[selinux-policy] Fix kdump_admi() interface

Miroslav Grepl mgrepl at fedoraproject.org
Thu Aug 8 18:47:20 UTC 2013


commit 0b215e82ae7a324b50e9138105f9eba69dcb4152
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Thu Aug 8 20:46:58 2013 +0200

    Fix kdump_admi() interface

 policy-rawhide-contrib.patch |   69 +++++++++++++++++++++++------------------
 1 files changed, 39 insertions(+), 30 deletions(-)
---
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 8d0452b..e9e4180 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -18672,7 +18672,7 @@ index afcf3a2..8c49f40 100644
 +	dontaudit system_bus_type $1:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..78bbb7d 100644
+index 2c2e7e1..493ab48 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -1,20 +1,18 @@
@@ -18797,7 +18797,7 @@ index 2c2e7e1..78bbb7d 100644
  mls_fd_use_all_levels(system_dbusd_t)
  mls_rangetrans_target(system_dbusd_t)
  mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
  auth_use_nsswitch(system_dbusd_t)
  auth_read_pam_console_data(system_dbusd_t)
  
@@ -18855,6 +18855,11 @@ index 2c2e7e1..78bbb7d 100644
 +optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
 +	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+ ')
+ 
+ optional_policy(`
+-	seutil_sigchld_newrole(system_dbusd_t)
++    nis_use_ypbind(system_dbusd_t)
 +')
 +
 +optional_policy(`
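Review bot: The line `++    nis_use_ypbind(system_dbusd_t)` is indented with four spaces, while every other rule inside `optional_policy(...)` blocks in this hunk and the next (`gnome_exec_gconf`, `sysnet_domtrans_dhcpc`, `systemd_use_fds_logind`) uses a single tab; it should read `+	nis_use_ypbind(system_dbusd_t)`. The same optional_policy block is being relocated between this hunk and the one at `@@ -18870,10 +18875,9 @@`, so the indentation should be fixed once here. This dbus.te change is also not covered by the commit subject, which only names the kdump interface; a word on why `seutil_sigchld_newrole` is replaced by `nis_use_ypbind` in the commit message would help later readers of the patch.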
@@ -18870,10 +18875,9 @@ index 2c2e7e1..78bbb7d 100644
 +
 +optional_policy(`
 +	sysnet_domtrans_dhcpc(system_dbusd_t)
- ')
- 
- optional_policy(`
--	seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
@@ -18911,7 +18915,7 @@ index 2c2e7e1..78bbb7d 100644
 +init_rw_stream_sockets(system_bus_type)
 +
 +ps_process_pattern(system_dbusd_t, system_bus_type)
- 
++
 +userdom_dontaudit_search_admin_dir(system_bus_type)
 +userdom_read_all_users_state(system_bus_type)
 +
@@ -18926,7 +18930,7 @@ index 2c2e7e1..78bbb7d 100644
 +optional_policy(`
 +	unconfined_dbus_send(system_bus_type)
 +')
-+
+ 
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
 +')
@@ -18967,7 +18971,7 @@ index 2c2e7e1..78bbb7d 100644
  kernel_read_kernel_sysctls(session_bus_type)
  
  corecmd_list_bin(session_bus_type)
-@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
  corecmd_read_bin_pipes(session_bus_type)
  corecmd_read_bin_sockets(session_bus_type)
  
@@ -18992,7 +18996,7 @@ index 2c2e7e1..78bbb7d 100644
  files_dontaudit_search_var(session_bus_type)
  
  fs_getattr_romfs(session_bus_type)
-@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
  fs_list_inotifyfs(session_bus_type)
  fs_dontaudit_list_nfs(session_bus_type)
  
@@ -19000,7 +19004,7 @@ index 2c2e7e1..78bbb7d 100644
  selinux_validate_context(session_bus_type)
  selinux_compute_access_vector(session_bus_type)
  selinux_compute_create_context(session_bus_type)
-@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
  auth_read_pam_console_data(session_bus_type)
  
  logging_send_audit_msgs(session_bus_type)
@@ -19042,7 +19046,7 @@ index 2c2e7e1..78bbb7d 100644
  ')
  
  ########################################
-@@ -244,5 +340,6 @@ optional_policy(`
+@@ -244,5 +344,6 @@ optional_policy(`
  # Unconfined access to this module
  #
  
@@ -31423,7 +31427,7 @@ index a49ae4e..913a0e3 100644
 -/usr/sbin/kexec	--	gen_context(system_u:object_r:kdump_exec_t,s0)
 +/var/crash(/.*)?		gen_context(system_u:object_r:kdump_crash_t,s0)
 diff --git a/kdump.if b/kdump.if
-index 3a00b3a..f6402dc 100644
+index 3a00b3a..b835e95 100644
 --- a/kdump.if
 +++ b/kdump.if
 @@ -1,4 +1,4 @@
@@ -31494,7 +31498,7 @@ index 3a00b3a..f6402dc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -56,10 +100,65 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,66 @@ interface(`kdump_read_config',`
  	allow $1 kdump_etc_t:file read_file_perms;
  ')
  
@@ -31517,6 +31521,7 @@ index 3a00b3a..f6402dc 100644
 +	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
 +')
 +
++
 +#####################################
 +## <summary>
 +##	Read kdump crash files.
@@ -31562,7 +31567,7 @@ index 3a00b3a..f6402dc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -76,10 +175,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +176,31 @@ interface(`kdump_manage_config',`
  	allow $1 kdump_etc_t:file manage_file_perms;
  ')
  
@@ -31596,7 +31601,7 @@ index 3a00b3a..f6402dc 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -88,19 +208,24 @@ interface(`kdump_manage_config',`
+@@ -88,19 +209,24 @@ interface(`kdump_manage_config',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -31613,7 +31618,7 @@ index 3a00b3a..f6402dc 100644
 +		type kdump_t, kdump_etc_t;
 +		type kdump_initrc_exec_t;
 +		type kdump_unit_file_t;
-+		type kdump_crash_t
++		type kdump_crash_t;
  	')
  
 -	allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
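Review bot: The `gen_require` block now spans four separate `type` statements (`kdump_t, kdump_etc_t`, `kdump_initrc_exec_t`, `kdump_unit_file_t`, `kdump_crash_t`) where the refpolicy convention is a single statement, `type kdump_t, kdump_etc_t, kdump_initrc_exec_t, kdump_unit_file_t, kdump_crash_t;`; the added semicolon on the `kdump_crash_t` line is the build fix the commit is for, but the block reads as four patches layered on each other. The body of `kdump_admin` continues past this hunk, so whether `kdump_crash_t` is actually referenced there (the four lines added at `@@ -110,6 +236,10 @@` are not shown) cannot be confirmed from this view; if it is not, the new requirement is dead weight rather than a fix. Note that the interface is `kdump_admin`, as the later hunk header shows, while the commit subject says `kdump_admi()`.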
@@ -31626,7 +31631,7 @@ index 3a00b3a..f6402dc 100644
  
  	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +235,10 @@ interface(`kdump_admin',`
+@@ -110,6 +236,10 @@ interface(`kdump_admin',`
  	files_search_etc($1)
  	admin_pattern($1, kdump_etc_t)
  
@@ -74999,7 +75004,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..ea8d79d 100644
+index 57c034b..aa2be40 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -75973,7 +75978,11 @@ index 57c034b..ea8d79d 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -834,16 +838,19 @@ optional_policy(`
+ #
+ 
+ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability2 block_suspend;
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
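Review bot: The new rule `++allow winbind_t self:capability2 block_suspend;` grants winbind a capability with no comment saying what it is needed for, and neither the commit subject nor the surrounding hunk mentions it. block_suspend is low impact (it only lets the process hold off system suspend), but unexplained capability grants are exactly what a later policy audit cannot judge, so the rule should carry a one-line comment, e.g. `# block_suspend: <reason or bug reference — placeholder>`, or the denial that motivated it should be cited in the commit message. The widened hunk context (`@@ -834,16 +838,19 @@`) is consistent with the single added line.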
@@ -75993,7 +76002,7 @@ index 57c034b..ea8d79d 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -76004,7 +76013,7 @@ index 57c034b..ea8d79d 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -76034,7 +76043,7 @@ index 57c034b..ea8d79d 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -76055,7 +76064,7 @@ index 57c034b..ea8d79d 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -76066,7 +76075,7 @@ index 57c034b..ea8d79d 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -76093,7 +76102,7 @@ index 57c034b..ea8d79d 100644
  
  optional_policy(`
  	ctdbd_stream_connect(winbind_t)
-@@ -936,7 +944,12 @@ optional_policy(`
+@@ -936,7 +945,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -76106,7 +76115,7 @@ index 57c034b..ea8d79d 100644
  ')
  
  optional_policy(`
-@@ -952,31 +965,29 @@ optional_policy(`
+@@ -952,31 +966,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -76144,7 +76153,7 @@ index 57c034b..ea8d79d 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +1001,38 @@ optional_policy(`
+@@ -990,25 +1002,38 @@ optional_policy(`
  
  ########################################
  #
@@ -86226,7 +86235,7 @@ index 0000000..92b6843
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/thumb.if b/thumb.if
 new file mode 100644
-index 0000000..aa424d3
+index 0000000..8b2dfff
 --- /dev/null
 +++ b/thumb.if
 @@ -0,0 +1,130 @@
@@ -86283,7 +86292,7 @@ index 0000000..aa424d3
 +	dontaudit thumb_t $1:file read_file_perms;
 +	dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
 +    
-+        allow thumb_t $1:shm rw_shm_perms;
++    allow thumb_t $1:shm create_shm_perms;
 +	allow thumb_t $1:sem create_sem_perms;
 +')
 +
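Review bot: The replacement line `++    allow thumb_t $1:shm create_shm_perms;` widens the grant from `rw_shm_perms` to `create_shm_perms`, so thumb_t can now create and destroy shared-memory segments labelled with the caller's domain type `$1`, not only read and write them; this is a real permission change and is not mentioned in the commit message, which only describes a kdump fix. If the widening is intended, it is at least consistent with the adjacent `sem create_sem_perms` line, but a short note in the commit message or a comment in the interface would make that explicit. The indentation is still off: the new line uses four spaces where the adjacent `sem` line uses a tab, and the preceding `+    ` line is whitespace only; the line should read `+	allow thumb_t $1:shm create_shm_perms;`. The enclosing interface starts before this hunk.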