[selinux-policy/f20] * Wed Jun 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-170 - Add labels for swapon and xfs_growf
Lukas Vrabec
lvrabec at fedoraproject.org
Wed Jun 18 09:38:26 UTC 2014
commit af7820fd90f44e71abd66450c3de161498449522
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Wed Jun 18 11:38:06 2014 +0200
* Wed Jun 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-170
- Add labels for swapon and xfs_growfs
- Add mozilla_plugin_use_bluejeans boolean
- apcupsd will send a wall message to all terminals telling users that the system
is about to go down
- Additional policy required for geard.
- Allow geard to transition to passwd and useradd
policy-f20-base.patch | 6 +-
policy-f20-contrib.patch | 138 ++++++++++++++++++++++++++--------------------
selinux-policy.spec | 9 +++-
3 files changed, 90 insertions(+), 63 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 70354c1..741c176 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -29594,7 +29594,7 @@ index 3694bfe..7fcd27a 100644
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..bf726c3 100644
+index a97a096..ce0abe6 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -29610,7 +29610,7 @@ index a97a096..bf726c3 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -35,13 +33,53 @@
+@@ -35,13 +33,55 @@
/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29658,8 +29658,10 @@ index a97a096..bf726c3 100644
+/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
+
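Review bot: The label added on the `++/usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)` line is for swapoff, but the changelog entry added in the selinux-policy.spec hunk (and the commit description) says "Add labels for swapon and xfs_growfs"; `/usr/sbin/swapon.*` already appears as context directly below the new line, so the changelog should read `- Add labels for swapoff and xfs_growfs`. The entry itself is an exact-match (`--`) regular-file pattern consistent with the neighbouring tune2fs and xfs_growfs lines, and the inner hunk header moving from 53 to 55 new-side lines matches the two additions. The fstools.fc hunk of the inner patch starts before this outer hunk.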
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index c6010de..ee269bc 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -7361,7 +7361,7 @@ index f3c0aba..cbe3d4a 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..5206035 100644
+index b236327..a813b6c 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7408,7 +7408,7 @@ index b236327..5206035 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,19 +82,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +82,24 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -7418,8 +7418,8 @@ index b236327..5206035 100644
files_manage_etc_runtime_files(apcupsd_t)
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
- term_use_unallocated_ttys(apcupsd_t)
-+term_use_usb_ttys(apcupsd_t)
+-term_use_unallocated_ttys(apcupsd_t)
++term_use_all_terms(apcupsd_t)
-logging_send_syslog_msg(apcupsd_t)
+#apcupsd runs shutdown, probably need a shutdown domain
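Review bot: `++term_use_all_terms(apcupsd_t)` widens the daemon's terminal access from the USB ttys of the replaced `term_use_usb_ttys` line to every tty and pty type on the system, including user ptys, and nothing in the hunk records why a power-fail daemon needs that breadth. Add a why-comment above it, e.g. `# wall(1) at power-fail shutdown writes to every logged-in terminal`, so the grant is not later mistaken for an accident or silently widened further. The inner patch now also removes `term_use_unallocated_ttys` on the `+-` line; if the all-terms interface covers the unallocated tty type as it appears to, nothing is lost, but that should be confirmed rather than assumed. The apcupsd_t block continues outside the hunk on both sides.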
@@ -7438,7 +7438,7 @@ index b236327..5206035 100644
optional_policy(`
hostname_exec(apcupsd_t)
-@@ -101,6 +115,11 @@ optional_policy(`
+@@ -101,6 +114,11 @@ optional_policy(`
shutdown_domtrans(apcupsd_t)
')
@@ -7450,7 +7450,7 @@ index b236327..5206035 100644
########################################
#
# CGI local policy
-@@ -112,7 +131,6 @@ optional_policy(`
+@@ -112,7 +130,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
@@ -28254,10 +28254,10 @@ index 0000000..04e159f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 0000000..cb68ca9
+index 0000000..9d55eae
--- /dev/null
+++ b/gear.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,131 @@
+policy_module(gear, 1.0.0)
+
+########################################
@@ -28357,7 +28357,10 @@ index 0000000..cb68ca9
+
+mount_domtrans(gear_t)
+
++selinux_validate_context(gear_t)
++
+seutil_read_default_contexts(gear_t)
++seutil_read_config(gear_t)
+
+sysnet_dns_name_resolve(gear_t)
+
@@ -28366,6 +28369,9 @@ index 0000000..cb68ca9
+
+systemd_manage_all_unit_files(gear_t)
+
++usermanage_domtrans_useradd(gear_t)
++usermanage_domtrans_passwd(gear_t)
++
+optional_policy(`
+ hostname_exec(gear_t)
+')
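Review bot: `++usermanage_domtrans_useradd(gear_t)` and `++usermanage_domtrans_passwd(gear_t)` are added unconditionally, while the hostname call immediately below them is wrapped in `optional_policy(\``; if usermanage is built as a separate module in this tree, the two new calls should be wrapped the same way so the gear module still links without it. Independently, transitioning a service domain into the useradd and passwd domains lets it create accounts and set credentials, so a one-line comment naming the geard operation that requires it would help a later auditor, since the commit message only says "Allow geard to transition to passwd and useradd". The gear_t policy block continues beyond both edges of the hunk.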
@@ -45541,7 +45547,7 @@ index 6194b80..7490fe3 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..44a39ff 100644
+index 6a306ee..6c2d2fa 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -45550,7 +45556,7 @@ index 6a306ee..44a39ff 100644
########################################
#
-@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,48 @@ policy_module(mozilla, 2.7.4)
#
## <desc>
@@ -45581,6 +45587,13 @@ index 6a306ee..44a39ff 100644
+
+## <desc>
+## <p>
++## Allow mozilla plugin to use Bluejeans.
++## </p>
++## </desc>
++gen_tunable(mozilla_plugin_use_bluejeans, false)
++
++## <desc>
++## <p>
+## Allow confined web browsers to read home directory content
+## </p>
+## </desc>
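Review bot: The `++## Allow mozilla plugin to use Bluejeans.` description names the product but not what enabling the boolean grants, and administrators decide from this text alone; the tunable_policy body added in a later hunk of this file section gives mozilla_plugin_t `corenet_tcp_bind_unreserved_ports` plus a dontaudit on binding all defined ports. Reword to `## Allow mozilla plugin to bind to unreserved TCP ports, as needed by Bluejeans.` so the effect is visible in `semanage boolean -l` output. The desc/gen_tunable layout matches the surrounding tunables, so no structural change is needed.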
@@ -45597,7 +45610,7 @@ index 6a306ee..44a39ff 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +55,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -45607,7 +45620,7 @@ index 6a306ee..44a39ff 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,28 +65,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -45641,7 +45654,7 @@ index 6a306ee..44a39ff 100644
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
-@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +93,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -45652,7 +45665,7 @@ index 6a306ee..44a39ff 100644
########################################
#
# Local policy
-@@ -75,27 +94,30 @@ optional_policy(`
+@@ -75,27 +101,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -45696,7 +45709,7 @@ index 6a306ee..44a39ff 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +132,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -45804,7 +45817,7 @@ index 6a306ee..44a39ff 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,57 +196,76 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,57 +203,76 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -45812,11 +45825,11 @@ index 6a306ee..44a39ff 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
--
--userdom_manage_user_tmp_dirs(mozilla_t)
--userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_manage_user_tmp_dirs(mozilla_t)
+-userdom_manage_user_tmp_files(mozilla_t)
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@@ -45917,7 +45930,7 @@ index 6a306ee..44a39ff 100644
optional_policy(`
apache_read_user_scripts(mozilla_t)
-@@ -244,19 +278,12 @@ optional_policy(`
+@@ -244,19 +285,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -45939,7 +45952,7 @@ index 6a306ee..44a39ff 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +292,32 @@ optional_policy(`
+@@ -265,33 +299,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -45952,34 +45965,34 @@ index 6a306ee..44a39ff 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
-+ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ lpd_domtrans_lpr(mozilla_t)
++ java_domtrans(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ nscd_socket_use(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
++ nscd_socket_use(mozilla_t)
++')
++
++optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -45987,7 +46000,7 @@ index 6a306ee..44a39ff 100644
')
optional_policy(`
-@@ -300,259 +326,256 @@ optional_policy(`
+@@ -300,259 +333,256 @@ optional_policy(`
########################################
#
@@ -46254,12 +46267,12 @@ index 6a306ee..44a39ff 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -46390,7 +46403,7 @@ index 6a306ee..44a39ff 100644
')
optional_policy(`
-@@ -560,7 +583,11 @@ optional_policy(`
+@@ -560,7 +590,11 @@ optional_policy(`
')
optional_policy(`
@@ -46403,7 +46416,7 @@ index 6a306ee..44a39ff 100644
')
optional_policy(`
-@@ -568,108 +595,131 @@ optional_policy(`
+@@ -568,108 +602,136 @@ optional_policy(`
')
optional_policy(`
@@ -46436,19 +46449,17 @@ index 6a306ee..44a39ff 100644
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-
+-
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
@@ -46457,20 +46468,22 @@ index 6a306ee..44a39ff 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+dev_read_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
--
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
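Review bot: `++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` omits the space after the comma that every other interface call in this hunk uses, including the `+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)` line the inner patch removes; the line is only moved here rather than new, but since the outer hunk rewrites it anyway, write it as `ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)`. The rest of the hunk reorders existing lines without changing the resulting policy. The mozilla_plugin_config_t block continues outside the hunk.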
@@ -46542,18 +46555,14 @@ index 6a306ee..44a39ff 100644
- allow mozilla_plugin_config_t self:process execmem;
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
- ')
-
--tunable_policy(`mozilla_execstack',`
-- allow mozilla_plugin_config_t self:process { execmem execstack };
++')
++
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
')
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_plugin_config_t)
-- fs_manage_nfs_files(mozilla_plugin_config_t)
-- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_plugin_config_t self:process { execmem execstack };
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -46564,10 +46573,10 @@ index 6a306ee..44a39ff 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_config_t)
+- fs_manage_nfs_files(mozilla_plugin_config_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -46580,8 +46589,10 @@ index 6a306ee..44a39ff 100644
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
@@ -46589,11 +46600,18 @@ index 6a306ee..44a39ff 100644
')
-optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_use_bluejeans',`
++ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
++ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ ')
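Review bot: `++ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)` silences AVC records for the plugin binding to any defined port type whenever the boolean is on, so bind attempts that are still denied vanish from the audit trail together with the noise this is meant to hide. If, as the dontaudit suggests, the client walks through ports until one binds, a dontaudit on the narrower port type it actually reaches (or none, leaving the denials visible) preserves evidence for incident review; at minimum a comment such as `# client retries bind() across defined ports; those denials are expected` should record why the blanket dontaudit was accepted. The surrounding lines only move the xserver_use_user_fonts block that the inner patch removes.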
diff --git a/mpd.fc b/mpd.fc
index 313ce52..ae93e07 100644
--- a/mpd.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f9ab584..298fa91 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 169%{?dist}
+Release: 170%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jun 18 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-170
+- Add labels for swapon and xfs_growfs
+- Add mozilla_plugin_use_bluejeans boolean
+- apcupsd will send a wall message to all terminals telling the system is about to go down
+- Additional policy required for geard.
+- Allow geard to transition to passwd and useradd
+
* Tue Jun 17 2014 Lukas Vrabec <lvrabec at redhat.com> 3.12.1-169
- Allow unpriv users to manage games data files. Needed by nethack.
- add games_manage_data_files() interface