[selinux-policy/f17] - Back port to allow l2tpd to read NM conf file - Add labeling for /run/nm-xl2tpd.conf - Add mozilla

Miroslav Grepl mgrepl at fedoraproject.org
Thu Jun 6 20:52:02 UTC 2013


commit aa42a0b5711a5506624b0c65c770d226999ddbb7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Jun 6 22:51:38 2013 +0200

    - Back port to allow l2tpd to read NM conf file
    - Add labeling for /run/nm-xl2tpd.conf
    - Add mozilla_plugin_use_gps boolean
    - Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
    - Add labeling for HOMEDIR/.icedtea
    - Allow openvpn to add own log files
    - Allow cobblerd to read network state
    - Allow abrt to read utmp_t file

 policy-F16.patch    |  211 ++++++++++++++++++++++++++++++---------------------
 selinux-policy.spec |   12 +++-
 2 files changed, 135 insertions(+), 88 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 2d81e7a..ea02e3f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -72106,10 +72106,10 @@ index dff0f12..ecab36d 100644
  init_dbus_chat_script(mono_t)
  
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..59152c0 100644
+index 93ac529..c9385bd 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
-@@ -1,8 +1,20 @@
+@@ -1,8 +1,21 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.mozilla(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -72123,6 +72123,7 @@ index 93ac529..59152c0 100644
 +HOME_DIR/\.gcjwebplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.grl-podcasts(/.*)?   gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.icedteaplugin(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedtea(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.lyx(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.spicec(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
 +HOME_DIR/\.ICAClient(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -72130,7 +72131,7 @@ index 93ac529..59152c0 100644
  
  #
  # /bin
-@@ -14,16 +26,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -14,16 +27,28 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  /usr/bin/epiphany		--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -72169,7 +72170,7 @@ index 93ac529..59152c0 100644
 +/usr/lib/nspluginwrapper/plugin-config			--	gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
 +')
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..2796603 100644
+index fbb5c5a..d85053e 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -72312,7 +72313,7 @@ index fbb5c5a..2796603 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -279,28 +361,122 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +361,123 @@ interface(`mozilla_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -72434,6 +72435,7 @@ index fbb5c5a..2796603 100644
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
 +	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
@@ -72443,10 +72445,10 @@ index fbb5c5a..2796603 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..63839d5 100644
+index 2e9318b..a73bf97 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
-@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
+@@ -7,11 +7,32 @@ policy_module(mozilla, 2.3.3)
  
  ## <desc>
  ## <p>
@@ -72469,10 +72471,17 @@ index 2e9318b..63839d5 100644
 +## </desc>
 +gen_tunable(mozilla_plugin_enable_homedirs, false)
 +
++## <desc>
++## <p>
++## Allow mozilla plugin to support GPS.
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_use_gps, false)
++
  type mozilla_t;
  type mozilla_exec_t;
  typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -25,6 +39,7 @@ files_config_file(mozilla_conf_t)
+@@ -25,6 +46,7 @@ files_config_file(mozilla_conf_t)
  type mozilla_home_t;
  typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
  typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
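Review bot: The description added for `mozilla_plugin_use_gps` ("Allow mozilla plugin to support GPS.") does not say what enabling the boolean grants. The later hunk that adds the `mozilla_plugin_use_gps` tunable_policy block gives mozilla_plugin_t `fs_manage_dos_dirs` and `fs_manage_dos_files`, which by their names cover DOS-type filesystems in general rather than a GPS device specifically. An administrator deciding whether to turn the boolean on should see that, so I would word the description as `## Allow mozilla plugin to manage files and directories on DOS filesystems (needed for GPS support).`. The boolean defaults to false, so the default policy is unchanged.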
@@ -72480,7 +72489,7 @@ index 2e9318b..63839d5 100644
  userdom_user_home_content(mozilla_home_t)
  
  type mozilla_plugin_t;
-@@ -33,13 +48,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
+@@ -33,13 +55,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
  role system_r types mozilla_plugin_t;
  
  type mozilla_plugin_tmp_t;
@@ -72503,7 +72512,7 @@ index 2e9318b..63839d5 100644
  type mozilla_tmp_t;
  files_tmp_file(mozilla_tmp_t)
  ubac_constrained(mozilla_tmp_t)
-@@ -111,12 +135,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
+@@ -111,12 +142,15 @@ corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
  corenet_tcp_sendrecv_http_cache_port(mozilla_t)
  corenet_tcp_sendrecv_squid_port(mozilla_t)
@@ -72519,7 +72528,7 @@ index 2e9318b..63839d5 100644
  corenet_tcp_connect_ipp_port(mozilla_t)
  corenet_tcp_connect_generic_port(mozilla_t)
  corenet_tcp_connect_soundd_port(mozilla_t)
-@@ -152,10 +179,14 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
+@@ -152,10 +186,14 @@ files_dontaudit_getattr_boot_dirs(mozilla_t)
  
  fs_search_auto_mountpoints(mozilla_t)
  fs_list_inotifyfs(mozilla_t)
@@ -72535,7 +72544,7 @@ index 2e9318b..63839d5 100644
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
-@@ -165,27 +196,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +203,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -72569,7 +72578,7 @@ index 2e9318b..63839d5 100644
  
  # Uploads, local html
  tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -262,6 +287,7 @@ optional_policy(`
+@@ -262,6 +294,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -72577,7 +72586,7 @@ index 2e9318b..63839d5 100644
  ')
  
  optional_policy(`
-@@ -278,10 +304,6 @@ optional_policy(`
+@@ -278,10 +311,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -72588,7 +72597,7 @@ index 2e9318b..63839d5 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -296,25 +318,37 @@ optional_policy(`
+@@ -296,25 +325,37 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -72634,7 +72643,7 @@ index 2e9318b..63839d5 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,39 +356,61 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,39 +363,61 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
  manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
  
@@ -72703,7 +72712,7 @@ index 2e9318b..63839d5 100644
  
  domain_use_interactive_fds(mozilla_plugin_t)
  domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +418,24 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +425,24 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
  files_read_config_files(mozilla_plugin_t)
  files_read_usr_files(mozilla_plugin_t)
  files_list_mnt(mozilla_plugin_t)
@@ -72728,7 +72737,7 @@ index 2e9318b..63839d5 100644
  logging_send_syslog_msg(mozilla_plugin_t)
  
  miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +448,31 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +455,31 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
  
  term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
@@ -72761,14 +72770,14 @@ index 2e9318b..63839d5 100644
 -tunable_policy(`allow_execstack',`
 -	allow mozilla_plugin_t self:process { execstack };
 -')
-+userdom_home_manager(mozilla_plugin_t)
- 
+-
 -tunable_policy(`use_nfs_home_dirs',`
 -	fs_manage_nfs_dirs(mozilla_plugin_t)
 -	fs_manage_nfs_files(mozilla_plugin_t)
 -	fs_manage_nfs_symlinks(mozilla_plugin_t)
 -')
--
++userdom_home_manager(mozilla_plugin_t)
+ 
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mozilla_plugin_t)
 -	fs_manage_cifs_files(mozilla_plugin_t)
@@ -72778,7 +72787,7 @@ index 2e9318b..63839d5 100644
  ')
  
  optional_policy(`
-@@ -421,24 +483,35 @@ optional_policy(`
+@@ -421,24 +490,35 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -72818,7 +72827,7 @@ index 2e9318b..63839d5 100644
  ')
  
  optional_policy(`
-@@ -446,10 +519,112 @@ optional_policy(`
+@@ -446,10 +526,118 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -72847,7 +72856,7 @@ index 2e9318b..63839d5 100644
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +	xserver_append_xdm_home_files(mozilla_plugin_t);
-+')
+ ')
 +
 +########################################
 +#
@@ -72930,7 +72939,13 @@ index 2e9318b..63839d5 100644
 +
 +tunable_policy(`allow_execmod',`
 +    userdom_execmod_user_home_files(mozilla_plugin_t)
- ')
++')
++
++tunable_policy(`mozilla_plugin_use_gps',`
++    fs_manage_dos_dirs(mozilla_plugin_t)
++    fs_manage_dos_files(mozilla_plugin_t)
++')
++
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..87c7046 100644
 --- a/policy/modules/apps/mplayer.if
@@ -91164,7 +91179,7 @@ index 0b827c5..ac79ca6 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..cb4c1de 100644
+index 30861ec..6de6194 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -91329,12 +91344,13 @@ index 30861ec..cb4c1de 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,22 +197,32 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,34 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
 -sysnet_read_config(abrt_t)
--
++init_read_utmp(abrt_t)
+ 
  logging_read_generic_logs(abrt_t)
 -logging_send_syslog_msg(abrt_t)
 +
@@ -91367,7 +91383,7 @@ index 30861ec..cb4c1de 100644
  ')
  
  optional_policy(`
-@@ -167,6 +243,7 @@ optional_policy(`
+@@ -167,6 +245,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -91375,7 +91391,7 @@ index 30861ec..cb4c1de 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +255,39 @@ optional_policy(`
+@@ -178,12 +257,39 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -91416,7 +91432,7 @@ index 30861ec..cb4c1de 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +306,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -91445,7 +91461,7 @@ index 30861ec..cb4c1de 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +327,147 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +329,147 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -91453,7 +91469,7 @@ index 30861ec..cb4c1de 100644
 +	optional_policy(`
 +		rpm_dontaudit_leaks(abrt_helper_t)
 +	')
-+')
+ ')
 +
 +ifdef(`hide_broken_symptoms',`
 +	gen_require(`
@@ -91579,7 +91595,7 @@ index 30861ec..cb4c1de 100644
 +
 +optional_policy(`
 +	unconfined_domain(abrt_watch_log_t)
- ')
++')
 +
 +#######################################
 +#
@@ -100156,7 +100172,7 @@ index 116d60f..e2c6ec6 100644
 +	allow $1 cobblerd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..7a7f3db 100644
+index 0258b48..80f07ad 100644
 --- a/policy/modules/services/cobbler.te
 +++ b/policy/modules/services/cobbler.te
 @@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -100255,7 +100271,7 @@ index 0258b48..7a7f3db 100644
 +files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
 +
  kernel_read_system_state(cobblerd_t)
-+kernel_dontaudit_search_network_state(cobblerd_t)
++kernel_read_network_state(cobblerd_t)
  
  corecmd_exec_bin(cobblerd_t)
  corecmd_exec_shell(cobblerd_t)
@@ -111499,10 +111515,10 @@ index 0000000..ebe1dde
 +')
 diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
 new file mode 100644
-index 0000000..0e4df5d
+index 0000000..9182aaf
 --- /dev/null
 +++ b/policy/modules/services/glance.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,126 @@
 +policy_module(glance, 1.0.0)
 +
 +########################################
@@ -111622,6 +111638,7 @@ index 0000000..0e4df5d
 +corenet_tcp_bind_generic_node(glance_api_t)
 +corenet_tcp_bind_glance_port(glance_api_t)
 +corenet_tcp_bind_hplip_port(glance_api_t)
++corenet_tcp_connect_http_port(glance_api_t)
 +corenet_tcp_connect_glance_registry_port(glance_api_t)
 +corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
 +
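Review bot: `corenet_tcp_connect_http_port(glance_api_t)` is added here without a matching entry in the commit message, which lists eight changes and none for glance. The same holds for `corecmd_exec_bin(nagios_checkdisk_plugin_t)` in the nagios.te hunk, the netlink and kernel-module rules added for openvswitch_t, and `libs_exec_ldconfig(xdm_t)` in the xserver.te hunk. Each of these widens what a confined domain may do, so a changelog line or bug reference per rule would let a later reviewer tell why it was needed. The selinux-policy.spec part of this commit is not visible here and may already carry them.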
@@ -115086,10 +115103,10 @@ index 0000000..8bc2c6d
 +')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..1b720ad
+index 0000000..4e947d9
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,105 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -115187,6 +115204,10 @@ index 0000000..1b720ad
 +sysnet_dns_name_resolve(l2tpd_t)
 +
 +optional_policy(`
++    networkmanager_read_pid_files(l2tpd_t)
++')
++
++optional_policy(`
 +	ppp_domtrans(l2tpd_t)
 +	ppp_signal(l2tpd_t)
 +	ppp_kill(l2tpd_t)
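Review bot: Judging by the interface name, `networkmanager_read_pid_files(l2tpd_t)` gives l2tpd_t read access to every file labelled NetworkManager_var_run_t, not only the xl2tpd configuration the commit message is about. The networkmanager.fc lines visible in this patch put `/var/run/NetworkManager(/.*)?`, `/var/run/nm-dhclient.*` and `/var/run/wpa_supplicant(/.*)?` under that same type. If only nm-xl2tpd.conf is needed, a dedicated type for that file with its own read interface would keep the grant narrower. The new block is also indented with spaces where the neighbouring `optional_policy` block uses a tab.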
@@ -120313,7 +120334,7 @@ index 8581040..7d8e93b 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..1f9d8e1 100644
+index bf64a4c..30841e7 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
@@ -120468,17 +120489,19 @@ index bf64a4c..1f9d8e1 100644
  ')
  
  ######################################
-@@ -310,6 +322,9 @@ optional_policy(`
+@@ -310,6 +322,11 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
 +kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
 +
++corecmd_exec_bin(nagios_checkdisk_plugin_t)
++
 +files_getattr_all_dirs(nagios_checkdisk_plugin_t)
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -321,11 +336,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -321,11 +338,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  # local policy for service check plugins
  #
  
@@ -120492,7 +120515,7 @@ index bf64a4c..1f9d8e1 100644
  
  corecmd_exec_bin(nagios_services_plugin_t)
  
-@@ -340,6 +355,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +357,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -120501,7 +120524,7 @@ index bf64a4c..1f9d8e1 100644
  ')
  
  optional_policy(`
-@@ -363,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,6 +382,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -120510,7 +120533,7 @@ index bf64a4c..1f9d8e1 100644
  kernel_read_system_state(nagios_system_plugin_t)
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
-@@ -370,12 +389,15 @@ corecmd_exec_bin(nagios_system_plugin_t)
+@@ -370,12 +391,15 @@ corecmd_exec_bin(nagios_system_plugin_t)
  corecmd_exec_shell(nagios_system_plugin_t)
  
  dev_read_sysfs(nagios_system_plugin_t)
@@ -120527,7 +120550,7 @@ index bf64a4c..1f9d8e1 100644
  # needed by check_users plugin
  optional_policy(`
  	init_read_utmp(nagios_system_plugin_t)
-@@ -389,3 +411,52 @@ optional_policy(`
+@@ -389,3 +413,52 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(nagios_unconfined_plugin_t)
  ')
@@ -120594,7 +120617,7 @@ index 74da57f..b94bb3b 100644
  /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
  
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..8fe1d63 100644
+index 386543b..82f8ae6 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
 @@ -1,6 +1,19 @@
@@ -120618,7 +120641,7 @@ index 386543b..8fe1d63 100644
  
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
-@@ -12,15 +25,19 @@
+@@ -12,15 +25,20 @@
  /usr/sbin/NetworkManagerDispatcher --	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/nm-system-settings	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /usr/sbin/wicd 			--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
@@ -120637,6 +120660,7 @@ index 386543b..8fe1d63 100644
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-xl2tpd.conf.*       --  gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
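Review bot: The new entry `/var/run/nm-xl2tpd.conf.*` leaves the dot before `conf` unescaped, so the regular expression accepts any character in that position. The entry directly above escapes it (`nm-dns-dnsmasq\.conf`), and for consistency this one should read `/var/run/nm-xl2tpd\.conf.*`. The trailing `.*` also extends NetworkManager_var_run_t to any regular file whose name starts with that prefix. If suffixed names are not expected, dropping the `.*` would be tighter. The entry is separated with spaces where the surrounding lines use tabs.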
@@ -124538,7 +124562,7 @@ index d883214..d6afa87 100644
  	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..cae4941 100644
+index 8b550f4..41920ae 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -124583,13 +124607,14 @@ index 8b550f4..cae4941 100644
  allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
  
  can_exec(openvpn_t, openvpn_etc_t)
-@@ -58,9 +60,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
+@@ -58,9 +60,14 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t)
  manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t)
  filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
  
 +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
 +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
 +
++manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
  allow openvpn_t openvpn_var_log_t:file manage_file_perms;
  logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
  
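Review bot: `manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)` lets openvpn manage directories that already carry openvpn_var_log_t, but the unchanged `logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)` two lines below still transitions only files. If the goal is for openvpn to create its own directory under the system log directory, that directory would presumably not receive openvpn_var_log_t through the transition. The pid rule visible in the next hunk already uses the two-class form, and the log rule could match it as `logging_log_filetrans(openvpn_t, openvpn_var_log_t, { file dir })`. If the directory is always pre-created and labelled by a file-context entry, a comment saying so would settle it.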
@@ -124597,7 +124622,7 @@ index 8b550f4..cae4941 100644
  manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
  files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir })
  
-@@ -68,6 +74,7 @@ kernel_read_kernel_sysctls(openvpn_t)
+@@ -68,6 +75,7 @@ kernel_read_kernel_sysctls(openvpn_t)
  kernel_read_net_sysctls(openvpn_t)
  kernel_read_network_state(openvpn_t)
  kernel_read_system_state(openvpn_t)
@@ -124605,7 +124630,7 @@ index 8b550f4..cae4941 100644
  
  corecmd_exec_bin(openvpn_t)
  corecmd_exec_shell(openvpn_t)
-@@ -87,6 +94,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
+@@ -87,6 +95,7 @@ corenet_udp_bind_openvpn_port(openvpn_t)
  corenet_tcp_bind_http_port(openvpn_t)
  corenet_tcp_connect_openvpn_port(openvpn_t)
  corenet_tcp_connect_http_port(openvpn_t)
@@ -124613,7 +124638,7 @@ index 8b550f4..cae4941 100644
  corenet_tcp_connect_http_cache_port(openvpn_t)
  corenet_rw_tun_tap_dev(openvpn_t)
  corenet_sendrecv_openvpn_server_packets(openvpn_t)
-@@ -100,33 +108,40 @@ dev_read_urand(openvpn_t)
+@@ -100,33 +109,40 @@ dev_read_urand(openvpn_t)
  files_read_etc_files(openvpn_t)
  files_read_etc_runtime_files(openvpn_t)
  
@@ -124662,7 +124687,7 @@ index 8b550f4..cae4941 100644
  
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +153,7 @@ optional_policy(`
+@@ -138,3 +154,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
@@ -124946,10 +124971,10 @@ index 0000000..e2c300a
 +')
 diff --git a/policy/modules/services/openvswitch.te b/policy/modules/services/openvswitch.te
 new file mode 100644
-index 0000000..31370ed
+index 0000000..fd89b37
 --- /dev/null
 +++ b/policy/modules/services/openvswitch.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,92 @@
 +policy_module(openvswitch, 1.0.0)
 +
 +########################################
@@ -124986,6 +125011,7 @@ index 0000000..31370ed
 +allow openvswitch_t self:fifo_file rw_fifo_file_perms;
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow openvswitch_t self:netlink_socket create_socket_perms;
++allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
 +
 +can_exec(openvswitch_t, openvswitch_exec_t)
 +
@@ -125011,14 +125037,18 @@ index 0000000..31370ed
 +
 +kernel_read_network_state(openvswitch_t)
 +kernel_read_system_state(openvswitch_t)
++kernel_request_load_module(openvswitch_t)
 +
 +corecmd_exec_bin(openvswitch_t)
++corecmd_exec_shell(openvswitch_t)
 +
++dev_read_rand(openvswitch_t)
 +dev_read_urand(openvswitch_t)
 +
 +domain_use_interactive_fds(openvswitch_t)
 +
 +files_read_etc_files(openvswitch_t)
++files_read_kernel_modules(openvswitch_t)
 +
 +fs_getattr_all_fs(openvswitch_t)
 +fs_search_cgroup_dirs(openvswitch_t)
@@ -125027,6 +125057,10 @@ index 0000000..31370ed
 +
 +logging_send_syslog_msg(openvswitch_t)
 +
++modutils_exec_insmod(openvswitch_t)
++modutils_list_module_config(openvswitch_t)
++modutils_read_module_config(openvswitch_t)
++
 +sysnet_dns_name_resolve(openvswitch_t)
 +
 +optional_policy(`
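Review bot: `modutils_exec_insmod(openvswitch_t)` runs the module loader inside openvswitch_t instead of transitioning to the module-loading domain, so whatever insmod needs has to be granted to openvswitch_t itself. The previous hunk already adds `kernel_request_load_module(openvswitch_t)` and `files_read_kernel_modules(openvswitch_t)`. If kernel-requested loading is not sufficient, `modutils_domtrans_insmod(openvswitch_t)` would keep the loading privileges in the dedicated domain. A comment naming the script or command that needs the loader would also explain why `corecmd_exec_shell(openvswitch_t)` was added alongside it.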
@@ -145726,7 +145760,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..c231dab 100644
+index 4966c94..09d5420 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,35 @@
@@ -145796,7 +145830,7 @@ index 4966c94..c231dab 100644
  #
  # /opt
  #
-@@ -48,28 +72,32 @@ ifdef(`distro_redhat',`
+@@ -48,28 +72,33 @@ ifdef(`distro_redhat',`
  # /tmp
  #
  
@@ -145822,6 +145856,7 @@ index 4966c94..c231dab 100644
 +/usr/(s)?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/razor-lightdm-greeter  --  gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 +/usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -145836,7 +145871,7 @@ index 4966c94..c231dab 100644
  
  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
-@@ -90,17 +118,49 @@ ifdef(`distro_debian', `
+@@ -90,17 +119,49 @@ ifdef(`distro_debian', `
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -147213,7 +147248,7 @@ index 130ced9..dd8a707 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..0b0510a 100644
+index 143c893..6fd6718 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -147763,7 +147798,7 @@ index 143c893..0b0510a 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +618,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +618,39 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -147791,6 +147826,7 @@ index 143c893..0b0510a 100644
 +init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
  
  libs_exec_lib_files(xdm_t)
++libs_exec_ldconfig(xdm_t)
  
  logging_read_generic_logs(xdm_t)
  
@@ -147805,7 +147841,7 @@ index 143c893..0b0510a 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +658,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +659,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -147855,7 +147891,7 @@ index 143c893..0b0510a 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +708,25 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +709,25 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -147881,7 +147917,7 @@ index 143c893..0b0510a 100644
  ')
  
  optional_policy(`
-@@ -519,12 +734,64 @@ optional_policy(`
+@@ -519,12 +735,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -147946,7 +147982,7 @@ index 143c893..0b0510a 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +809,69 @@ optional_policy(`
+@@ -542,28 +810,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -148025,7 +148061,7 @@ index 143c893..0b0510a 100644
  ')
  
  optional_policy(`
-@@ -575,6 +883,14 @@ optional_policy(`
+@@ -575,6 +884,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -148040,7 +148076,7 @@ index 143c893..0b0510a 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -599,7 +915,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +916,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -148050,7 +148086,7 @@ index 143c893..0b0510a 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +931,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -148066,7 +148102,7 @@ index 143c893..0b0510a 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +958,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -148088,7 +148124,7 @@ index 143c893..0b0510a 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +978,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -148096,7 +148132,7 @@ index 143c893..0b0510a 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,21 +1004,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1005,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -148127,7 +148163,7 @@ index 143c893..0b0510a 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1036,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1037,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -148141,7 +148177,7 @@ index 143c893..0b0510a 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1055,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1056,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -148150,7 +148186,7 @@ index 143c893..0b0510a 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1062,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1063,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -148165,7 +148201,7 @@ index 143c893..0b0510a 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1121,40 @@ optional_policy(`
+@@ -778,16 +1122,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -148207,7 +148243,7 @@ index 143c893..0b0510a 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1163,10 @@ optional_policy(`
+@@ -796,6 +1164,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -148218,7 +148254,7 @@ index 143c893..0b0510a 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1182,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1183,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -148232,7 +148268,7 @@ index 143c893..0b0510a 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1193,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1194,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -148241,7 +148277,7 @@ index 143c893..0b0510a 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,26 +1206,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1207,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -148276,7 +148312,7 @@ index 143c893..0b0510a 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1228,10 @@ optional_policy(`
+@@ -862,6 +1229,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -148287,7 +148323,7 @@ index 143c893..0b0510a 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1275,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1276,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -148296,7 +148332,7 @@ index 143c893..0b0510a 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1329,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1330,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -148328,7 +148364,7 @@ index 143c893..0b0510a 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1375,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1376,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -153799,7 +153835,7 @@ index 14d9670..358255e 100644
 +/usr/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/usr/sbin/iscsiuio	--  	gen_context(system_u:object_r:iscsid_exec_t,s0)
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index ddbd8be..fad18e0 100644
+index ddbd8be..b267b3f 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
 @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
@@ -153810,15 +153846,16 @@ index ddbd8be..fad18e0 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -66,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -66,6 +65,8 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
  kernel_read_network_state(iscsid_t)
  kernel_read_system_state(iscsid_t)
 +kernel_setsched(iscsid_t)
++kernel_request_load_module(iscsid_t)
  
  corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -75,9 +75,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+@@ -75,9 +76,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
  corenet_tcp_connect_http_port(iscsid_t)
  corenet_tcp_connect_iscsi_port(iscsid_t)
  corenet_tcp_connect_isns_port(iscsid_t)
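Review bot: The newly added `kernel_request_load_module(iscsid_t)` line, placed right after `kernel_setsched(iscsid_t)` in the iscsi.te section, is not covered by any of the eight items in the commit description or the new 3.10.0-170 %changelog entry. A grant that lets iscsid_t ask the kernel to load modules therefore ships without a recorded reason. I would add a changelog line such as `- Allow iscsid to request kernel module loading`, together with the bug or AVC reference that motivated it. The interface is not tied to a particular module, so it is worth confirming that the denial came from iscsid itself rather than from something it executes; the denial is not shown on this page, so that part is an assumption to verify.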
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fa19b9f..f643b00 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 169%{?dist}
+Release: 170%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Jun 6 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-170
+- Back port to allow l2tpd to read NM conf file
+- Add labeling for /run/nm-xl2tpd.conf
+- Add mozilla_plugin_use_gps boolean
+- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t
+- Add labeling for HOMEDIR/.icedtea
+- Allow openvpn to add own log files
+- Allow cobblerd to read network state
+- Allow abrt to read utmp_t file
+
 * Thu Apr 4 2013 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-169
 - Allow cupsd to read hplip lib files
 - Allow NM to create rawip socket

