[selinux-policy] * Mon Sep 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-83 - Make sure /run/systemd/generator and
Lukas Vrabec
lvrabec at fedoraproject.org
Mon Sep 22 13:16:37 UTC 2014
commit 34303355645a5bbfa6a59c2588557c755c242513
Author: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon Sep 22 15:16:17 2014 +0200
* Mon Sep 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-83
- Make sure /run/systemd/generator and system are labeled correctly on creation.
- Additional access required by usbmuxd
- Allow sensord read in /proc BZ(#1143799)
policy-rawhide-base.patch | 7 ++-
policy-rawhide-contrib.patch | 116 ++++++++++++++++++++++-------------------
selinux-policy.spec | 7 ++-
3 files changed, 73 insertions(+), 57 deletions(-)
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 24cc48b..6c2ab50 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -29122,7 +29122,7 @@ index bc0ffc8..7198bd9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..c4546e2 100644
+index 79a45f6..f142c45 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -30144,7 +30144,7 @@ index 79a45f6..c4546e2 100644
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2380,470 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2380,473 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -30608,12 +30608,15 @@ index 79a45f6..c4546e2 100644
+ type initrc_var_run_t;
+ type machineid_t;
+ type initctl_t;
++ type systemd_unit_file_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..dd417eb 100644
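Review bot: The two new `init_pid_filetrans` calls label only `generator` and `system`, but systemd also populates `generator.early` and `generator.late` next to `generator` under /run/systemd, and as written those two would still be created as init_var_run_t; if they are meant to carry the unit-file type as well they need the same transitions, which is worth confirming on a running system before this build ships. Because every caller of this interface can now create directories of type systemd_unit_file_t, the type systemd loads unit definitions from, the interface's `<summary>`/`<desc>` above the `gen_require` should say so, e.g. `## Also creates the generator and system unit directories under /run/systemd labeled systemd_unit_file_t.` The enclosing interface starts outside this hunk; the 470→473 bump on the inner hunk header in the previous hunk matches the three lines added here.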
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 5a3fddc..e5049a0 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -13983,10 +13983,10 @@ index 0000000..2b8cac8
+ unconfined_domtrans(cockpit_session_t)
+')
diff --git a/collectd.fc b/collectd.fc
-index 79a3abe..8d70290 100644
+index 79a3abe..3237fb0 100644
--- a/collectd.fc
+++ b/collectd.fc
-@@ -1,9 +1,11 @@
+@@ -1,9 +1,12 @@
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
@@ -13996,6 +13996,7 @@ index 79a3abe..8d70290 100644
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
/var/run/collectd\.pid -- gen_context(system_u:object_r:collectd_var_run_t,s0)
++/var/run/collectd-unixsock -s gen_context(system_u:object_r:collectd_var_run_t,s0)
-/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:httpd_collectd_script_exec_t,s0)
+/usr/share/collectd/collection3/bin/.*\.cgi -- gen_context(system_u:object_r:collectd_script_exec_t,s0)
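Review bot: None of the collectd changes in this commit are reflected in the changelog or commit message — the `/var/run/collectd-unixsock` socket context added here, the `manage_sock_files_pattern` and `{ file sock_file }` pid transition in the collectd.te hunk below, and the switch to `auth_use_nsswitch` after it — so a reader of the spec changelog will not find them. A line such as `- Allow collectd to create its unix socket in /var/run and use nsswitch` in the 3.13.1-83 changelog entry would cover them. The file-context line itself looks right: the `-s` class restricts the match to socket files, so it does not overlap the existing `collectd\.pid` entry.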
@@ -14182,10 +14183,10 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..e6d320a 100644
+index 6471fa8..1d00efb 100644
--- a/collectd.te
+++ b/collectd.te
-@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t)
+@@ -26,43 +26,59 @@ files_type(collectd_var_lib_t)
type collectd_var_run_t;
files_pid_file(collectd_var_run_t)
@@ -14215,9 +14216,12 @@ index 6471fa8..e6d320a 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +56,29 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
- files_pid_filetrans(collectd_t, collectd_var_run_t, file)
+-files_pid_filetrans(collectd_t, collectd_var_run_t, file)
++manage_sock_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
++files_pid_filetrans(collectd_t, collectd_var_run_t, { file sock_file })
-domain_use_interactive_fds(collectd_t)
+kernel_read_all_sysctls(collectd_t)
@@ -14227,8 +14231,7 @@ index 6471fa8..e6d320a 100644
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
-kernel_read_system_state(collectd_t)
-+auth_getattr_passwd(collectd_t)
-+auth_read_passwd(collectd_t)
++auth_use_nsswitch(collectd_t)
+
+corenet_udp_bind_generic_node(collectd_t)
+corenet_udp_bind_collectd_port(collectd_t)
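Review bot: `auth_use_nsswitch(collectd_t)` is a markedly wider grant than the `auth_getattr_passwd`/`auth_read_passwd` pair it replaces: through the nsswitch attribute it attaches, the domain picks up name-service socket access and, if I recall the interface correctly, the network permissions that DNS/LDAP-backed lookups need, not just read access to the passwd database. If collectd's plugins only need local user lookups, the removed pair was the tighter choice; if the wider grant is genuinely required (for example sssd-backed users), a comment above the call recording the denial would stop a later reviewer from narrowing it back, e.g. `# user lookups go through nsswitch/sssd — <AVC or BZ placeholder>`.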
@@ -21265,7 +21268,7 @@ index 62d22cb..cbf09ce 100644
+ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
diff --git a/dbus.te b/dbus.te
-index c9998c8..9c12159 100644
+index c9998c8..94ff984 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -21389,7 +21392,7 @@ index c9998c8..9c12159 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +122,162 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +122,165 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -21407,7 +21410,6 @@ index c9998c8..9c12159 100644
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
-init_all_labeled_script_domtrans(system_dbusd_t)
-+init_bin_domtrans_spec(system_dbusd_t)
+init_domtrans_script(system_dbusd_t)
+init_rw_stream_sockets(system_dbusd_t)
+init_status(system_dbusd_t)
@@ -21442,9 +21444,10 @@ index c9998c8..9c12159 100644
+
+optional_policy(`
+ getty_start_services(system_dbusd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+')
@@ -21466,10 +21469,9 @@ index c9998c8..9c12159 100644
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -21488,6 +21490,10 @@ index c9998c8..9c12159 100644
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
+')
+
++optional_policy(`
++ unconfined_server_domtrans(system_dbusd_t)
++')
++
########################################
#
-# Common session bus local policy
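Review bot: `unconfined_server_domtrans(system_dbusd_t)` lets the system bus transition activated services into whatever domain that interface targets — by its name, an unconfined service domain — and together with the `init_bin_domtrans_spec(system_dbusd_t)` line dropped in the earlier dbus.te hunk it changes what bus activation can spawn, yet neither the changelog nor the policy says why. Since D-Bus activation runs service binaries on behalf of bus clients, the new block deserves a comment naming which activated services need the unconfined transition, e.g. `# bus-activated services without a domain of their own run unconfined — <BZ placeholder>`, so the grant can be revisited as those services get policy. The 162→165 bump on the inner hunk header matches the four lines added here less the one removed in the earlier hunk.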
@@ -21510,7 +21516,7 @@ index c9998c8..9c12159 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
-
++
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@@ -21525,7 +21531,7 @@ index c9998c8..9c12159 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-+
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@@ -21566,7 +21572,7 @@ index c9998c8..9c12159 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +286,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +289,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -21591,7 +21597,7 @@ index c9998c8..9c12159 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +305,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +308,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -21599,7 +21605,7 @@ index c9998c8..9c12159 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +314,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +317,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -21641,7 +21647,7 @@ index c9998c8..9c12159 100644
')
########################################
-@@ -244,5 +351,9 @@ optional_policy(`
+@@ -244,5 +354,9 @@ optional_policy(`
# Unconfined access to this module
#
@@ -91145,10 +91151,10 @@ index d204752..31cc6e6 100644
+ ')
')
diff --git a/sensord.te b/sensord.te
-index 5e82fd6..64e130f 100644
+index 5e82fd6..d31876d 100644
--- a/sensord.te
+++ b/sensord.te
-@@ -9,27 +9,35 @@ type sensord_t;
+@@ -9,27 +9,37 @@ type sensord_t;
type sensord_exec_t;
init_daemon_domain(sensord_t, sensord_exec_t)
@@ -91180,10 +91186,12 @@ index 5e82fd6..64e130f 100644
manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t)
files_pid_filetrans(sensord_t, sensord_var_run_t, file)
- dev_read_sysfs(sensord_t)
+-dev_read_sysfs(sensord_t)
++kernel_read_system_state(sensord_t)
-files_read_etc_files(sensord_t)
--
++dev_read_sysfs(sensord_t)
+
logging_send_syslog_msg(sensord_t)
-miscfiles_read_localization(sensord_t)
@@ -94331,7 +94339,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..de9c4d9 100644
+index cc58e35..025b7d5 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -94635,7 +94643,7 @@ index cc58e35..de9c4d9 100644
')
########################################
-@@ -167,72 +248,90 @@ optional_policy(`
+@@ -167,72 +248,92 @@ optional_policy(`
# Client local policy
#
@@ -94736,18 +94744,20 @@ index cc58e35..de9c4d9 100644
-auth_use_nsswitch(spamc_t)
+fs_search_auto_mountpoints(spamc_t)
++
++libs_exec_ldconfig(spamc_t)
logging_send_syslog_msg(spamc_t)
-miscfiles_read_localization(spamc_t)
--
++auth_use_nsswitch(spamc_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(spamc_t)
- fs_manage_nfs_files(spamc_t)
- fs_manage_nfs_symlinks(spamc_t)
-')
-+auth_use_nsswitch(spamc_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(spamc_t)
- fs_manage_cifs_files(spamc_t)
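Review bot: `libs_exec_ldconfig(spamc_t)` is new access that neither the changelog nor the policy explains, and it is not obvious from the hunk why the spamc client would execute ldconfig; if it came from a denial, a comment above the rule naming the trigger, e.g. `# spamc invokes ldconfig: <AVC/BZ placeholder>`, would keep the grant from being carried forward blindly. The rest of the hunk only moves `auth_use_nsswitch(spamc_t)` up a few lines, and the 90→92 change on the inner hunk header matches the two net lines added.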
@@ -94757,7 +94767,7 @@ index cc58e35..de9c4d9 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +342,7 @@ optional_policy(`
+@@ -243,6 +344,7 @@ optional_policy(`
')
optional_policy(`
@@ -94765,7 +94775,7 @@ index cc58e35..de9c4d9 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,10 +351,16 @@ optional_policy(`
+@@ -251,10 +353,16 @@ optional_policy(`
')
optional_policy(`
@@ -94783,7 +94793,7 @@ index cc58e35..de9c4d9 100644
sendmail_stub(spamc_t)
')
-@@ -267,36 +373,38 @@ optional_policy(`
+@@ -267,36 +375,38 @@ optional_policy(`
########################################
#
@@ -94839,7 +94849,7 @@ index cc58e35..de9c4d9 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +416,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +418,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -94849,7 +94859,7 @@ index cc58e35..de9c4d9 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +426,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +428,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -94865,7 +94875,7 @@ index cc58e35..de9c4d9 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +441,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +443,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -94969,7 +94979,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -421,21 +512,13 @@ optional_policy(`
+@@ -421,21 +514,13 @@ optional_policy(`
')
optional_policy(`
@@ -94993,7 +95003,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -443,8 +526,8 @@ optional_policy(`
+@@ -443,8 +528,8 @@ optional_policy(`
')
optional_policy(`
@@ -95003,7 +95013,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -455,7 +538,17 @@ optional_policy(`
+@@ -455,7 +540,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -95022,7 +95032,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -463,9 +556,9 @@ optional_policy(`
+@@ -463,9 +558,9 @@ optional_policy(`
')
optional_policy(`
@@ -95033,7 +95043,7 @@ index cc58e35..de9c4d9 100644
')
optional_policy(`
-@@ -474,32 +567,32 @@ optional_policy(`
+@@ -474,32 +569,32 @@ optional_policy(`
########################################
#
@@ -95076,7 +95086,7 @@ index cc58e35..de9c4d9 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +601,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +603,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -100978,7 +100988,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 34a8917..21add3e 100644
+index 34a8917..a6b9e84 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -101004,9 +101014,10 @@ index 34a8917..21add3e 100644
#
-allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:capability { chown kill setgid setuid };
+-allow usbmuxd_t self:process { signal signull };
++allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
- allow usbmuxd_t self:process { signal signull };
++allow usbmuxd_t self:process { signal_perms setrlimit };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbmuxd_t self:unix_stream_socket connectto;
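Review bot: The capability rule now adds `fowner` and `fsetid` to `chown`, and the process rule widens `{ signal signull }` to `signal_perms` and adds `setrlimit`; `fowner` lets the daemon act on files it does not own as if it owned them (chmod, utimes, ACLs) and `fsetid` lets it set or preserve setuid/setgid bits, so these are the kind of grants that should carry a comment naming the operation that triggered them, e.g. `# chown/chmod of its own socket after dropping privileges — <AVC/BZ placeholder>`; the changelog's "additional access required by usbmuxd" does not say. If the denial was only a chown of files the daemon created itself, `chown` alone may cover it and `fowner`/`fsetid` could be dropped, which is worth re-checking against the AVC before release.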
@@ -104104,7 +104115,7 @@ index facdee8..c43ef2e 100644
+ typeattribute $1 sandbox_caps_domain;
')
diff --git a/virt.te b/virt.te
-index f03dcf5..fe1bceb 100644
+index f03dcf5..e74f60a 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,227 @@
@@ -104889,7 +104900,7 @@ index f03dcf5..fe1bceb 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +444,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +444,25 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -104917,11 +104928,8 @@ index f03dcf5..fe1bceb 100644
+fs_read_tmpfs_symlinks(virtd_t)
fs_list_auto_mountpoints(virtd_t)
--fs_getattr_all_fs(virtd_t)
-+fs_getattr_xattr_fs(virtd_t)
+ fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
- fs_list_inotifyfs(virtd_t)
- fs_manage_cgroup_dirs(virtd_t)
@@ -601,15 +495,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
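Review bot: The virt.te change is absent from the changelog, and if I read the nested diff correctly its net effect is that virtd_t keeps upstream's `fs_getattr_all_fs` instead of the `fs_getattr_xattr_fs` narrowing the Fedora patch used to apply — a widening to getattr on every filesystem type — so a changelog line such as `- Allow virtd getattr on all filesystems` would make that visible. The two inner context lines dropped after `fs_rw_anon_inodefs_files` shrink the inner hunk's trailing context, which the 22/27→20/25 header change accounts for.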
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6ee3ce0..541ac06 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 82%{?dist}
+Release: 83%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -602,6 +602,11 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 22 2014 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-83
+- Make sure /run/systemd/generator and system is labeled correctly on creation.
+- Additional access required by usbmuxd
+- Allow sensord read in /proc BZ(#1143799)
+
* Thu Sep 18 2014 Miroslav Grepl <mgrepl at redhat.com> 3.13.1-82
- Allow du running in logwatch_t read hwdata.
- Allow sys_admin capability for antivirus domians.