[selinux-policy/f19] - Label polgengui as a bin_t - Allow semanage to create /.autorelabel file - Label systemd unit file
Lukas Vrabec
lvrabec at fedoraproject.org
Thu Aug 29 09:33:37 UTC 2013
commit e58783d9e6498193695ee2a715dab57a0640aeb9
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed Aug 28 17:38:54 2013 +0200
- Label polgengui as a bin_t
- Allow semanage to create /.autorelabel file
- Label systemd unit files under dracut correctly
- Allow systemd domain to read /proc
- Allow sssd to write to user keyrings for managing kerberos
- Allow rhsmcertd to read init state
- Allow fetchmail to create own pid with correct labeling
- Fix rhcs_domain_template()
- Allow roles which can run mock to read mock lib files to view results
- Allow rpcbind to use nsswitch
policy-f19-base.patch | 51 ++++++++++++++++++++++++-------------
policy-f19-contrib.patch | 62 ++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 14 +++++++++-
3 files changed, 87 insertions(+), 40 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 63fd39f..da94e3a 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -3046,7 +3046,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..51181b8 100644
+index 644d4d7..f9bcd44 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3350,7 +3350,15 @@ index 644d4d7..51181b8 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +457,15 @@ ifdef(`distro_suse', `
+@@ -342,6 +416,7 @@ ifdef(`distro_redhat', `
+ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
#
# /var
#
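Review bot: The dot in the new `/usr/share/system-config-selinux/polgengui.py` entry is unescaped, while every neighbouring single-file entry escapes it (`polgen\.py`, `system-config-selinux\.py`, `system-config-date\.py`); file_contexts paths are regular expressions, so an unescaped `.` matches any character. Change the line to `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`. The practical over-match is small, but the inconsistency will be copied by the next person who adds an entry here.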
@@ -3367,7 +3375,7 @@ index 644d4d7..51181b8 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +475,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -33699,7 +33707,7 @@ index 3822072..bddf002 100644
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..e2b829b 100644
+index ec01d0b..076b0a0 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -34135,11 +34143,11 @@ index ec01d0b..e2b829b 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-logging_send_syslog_msg(semanage_t)
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -34227,7 +34235,7 @@ index ec01d0b..e2b829b 100644
')
########################################
-@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,187 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -34309,12 +34317,12 @@ index ec01d0b..e2b829b 100644
+ # pki is leaking
+ pki_dontaudit_write_log(setfiles_t)
+')
-+
+
+-seutil_libselinux_linked(setfiles_t)
+optional_policy(`
+ xserver_append_xdm_tmp_files(setfiles_t)
+')
-
--seutil_libselinux_linked(setfiles_t)
++
+ifdef(`hide_broken_symptoms',`
+
+ optional_policy(`
@@ -34447,10 +34455,7 @@ index ec01d0b..e2b829b 100644
-')
+dev_read_rand(policy_manager_domain)
+dev_read_urand(policy_manager_domain)
-
--optional_policy(`
-- hotplug_use_fds(setfiles_t)
--')
++
+logging_send_audit_msgs(policy_manager_domain)
+
+# Domains that will manage policy
@@ -34494,6 +34499,13 @@ index ec01d0b..e2b829b 100644
+
+files_rw_inherited_generic_pid_files(setfiles_domain)
+files_rw_inherited_generic_pid_files(policy_manager_domain)
++files_create_boot_flag(policy_manager_domain, ".autorelabel")
++files_delete_boot_flag(policy_manager_domain)
+
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ policykit_dbus_chat(policy_manager_domain)
+ ')
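Review bot: The boot-flag rules `files_create_boot_flag(policy_manager_domain, ".autorelabel")` and `files_delete_boot_flag(policy_manager_domain)` are granted to the `policy_manager_domain` attribute, which the comment `# Domains that will manage policy` in the previous hunk marks as a set of domains, while the changelog entry only says "Allow semanage to create /.autorelabel file". Creating `/.autorelabel` schedules a full filesystem relabel on the next boot, so either narrow the pair to `semanage_t` if that is the only domain that needs it, or make the changelog say policy-manager domains. A one-line comment above the pair naming the tool that writes the flag would match the `# Admins are creating pp files in random locations` style used earlier in this file. The `policykit_dbus_chat(policy_manager_domain)` line that takes the place of the old `hotplug_use_fds(setfiles_t)` block appears to be a new grant and is not mentioned in the changelog either; confirm whether it existed elsewhere before this change.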
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@@ -35288,10 +35300,10 @@ index b7686d5..7a9577f 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..2cd29ba
+index 0000000..431619e
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,44 @@
+/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0)
+
@@ -35306,6 +35318,7 @@ index 0000000..2cd29ba
+/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
++/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0)
+/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0)
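Review bot: The new `/usr/lib/dracut/modules.d/.*\.service` entry carries no file-type field, whereas the sibling single-file entries in this file (`/usr/bin/systemd-tmpfiles --`, `/usr/lib/systemd/system/.*halt.* --`) use `--` so that only regular files match. Unit files are regular files, so the line should read `/usr/lib/dracut/modules.d/.*\.service -- gen_context(system_u:object_r:systemd_unit_file_t,s0)`. Without the `--`, a directory or symlink under that tree whose name happens to end in .service would also receive systemd_unit_file_t.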
@@ -35337,10 +35350,10 @@ index 0000000..2cd29ba
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..78eb081
+index 0000000..bd5a6b7
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1287 @@
+@@ -0,0 +1,1289 @@
+## <summary>SELinux policy for systemd components</summary>
+
+######################################
@@ -35385,6 +35398,8 @@ index 0000000..78eb081
+ role system_r types $1_systemctl_t;
+
+ domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
++
++ kernel_read_domain_state($1_t)
+')
+
+########################################
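Review bot: `kernel_read_domain_state($1_t)` is granted to the template's caller domain `$1_t`, not to the `$1_systemctl_t` domain that the surrounding lines declare and transition into, yet the changelog entry says "Allow systemd domain to read /proc"; confirm which domain was meant before this lands. kernel_read_domain_state allows reading the /proc process state of every domain, which is considerably wider than reading /proc entries of one process, so the template's `## <summary>`/`<param>` documentation (outside this hunk) should state that callers receive it. If the systemctl side is what needs it, the line becomes `kernel_read_domain_state($1_systemctl_t)`. The template definition begins before this hunk.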
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index cc8492c..a49f171 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -23598,7 +23598,7 @@ index 79b9273..76b7ed5 100644
logging_send_syslog_msg(fcoemon_t)
diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..ea07c4f 100644
+index 2486e2a..72143ee 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
@@ -23607,6 +23607,12 @@ index 2486e2a..ea07c4f 100644
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
+
+ /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+
+-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
++/var/run/fetchmail.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
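Review bot: Replacing `/var/run/fetchmail/.* --` with `/var/run/fetchmail.* --` turns a directory-scoped rule into a prefix glob: `.*` matches `/var/run/fetchmail.pid`, which is presumably the goal, but also any regular file named `/var/run/fetchmail<anything>`. If the pid file is the target, an explicit entry keeps the old rule intact and is tighter: `/var/run/fetchmail\.pid -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)` next to the existing `/var/run/fetchmail/.*` line. Note that the `--` field excludes the `/var/run/fetchmail` directory itself from both forms, so its label still depends on the filetrans rule in fetchmail.te. The same prefix-glob shape is used by the new pkcsslotd.fc entry later in this diff.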
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
--- a/fetchmail.if
@@ -23632,7 +23638,7 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..df501ec 100644
+index f0388cb..8e7f99e 100644
--- a/fetchmail.te
+++ b/fetchmail.te
@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
@@ -23652,18 +23658,20 @@ index f0388cb..df501ec 100644
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
+@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
++files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
++
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
-+
+
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
- kernel_getattr_proc_files(fetchmail_t)
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
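Review bot: The class set in `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})` is written without the inner spaces that the rest of the contrib policy in this diff uses (`{ file dir }` in rhsmcertd.te, `{ dir file sock_file fifo_file }` in rhcs.if); write it as `files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { file dir })`. As far as I can tell both spellings parse the same, so this is consistency only. The surrounding hunk otherwise only moves the inner hunk boundary.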
@@ -37776,10 +37784,10 @@ index 0000000..8d0e473
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
-index 0000000..895f325
+index 0000000..6568bfe
--- /dev/null
+++ b/mock.if
-@@ -0,0 +1,305 @@
+@@ -0,0 +1,310 @@
+## <summary>policy for mock</summary>
+
+########################################
@@ -38026,9 +38034,14 @@ index 0000000..895f325
+
+ ps_process_pattern($2, mock_t)
+ allow $2 mock_t:process signal_perms;
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 mock_t:process ptrace;
+ ')
++
++ optional_policy(`
++ mock_read_lib_files($2)
++ ')
+')
+
+#######################################
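Review bot: The new `mock_read_lib_files($2)` call is wrapped in `optional_policy(\`…')`, but the interface's name places it in this same module (mock.if), so it is available whenever this template is; `optional_policy` exists for interfaces of other modules that may not be loaded. Drop the wrapper and call `mock_read_lib_files($2)` directly, the way `ps_process_pattern($2, mock_t)` above is called. This grants every user domain placed in the role read access to mock's lib tree, which matches the changelog entry "to view results"; the enclosing template begins before this hunk.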
@@ -54596,10 +54609,10 @@ index 977b972..0000000
-miscfiles_read_localization(pkcs_slotd_t)
diff --git a/pkcsslotd.fc b/pkcsslotd.fc
new file mode 100644
-index 0000000..38fa01d
+index 0000000..a6d3859
--- /dev/null
+++ b/pkcsslotd.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
+
+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
@@ -54607,6 +54620,8 @@ index 0000000..38fa01d
+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
+
+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
++
++/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
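Review bot: The added `/var/run/pkcsslotd.* --` entry is not mentioned in the commit message or in the spec changelog for 3.12.1-74, so someone reading the changelog cannot find this labeling change; add a line such as `- Label /var/run/pkcsslotd.* as pkcsslotd_var_run_t` to both. As in fetchmail.fc, the pattern is a prefix glob (`pkcsslotd.*`) rather than an escaped file name; if the only file is a pid file, `pkcsslotd\.pid` is the tighter form. Whether `pkcsslotd_var_run_t` is declared and given a filetrans rule in pkcsslotd.te cannot be seen from this hunk.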
diff --git a/pkcsslotd.if b/pkcsslotd.if
new file mode 100644
index 0000000..848ddc9
@@ -68688,7 +68703,7 @@ index 47de2d6..98a4280 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..4699b1b 100644
+index 56bc01f..b8d154e 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -68717,7 +68732,7 @@ index 56bc01f..4699b1b 100644
')
##############################
-@@ -43,11 +43,6 @@ template(`rhcs_domain_template',`
+@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
@@ -68729,9 +68744,11 @@ index 56bc01f..4699b1b 100644
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
-@@ -56,20 +51,19 @@ template(`rhcs_domain_template',`
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
++ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
- optional_policy(`
- dbus_system_bus_client($1_t)
@@ -70619,7 +70636,7 @@ index 6dbc905..d803796 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..f8ae4cc 100644
+index 1cedd70..6508b1e 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -70632,7 +70649,7 @@ index 1cedd70..f8ae4cc 100644
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
@@ -70655,6 +70672,8 @@ index 1cedd70..f8ae4cc 100644
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
++init_read_state(rhsmcertd_t)
++
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_read_certs(rhsmcertd_t)
@@ -72349,7 +72368,7 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index c49828c..a323332 100644
+index c49828c..56cb0c2 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
@@ -72368,7 +72387,7 @@ index c49828c..a323332 100644
files_read_etc_runtime_files(rpcbind_t)
-logging_send_syslog_msg(rpcbind_t)
-+auth_read_passwd(rpcbind_t)
++auth_use_nsswitch(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
+logging_send_syslog_msg(rpcbind_t)
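Review bot: `auth_use_nsswitch(rpcbind_t)` replaces `auth_read_passwd(rpcbind_t)` and is a noticeably wider grant: in refpolicy auth_use_nsswitch brings in the name-service client rules (network lookups against LDAP/NIS, sssd access and similar), not only passwd-file reads. rpcbind is a network-facing daemon, so the lookup that actually failed should be recorded in a comment above the line, as the `# pki is leaking` and `# Admins are creating pp files in random locations` comments elsewhere in this diff do. The changelog line "Allow rpcbind to use nsswitch" gives the what but not the why.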
@@ -83478,7 +83497,7 @@ index a240455..54c5c1f 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 8b537aa..e9632c3 100644
+index 8b537aa..3bce4df 100644
--- a/sssd.te
+++ b/sssd.te
@@ -1,4 +1,4 @@
@@ -83567,7 +83586,7 @@ index 8b537aa..e9632c3 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -83577,6 +83596,7 @@ index 8b537aa..e9632c3 100644
sysnet_use_ldap(sssd_t)
+userdom_manage_tmp_role(system_r, sssd_t)
++userdom_manage_all_users_keys(sssd_t)
+
optional_policy(`
dbus_system_bus_client(sssd_t)
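Review bot: `userdom_manage_all_users_keys(sssd_t)` lets sssd_t manage the keyrings of every user domain, and nothing in the file says why; the reason is only in the changelog ("write to user keyrings for managing kerberos"). Put it next to the rule, e.g. `# sssd writes user keyrings for kerberos`, so a later audit of keyring access does not have to dig through package history. Whether the manage set (create, write, delete) is needed rather than a narrower write interface cannot be judged from this hunk.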
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a224dff..db685ad 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 73%{?dist}
+Release: 74%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Aug 28 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74
+- Label polgengui as a bin_t
+- Allow semanage to create /.autorelabel file
+- Label systemd unit files under dracut correctly
+- Allow systemd domain to read /proc
+- Allow sssd to write to user keyrings for managing kerberos
+- Allow rhsmcertd to read init state
+- Allow fetchmail to create own pid with correct labeling
+- Fix rhcs_domain_template()
+- Allow roles which can run mock to read mock lib files to view results
+- Allow rpcbind to use nsswitch
+
* Fri Aug 23 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-73
- Update rules for condor domains