[selinux-policy/f17] - Allow cupsd to read hplip lib files - Allow NM to create rawip socket - Allow ping to read networ
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Apr 4 06:21:22 UTC 2013
commit d4c6dc601fb92d03063ee9a7174244faab8a12cd
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Apr 4 08:21:07 2013 +0200
- Allow cupsd to read hplip lib files
- Allow NM to create rawip socket
- Allow ping to read network state.
- Add tcp/8891 as milter port
- New directories under ~/.cache
policy-F16.patch | 101 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 9 ++++-
2 files changed, 72 insertions(+), 38 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 03c047e..2d81e7a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65007,7 +65007,7 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..54acef1 100644
+index e0791b9..aec140a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -41,6 +41,7 @@ allow netutils_t self:packet_socket create_socket_perms;
@@ -65055,7 +65055,15 @@ index e0791b9..54acef1 100644
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
-@@ -134,8 +142,6 @@ logging_send_syslog_msg(ping_t)
+@@ -127,6 +135,7 @@ files_read_etc_files(ping_t)
+ files_dontaudit_search_var(ping_t)
+
+ kernel_read_system_state(ping_t)
++kernel_read_network_state(ping_t)
+
+ auth_use_nsswitch(ping_t)
+
+@@ -134,8 +143,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
@@ -65064,7 +65072,7 @@ index e0791b9..54acef1 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +151,30 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +152,30 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -65095,7 +65103,7 @@ index e0791b9..54acef1 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +182,10 @@ optional_policy(`
+@@ -157,6 +183,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -65106,7 +65114,7 @@ index e0791b9..54acef1 100644
########################################
#
# Traceroute local policy
-@@ -194,6 +223,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +224,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -65114,7 +65122,7 @@ index e0791b9..54acef1 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +234,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +235,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -68591,6 +68599,18 @@ index 37475dd..130f87c 100644
+optional_policy(`
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
+diff --git a/policy/modules/apps/evolution.fc b/policy/modules/apps/evolution.fc
+index c011277..3f411d9 100644
+--- a/policy/modules/apps/evolution.fc
++++ b/policy/modules/apps/evolution.fc
+@@ -4,6 +4,7 @@
+
+ HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+ HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
++HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+
+ #
+ # /tmp
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index cd70958..e8c94b1 100644
--- a/policy/modules/apps/evolution.te
@@ -68937,12 +68957,13 @@ index 4a2e63b..e964f12 100644
+ mta_send_mail(gitosis_t)
+')
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..17006fc 100644
+index 00a19e3..9d34d11 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,54 @@
+@@ -1,9 +1,55 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
@@ -68998,7 +69019,7 @@ index 00a19e3..17006fc 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c675357 100644
+index f5afe78..a4534c4 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,975 @@
@@ -70231,7 +70252,7 @@ index f5afe78..c675357 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -140,51 +1187,307 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1187,308 @@ interface(`gnome_domtrans_gconfd',`
## </summary>
## </param>
#
@@ -70472,6 +70493,7 @@ index f5afe78..c675357 100644
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
++ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
+')
@@ -72084,13 +72106,14 @@ index dff0f12..ecab36d 100644
init_dbus_chat_script(mono_t)
diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..2985694 100644
+index 93ac529..59152c0 100644
--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,19 @@
+@@ -1,8 +1,20 @@
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.cache\mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
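Review bot: The added file context `++HOME_DIR/\.cache\mozilla(/.*)?` has a backslash between `.cache` and `mozilla` where a slash is needed; in the file_contexts regex `\m` is just a literal `m`, so the pattern only matches a path named `~/.cachemozilla` and never `~/.cache/mozilla`. Files under the real directory therefore fall under the `HOME_DIR/\.cache(/.*)?` entry from gnome.fc and get cache_home_t on a restorecon, while the runtime transition added to mozilla.if in this same commit (`gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")`) creates them as mozilla_home_t, so the label depends on which path created them. The line should read `+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)`.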
@@ -72107,7 +72130,7 @@ index 93ac529..2985694 100644
#
# /bin
-@@ -14,16 +25,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +26,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -72146,7 +72169,7 @@ index 93ac529..2985694 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..b644095 100644
+index fbb5c5a..2796603 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -72289,7 +72312,7 @@ index fbb5c5a..b644095 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -279,28 +361,121 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,122 @@ interface(`mozilla_rw_tcp_sockets',`
## </summary>
## </param>
#
@@ -72416,6 +72439,7 @@ index fbb5c5a..b644095 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
++ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
@@ -76645,10 +76669,10 @@ index 0000000..3a7c395
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
new file mode 100644
-index 0000000..9127cec
+index 0000000..7252755
--- /dev/null
+++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
+
+## <summary>policy for thumb</summary>
+
@@ -76773,6 +76797,7 @@ index 0000000..9127cec
+
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
+')
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
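Review bot: `gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")` labels `~/.cache/thumbnails` thumb_home_t only when it is created through this transition; the commit adds no matching file-context entry, whereas the dconf addition in the same commit adds both the transition and an fc line. Unless thumb.fc already carries one (that file is unchanged here, its index line appears only as hunk context), a restorecon will relabel the directory to cache_home_t via the `HOME_DIR/\.cache(/.*)?` entry in gnome.fc. Add `HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)` to thumb.fc so the persistent and runtime labels agree. The enclosing interface starts outside the hunk.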
@@ -79579,7 +79604,7 @@ index 8e0f9cd..da3b374 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..ec36f29 100644
+index 99b71cb..1861fd0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -11,11 +11,15 @@ attribute netif_type;
@@ -79757,7 +79782,7 @@ index 99b71cb..ec36f29 100644
network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
-+network_port(milter) # no defined portcon
++network_port(milter, tcp, 8891,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017,s0)
network_port(monopd, tcp,1234,s0)
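Review bot: The new `++network_port(milter, tcp, 8891,s0)` line has a space after `tcp,` that none of the surrounding entries (`tcp,5050,s0`, `tcp,27017,s0`, `tcp,1234,s0`) use; write it as `network_port(milter, tcp,8891,s0)` to match the file. The replaced `# no defined portcon` placeholder was the only explanation the entry had, and 8891 is otherwise an unexplained number, so a short trailing comment naming the milter that listens there would keep the port assignment reviewable.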
@@ -104248,7 +104273,7 @@ index 305ddf4..d1b97fb 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..ba7a0bb 100644
+index 0f28095..c26452e 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -104533,12 +104558,13 @@ index 0f28095..ba7a0bb 100644
dontaudit hplip_t self:capability sys_tty_config;
allow hplip_t self:fifo_file rw_fifo_file_perms;
allow hplip_t self:process signal_perms;
-@@ -635,11 +680,18 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
+@@ -635,11 +680,19 @@ read_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
+allow hplip_t cupsd_unit_file_t:file read_file_perms;
+
++read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
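Review bot: `++read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)` is inserted in the middle of the hplip_t rules in cups.te (between the hplip_etc_t reads and the hplip_var_lib_t manage rules) although its subject is cupsd_t; the file groups rules by subject domain, so a reader auditing what cupsd_t may read will not find this one. Move the line into the cupsd_t local policy section, or if it must stay next to the hplip_var_lib_t rules, precede it with a comment such as `# cupsd_t reads hplip's var_lib files (see AVC in <bug id>)` naming the actual denial, which is not visible in this hunk. The hplip_t section continues outside the hunk on both sides.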
@@ -104553,7 +104579,7 @@ index 0f28095..ba7a0bb 100644
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -647,6 +699,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
+@@ -647,6 +700,9 @@ files_pid_filetrans(hplip_t, hplip_var_run_t, file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
@@ -104563,7 +104589,7 @@ index 0f28095..ba7a0bb 100644
corenet_all_recvfrom_unlabeled(hplip_t)
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
-@@ -661,6 +716,8 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,6 +717,8 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -104572,7 +104598,7 @@ index 0f28095..ba7a0bb 100644
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
-@@ -673,18 +730,20 @@ dev_read_rand(hplip_t)
+@@ -673,18 +731,20 @@ dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
dev_rw_usbfs(hplip_t)
@@ -104600,7 +104626,7 @@ index 0f28095..ba7a0bb 100644
logging_send_syslog_msg(hplip_t)
-@@ -695,9 +754,12 @@ sysnet_read_config(hplip_t)
+@@ -695,9 +755,12 @@ sysnet_read_config(hplip_t)
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -120807,7 +120833,7 @@ index 2324d9e..a26865a 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..288addf 100644
+index 0619395..1af77c5 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -120826,7 +120852,7 @@ index 0619395..288addf 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,26 +44,49 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,26 +44,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -120856,6 +120882,7 @@ index 0619395..288addf 100644
+allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
++allow NetworkManager_t self:rawip_socket create_socket_perms;
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
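Review bot: The new `allow NetworkManager_t self:rawip_socket create_socket_perms;` line carries no explanation, while the rules just above it document their reason and bug reference (`# networkmanager will ptrace itself if gdb is installed ... (rh bug #204161)`). create_socket_perms is also the full socket permission set; the ping_t rule in this same patch grants rawip_socket with the narrower `{ create ioctl read write bind getopt setopt }`, so it is worth checking the denial that motivated this and granting only the operations that were actually seen. A comment such as `# raw IP socket needed for <operation seen in the AVC> (rh bug #NNNNNN)` with the real bug id would make the rule reviewable later. The enclosing block of self: rules starts outside the hunk.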
@@ -120880,7 +120907,7 @@ index 0619395..288addf 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -95,11 +127,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
+@@ -95,11 +128,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t)
corenet_rw_tun_tap_dev(NetworkManager_t)
corenet_getattr_ppp_dev(NetworkManager_t)
@@ -120894,7 +120921,7 @@ index 0619395..288addf 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +146,11 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +147,11 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -120907,7 +120934,7 @@ index 0619395..288addf 100644
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
-@@ -128,35 +162,52 @@ init_domtrans_script(NetworkManager_t)
+@@ -128,35 +163,52 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -120962,7 +120989,7 @@ index 0619395..288addf 100644
')
optional_policy(`
-@@ -176,10 +227,17 @@ optional_policy(`
+@@ -176,10 +228,17 @@ optional_policy(`
')
optional_policy(`
@@ -120980,7 +121007,7 @@ index 0619395..288addf 100644
')
')
-@@ -191,6 +249,7 @@ optional_policy(`
+@@ -191,6 +250,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -120988,7 +121015,7 @@ index 0619395..288addf 100644
')
optional_policy(`
-@@ -202,23 +261,49 @@ optional_policy(`
+@@ -202,23 +262,49 @@ optional_policy(`
')
optional_policy(`
@@ -121038,7 +121065,7 @@ index 0619395..288addf 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +319,10 @@ optional_policy(`
+@@ -234,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -121049,7 +121076,7 @@ index 0619395..288addf 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +330,7 @@ optional_policy(`
+@@ -241,6 +331,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -121057,7 +121084,7 @@ index 0619395..288addf 100644
')
optional_policy(`
-@@ -254,6 +344,10 @@ optional_policy(`
+@@ -254,6 +345,10 @@ optional_policy(`
')
optional_policy(`
@@ -121068,7 +121095,7 @@ index 0619395..288addf 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +357,7 @@ optional_policy(`
+@@ -263,6 +358,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 18231b0..070a466 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 168%{?dist}
+Release: 169%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Mar 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-169
+- Allow cupsd to read hplip lib files
+- Allow NM to create rawip socket
+- Allow ping to read network state.
+- Add tcp/8891 as milter port
+- New directories under ~/.cache
+
* Tue Mar 5 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-168
- Add files_dontaudit_read_all_sockets interface
- Add gnome_dontaudit_rw_inherited_config interface
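Review bot: The new changelog header `* Thu Mar 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-169` carries a date that is both inconsistent and out of order: the entry directly below it is dated Tue Mar 5 2013, so March 4 2013 was a Monday, and a newer entry must not be dated earlier than the one it precedes; rpmbuild reports such entries as bogus %changelog dates. The commit itself is dated Thu Apr 4 2013, so the line should read `* Thu Apr 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-169`.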