lvrabec pushed to selinux-policy (f21). "* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.10 (..more)"
>From f40bf2e8a9fb79669452fd22c2772294773a7117 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec at redhat.com>
Date: Mon, 30 Mar 2015 20:08:39 +0200
Subject: * Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.10 -
Allow kmscon to read system state. BZ (1206871) - Allow plymouthd to open
usbttys. BZ(1202429) - apmd needs sys_resource when shutting down the machine
- Allow xdm_t to read colord_var_lib_t files. BZ(1201985) - Allow all domains
some process flags
diff --git a/policy-f21-base.patch b/policy-f21-base.patch
index 13f8ce3..5c49f28 100644
--- a/policy-f21-base.patch
+++ b/policy-f21-base.patch
@@ -9015,7 +9015,7 @@ index 6a1e4d1..7ac2831 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c84dc1a 100644
+index cf04cb5..b1ed42b 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -9082,7 +9082,7 @@ index cf04cb5..c84dc1a 100644
# create child processes in the domain
-allow domain self:process { fork sigchld };
-+allow domain self:process { getcap fork getsched signal_perms };
++allow domain self:process { getcap fork getsched signal_perms setrlimit getattr getcap getsched getsession };
# Use trusted objects in /dev
+dev_read_cpu_online(domain)
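Review bot: The rewritten `allow domain self:process` rule on the `++` line lists `getcap` and `getsched` twice, so the set should be deduplicated, e.g. `+allow domain self:process { fork getattr getcap getsched getsession setrlimit signal_perms };`. The same line also grants every domain `setrlimit` on itself, which is the one write-side permission in an otherwise query-only set, and the changelog entry "Allow all domains some process flags" does not say which permissions or why. A one-line comment above the rule naming the added permissions and the requesting bug would keep this baseline-wide change reviewable later.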
@@ -25620,7 +25620,7 @@ index 6bf0ecc..b036584 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..5a2c173 100644
+index 8b40377..3495bef 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -26261,7 +26261,7 @@ index 8b40377..5a2c173 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +688,155 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +688,159 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -26309,6 +26309,10 @@ index 8b40377..5a2c173 100644
+userdom_filetrans_generic_home_content(xdm_t)
+
+optional_policy(`
++ colord_read_lib_files(xdm_t)
++')
++
++optional_policy(`
+ gnome_config_filetrans(xdm_t, home_cert_t, dir, "certificates")
+')
+
@@ -26423,7 +26427,7 @@ index 8b40377..5a2c173 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,12 +849,31 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,12 +853,31 @@ tunable_policy(`xdm_sysadm_login',`
# allow xserver_t xdm_tmpfs_t:file rw_file_perms;
')
@@ -26455,7 +26459,7 @@ index 8b40377..5a2c173 100644
')
optional_policy(`
-@@ -517,9 +883,34 @@ optional_policy(`
+@@ -517,9 +887,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -26463,17 +26467,17 @@ index 8b40377..5a2c173 100644
+ optional_policy(`
+ accountsd_dbus_chat(xdm_t)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
+ optional_policy(`
+ cpufreqselector_dbus_chat(xdm_t)
+ ')
-
- optional_policy(`
-- accountsd_dbus_chat(xdm_t)
++
++ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
+ ')
@@ -26491,7 +26495,7 @@ index 8b40377..5a2c173 100644
')
')
-@@ -530,6 +921,20 @@ optional_policy(`
+@@ -530,6 +925,20 @@ optional_policy(`
')
optional_policy(`
@@ -26512,7 +26516,7 @@ index 8b40377..5a2c173 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +952,78 @@ optional_policy(`
+@@ -547,28 +956,78 @@ optional_policy(`
')
optional_policy(`
@@ -26600,7 +26604,7 @@ index 8b40377..5a2c173 100644
')
optional_policy(`
-@@ -580,6 +1035,14 @@ optional_policy(`
+@@ -580,6 +1039,14 @@ optional_policy(`
')
optional_policy(`
@@ -26615,7 +26619,7 @@ index 8b40377..5a2c173 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1057,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1061,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -26624,7 +26628,7 @@ index 8b40377..5a2c173 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1067,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1071,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -26637,7 +26641,7 @@ index 8b40377..5a2c173 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1084,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1088,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -26653,7 +26657,7 @@ index 8b40377..5a2c173 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1100,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1104,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -26664,7 +26668,7 @@ index 8b40377..5a2c173 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1115,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1119,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -26701,7 +26705,7 @@ index 8b40377..5a2c173 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1161,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1165,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -26733,7 +26737,7 @@ index 8b40377..5a2c173 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1194,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1198,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -26748,7 +26752,7 @@ index 8b40377..5a2c173 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1215,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1219,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -26772,7 +26776,7 @@ index 8b40377..5a2c173 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1234,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1238,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -26781,7 +26785,7 @@ index 8b40377..5a2c173 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1278,50 @@ optional_policy(`
+@@ -785,17 +1282,50 @@ optional_policy(`
')
optional_policy(`
@@ -26834,7 +26838,7 @@ index 8b40377..5a2c173 100644
')
optional_policy(`
-@@ -803,6 +1329,10 @@ optional_policy(`
+@@ -803,6 +1333,10 @@ optional_policy(`
')
optional_policy(`
@@ -26845,7 +26849,7 @@ index 8b40377..5a2c173 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,18 +1348,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,18 +1352,17 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -26870,7 +26874,7 @@ index 8b40377..5a2c173 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1371,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1375,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -26905,7 +26909,7 @@ index 8b40377..5a2c173 100644
')
optional_policy(`
-@@ -912,7 +1436,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1440,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -26914,7 +26918,7 @@ index 8b40377..5a2c173 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1490,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1494,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -26946,7 +26950,7 @@ index 8b40377..5a2c173 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1536,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1540,148 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
diff --git a/policy-f21-contrib.patch b/policy-f21-contrib.patch
index dfa87b9..86b9b80 100644
--- a/policy-f21-contrib.patch
+++ b/policy-f21-contrib.patch
@@ -7798,7 +7798,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431b..5ce1846 100644
+index 7fd431b..e9c4c5a 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -7827,11 +7827,13 @@ index 7fd431b..5ce1846 100644
domain_use_interactive_fds(apm_t)
-@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
+@@ -59,8 +62,8 @@ logging_send_syslog_msg(apm_t)
+ # Server local policy
#
- allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
+-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
++allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
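Review bot: The `++` line that adds `sys_resource` to `apmd_t self:capability` carries no bug reference and no inline rationale, while the neighbouring changelog entries in this commit each cite a BZ number. CAP_SYS_RESOURCE is a broad capability that is not limited to the shutdown path, so the reason it is required belongs next to the rule, e.g. `# sys_resource: needed when apmd shuts the machine down (3.13.1-105.10)`. If the need was derived from a specific denial, citing it in the changelog line as the other entries do would keep the grant traceable.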
@@ -40801,10 +40803,10 @@ index 0000000..b9347fa
+')
diff --git a/kmscon.te b/kmscon.te
new file mode 100644
-index 0000000..be3d5d6
+index 0000000..32a9e13
--- /dev/null
+++ b/kmscon.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,88 @@
+# KMSCon SELinux policy module
+# Contributed by Lubomir Rintel <lkundrak at v3.sk>
+
@@ -40848,6 +40850,8 @@ index 0000000..be3d5d6
+list_dirs_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+read_files_pattern(kmscon_t, kmscon_conf_t, kmscon_conf_t)
+
++kernel_read_system_state(kmscon_t)
++
+auth_read_passwd(kmscon_t)
+
+dev_rw_dri(kmscon_t)
@@ -67455,7 +67459,7 @@ index 30e751f..61feb3a 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce9..18872dc 100644
+index 3078ce9..c57d1cf 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -67495,7 +67499,7 @@ index 3078ce9..18872dc 100644
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -70,19 +69,27 @@ domain_use_interactive_fds(plymouthd_t)
fs_getattr_all_fs(plymouthd_t)
@@ -67505,15 +67509,16 @@ index 3078ce9..18872dc 100644
term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
-
--miscfiles_read_localization(plymouthd_t)
++term_use_usb_ttys(plymouthd_t)
++
+init_signal(plymouthd_t)
+
+logging_link_generic_logs(plymouthd_t)
+logging_delete_generic_logs(plymouthd_t)
+
+auth_use_nsswitch(plymouthd_t)
-+
+
+-miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t)
miscfiles_manage_fonts_cache(plymouthd_t)
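Review bot: `term_use_usb_ttys(plymouthd_t)` is added a few lines below the existing `term_use_all_terms(plymouthd_t)` context line; if `usbtty_device_t` carries the `ttynode` attribute in this tree the new call duplicates an existing grant and the denial behind BZ(1202429) has another cause, so this is worth confirming against terminal.te before keeping both. If it is needed, the interface presumably grants read/write terminal permissions rather than only open, so the changelog wording "open usbttys" understates it. A short comment such as `# BZ(1202429): plymouthd needs the USB tty device nodes` above the call would record the intent.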
@@ -67527,7 +67532,7 @@ index 3078ce9..18872dc 100644
')
optional_policy(`
-@@ -90,35 +96,37 @@ optional_policy(`
+@@ -90,35 +97,37 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4b80494..447f88e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 105.9%{?dist}
+Release: 105.10%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -604,6 +604,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Mar 30 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.10
+- Allow kmscon to read system state. BZ (1206871)
+- Allow plymouthd to open usbttys. BZ(1202429)
+- apmd needs sys_resource when shutting down the machine
+- Allow xdm_t to read colord_var_lib_t files. BZ(1201985)
+- Allow all domains some process flags
+
* Mon Mar 23 2015 Lukas Vrabec <lvrabec at redhat.com> 3.13.1-105.9
- Allow mysqld_t to use pam. BZ(1196104)
- Allow fetchmail to read mail_spool_t. BZ(1200552)
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/selinux-policy.git/commit/?h=f21&id=f40bf2e8a9fb79669452fd22c2772294773a7117