[ladvd] apply SELinux policy patch by Daniel J Walsh (#975959)

Tomasz Torcz ttorcz at fedoraproject.org
Tue Sep 17 07:28:40 UTC 2013


commit 380b3b96ddf6f1fb86b045489949fffb4dc49d17
Author: Tomasz Torcz <tomek at pipebreaker.pl>
Date:   Tue Sep 17 09:28:11 2013 +0200

    apply SELinux policy patch by Daniel J Walsh (#975959)

 ladvd.fc   |    6 ++++-
 ladvd.if   |   41 +++++++++++++++++++++++++++++++++----
 ladvd.spec |    5 +++-
 ladvd.te   |   65 +++++++++++++++++++++--------------------------------------
 4 files changed, 68 insertions(+), 49 deletions(-)
---
diff --git a/ladvd.fc b/ladvd.fc
index 612d4ee..2e22d2c 100644
--- a/ladvd.fc
+++ b/ladvd.fc
@@ -1,4 +1,8 @@
 
 /usr/sbin/ladvd	--	gen_context(system_u:object_r:ladvd_exec_t,s0)
 
-/etc/rc.d/init.d/ladvd	--	gen_context(system_u:object_r:ladvd_script_exec_t,s0)
+/etc/rc\.d/init\.d/ladvd	--	gen_context(system_u:object_r:ladvd_script_exec_t,s0)
+
+/usr/lib/systemd/system/ladvd.*	--	gen_context(system_u:object_r:ladvd_unit_file_t,s0)
+
+/var/run/ladvd(/.*)?			gen_context(system_u:object_r:ladvd_var_run_t,s0)
diff --git a/ladvd.if b/ladvd.if
index cbbafbb..b9b3de5 100644
--- a/ladvd.if
+++ b/ladvd.if
@@ -41,6 +41,29 @@ interface(`ladvd_script_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute ladvd server in the ladvd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ladvd_systemctl',`
+	gen_require(`
+		type ladvd_t;
+		type ladvd_unit_file_t;
+	')
+
+	systemd_exec_systemctl($1)
+	allow $1 ladvd_unit_file_t:file manage_file_perms;
+	allow $1 ladvd_unit_file_t:service manage_service_perms;
+
+	ps_process_pattern($1, ladvd_t)
+')
+
+########################################
+## <summary>
 ##	All of the rules required to administrate 
 ##	an ladvd environment
 ## </summary>
@@ -64,20 +87,28 @@ interface(`ladvd_script_domtrans',`
 interface(`ladvd_admin',`
 	gen_require(`
 		type ladvd_t;
+		type ladvd_script_exec_t;
+		type ladvd_unit_file_t;
 	')
 
-	allow $1 ladvd_t:process { ptrace signal_perms getattr };
-	read_files_pattern($1, ladvd_t, ladvd_t)
-	        
+	allow $1 ladvd_t:process { signal_perms };
+	ps_process_pattern($1, ladvd_t)
 
-	gen_require(`
-		type ladvd_script_exec_t;
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 ladvd_t:process ptrace;
 	')
 
+	init_labeled_script_domtrans($1, ladvd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ladvd_initrc_exec_t system_r;
+	allow $2 system_r;
+
 	# Allow ladvd_t to restart the apache service
 	ladvd_script_domtrans($1)
 	domain_system_change_exemption($1)
 	role_transition $2 ladvd_script_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_pids($1)
+	admin_pattern($1, ladvd_var_run_t)
 ')
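Review bot: `ladvd_initrc_exec_t`, used at `init_labeled_script_domtrans($1, ladvd_initrc_exec_t)` and `role_transition $2 ladvd_initrc_exec_t system_r;`, is not listed in this interface's `gen_require` and is not declared anywhere visible in this commit (ladvd.te declares `ladvd_script_exec_t`, and the ladvd.te hunk below keeps that name), so unless it is declared elsewhere the module will not build. Those four lines also duplicate the `ladvd_script_domtrans($1)` / `role_transition $2 ladvd_script_exec_t system_r;` block that follows, so dropping them is the simplest fix. `ladvd_var_run_t` in `admin_pattern($1, ladvd_var_run_t)` should likewise be added to `gen_require` as `type ladvd_var_run_t;`, and since the commit adds `ladvd_systemctl`, the admin interface should probably call `ladvd_systemctl($1)` so an admin can manage the unit, not only the init script. The comment `# Allow ladvd_t to restart the apache service` is a copy-paste leftover; `# Allow $1 to run the ladvd init script` describes the rule it precedes.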
diff --git a/ladvd.spec b/ladvd.spec
index b1d6d03..9ac32a3 100644
--- a/ladvd.spec
+++ b/ladvd.spec
@@ -9,7 +9,7 @@
 
 Name:           ladvd
 Version:        1.0.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        CDP/LLDP sender for UNIX
 
 Group:          Applications/Internet
@@ -167,6 +167,9 @@ fi
 
 
 %changelog
+* Tue Sep 17 2013 Tomasz Torcz <ttorcz at fedoraproject.org> - 1.0.4-9
+- apply SELinux policy patch by Daniel J Walsh (#975959)
+
 * Mon Aug 19 2013 Ralf Corsépius <corsepiu at fedoraproject.org> - 1.0.4-8
 - Address FTBFS, RHBZ#992031:
   - Fix typo in spec (Use %%_tmpfilesdir instead of ${_tmpfilesdir}).
diff --git a/ladvd.te b/ladvd.te
index 528810c..5c83fb2 100644
--- a/ladvd.te
+++ b/ladvd.te
@@ -1,21 +1,5 @@
 policy_module(ladvd,1.0.0)
 
-require {
-	type net_conf_t;
-	type sysctl_net_t;
-	type var_run_t;
-	type ladvd_t;
-	type sysfs_t;
-	type sysctl_t;
-	class capability { setuid net_raw setgid };
-	class file { write getattr read lock create };
-	class netlink_route_socket { write getattr read bind create nlmsg_read };
-	class packet_socket { write create };
-	class lnk_file read;
-	class udp_socket { create ioctl };
-	class dir { write search add_name getattr };
-}
-
 ########################################
 #
 # Declarations
@@ -28,43 +12,40 @@ init_daemon_domain(ladvd_t, ladvd_exec_t)
 type ladvd_script_exec_t;
 init_script_file(ladvd_script_exec_t)
 
+type ladvd_var_run_t;
+files_pid_file(ladvd_var_run_t)
+
+type ladvd_unit_file_t;
+systemd_unit_file(ladvd_unit_file_t)
+
 ########################################
 #
 # ladvd local policy
 #
-
-# Init script handling
-domain_use_interactive_fds(ladvd_t)
-
-# internal communication is often done using fifo and unix sockets.
 allow ladvd_t self:fifo_file rw_file_perms;
 allow ladvd_t self:unix_stream_socket create_stream_socket_perms;
+allow ladvd_t self:capability { setuid net_admin net_raw setgid setpcap };
+allow ladvd_t self:process { signal_perms setcap };
+allow ladvd_t self:packet_socket create_socket_perms;
 
-files_read_etc_files(ladvd_t)
+manage_files_pattern(ladvd_t, ladvd_var_run_t, ladvd_var_run_t)
+manage_dirs_pattern(ladvd_t, ladvd_var_run_t, ladvd_var_run_t)
+manage_sock_files_pattern(ladvd_t, ladvd_var_run_t, ladvd_var_run_t)
+manage_lnk_files_pattern(ladvd_t, ladvd_var_run_t, ladvd_var_run_t)
+files_pid_filetrans(ladvd_t, ladvd_var_run_t, { file dir sock_file })
 
-libs_use_ld_so(ladvd_t)
-libs_use_shared_libs(ladvd_t)
+kernel_read_net_sysctls(ladvd_t)
 
-miscfiles_read_localization(ladvd_t)
+corecmd_exec_bin(ladvd_t)
 
-logging_send_syslog_msg(ladvd_t)
+dev_read_sysfs(ladvd_t)
 
+domain_use_interactive_fds(ladvd_t)
 
-allow ladvd_t net_conf_t:file { read getattr };
-allow ladvd_t self:capability { setuid net_raw setgid };
-allow ladvd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow ladvd_t self:packet_socket { write create };
-allow ladvd_t self:udp_socket { create ioctl };
-allow ladvd_t sysctl_net_t:dir search;
-allow ladvd_t sysctl_net_t:file read;
-allow ladvd_t sysctl_t:dir search;
-allow ladvd_t sysfs_t:dir { search getattr };
-allow ladvd_t sysfs_t:file { read getattr };
-allow ladvd_t sysfs_t:lnk_file read;
-allow ladvd_t var_run_t:dir { write add_name };
-allow ladvd_t var_run_t:file { write lock create };
+files_read_etc_files(ladvd_t)
 
-# RHBZ #975959
-allow ladvd_t passwd_file_t:file read;
-auth_read_passwd(ladvd_t)
+miscfiles_read_localization(ladvd_t)
+
+logging_send_syslog_msg(ladvd_t)
 
+auth_use_nsswitch(ladvd_t)
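Review bot: The capability line `allow ladvd_t self:capability { setuid net_admin net_raw setgid setpcap };` widens the removed `{ setuid net_raw setgid }` with `net_admin` and `setpcap` (plus `process setcap`), and `net_admin` is a broad capability covering interface and routing configuration, far beyond what a CDP/LLDP sender needs to open a raw socket; a why-comment naming the operation that was denied, e.g. `# net_admin: required for <denied operation — TODO confirm from AVC>`, would let a later reviewer decide whether it can be dropped. The removed `netlink_route_socket` and `udp_socket { create ioctl }` rules have no visible replacement in this hunk; presumably `auth_use_nsswitch(ladvd_t)` covers the route-socket and resolver socket access, but that should be confirmed under enforcing mode rather than assumed. `corecmd_exec_bin(ladvd_t)` is also new and uncommented — which binary the daemon executes is not evident here, and a one-line comment would justify it.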

