ec227d2
 +type openshift_cgroup_read_exec_t;
 +application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
 +
++type openshift_cgroup_read_tmp_t, openshift_file_type;
++files_tmp_file(openshift_cgroup_read_tmp_t)
++
 +type openshift_cron_t;
 +type openshift_cron_exec_t;
 +domain_type(openshift_cron_t)
@@ -44880,6 +44888,7 @@ index 0000000..ec227d2
 +#
 +# Rules specific to openshift and openshift_app_t
 +#
++
 +kernel_read_vm_sysctls(openshift_t)
 +kernel_read_vm_sysctls(openshift_app_t)
 +kernel_search_vm_sysctl(openshift_t)
@@ -44906,11 +44915,20 @@ index 0000000..ec227d2
 +allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
 +allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
 +
++manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
++manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
++files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
++
++kernel_read_system_state(openshift_cgroup_read_t)
++
++miscfiles_read_localization(openshift_cgroup_read_t)
++
 +optional_policy(`
 +	ssh_use_ptys(openshift_cgroup_read_t)
 +')
 +
 +corecmd_exec_bin(openshift_cgroup_read_t)
++corecmd_exec_shell(openshift_cgroup_read_t)
 +
 +dev_read_urand(openshift_cgroup_read_t)
 +
@@ -44929,6 +44947,7 @@ index 0000000..ec227d2
 +
 +allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
 +
++fs_list_cgroup_dirs(openshift_cgroup_read_t)
 +fs_read_cgroup_files(openshift_cgroup_read_t)
 +
 +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
@@ -56627,7 +56646,7 @@ index 3c97ef0..91e69b8 100644
 +/var/run/heartbeat(/.*)?             gen_context(system_u:object_r:rgmanager_var_run_t,s0)
  /var/run/rgmanager\.pid			--	gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 diff --git a/rgmanager.if b/rgmanager.if
-index 7dc38d1..7d70a46 100644
+index 7dc38d1..8af1f78 100644
 --- a/rgmanager.if
 +++ b/rgmanager.if
 @@ -5,9 +5,9 @@
@@ -56651,7 +56670,33 @@ index 7dc38d1..7d70a46 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -75,3 +75,111 @@ interface(`rgmanager_manage_tmpfs_files',`
+@@ -38,6 +38,25 @@ interface(`rgmanager_stream_connect',`
+ 	stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+ ')
+ 
++########################################
++## <summary>
++##	Manage rgmanager pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rgmanager_manage_pid_files',`
++	gen_require(`
++		type rgmanager_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
++')
++
+ ######################################
+ ## <summary>
+ ##	Allow manage rgmanager tmp files.
+@@ -75,3 +94,111 @@ interface(`rgmanager_manage_tmpfs_files',`
  	fs_search_tmpfs($1)
  	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
  ')
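Review bot: The new `rgmanager_manage_pid_files` interface is documented as "Manage rgmanager pid files", but it applies `manage_files_pattern` to everything labelled rgmanager_var_run_t. The rgmanager.fc context shown earlier in this patch gives that type to `/var/run/heartbeat(/.*)?` as well as `rgmanager.pid`. Its visible caller, the optional_policy block added to postgresql.te in policy-f18-base.patch, therefore lets postgresql_t create, modify and delete the heartbeat run files too. The summary should say so, e.g. `##	Create, read, write and delete rgmanager_var_run_t files (pid and heartbeat run files).`, and the postgresql.te call should carry a comment stating why postgresql needs manage rather than read access.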
@@ -63509,7 +63554,7 @@ index c50a444..ee00be2 100644
 +        can_exec($1, screen_exec_t)
 +')
 diff --git a/screen.te b/screen.te
-index 2583626..86af6f6 100644
+index 2583626..49db984 100644
 --- a/screen.te
 +++ b/screen.te
 @@ -5,6 +5,8 @@ policy_module(screen, 2.5.0)
@@ -63521,7 +63566,7 @@ index 2583626..86af6f6 100644
  type screen_exec_t;
  application_executable_file(screen_exec_t)
  
-@@ -13,13 +15,84 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
+@@ -13,13 +15,86 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
  typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
  userdom_user_home_content(screen_home_t)
  
@@ -63541,7 +63586,8 @@ index 2583626..86af6f6 100644
 +# Local policy
 +#
 +
-+allow screen_domain self:capability { setuid setgid fsetid };
++allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
++dontaudit screen_domain self:capability dac_override;
 +allow screen_domain self:process signal_perms;
 +allow screen_domain self:fifo_file rw_fifo_file_perms;
 +allow screen_domain self:tcp_socket create_stream_socket_perms;
@@ -63560,6 +63606,7 @@ index 2583626..86af6f6 100644
 +allow screen_domain screen_home_t:dir list_dir_perms;
 +manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
 +manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
++manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t)
 +userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
 +userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
 +read_files_pattern(screen_domain, screen_home_t, screen_home_t)
@@ -64152,7 +64199,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..ab3ba4d 100644
+index 086cd5f..c09da74 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -64230,7 +64277,7 @@ index 086cd5f..ab3ba4d 100644
  
  term_dontaudit_use_all_ptys(setroubleshootd_t)
  term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,15 +112,15 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,27 +112,45 @@ auth_use_nsswitch(setroubleshootd_t)
  init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
@@ -64243,13 +64290,16 @@ index 086cd5f..ab3ba4d 100644
  logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
--
--modutils_read_module_config(setroubleshootd_t)
 +logging_stream_connect_syslog(setroubleshootd_t)
  
+-modutils_read_module_config(setroubleshootd_t)
+-
++seutil_read_bin_policy(setroubleshootd_t)
  seutil_read_config(setroubleshootd_t)
++seutil_read_default_contexts(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
-@@ -121,10 +129,27 @@ seutil_read_bin_policy(setroubleshootd_t)
+-seutil_read_bin_policy(setroubleshootd_t)
+ 
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -64277,7 +64327,7 @@ index 086cd5f..ab3ba4d 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -150,11 +175,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -150,11 +176,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -64295,7 +64345,7 @@ index 086cd5f..ab3ba4d 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,9 +192,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,9 +193,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
@@ -70781,10 +70831,10 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..01ed6d3 100644
+index db9d2a5..cadecaa 100644
 --- a/tuned.te
 +++ b/tuned.te
-@@ -12,53 +12,113 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+@@ -12,53 +12,114 @@ init_daemon_domain(tuned_t, tuned_exec_t)
  type tuned_initrc_exec_t;
  init_script_file(tuned_initrc_exec_t)
  
@@ -70853,6 +70903,7 @@ index db9d2a5..01ed6d3 100644
 +dev_dontaudit_getattr_all(tuned_t)
  dev_read_urand(tuned_t)
 -dev_read_sysfs(tuned_t)
++dev_read_cpuid(tuned_t)
 +dev_rw_sysfs(tuned_t)
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
@@ -72282,7 +72333,7 @@ index 2124b6a..014e40c 100644
 +/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
 +/var/log/qemu-ga\.log           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
 diff --git a/virt.if b/virt.if
-index 6f0736b..882e76b 100644
+index 6f0736b..2fbc418 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,67 +13,30 @@
@@ -72716,7 +72767,7 @@ index 6f0736b..882e76b 100644
  ')
  
  ########################################
-@@ -468,18 +636,70 @@ interface(`virt_manage_images',`
+@@ -468,20 +636,93 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -72789,13 +72840,36 @@ index 6f0736b..882e76b 100644
 +interface(`virt_ptrace',`
 +	gen_require(`
 +		attribute virt_domain;
- 	')
++	')
 +
 +	allow $1 virt_domain:process ptrace;
++')
++
++#######################################
++## <summary>
++##	Connect to virt over a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`virt_stream_connect_lxc',`
++	gen_require(`
++		attribute svirt_lxc_domain;
++		type svirt_lxc_file_t;
+ 	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain)
  ')
  
++
  ########################################
-@@ -502,10 +722,20 @@ interface(`virt_manage_images',`
+ ## <summary>
+ ##	All of the rules required to administrate
+@@ -502,10 +743,20 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
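Review bot: The summary of the new `virt_stream_connect_lxc` interface reads "Connect to virt over a unix domain stream socket", which is wording for the generic virt case and does not say that the target is the container domains. I would change it to `##	Connect to svirt lxc container domains over a unix domain stream socket.` so that callers see the scope. The grant covers every type in the `svirt_lxc_domain` attribute through `stream_connect_pattern`, so the description could also state that it is not limited to a single container type. `files_search_pids($1)` is only needed if the `svirt_lxc_file_t` sockets sit under the pid directory, which the hunk does not show and is worth confirming. The extra blank line added before the `virt_admin` header can be dropped.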
@@ -72817,7 +72891,7 @@ index 6f0736b..882e76b 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -517,4 +747,305 @@ interface(`virt_admin',`
+@@ -517,4 +768,305 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -73124,7 +73198,7 @@ index 6f0736b..882e76b 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..36ba28d 100644
+index 947bbc6..4c3ba2d 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -73732,7 +73806,7 @@ index 947bbc6..36ba28d 100644
 -allow virt_domain self:process { execmem execstack signal getsched signull };
 -allow virt_domain self:fifo_file rw_file_perms;
 +allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { signal getsched signull };
++allow virt_domain self:process { setrlimit signal_perms getsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
  allow virt_domain self:shm create_shm_perms;
  allow virt_domain self:unix_stream_socket create_stream_socket_perms;
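Review bot: The rewritten `allow virt_domain self:process { setrlimit signal_perms getsched };` line carries no comment explaining why every virt_domain type needs `setrlimit` and the full `signal_perms` set rather than the previous `signal` and `signull`. The rule applies to the whole attribute, so a one-line rationale makes later audits easier, for example `# setrlimit/signal_perms on self: needed by <component>, see <bug reference>`. Both additions are limited to `self`, so the scope is narrow. The rest of the virt_domain rule block lies outside this hunk.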
@@ -73819,7 +73893,7 @@ index 947bbc6..36ba28d 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,34 +665,642 @@ dev_write_sound(virt_domain)
+@@ -438,34 +665,646 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -73841,12 +73915,12 @@ index 947bbc6..36ba28d 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +sysnet_read_config(virt_domain)
 +
 +term_use_all_inherited_terms(virt_domain)
@@ -73923,7 +73997,7 @@ index 947bbc6..36ba28d 100644
 +    tunable_policy(`virt_use_sanlock',`
 +        sanlock_stream_connect(virt_domain)
 +    ')
- ')
++')
 +
 +tunable_policy(`virt_use_rawip',`
 +	allow virt_domain self:rawip_socket create_socket_perms;
@@ -74282,19 +74356,23 @@ index 947bbc6..36ba28d 100644
 +miscfiles_read_fonts(svirt_lxc_domain)
 +
 +optional_policy(`
++	apache_exec_modules(svirt_lxc_domain)
++	apache_read_sys_content(svirt_lxc_domain)
++')
++
++optional_policy(`
 +	mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
 +')
 +
 +systemd_read_unit_files(svirt_lxc_domain)
 +
 +optional_policy(`
-+	udev_read_pid_files(svirt_lxc_domain)
++	ssh_use_ptys(svirt_lxc_net_t)
 +')
 +
 +optional_policy(`
-+	apache_exec_modules(svirt_lxc_domain)
-+	apache_read_sys_content(svirt_lxc_domain)
-+')
++	udev_read_pid_files(svirt_lxc_domain)
+ ')
 +
 +virt_lxc_domain_template(svirt_lxc_net)
 +
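Review bot: The new `ssh_use_ptys(svirt_lxc_net_t)` block names a single type inside a run of rules that are otherwise written against the `svirt_lxc_domain` attribute, and it appears above the `virt_lxc_domain_template(svirt_lxc_net)` line that introduces that type's section. If the intent is that only network-enabled containers may use sshd ptys, I would move the block under the svirt_lxc_net section and add a comment such as `# sshd logs users directly into the container`. If every container type should get it, the argument should be `svirt_lxc_domain`, like the neighbouring rules. The section continues past the end of this hunk, so the final placement needs checking against the full file.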
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 362e687..ab902e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 83%{?dist}
+Release: 84%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,32 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Mar 8 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-84
+- Make systemd_hostnamed_t as unconfined domain in F18
+- Call rhcs_manage_cluster_pid_files() instead of rgmanger_manage_pid_files() interface
+- Allow sshd to stream connect to an lxc domain
+- Allow nsswitch_domains to read /etc/hostname
+- xdm_t will try to list any directory mounted, we should just dontaudit them
+- Fix systemd_filetrans_named_content() interface
+- Allow postgresql to manage rgmanager pid files
+- Allow postgresql to read ccs data
+- Allow systemd_domain to send dbus messages to policykit
+- Add labels for /etc/hostname and /etc/machine-info and allow systemd-hostnamed to create them
+- All systemd domains that create content are reading the file_context file and setfscreate
+- Systemd domains need to search through init_var_run_t
+- Allow sshd to communicate with libvirt to set containers labels
+- Add labeling for /var/run/hplip
+- Allow iscsid to read /dev/urandom
+- Allow sshd to log a user directly into a container
+- Allow screen domains to configure tty and setup sock_file in ~/.screen directory, dontaudit attempts to read /etc/shadow still need to dont audit dac_override
+- ALlow setroubleshoot to read default_context_t, needed to backport to F18
+- Label /etc/owncloud as being an apache writable directory
+- Add interface to manage pid files
+- Allow NetworkManger_t to read /etc/hostname
+- Allow virtual machines to setrlimit and send itself signals.
+- Dontaudit chrome_sandbox_nacl_t using user terminals
+- Allow gluster to manage all directories as well as files
+
 * Mon Mar 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-83
 - Fix iptables labels
 - Allow munin CGI scripts to append munin log file

