[selinux-policy/f19] - Fix lockdev_manage_files() - Allow setroubleshootd to read var_lib_t to make email_alert working -
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 23 10:15:07 UTC 2013
commit 59a94b115d675c6a1e37001e4ecf57b105563263
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 23 12:14:32 2013 +0200
- Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attempts to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
policy-rawhide-base.patch | 149 ++++++++++++++++++++++++++++++------------
policy-rawhide-contrib.patch | 132 ++++++++++++++++++++++++++-----------
selinux-policy.spec | 30 ++++++++-
3 files changed, 227 insertions(+), 84 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 574a67c..4e0fbde 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -7751,7 +7751,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..dc4207f 100644
+index cf04cb5..ff7b3f4 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -7877,7 +7877,7 @@ index cf04cb5..dc4207f 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -7906,6 +7906,7 @@ index cf04cb5..dc4207f 100644
+ init_reboot(unconfined_domain_type)
+ init_halt(unconfined_domain_type)
+ init_undefined(unconfined_domain_type)
++ init_filetrans_named_content(unconfined_domain_type)
+')
+
+optional_policy(`
@@ -18528,10 +18529,10 @@ index ff92430..36740ea 100644
## <summary>
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..83e6404 100644
+index 88d0028..4cc476f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -18585,6 +18586,7 @@ index 88d0028..83e6404 100644
+application_exec(sysadm_t)
+
++init_filetrans_named_content(sysadm_t)
init_exec(sysadm_t)
+init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t)
@@ -18621,7 +18623,7 @@ index 88d0028..83e6404 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -18636,7 +18638,7 @@ index 88d0028..83e6404 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +104,9 @@ optional_policy(`
+@@ -71,9 +105,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -18647,7 +18649,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -87,6 +120,7 @@ optional_policy(`
+@@ -87,6 +121,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -18655,7 +18657,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -110,6 +144,10 @@ optional_policy(`
+@@ -110,6 +145,10 @@ optional_policy(`
')
optional_policy(`
@@ -18666,7 +18668,7 @@ index 88d0028..83e6404 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +160,19 @@ optional_policy(`
+@@ -122,11 +161,19 @@ optional_policy(`
')
optional_policy(`
@@ -18688,7 +18690,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -140,6 +186,10 @@ optional_policy(`
+@@ -140,6 +187,10 @@ optional_policy(`
')
optional_policy(`
@@ -18699,7 +18701,7 @@ index 88d0028..83e6404 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +206,11 @@ optional_policy(`
+@@ -156,11 +207,11 @@ optional_policy(`
')
optional_policy(`
@@ -18713,7 +18715,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -179,6 +229,13 @@ optional_policy(`
+@@ -179,6 +230,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -18727,7 +18729,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -186,15 +243,20 @@ optional_policy(`
+@@ -186,15 +244,20 @@ optional_policy(`
')
optional_policy(`
@@ -18751,7 +18753,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -214,22 +276,20 @@ optional_policy(`
+@@ -214,22 +277,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -18780,7 +18782,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -241,14 +301,27 @@ optional_policy(`
+@@ -241,14 +302,27 @@ optional_policy(`
')
optional_policy(`
@@ -18808,7 +18810,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -256,10 +329,20 @@ optional_policy(`
+@@ -256,10 +330,20 @@ optional_policy(`
')
optional_policy(`
@@ -18829,7 +18831,7 @@ index 88d0028..83e6404 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +353,36 @@ optional_policy(`
+@@ -270,31 +354,36 @@ optional_policy(`
')
optional_policy(`
@@ -18873,7 +18875,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -319,12 +407,18 @@ optional_policy(`
+@@ -319,12 +408,18 @@ optional_policy(`
')
optional_policy(`
@@ -18893,7 +18895,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -349,7 +443,18 @@ optional_policy(`
+@@ -349,7 +444,18 @@ optional_policy(`
')
optional_policy(`
@@ -18913,7 +18915,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -360,19 +465,15 @@ optional_policy(`
+@@ -360,19 +466,15 @@ optional_policy(`
')
optional_policy(`
@@ -18935,7 +18937,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -384,10 +485,6 @@ optional_policy(`
+@@ -384,10 +486,6 @@ optional_policy(`
')
optional_policy(`
@@ -18946,7 +18948,7 @@ index 88d0028..83e6404 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +492,9 @@ optional_policy(`
+@@ -395,6 +493,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -18956,7 +18958,7 @@ index 88d0028..83e6404 100644
')
optional_policy(`
-@@ -402,31 +502,34 @@ optional_policy(`
+@@ -402,31 +503,34 @@ optional_policy(`
')
optional_policy(`
@@ -18997,7 +18999,7 @@ index 88d0028..83e6404 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19008,7 +19010,7 @@ index 88d0028..83e6404 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -26812,7 +26814,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fc38c9c..dce2d4e 100644
+index fc38c9c..61a1d24 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@@ -26854,17 +26856,20 @@ index fc38c9c..dce2d4e 100644
# Support logging in from /dev/console
term_use_console(getty_t)
',`
-@@ -125,10 +130,6 @@ optional_policy(`
+@@ -121,11 +126,11 @@ tunable_policy(`console_login',`
+ ')
+
+ optional_policy(`
+- mta_send_mail(getty_t)
++ lockdev_manage_files(getty_t)
')
optional_policy(`
- nscd_use(getty_t)
--')
--
--optional_policy(`
- ppp_domtrans(getty_t)
++ mta_send_mail(getty_t)
')
+ optional_policy(`
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
index 9dfecf7..6d00f5c 100644
--- a/policy/modules/system/hostname.fc
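Review bot: `mta_send_mail(getty_t)` now sits inside the same `optional_policy` block as `ppp_domtrans(getty_t)`, so when the ppp module is not loaded the whole block is dropped and getty loses mail sending along with it. The refpolicy convention is one `optional_policy` block per module whose interfaces are called; the lockdev call correctly gets the first block, but `mta_send_mail` should keep a block of its own rather than ride on ppp's. The rewritten region would read as below; the surrounding `tunable_policy(`console_login'...` block starts outside this hunk.
```m4
optional_policy(`
	lockdev_manage_files(getty_t)
')

optional_policy(`
	mta_send_mail(getty_t)
')

optional_policy(`
	ppp_domtrans(getty_t)
')
```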
@@ -27076,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..1894886 100644
+index 24e7804..d0780a9 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -27961,7 +27966,7 @@ index 24e7804..1894886 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -28246,6 +28251,28 @@ index 24e7804..1894886 100644
+
+ allow $1 init_t:system undefined;
+')
++
++########################################
++## <summary>
++## Transition to init named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`init_filetrans_named_content',`
++ gen_require(`
++ type init_var_run_t;
++ type initrc_var_run_t;
++ type machineid_t;
++ ')
++
++ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
++ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
++ files_etc_filetrans($1, machineid_t, file, "machine-id" )
++')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..969bda2 100644
--- a/policy/modules/system/init.te
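Review bot: The summary `Transition to init named content` does not tell a caller which objects are affected; propose `## Create utmp and random-seed under /var/run and machine-id under /etc with init's named types` so the three named transitions are visible from the interface documentation. In refpolicy, `files_pid_filetrans` and `files_etc_filetrans` are built on `filetrans_pattern`, which also allows the caller `rw_dir_perms` on var_run_t and etc_t; those helpers are not in this diff, but if that holds here, every caller added in this commit (unconfined_domain_type, sysadm_t and realmd_t) also gains directory write access on /etc and /var/run, which the summary should state. The stray space in `"machine-id" )` should match the two calls above it.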
@@ -32310,7 +32337,7 @@ index 9fe8e01..fa82aac 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fc28bc3..2f33076 100644
+index fc28bc3..2960ed7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@@ -32448,7 +32475,7 @@ index fc28bc3..2f33076 100644
')
########################################
-@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',`
+@@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -32469,6 +32496,7 @@ index fc28bc3..2f33076 100644
+
+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "locale.conf")
++ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
+ files_etc_filetrans($1, locale_t, file, "locale.conf.new")
+ files_etc_filetrans($1, locale_t, file, "timezone")
+ files_etc_filetrans($1, locale_t, file, "clock")
@@ -37063,10 +37091,10 @@ index 0000000..5894afb
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b3ea12d
+index 0000000..2c9ccbf
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,642 @@
+@@ -0,0 +1,643 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37311,6 +37339,7 @@ index 0000000..b3ea12d
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
++dev_write_kmsg(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
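Review bot: `dev_write_kmsg(systemd_passwd_agent_t)` grants write access to the kernel log device without a comment saying why the password agent needs it; the 3.12.1-35 changelog entry ("Allow systemd-tty-ask to write kmsg") records that it was needed but not what triggered it. A one-line comment above the rule naming the denial or the agent behaviour that produced it, e.g. `# systemd-tty-ask-password-agent: kmsg write, see 3.12.1-35 changelog`, would let a later reviewer judge whether the access is still required. I cannot tell from the diff which code path in the agent writes to kmsg.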
@@ -39081,7 +39110,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..9799799 100644
+index 3c5dba7..b44b1c9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40363,7 +40392,7 @@ index 3c5dba7..9799799 100644
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+
-+ tunable_policy(`selinuxuser_user_share_music',`
++ tunable_policy(`selinuxuser_share_music',`
+ corenet_tcp_bind_daap_port($1_usertype)
+ ')
+
@@ -41748,7 +41777,7 @@ index 3c5dba7..9799799 100644
## Create keys for all user domains.
## </summary>
## <param name="domain">
-@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -42309,6 +42338,42 @@ index 3c5dba7..9799799 100644
+
+########################################
+## <summary>
++## Dontaudit Read files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_inherited_admin_home_files',`
++ gen_require(`
++ attribute admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
++## Dontaudit append files inherited from the admin home dir.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_append_inherited_admin_home_file',`
++ gen_require(`
++ attribute admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
+## Read/Write files inherited
+## in a user home subdirectory.
+## </summary>
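Review bot: The two new interfaces are named inconsistently — `userdom_dontaudit_read_inherited_admin_home_files` (plural) next to `userdom_dontaudit_append_inherited_admin_home_file` (singular); renaming the second to `userdom_dontaudit_append_inherited_admin_home_files` follows the `_files` convention used around it, and its call site in the virt.te hunk later in this patch (`userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)`) must be renamed with it. Both `gen_require` blocks declare `attribute admin_home_t;`; the declaration of admin_home_t is not in this diff, so if it is declared as a `type` elsewhere the require kind must match or the module will fail to link. The first summary's capitalisation (`Dontaudit Read files`) also differs from the second (`Dontaudit append files`).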
@@ -43107,7 +43172,7 @@ index 3c5dba7..9799799 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..6371ed6 100644
+index e2b538b..9e23738 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -43146,7 +43211,7 @@ index e2b538b..6371ed6 100644
## </p>
## </desc>
-gen_tunable(user_dmesg, false)
-+gen_tunable(selinuxuser_user_share_music, false)
++gen_tunable(selinuxuser_share_music, false)
## <desc>
## <p>
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 932a185..cc76d7e 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -7316,10 +7316,10 @@ index 0000000..98ab9ed
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
-index 0000000..d4eb297
+index 0000000..f2aa4e6
--- /dev/null
+++ b/authconfig.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,32 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
@@ -7349,7 +7349,6 @@ index 0000000..d4eb297
+
+domain_use_interactive_fds(authconfig_t)
+
-+
+init_domtrans_script(authconfig_t)
+
+unconfined_domain_noaudit(authconfig_t)
@@ -17928,7 +17927,7 @@ index afcf3a2..0730306 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..5e0bf2f 100644
+index 2c2e7e1..78bbb7d 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -17976,7 +17975,7 @@ index 2c2e7e1..5e0bf2f 100644
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -51,59 +47,57 @@ ifdef(`enable_mls',`
+@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
')
@@ -17989,6 +17988,7 @@ index 2c2e7e1..5e0bf2f 100644
+# dac_override: /var/run/dbus is owned by messagebus on Debian
+# cjp: dac_override should probably go in a distro_debian
++allow system_dbusd_t self:capability2 block_suspend;
allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
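Review bot: The new `allow system_dbusd_t self:capability2 block_suspend;` is inserted between the two `# dac_override` comment lines and the `allow system_dbusd_t self:capability { sys_resource dac_override ... }` rule they explain, so the comment now reads as if it described block_suspend. Move the new rule below the existing capability/process rules and give it its own comment; the changelog only says "system dbus seems to be blocking suspend", so something like `# block_suspend: see 3.12.1-35 changelog` keeps the dac_override comment attached to its rule.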
@@ -18052,7 +18052,7 @@ index 2c2e7e1..5e0bf2f 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +117,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -18222,7 +18222,7 @@ index 2c2e7e1..5e0bf2f 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +274,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -18247,7 +18247,7 @@ index 2c2e7e1..5e0bf2f 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -18255,7 +18255,7 @@ index 2c2e7e1..5e0bf2f 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +302,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -18297,7 +18297,7 @@ index 2c2e7e1..5e0bf2f 100644
')
########################################
-@@ -244,5 +339,6 @@ optional_policy(`
+@@ -244,5 +340,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -26564,7 +26564,7 @@ index d03fd43..26023f7 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 20f726b..eb0d80a 100644
+index 20f726b..6af4e62 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
@@ -26608,7 +26608,7 @@ index 20f726b..eb0d80a 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,228 @@ type gconfd_exec_t;
+@@ -29,107 +47,227 @@ type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -26819,8 +26819,7 @@ index 20f726b..eb0d80a 100644
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
-+allow gkeyringd_domain config_home_t:dir add_entry_dir_perms;
-+allow gkeyringd_domain config_home_t:file write;
++manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
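Review bot: `manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` replaces a `write` on config_home_t files plus `add_entry_dir_perms` with the full manage set (create, read, write, unlink, rename, setattr, ...) on every config_home_t file, which is far wider than the single dbus file the changelog names. If creating and writing that file is all that is needed, `create_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` together with `write_files_pattern(gkeyringd_domain, config_home_t, config_home_t)` covers it without granting delete and rename over the user's whole config_home_t tree; if the broader access is intended, a comment saying so would help. Which paths carry config_home_t is not visible in this diff.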
@@ -27951,9 +27950,18 @@ index 3226f52..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..2200e6d 100644
+index 25f09ae..aa94571 100644
--- a/gpsd.te
+++ b/gpsd.te
+@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t)
+ #
+
+ allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+-dontaudit gpsd_t self:capability { dac_read_search dac_override };
++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
+ allow gpsd_t self:process { setsched signal_perms };
+ allow gpsd_t self:shm create_shm_perms;
+ allow gpsd_t self:unix_dgram_socket sendto;
@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
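Review bot: The added `sys_ptrace` dontaudit silences the denial rather than granting the capability, which is the right choice when the access is not believed to be needed, but the rule carries no comment and the changelog itself hedges ("which I believe gpsd does not need"). Add a comment above the rule such as `# sys_ptrace: suppressed, not granted; gpsd is not believed to need it (3.12.1-35)` so the next person debugging gpsd knows the denial is hidden on purpose and that `semodule -DB` is needed to see it. The rest of the gpsd_t rules in this hunk are unchanged context.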
@@ -33136,6 +33144,36 @@ index 6cbb977..bd5406a 100644
userdom_list_user_home_content(loadkeys_t)
ifdef(`hide_broken_symptoms',`
+diff --git a/lockdev.if b/lockdev.if
+index 4313b8b..cd1435c 100644
+--- a/lockdev.if
++++ b/lockdev.if
+@@ -1,5 +1,25 @@
+ ## <summary>Library for locking devices.</summary>
+
++#######################################
++## <summary>
++## Create, read, write, and delete
++## lockdev lock files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`lockdev_manage_files',`
++ gen_require(`
++ type lockdev_lock_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
index db87831..30bfb76 100644
--- a/lockdev.te
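Review bot: `files_search_var_lib($1)` gives callers search on /var/lib, but lockdev's lock directory conventionally lives under /var/lock; lockdev.fc is not part of this diff, so if `lockdev_lock_t` labels a path under /var/lock the caller will still be denied search on the parent directory and `files_search_locks($1)` is the helper needed instead. Since the commit title describes this interface as a fix, checking the label's path in lockdev.fc before shipping seems worthwhile. The comment banner above the new interface also appears one `#` shorter than the banner of the following interface.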
@@ -38281,7 +38319,7 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..0f46305 100644
+index 7c8afcc..97f2b6f 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,6 +62,9 @@ files_type(mpd_var_lib_t)
@@ -38322,15 +38360,18 @@ index 7c8afcc..0f46305 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -139,7 +148,6 @@ dev_read_sound(mpd_t)
+@@ -139,9 +148,9 @@ dev_read_sound(mpd_t)
dev_write_sound(mpd_t)
dev_read_sysfs(mpd_t)
-files_read_usr_files(mpd_t)
fs_getattr_all_fs(mpd_t)
++fs_getattr_all_dirs(mpd_t)
fs_list_inotifyfs(mpd_t)
-@@ -150,7 +158,9 @@ auth_use_nsswitch(mpd_t)
+ fs_rw_anon_inodefs_files(mpd_t)
+ fs_search_auto_mountpoints(mpd_t)
+@@ -150,7 +159,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -38341,7 +38382,7 @@ index 7c8afcc..0f46305 100644
tunable_policy(`mpd_enable_homedirs',`
userdom_search_user_home_dirs(mpd_t)
-@@ -199,6 +209,16 @@ optional_policy(`
+@@ -199,6 +210,16 @@ optional_policy(`
')
optional_policy(`
@@ -38491,10 +38532,10 @@ index c97c177..9411154 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..8654c3c 100644
+index f42896c..cb2791a 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
@@ -38514,6 +38555,9 @@ index f42896c..8654c3c 100644
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
+-
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
@@ -38523,8 +38567,7 @@ index f42896c..8654c3c 100644
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-
--/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -63768,7 +63811,7 @@ index bff31df..e38693b 100644
## <param name="domain">
## <summary>
diff --git a/realmd.te b/realmd.te
-index 9a8f052..085ab40 100644
+index 9a8f052..c558c79 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -63777,7 +63820,7 @@ index 9a8f052..085ab40 100644
########################################
#
-@@ -7,47 +7,86 @@ policy_module(realmd, 1.0.2)
+@@ -7,47 +7,88 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@@ -63847,6 +63890,8 @@ index 9a8f052..085ab40 100644
auth_use_nsswitch(realmd_t)
++init_filetrans_named_content(realmd_t)
++
+logging_manage_generic_logs(realmd_t)
logging_send_syslog_msg(realmd_t)
@@ -63876,7 +63921,7 @@ index 9a8f052..085ab40 100644
networkmanager_dbus_chat(realmd_t)
')
-@@ -63,21 +102,40 @@ optional_policy(`
+@@ -63,21 +104,40 @@ optional_policy(`
optional_policy(`
kerberos_use(realmd_t)
kerberos_rw_keytab(realmd_t)
@@ -63920,7 +63965,7 @@ index 9a8f052..085ab40 100644
')
optional_policy(`
-@@ -86,5 +144,27 @@ optional_policy(`
+@@ -86,5 +146,27 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@@ -75260,7 +75305,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..a89828e 100644
+index 49b12ae..a7c3d7c 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@@ -75349,7 +75394,7 @@ index 49b12ae..a89828e 100644
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
-@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
+@@ -79,13 +85,13 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
domain_signull_all_domains(setroubleshootd_t)
@@ -75357,7 +75402,14 @@ index 49b12ae..a89828e 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
+ files_read_mnt_files(setroubleshootd_t)
++files_read_var_lib_files(setroubleshootd_t)
+
+ fs_getattr_all_dirs(setroubleshootd_t)
+ fs_getattr_all_files(setroubleshootd_t)
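Review bot: `files_read_var_lib_files(setroubleshootd_t)` grants read on every generic var_lib_t file on the system to make one email-alert input readable. The narrower fix is to give the file setroubleshootd reads (its path is not shown in this diff) a setroubleshoot-specific type in setroubleshoot.fc, or add a named file transition so it is created with that type, and drop the blanket rule. If the file is created by a tool outside setroubleshootd's domain and cannot be labelled at creation, keep the rule but add a comment naming the file, e.g. `# email_alert recipients file is created as var_lib_t`, so the grant can be revisited.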
+@@ -107,27 +113,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -75390,7 +75442,7 @@ index 49b12ae..a89828e 100644
')
optional_policy(`
-@@ -135,10 +137,18 @@ optional_policy(`
+@@ -135,10 +138,18 @@ optional_policy(`
')
optional_policy(`
@@ -75409,7 +75461,7 @@ index 49b12ae..a89828e 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +159,17 @@ optional_policy(`
########################################
#
@@ -75428,7 +75480,7 @@ index 49b12ae..a89828e 100644
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,9 +177,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +178,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
@@ -75443,7 +75495,7 @@ index 49b12ae..a89828e 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +191,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -86559,7 +86611,7 @@ index 9dec06c..cd873d3 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..d0747ff 100644
+index 1f22fba..832423f 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -88040,7 +88092,7 @@ index 1f22fba..d0747ff 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1111,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1111,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -88052,6 +88104,8 @@ index 1f22fba..d0747ff 100644
+systemd_read_unit_files(svirt_lxc_domain)
+
+userdom_use_inherited_user_terminals(svirt_lxc_domain)
++userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain)
++userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain)
+
+optional_policy(`
+ apache_exec_modules(svirt_lxc_domain)
@@ -88176,7 +88230,7 @@ index 1f22fba..d0747ff 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1207,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -88191,7 +88245,7 @@ index 1f22fba..d0747ff 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1225,8 @@ optional_policy(`
+@@ -1183,9 +1227,8 @@ optional_policy(`
########################################
#
@@ -88202,7 +88256,7 @@ index 1f22fba..d0747ff 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1239,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 754b6aa..e7cdbae 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -229,8 +229,12 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
-/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
-/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \
+if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
+ continue; \
+fi; \
+if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
+ continue; \
+fi;
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
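Review bot: `continue` on the two new lines is only meaningful inside a `for`/`while`/`until` loop; if this macro is expanded outside a loop (its call sites are not in the diff) bash prints "continue: only meaningful in a ... loop" during the scriptlet, and if it is expanded inside one, a successful first restorecon jumps to the next iteration and the `/home` restorecon that follows never runs. If the aim is only to stop a failing restorecon from aborting the scriptlet, `/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :; \` and the same `|| :` on the `/home/*/.cache /home/*/.config` line achieve that and keep both commands running unconditionally as before. The macro's opening line is outside this hunk.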
@@ -526,6 +530,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-35
+- Fix lockdev_manage_files()
+- Allow setroubleshootd to read var_lib_t to make email_alert working
+- Add lockdev_manage_files()
+- Call proper interface in virt.te
+- Allow gkeyring_domain to create /var/run/UID/config/dbus file
+- system dbus seems to be blocking suspend
+- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Allow mpd getattr on file system directories
+- Make sure realmd creates content with the correct label
+- Allow systemd-tty-ask to write kmsg
+- Allow mgetty to use lockdev library for device locking
+- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
+- When you enter a container from root, you generate avcs with a leaked file descriptor
+- Make sure init.fc files are labeled correctly at creation
+- File name trans vconsole.conf
+- Fix labeling for nagios plugins
+- label shared libraries in /opt/google/chrome as testrel_shlib_t
+
* Thu Apr 18 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-34
- Allow certmonger to dbus communicate with realmd
- Make realmd working