[selinux-policy/f18] - Allow abrt to manage mock build environments to catch build problems. - Allow virt_domains to sets

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 27 14:50:37 UTC 2013


commit ed9f9c61dd2d7f97f269eb965da695ad094ac27d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 27 15:50:15 2013 +0100

    - Allow abrt to manage mock build environments to catch build problems.
    - Allow virt_domains to setsched for running gdb on itself
    - Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
    - Allow cups_t to read inherited tmpfs_t from the kernel
    - Allow openshift_cron_t to look at quota
    - Allow cgred to send signal perms to itself, needs back port to RHEL6
    - Allow certwatch to execute /usr/bin/httpd
    - Allow yppasswdd to use NIS
    - Tuned wants sys_rawio capability
    - Allow thumb_t to execute user home content
    - Allow s-c-kdump to connect to syslogd
    - Allow condor domains block_suspend and dac_override caps
    - Allow condor_master to read passd
    - Allow condor_master to read system state
    - Allow mount to write keys for the unconfined domain
    - Add unconfined_write_keys() interface
    - Add labeling for /usr/share/pki
    - Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019 ports
    - Allow commands that are going to read mount pid files to search mount_var_run_t

 policy-f18-base.patch    |   60 ++++++++++----
 policy-f18-contrib.patch |  204 +++++++++++++++++++++++++++++-----------------
 selinux-policy.spec      |   25 +++++-
 3 files changed, 196 insertions(+), 93 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 73b2728..a8141d5 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -114463,7 +114463,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index fe2ee5e..e180b33 100644
+index fe2ee5e..9d3694c 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.0)
@@ -114659,7 +114659,7 @@ index fe2ee5e..e180b33 100644
 -network_port(milter) # no defined portcon
 +network_port(milter, tcp, 8891, s0) # no defined portcon
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
-+network_port(mongod, tcp,27017,s0)
++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
  network_port(monopd, tcp,1234,s0)
 +network_port(movaz_ssc, tcp,5252,s0)
  network_port(mpd, tcp,6600,s0)
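Review bot: `network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)` gives both ranges the same `mongod_port_t`, so every domain allowed to connect to the mongod port type can also reach whatever listens on 28017-28019; 28017 is conventionally the mongod HTTP status interface (wire port plus 1000), and if that is what these ports carry, a separate port type would let the two be granted independently. The commit message only lists the port numbers, so this is raised as something to confirm rather than a defect. A minor style point in the same line: `tcp,27017-27019,s0` has no space after the comma while `tcp, 28017-28019,s0` does; the neighbouring `network_port` entries use the former form.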
@@ -125547,10 +125547,10 @@ index 0000000..0e8654b
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..bac0dc0
+index 0000000..cf6582f
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,595 @@
+@@ -0,0 +1,613 @@
 +## <summary>Unconfiend user role</summary>
 +
 +########################################
@@ -125978,6 +125978,24 @@ index 0000000..bac0dc0
 +
 +########################################
 +## <summary>
++##	Write keys for the unconfined domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`unconfined_write_keys',`
++	gen_require(`
++		type unconfined_t;
++	')
++
++	allow $1 unconfined_t:key write;
++')
++
++########################################
++## <summary>
 +##	Send messages to the unconfined domain over dbus.
 +## </summary>
 +## <param name="domain">
@@ -138488,7 +138506,7 @@ index f8eeecd..7cc1e43 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index fe3427d..2410a4e 100644
+index fe3427d..a3e8830 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
@@ -138515,7 +138533,15 @@ index fe3427d..2410a4e 100644
  /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
  
  /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
-@@ -75,8 +71,9 @@ ifdef(`distro_redhat',`
+@@ -51,6 +47,7 @@ ifdef(`distro_redhat',`
+ /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
+ 
++/usr/share/pki(/.*)?      	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ 
+@@ -75,8 +72,9 @@ ifdef(`distro_redhat',`
  
  /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
  /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
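Review bot: The new `/usr/share/pki(/.*)?` entry separates the path from `gen_context` with a run of spaces followed by a tab, whereas the surrounding entries in this block use tabs only; replacing the padding with tabs keeps the file's column alignment consistent. Labelling the whole tree cert_t makes it readable by every domain granted generic certificate read access, which is presumably intended for a shared public trust store but is worth confirming for anything under /usr/share/pki that is not a public certificate.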
@@ -139425,7 +139451,7 @@ index 4584457..0755e25 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..275bf01 100644
+index 63931f6..6f83f3c 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -139732,7 +139758,7 @@ index 63931f6..275bf01 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +297,121 @@ optional_policy(`
+@@ -193,21 +297,125 @@ optional_policy(`
  	')
  ')
  
@@ -139789,20 +139815,24 @@ index 63931f6..275bf01 100644
 +optional_policy(`
 +	usbmuxd_stream_connect(mount_t)
 +')
- 
- optional_policy(`
--	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
--	unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
 +	userhelper_exec_console(mount_t)
- ')
++')
 +
 +optional_policy(`
-+	virt_read_blk_images(mount_t)
++	unconfined_write_keys(mount_t)
 +')
 +
 +optional_policy(`
-+	vmware_exec_host(mount_t)
++	virt_read_blk_images(mount_t)
 +')
+ 
+ optional_policy(`
+-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+-	unconfined_domain(unconfined_mount_t)
++	vmware_exec_host(mount_t)
+ ')
 +
 +######################################
 +#
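Review bot: `unconfined_write_keys(mount_t)` is inserted between the `userhelper_exec_console` and `virt_read_blk_images` blocks, but the optional_policy blocks in this region appear to be kept in alphabetical order of the providing module (usbmuxd, userhelper, virt, vmware), so the new block belongs before `usbmuxd_stream_connect(mount_t)`. The remaining lines of the hunk only move the existing `vmware_exec_host` block down. The hunk ends inside the comment header that follows, so the section it introduces is not visible here.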
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index e51d3db..c3c264b 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -367,7 +367,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..d183b7e 100644
+index 30861ec..aa15e08 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -677,7 +677,7 @@ index 30861ec..d183b7e 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +331,150 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +331,151 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -767,6 +767,7 @@ index 30861ec..d183b7e 100644
 +
 +optional_policy(`
 +	mock_domtrans(abrt_retrace_worker_t)
++	mock_manage_lib_files(abrt_t)
 +')
 +
 +########################################
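Review bot: `mock_manage_lib_files(abrt_t)` gives the abrt daemon domain create, write and delete access over the mock build roots, while the commit message describes the purpose as catching build problems, which reads as inspection; if abrt only needs to read results, a read-only mock interface (where the mock module provides one) would keep a compromised abrt_t from altering build environments that feed package builds. The block is also shared with `mock_domtrans(abrt_retrace_worker_t)`, so two different subjects now live in one optional_policy block; splitting them, or a comment such as `# abrt_t inspects and cleans up mock chroots — TODO confirm write need`, would make the intent clear. The enclosing optional_policy block is fully visible in the hunk.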
@@ -8384,7 +8385,7 @@ index c3e3f79..8dcec07 100644
 +	unconfined_domain(certmonger_unconfined_t)
 +')
 diff --git a/certwatch.te b/certwatch.te
-index e07cef5..2f5dd78 100644
+index e07cef5..86a8b81 100644
 --- a/certwatch.te
 +++ b/certwatch.te
 @@ -17,6 +17,9 @@ role system_r types certwatch_t;
@@ -8397,7 +8398,7 @@ index e07cef5..2f5dd78 100644
  dev_read_urand(certwatch_t)
  
  files_read_etc_files(certwatch_t)
-@@ -27,15 +30,15 @@ files_list_tmp(certwatch_t)
+@@ -27,17 +30,18 @@ files_list_tmp(certwatch_t)
  fs_list_inotifyfs(certwatch_t)
  
  auth_manage_cache(certwatch_t)
@@ -8415,7 +8416,10 @@ index e07cef5..2f5dd78 100644
 +userdom_dontaudit_list_admin_dir(certwatch_t)
  
  optional_policy(`
++	apache_exec(certwatch_t)
  	apache_exec_modules(certwatch_t)
+ 	apache_read_config(certwatch_t)
+ ')
 diff --git a/cfengine.fc b/cfengine.fc
 new file mode 100644
 index 0000000..4c52fa3
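Review bot: `apache_exec(certwatch_t)` runs /usr/bin/httpd in the certwatch_t domain with no transition, so every access httpd makes during that invocation (config, logs, modules) is checked against certwatch_t, and any further denials will show up under certwatch rather than under the httpd domain. If the invocation is a one-off query (the existing `apache_exec_modules` and `apache_read_config` suggest a configuration or module listing), a comment above the line recording the exact command would help, e.g. `# certwatch runs httpd directly (no domtrans) to <purpose> — TODO confirm`. The enclosing optional_policy block is fully visible in the hunk.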
@@ -8737,7 +8741,7 @@ index 33facaf..11700ae 100644
  	admin_pattern($1, cgrules_etc_t)
  	files_list_etc($1)
 diff --git a/cgroup.te b/cgroup.te
-index 806191a..06ea735 100644
+index 806191a..c0df94c 100644
 --- a/cgroup.te
 +++ b/cgroup.te
 @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -8782,10 +8786,10 @@ index 806191a..06ea735 100644
  #
  # cgred personal policy.
  #
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
  
 -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
@@ -11805,10 +11809,10 @@ index 0000000..8424fdb
 +')
 diff --git a/condor.te b/condor.te
 new file mode 100644
-index 0000000..3558844
+index 0000000..f31a2e8
 --- /dev/null
 +++ b/condor.te
-@@ -0,0 +1,244 @@
+@@ -0,0 +1,264 @@
 +policy_module(condor, 1.0.0)
 +
 +########################################
@@ -11867,6 +11871,9 @@ index 0000000..3558844
 +# condor domain local policy
 +#
 +
++allow condor_domain self:capability dac_override;
++allow condor_domain self:capability2 block_suspend;
++
 +allow condor_domain self:process signal_perms;
 +allow condor_domain self:fifo_file rw_fifo_file_perms;
 +
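Review bot: `allow condor_domain self:capability dac_override;` grants the DAC-bypass capability to every domain carrying the condor_domain attribute, and the hunk at L276-L284 relies on that by dropping it from condor_master_t's own set; dac_override commonly masks a file ownership or mode problem, and dac_read_search is frequently all that is needed. If only some condor domains produced the denial, scope the rule to those types, or record the operation in a comment above the line, e.g. `# dac_override: <which condor daemon/file> — TODO confirm`. The `capability2 block_suspend` grant on the next line is fine as written.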
@@ -11932,7 +11939,7 @@ index 0000000..3558844
 +# condor master local policy
 +#
 +
-+allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++allow condor_master_t self:capability { setuid setgid sys_ptrace };
 +
 +allow condor_master_t condor_domain:process { sigkill signal };
 +
@@ -11940,12 +11947,24 @@ index 0000000..3558844
 +manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
 +files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
 +
++can_exec(condor_master_t, condor_master_exec_t)
++
++kernel_read_system_state(condor_master_tmp_t)
++
++corenet_udp_sendrecv_generic_if(condor_master_t)
++corenet_udp_sendrecv_generic_node(condor_master_t)
++corenet_tcp_bind_generic_node(condor_master_t)
++corenet_udp_bind_generic_node(condor_master_t)
++
++corenet_sendrecv_condor_server_packets(condor_master_t)
 +corenet_tcp_bind_condor_port(condor_master_t)
 +corenet_udp_bind_condor_port(condor_master_t)
 +corenet_tcp_connect_amqp_port(condor_master_t)
 +
 +domain_read_all_domains_state(condor_master_t)
 +
++auth_read_passwd(condor_master_t)
++
 +optional_policy(`
 +	mta_send_mail(condor_master_t)
 +	mta_read_config(condor_master_t)
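Review bot: `kernel_read_system_state(condor_master_tmp_t)` passes the tmp file type where the interface expects the subject domain; the commit message entry "Allow condor_master to read system state" indicates `kernel_read_system_state(condor_master_t)` was meant. As written the rule grants the process nothing, since a file type never appears as the source of an access check, so the denial that motivated the change will persist. The enclosing optional_policy block for the `mta_` calls continues past the end of the hunk.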
@@ -12000,6 +12019,11 @@ index 0000000..3558844
 +
 +allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
 +
++allow condor_schedd_t condor_master_tmp_t:dir getattr;  
++
++domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
++domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
++
 +manage_dirs_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 +manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
 +files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
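Review bot: `allow condor_schedd_t condor_master_tmp_t:dir getattr;` ends in two trailing spaces, which the rest of the file does not have; trim them. Neither this rule nor the two new `domtrans_pattern` transitions into condor_procd_t and condor_startd_t are mentioned in the commit message, so a changelog line such as `- Allow condor_schedd to transition to condor_procd and condor_startd` would make the change traceable.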
@@ -15173,7 +15197,7 @@ index 305ddf4..ca832e1 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index e5a8924..2baae57 100644
+index e5a8924..5ca2d2b 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -1,22 +1,28 @@
@@ -15406,7 +15430,7 @@ index e5a8924..2baae57 100644
  corenet_tcp_bind_ipp_port(cupsd_t)
  corenet_udp_bind_ipp_port(cupsd_t)
  corenet_udp_bind_howl_port(cupsd_t)
-@@ -185,60 +211,61 @@ corenet_tcp_bind_reserved_port(cupsd_t)
+@@ -185,60 +211,62 @@ corenet_tcp_bind_reserved_port(cupsd_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
  corenet_tcp_bind_all_rpc_ports(cupsd_t)
  corenet_tcp_connect_all_ports(cupsd_t)
@@ -15486,6 +15510,7 @@ index e5a8924..2baae57 100644
 +fs_search_fusefs(cupsd_t)
 +fs_read_anon_inodefs_files(cupsd_t)
 +fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
 +
 +mls_fd_use_all_levels(cupsd_t)
 +mls_file_downgrade(cupsd_t)
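Review bot: `fs_rw_inherited_tmpfs_files(cupsd_t)` grants write as well as read on inherited tmpfs files, whereas the commit message describes the need as reading them; if the denial was read-only, a read-only inherited-tmpfs interface (if the filesystem module provides one) is the tighter grant, otherwise the changelog entry should say read/write. The commit message also names the domain cups_t while the rule, correctly for this file, uses cupsd_t.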
@@ -15500,7 +15525,7 @@ index e5a8924..2baae57 100644
  
  selinux_compute_access_vector(cupsd_t)
  selinux_validate_context(cupsd_t)
-@@ -251,30 +278,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -251,30 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t)
  auth_rw_faillog(cupsd_t)
  auth_use_nsswitch(cupsd_t)
  
@@ -15536,7 +15561,7 @@ index e5a8924..2baae57 100644
  
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
-@@ -287,6 +305,8 @@ optional_policy(`
+@@ -287,6 +306,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -15545,7 +15570,7 @@ index e5a8924..2baae57 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +317,10 @@ optional_policy(`
+@@ -297,8 +318,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -15556,7 +15581,7 @@ index e5a8924..2baae57 100644
  	')
  ')
  
-@@ -311,17 +333,28 @@ optional_policy(`
+@@ -311,17 +334,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15586,7 +15611,7 @@ index e5a8924..2baae57 100644
  ')
  
  optional_policy(`
-@@ -336,18 +369,18 @@ optional_policy(`
+@@ -336,18 +370,18 @@ optional_policy(`
  	udev_read_db(cupsd_t)
  ')
  
@@ -15611,7 +15636,7 @@ index e5a8924..2baae57 100644
  
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -360,9 +393,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
+@@ -360,9 +394,7 @@ manage_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
  manage_lnk_files_pattern(cupsd_config_t, cupsd_rw_etc_t, cupsd_rw_etc_t)
  files_var_filetrans(cupsd_config_t, cupsd_rw_etc_t, file)
  
@@ -15622,7 +15647,7 @@ index e5a8924..2baae57 100644
  
  manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
  manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-@@ -371,70 +402,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,70 +403,49 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -15706,7 +15731,7 @@ index e5a8924..2baae57 100644
  
  optional_policy(`
  	term_use_generic_ptys(cupsd_config_t)
-@@ -450,12 +460,19 @@ optional_policy(`
+@@ -450,12 +461,19 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(cupsd_config_t)
  	')
@@ -15727,7 +15752,7 @@ index e5a8924..2baae57 100644
  ')
  
  optional_policy(`
-@@ -467,8 +484,7 @@ optional_policy(`
+@@ -467,8 +485,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15737,7 +15762,7 @@ index e5a8924..2baae57 100644
  ')
  
  optional_policy(`
-@@ -489,231 +505,84 @@ optional_policy(`
+@@ -489,231 +506,84 @@ optional_policy(`
  
  ########################################
  #
@@ -15990,7 +16015,7 @@ index e5a8924..2baae57 100644
  
  ########################################
  #
-@@ -723,14 +592,12 @@ optional_policy(`
+@@ -723,14 +593,12 @@ optional_policy(`
  allow ptal_t self:capability { chown sys_rawio };
  dontaudit ptal_t self:capability sys_tty_config;
  allow ptal_t self:fifo_file rw_fifo_file_perms;
@@ -16006,7 +16031,7 @@ index e5a8924..2baae57 100644
  
  manage_dirs_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
  manage_files_pattern(ptal_t, ptal_var_run_t, ptal_var_run_t)
-@@ -743,29 +610,26 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -743,29 +611,26 @@ kernel_read_kernel_sysctls(ptal_t)
  kernel_list_proc(ptal_t)
  kernel_read_proc_symlinks(ptal_t)
  
@@ -18539,7 +18564,7 @@ index 0000000..332a1c9
 +')
 diff --git a/dirsrv-admin.te b/dirsrv-admin.te
 new file mode 100644
-index 0000000..a3d076f
+index 0000000..ab083cf
 --- /dev/null
 +++ b/dirsrv-admin.te
 @@ -0,0 +1,144 @@
@@ -18577,7 +18602,7 @@ index 0000000..a3d076f
 +#
 +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
 +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:process { setrlimit signal_perms };
 +
 +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
 +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
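Review bot: `allow dirsrvadmin_t self:process { setrlimit signal_perms };` adds signal_perms for the dirsrv admin domain, but none of the commit message entries mention dirsrv-admin; a changelog line such as `- Allow dirsrvadmin_t to send signals to itself` would keep the spec changelog and the patch in step. The hunk otherwise only updates the hash in the index line.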
@@ -22676,7 +22701,7 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 80026bb..4772c87 100644
+index 80026bb..43b014a 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
@@ -22697,7 +22722,7 @@ index 80026bb..4772c87 100644
  
  ## <desc>
  ## <p>
-@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false)
+@@ -28,15 +28,43 @@ gen_tunable(allow_ftpd_full_access, false)
  ## used for public file transfer services.
  ## </p>
  ## </desc>
@@ -22706,11 +22731,19 @@ index 80026bb..4772c87 100644
  
  ## <desc>
  ## <p>
-@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false)
- ## used for public file transfer services.
- ## </p>
- ## </desc>
--gen_tunable(allow_ftpd_use_nfs, false)
+-## Allow ftp servers to use nfs
+-## used for public file transfer services.
++## Allow samba to export ntfs/fusefs volumes.
++## </p>
++## </desc>
++gen_tunable(ftpd_use_fusefs, false)
++
++## <desc>
++##	<p>
++##	Determine whether ftpd can use NFS
++##	used for public file transfer services.
++##	</p>
++## </desc>
 +gen_tunable(ftpd_use_nfs, false)
 +
 +## <desc>
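Review bot: The `<desc>` for the new `ftpd_use_fusefs` tunable reads `## Allow samba to export ntfs/fusefs volumes.`, which is the samba tunable's text carried over; it should describe this tunable, e.g. `## Determine whether ftpd can use fusefs file systems.`, since this text is what boolean-listing tools show to administrators. The `ftpd_use_nfs` description that follows indents its lines with a tab after `##` while every other description in the hunk uses a single space. The new tunable is not mentioned in the commit message, and its `tunable_policy` block in the later hunk of this file (L616-L629) has a matching indentation problem, using eight spaces where the file uses tabs.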
@@ -22730,13 +22763,14 @@ index 80026bb..4772c87 100644
 +## <desc>
 +## <p>
 +## Allow ftp servers to connect to all ports > 1023
-+## </p>
-+## </desc>
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_ftpd_use_nfs, false)
 +gen_tunable(ftpd_connect_all_unreserved, false)
  
  ## <desc>
  ## <p>
-@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +98,14 @@ gen_tunable(sftpd_enable_homedirs, false)
  ## </desc>
  gen_tunable(sftpd_full_access, false)
  
@@ -22751,7 +22785,7 @@ index 80026bb..4772c87 100644
  type anon_sftpd_t;
  typealias anon_sftpd_t alias sftpd_anon_t;
  domain_type(anon_sftpd_t)
-@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +121,9 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
@@ -22761,7 +22795,7 @@ index 80026bb..4772c87 100644
  type ftpd_lock_t;
  files_lock_file(ftpd_lock_t)
  
-@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +154,10 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -22772,7 +22806,7 @@ index 80026bb..4772c87 100644
  ########################################
  #
  # anon-sftp local policy
-@@ -133,7 +169,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +176,7 @@ tunable_policy(`sftpd_anon_write',`
  # ftpd local policy
  #
  
@@ -22781,7 +22815,7 @@ index 80026bb..4772c87 100644
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
  allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +187,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +194,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
  manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
  manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -22789,7 +22823,7 @@ index 80026bb..4772c87 100644
  
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +198,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +205,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
  manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -22805,7 +22839,7 @@ index 80026bb..4772c87 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,14 +212,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -177,14 +219,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
@@ -22821,7 +22855,7 @@ index 80026bb..4772c87 100644
  corenet_all_recvfrom_netlabel(ftpd_t)
  corenet_tcp_sendrecv_generic_if(ftpd_t)
  corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -196,9 +230,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +237,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
  corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  corenet_tcp_bind_generic_port(ftpd_t)
@@ -22833,7 +22867,7 @@ index 80026bb..4772c87 100644
  corenet_sendrecv_ftp_server_packets(ftpd_t)
  
  domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +245,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +252,11 @@ fs_search_auto_mountpoints(ftpd_t)
  fs_getattr_all_fs(ftpd_t)
  fs_search_fusefs(ftpd_t)
  
@@ -22849,7 +22883,7 @@ index 80026bb..4772c87 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -226,42 +257,48 @@ logging_send_audit_msgs(ftpd_t)
+@@ -226,42 +264,55 @@ logging_send_audit_msgs(ftpd_t)
  logging_send_syslog_msg(ftpd_t)
  logging_set_loginuid(ftpd_t)
  
@@ -22881,6 +22915,13 @@ index 80026bb..4772c87 100644
  ')
  
 -tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_fusefs',`
++        fs_manage_fusefs_dirs(ftpd_t)
++        fs_manage_fusefs_files(ftpd_t)
++',`
++        fs_search_fusefs(ftpd_t)
++')
++
 +tunable_policy(`ftpd_use_nfs',`
  	fs_read_nfs_files(ftpd_t)
  	fs_read_nfs_symlinks(ftpd_t)
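Review bot: The else branch `fs_search_fusefs(ftpd_t)` in the new `tunable_policy(`ftpd_use_fusefs',` block duplicates the unconditional `fs_search_fusefs(ftpd_t)` visible as context in the earlier hunk of this file (L598-L606), so the `',`' branch can be dropped and the block reduced to the two `fs_manage_fusefs_*` calls. The added lines are indented with eight spaces while the `ftpd_use_nfs` block directly below uses tabs; the `ftpd_use_nfs` block continues past the end of the hunk.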
@@ -22908,7 +22949,7 @@ index 80026bb..4772c87 100644
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +307,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +321,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -22926,7 +22967,7 @@ index 80026bb..4772c87 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +349,35 @@ optional_policy(`
+@@ -309,10 +363,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -22963,7 +23004,7 @@ index 80026bb..4772c87 100644
  ')
  
  optional_policy(`
-@@ -347,16 +412,17 @@ optional_policy(`
+@@ -347,16 +426,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -22983,7 +23024,7 @@ index 80026bb..4772c87 100644
  
  ########################################
  #
-@@ -365,18 +431,35 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +445,35 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -23022,7 +23063,7 @@ index 80026bb..4772c87 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +491,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -30035,7 +30076,7 @@ index d6af9b0..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..6454b8f 100644
+index 0c52f60..0ea64e7 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
 @@ -7,25 +7,36 @@ policy_module(kdumpgui, 1.1.0)
@@ -30077,7 +30118,7 @@ index 0c52f60..6454b8f 100644
  
  files_manage_boot_files(kdumpgui_t)
  files_manage_boot_symlinks(kdumpgui_t)
-@@ -36,28 +47,53 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -36,28 +47,54 @@ files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
  files_read_usr_files(kdumpgui_t)
  
@@ -30094,6 +30135,7 @@ index 0c52f60..6454b8f 100644
  logging_send_syslog_msg(kdumpgui_t)
 +logging_list_logs(kdumpgui_t)
 +logging_read_generic_logs(kdumpgui_t)
++logging_stream_connect_syslog(kdumpgui_t)
  
 -miscfiles_read_localization(kdumpgui_t)
 +mount_exec(kdumpgui_t)
@@ -35804,7 +35846,7 @@ index b397fde..aaf4cdf 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..4c03ada 100644
+index d4fcb75..710c1e6 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -36088,7 +36130,7 @@ index d4fcb75..4c03ada 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +423,60 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +423,62 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -36122,7 +36164,8 @@ index d4fcb75..4c03ada 100644
  miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
  
 -sysnet_dns_name_resolve(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+ 
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
 +term_getattr_ptmx(mozilla_plugin_t)
@@ -36154,14 +36197,14 @@ index d4fcb75..4c03ada 100644
 -tunable_policy(`allow_execstack',`
 -	allow mozilla_plugin_t self:process { execstack };
 -')
--
++userdom_home_manager(mozilla_plugin_t)
+ 
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(mozilla_plugin_t)
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
 -')
-+userdom_home_manager(mozilla_plugin_t)
- 
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
@@ -36171,7 +36214,7 @@ index d4fcb75..4c03ada 100644
  ')
  
  optional_policy(`
-@@ -420,26 +485,45 @@ optional_policy(`
+@@ -420,26 +487,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36221,7 +36264,7 @@ index d4fcb75..4c03ada 100644
  ')
  
  optional_policy(`
-@@ -447,10 +531,121 @@ optional_policy(`
+@@ -447,10 +533,121 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -40695,7 +40738,7 @@ index abe3f7f..1112fae 100644
 +	allow $1 nis_unit_file_t:service all_service_perms;
  ')
 diff --git a/nis.te b/nis.te
-index f27899c..f1dd1fa 100644
+index f27899c..4dd251e 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -40785,7 +40828,7 @@ index f27899c..f1dd1fa 100644
  
  sysnet_read_config(yppasswdd_t)
  
-@@ -211,6 +217,10 @@ optional_policy(`
+@@ -211,6 +217,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40793,10 +40836,14 @@ index f27899c..f1dd1fa 100644
 +')
 +
 +optional_policy(`
++	nis_use_ypbind(yppasswdd_t)
++')
++
++optional_policy(`
  	seutil_sigchld_newrole(yppasswdd_t)
  ')
  
-@@ -247,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -247,7 +261,6 @@ kernel_read_kernel_sysctls(ypserv_t)
  kernel_list_proc(ypserv_t)
  kernel_read_proc_symlinks(ypserv_t)
  
@@ -40804,7 +40851,7 @@ index f27899c..f1dd1fa 100644
  corenet_all_recvfrom_netlabel(ypserv_t)
  corenet_tcp_sendrecv_generic_if(ypserv_t)
  corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -279,7 +288,6 @@ files_read_etc_files(ypserv_t)
+@@ -279,7 +292,6 @@ files_read_etc_files(ypserv_t)
  
  logging_send_syslog_msg(ypserv_t)
  
@@ -40812,7 +40859,7 @@ index f27899c..f1dd1fa 100644
  
  nis_domtrans_ypxfr(ypserv_t)
  
-@@ -317,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -317,7 +329,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
  manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
  files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
  
@@ -40820,7 +40867,7 @@ index f27899c..f1dd1fa 100644
  corenet_all_recvfrom_netlabel(ypxfr_t)
  corenet_tcp_sendrecv_generic_if(ypxfr_t)
  corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -342,6 +349,5 @@ files_search_usr(ypxfr_t)
+@@ -342,6 +353,5 @@ files_search_usr(ypxfr_t)
  
  logging_send_syslog_msg(ypxfr_t)
  
@@ -44577,10 +44624,10 @@ index 0000000..6e20e72
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..4a02808
+index 0000000..c35f870
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,527 @@
+@@ -0,0 +1,531 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
@@ -45105,6 +45152,10 @@ index 0000000..4a02808
 +')
 +
 +optional_policy(`
++	quota_read_db(openshift_cron_t)
++')
++
++optional_policy(`
 +	ssh_exec_keygen(openshift_cron_t)
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
@@ -69842,10 +69893,10 @@ index 0000000..c5e890b
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..6eb48e3
+index 0000000..641b262
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,141 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -69943,6 +69994,7 @@ index 0000000..6eb48e3
 +userdom_dontaudit_setattr_user_tmp(thumb_t)
 +userdom_read_user_tmp_files(thumb_t)
 +userdom_read_user_home_content_files(thumb_t)
++userdom_exec_user_home_content_files(thumb_t)
 +userdom_write_user_tmp_files(thumb_t)
 +userdom_read_home_audio_files(thumb_t)
 +userdom_home_reader(thumb_t)
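Review bot: `userdom_exec_user_home_content_files(thumb_t)` lets the thumbnailer domain execute arbitrary files from users' home directories, which widens what a thumbnailer compromised through a malformed input file can do; the surrounding rules show this domain is meant to read home content, not run it. If the denial behind the changelog entry comes from one specific helper or plugin path, a narrower type for that location, or a `dontaudit` if the exec attempt is harmless, keeps the confinement. At minimum a comment above the line recording which program triggers it, e.g. `# thumbnailer execs <what> from $HOME — TODO confirm`, would help the next reviewer.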
@@ -70930,10 +70982,10 @@ index 54b8605..a04f013 100644
  	admin_pattern($1, tuned_var_run_t)
  ')
 diff --git a/tuned.te b/tuned.te
-index db9d2a5..cadecaa 100644
+index db9d2a5..9fd29b2 100644
 --- a/tuned.te
 +++ b/tuned.te
-@@ -12,53 +12,114 @@ init_daemon_domain(tuned_t, tuned_exec_t)
+@@ -12,53 +12,115 @@ init_daemon_domain(tuned_t, tuned_exec_t)
  type tuned_initrc_exec_t;
  init_script_file(tuned_initrc_exec_t)
  
@@ -70956,8 +71008,8 @@ index db9d2a5..cadecaa 100644
  #
  # tuned local policy
  #
--
-+allow tuned_t self:capability { sys_admin sys_nice };
+ 
++allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
  dontaudit tuned_t self:capability { dac_override sys_tty_config };
 +allow tuned_t self:process {  setsched signal };
 +allow tuned_t self:fifo_file rw_fifo_file_perms;
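Review bot: `allow tuned_t self:capability { sys_admin sys_nice sys_rawio };` adds sys_rawio with no record of which tuned plugin or operation needs raw I/O; sys_rawio is among the capabilities that can undermine the rest of the confinement, so the line deserves a comment naming the operation, e.g. `# sys_rawio: <tuned plugin/ioctl> — TODO confirm`, and the changelog entry "Tuned wants sys_rawio capability" could say the same. The other lines in the hunk only move a blank line.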
@@ -73299,7 +73351,7 @@ index 6f0736b..b83424b 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..3708791 100644
+index 947bbc6..1033949 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,97 @@ policy_module(virt, 1.5.0)
@@ -73907,7 +73959,7 @@ index 947bbc6..3708791 100644
 -allow virt_domain self:process { execmem execstack signal getsched signull };
 -allow virt_domain self:fifo_file rw_file_perms;
 +allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched };
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
 +allow virt_domain self:fifo_file rw_fifo_file_perms;
  allow virt_domain self:shm create_shm_perms;
  allow virt_domain self:unix_stream_socket create_stream_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 409c014..200626e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 87%{?dist}
+Release: 88%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -520,7 +520,28 @@ SELinux Reference policy mls base module.
 %{_usr}/share/selinux/mls/modules-contrib.lst
 %endif
 
-%changelog
+%Changelog
+* Wed Mar 27 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-88
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow openshift_cron_t to look at quota
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow certwatch to execut /usr/bin/httpd
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Allow thumb_t to execute user home content
+- Allow s-c-kdump to connect to syslogd
+- Allow condor domains block_suspend and dac_override caps
+- Allow condor_master to read passd
+- Allow condor_master to read system state
+- Allow mount to write keys for the unconfined domain
+- Add unconfined_write_keys() interface
+- Add labeling for /usr/share/pki
+- Add additional ports as mongod_port_t for  27018, 27019, 28017, 28018 and 28019 ports
+- Allow commands that are going to read mount pid files to search mount_var_run_t
+
 * Thu Mar 21 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-87
 - Allow commands that are going to read mount pid files to search mount_var_run_t
 - Make localectl set-x11-keymap working at all
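Review bot: `%Changelog` is not the spec section keyword; rpm section names are lowercase and the removed line had `%changelog`, so rpmbuild would no longer recognise the block that follows as the changelog (an unknown `%Changelog` token is parsed as a macro), which is likely to fail the build. Restore `%changelog`. The new entries also carry the typos `execut`, `inhered` and `passd` (`execute`, `inherited`, `passwd`), mirrored from the commit message.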

