[selinux-policy/f19] * Fri Sep 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.6 - Keep initrc_domain if init_t exec
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Sep 20 12:54:48 UTC 2013
commit 2ec0a73b77c7c2e75802d69de240751342d2ac44
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Sep 20 14:54:29 2013 +0200
* Fri Sep 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.6
- Keep initrc_domain if init_t executes bin_t
policy-f19-base.patch | 106 ++++++++++++++++++++++++++----------------------
selinux-policy.spec | 6 ++-
2 files changed, 61 insertions(+), 51 deletions(-)
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 151a236..a7f173d 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -27602,7 +27602,7 @@ index 24e7804..c4155c7 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..3ec4566 100644
+index dd3be8d..ee26201 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27690,7 +27690,16 @@ index dd3be8d..3ec4566 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -98,7 +130,8 @@ ifdef(`enable_mls',`
+@@ -66,6 +98,8 @@ role system_r types initrc_t;
+ # of the below init_upstart tunable
+ # but this has a typeattribute in it
+ corecmd_shell_entry_type(initrc_t)
++corecmd_bin_entry_type(initrc_t)
++corecmd_bin_domtrans(init_t, initrc_t)
+
+ type initrc_devpts_t;
+ term_pty(initrc_devpts_t)
+@@ -98,7 +132,8 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
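Review bot: The re-added `++corecmd_bin_entry_type(initrc_t)` and `++corecmd_bin_domtrans(init_t, initrc_t)` lines carry no comment in init.te, and the comment block just above them (`# of the below init_upstart tunable` / `# but this has a typeattribute in it`) reads as if it covered only the shell entry rule. Since this restores the transition that the 74.5 changelog says was taken away, a one-line comment in the policy source would spare the next maintainer a trip through the spec changelog: `# bin_t executed by init_t must run as initrc_t, not stay in init_t (3.12.1-74.6)`. With `corecmd_bin_entry_type(initrc_t)` every bin_t file becomes a valid entry point into initrc_t, a domain the visible context shows holds broad rights such as `domain_kill_all_domains(initrc_t)` and `fs_mount_all_fs(initrc_t)`, which is why the rationale belongs next to the rule rather than only in the changelog. The enclosing init.te hunk (`@@ -66,6 +98,8 @@`) continues past this hunk, and the later hunk headers in this file change only line offsets.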
@@ -27700,7 +27709,7 @@ index dd3be8d..3ec4566 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -110,12 +143,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -110,12 +145,33 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -27740,7 +27749,7 @@ index dd3be8d..3ec4566 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +179,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +181,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -27759,7 +27768,7 @@ index dd3be8d..3ec4566 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +197,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +199,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -27780,7 +27789,7 @@ index dd3be8d..3ec4566 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +220,49 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +222,49 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -27833,7 +27842,7 @@ index dd3be8d..3ec4566 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +271,187 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +273,186 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -27997,7 +28006,6 @@ index dd3be8d..3ec4566 100644
+
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
-+auth_domtrans_chk_passwd(init_t)
+
+optional_policy(`
+ lvm_rw_pipes(init_t)
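Review bot: Dropping `+auth_domtrans_chk_passwd(init_t)` from the patch is a second, unrelated policy change that the new 74.6 changelog entry (`- Keep initrc_domain if init_t executes bin_t`) does not record; instead the 74.5 entry that introduced it is deleted from the spec changelog, so the package history no longer shows that init_t ever had, and then lost, a transition to chk_passwd_t. Someone comparing 74.5 and 74.6 policy would find the removed domain transition with no changelog trace. Suggest adding a second line to the 74.6 entry, `- Drop auth_domtrans_chk_passwd(init_t) added in 74.5`, and leaving the earlier entry intact. The enclosing init.te block starts and ends outside this hunk.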
@@ -28029,7 +28037,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -216,6 +459,27 @@ optional_policy(`
+@@ -216,6 +460,27 @@ optional_policy(`
')
optional_policy(`
@@ -28057,7 +28065,7 @@ index dd3be8d..3ec4566 100644
unconfined_domain(init_t)
')
-@@ -225,8 +489,9 @@ optional_policy(`
+@@ -225,8 +490,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28069,7 +28077,7 @@ index dd3be8d..3ec4566 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +522,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +523,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28086,7 +28094,7 @@ index dd3be8d..3ec4566 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +547,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +548,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28129,7 +28137,7 @@ index dd3be8d..3ec4566 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +584,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +585,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28141,7 +28149,7 @@ index dd3be8d..3ec4566 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +596,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +597,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28152,7 +28160,7 @@ index dd3be8d..3ec4566 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +607,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +608,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28162,7 +28170,7 @@ index dd3be8d..3ec4566 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +616,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +617,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28170,7 +28178,7 @@ index dd3be8d..3ec4566 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +623,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +624,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28178,7 +28186,7 @@ index dd3be8d..3ec4566 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +631,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +632,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28196,7 +28204,7 @@ index dd3be8d..3ec4566 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +649,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +650,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28210,7 +28218,7 @@ index dd3be8d..3ec4566 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +664,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +665,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28224,7 +28232,7 @@ index dd3be8d..3ec4566 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +677,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +678,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28232,7 +28240,7 @@ index dd3be8d..3ec4566 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +689,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +690,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28240,7 +28248,7 @@ index dd3be8d..3ec4566 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +708,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +709,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28264,7 +28272,7 @@ index dd3be8d..3ec4566 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +741,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +742,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28272,7 +28280,7 @@ index dd3be8d..3ec4566 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +775,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +776,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28283,7 +28291,7 @@ index dd3be8d..3ec4566 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +799,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +800,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28292,7 +28300,7 @@ index dd3be8d..3ec4566 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +814,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +815,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28300,7 +28308,7 @@ index dd3be8d..3ec4566 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +835,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +836,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28308,7 +28316,7 @@ index dd3be8d..3ec4566 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +845,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +846,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28353,7 +28361,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -558,14 +890,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +891,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28385,7 +28393,7 @@ index dd3be8d..3ec4566 100644
')
')
-@@ -576,6 +925,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +926,39 @@ ifdef(`distro_suse',`
')
')
@@ -28425,7 +28433,7 @@ index dd3be8d..3ec4566 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +970,8 @@ optional_policy(`
+@@ -588,6 +971,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28434,7 +28442,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -609,6 +993,7 @@ optional_policy(`
+@@ -609,6 +994,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -28442,7 +28450,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -625,6 +1010,17 @@ optional_policy(`
+@@ -625,6 +1011,17 @@ optional_policy(`
')
optional_policy(`
@@ -28460,7 +28468,7 @@ index dd3be8d..3ec4566 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1037,13 @@ optional_policy(`
+@@ -641,9 +1038,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28474,7 +28482,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -656,15 +1056,11 @@ optional_policy(`
+@@ -656,15 +1057,11 @@ optional_policy(`
')
optional_policy(`
@@ -28492,7 +28500,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -685,6 +1081,15 @@ optional_policy(`
+@@ -685,6 +1082,15 @@ optional_policy(`
')
optional_policy(`
@@ -28508,7 +28516,7 @@ index dd3be8d..3ec4566 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1130,7 @@ optional_policy(`
+@@ -725,6 +1131,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -28516,7 +28524,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -742,7 +1148,14 @@ optional_policy(`
+@@ -742,7 +1149,14 @@ optional_policy(`
')
optional_policy(`
@@ -28531,7 +28539,7 @@ index dd3be8d..3ec4566 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1178,10 @@ optional_policy(`
+@@ -765,6 +1179,10 @@ optional_policy(`
')
optional_policy(`
@@ -28542,7 +28550,7 @@ index dd3be8d..3ec4566 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1191,20 @@ optional_policy(`
+@@ -774,10 +1192,20 @@ optional_policy(`
')
optional_policy(`
@@ -28563,7 +28571,7 @@ index dd3be8d..3ec4566 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1213,10 @@ optional_policy(`
+@@ -786,6 +1214,10 @@ optional_policy(`
')
optional_policy(`
@@ -28574,7 +28582,7 @@ index dd3be8d..3ec4566 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1238,6 @@ optional_policy(`
+@@ -807,8 +1239,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28583,7 +28591,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -817,6 +1246,10 @@ optional_policy(`
+@@ -817,6 +1247,10 @@ optional_policy(`
')
optional_policy(`
@@ -28594,7 +28602,7 @@ index dd3be8d..3ec4566 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1259,12 @@ optional_policy(`
+@@ -826,10 +1260,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28607,7 +28615,7 @@ index dd3be8d..3ec4566 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1291,27 @@ optional_policy(`
+@@ -856,12 +1292,27 @@ optional_policy(`
')
optional_policy(`
@@ -28636,7 +28644,7 @@ index dd3be8d..3ec4566 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1321,18 @@ optional_policy(`
+@@ -871,6 +1322,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28655,7 +28663,7 @@ index dd3be8d..3ec4566 100644
')
optional_policy(`
-@@ -886,6 +1348,10 @@ optional_policy(`
+@@ -886,6 +1349,10 @@ optional_policy(`
')
optional_policy(`
@@ -28666,7 +28674,7 @@ index dd3be8d..3ec4566 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1362,196 @@ optional_policy(`
+@@ -896,3 +1363,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 963aa3c..24f563c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.5%{?dist}
+Release: 74.6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,12 +539,14 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Sep 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.12.1-74.6
+- Keep initrc_domain if init_t executes bin_t
+
* Fri Sep 20 2013 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-74.5
- Fix label on pam_krb5 helper apps
- Allow apps that read ipsec_mgmt_var_run_t to search ipsec_var_run_t
- Allow init_t to run crash utility
- Fix label on pam_krb5 helper apps
-- Take away transition from init_t to initrc_t when executing bin_t, allow init_t to run chk_passwd_t
- Allow init_t to run crash utility
- Call neutron interfaces instead of quantum
- Allow users to communicate with journald using tmpfs files