From 23ec6cbed259d3c228ce089a15580784f8b43ada Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 05 2009 21:49:50 +0000 Subject: - Allow svirt images to create sock_file in svirt_var_run_t --- diff --git a/policy-20090521.patch b/policy-20090521.patch index c2e056d..46e4212 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch @@ -167,7 +167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-06-25 10:19:43.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-07-13 11:23:45.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-08-05 21:59:03.000000000 +0200 @@ -50,11 +50,13 @@ domain_use_interactive_fds(readahead_t) domain_read_all_domains_state(readahead_t) @@ -517,6 +517,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive shorewall_t; + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.12/policy/modules/admin/sudo.if +--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-06-25 10:19:43.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/admin/sudo.if 2009-08-05 23:24:01.000000000 +0200 +@@ -152,6 +152,10 @@ + optional_policy(` + dbus_system_bus_client($1_sudo_t) + ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_sudo_t) ++ ') + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.12/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/admin/usermanage.te 2009-06-25 10:21:01.000000000 +0200 
@@ -528,6 +542,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(groupadd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te +--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-04-07 21:54:49.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te 2009-08-05 23:27:19.000000000 +0200 +@@ -82,5 +82,9 @@ + ') + + optional_policy(` ++ nscd_socket_use(calamaris_t) ++') ++ ++optional_policy(` + nis_use_ypbind(calamaris_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.12/policy/modules/apps/gitosis.fc --- nsaserefpolicy/policy/modules/apps/gitosis.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.6.12/policy/modules/apps/gitosis.fc 2009-06-25 10:21:01.000000000 +0200 
@@ -1291,6 +1318,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2009-06-25 10:19:43.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-08-05 23:21:33.000000000 +0200 +@@ -62,6 +62,7 @@ + manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t) + filetrans_pattern($1_screen_t, screen_dir_t, screen_var_run_t, fifo_file) + files_pid_filetrans($1_screen_t, screen_dir_t, dir) ++ dontaudit $3 screen_var_run_t:fifo_file read; + + allow $1_screen_t screen_home_t:dir list_dir_perms; + read_files_pattern($1_screen_t, screen_home_t, screen_home_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.12/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-04-07 21:54:49.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/vmware.fc 2009-06-25 10:21:01.000000000 +0200 @@ -1795,7 +1833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write the controlling diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-06-25 10:21:01.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-08-05 21:52:27.000000000 +0200 @@ -44,6 +44,10 @@ ') 
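Review bot: The new `++ dontaudit $3 screen_var_run_t:fifo_file read;` is inserted between the `$1_screen_t` filetrans rules for the pid directory and is the only `$3` rule in the visible context, so it reads as a stray line and gives no reason why a denial is being silenced instead of allowed or fixed. Move it next to the template's other `$3` rules (or at least after the `$1_screen_t` pid-dir block) and put a why-comment above it, e.g. `# TODO(review): explain why $3 reading screen's pid fifo is expected noise rather than a missing allow`. My reading that `$3` is the caller's user domain comes from the template's parameter order, which is not in the hunk, so adjust the wording if that is wrong. The template starts and ends outside this hunk.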
@@ -1807,7 +1845,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol secadm_role_change(staff_r) ') -@@ -95,6 +99,10 @@ +@@ -87,6 +91,10 @@ + ') + + optional_policy(` ++ lpd_list_spool(staff_t) ++') ++ ++optional_policy(` + kerneloops_dbus_chat(staff_t) + ') + +@@ -95,6 +103,10 @@ ') optional_policy(` @@ -2128,6 +2177,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_home_filetrans_user_home_dir(cups_pdf_t) userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if +--- nsaserefpolicy/policy/modules/services/dbus.if 2009-06-25 10:19:44.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-08-05 21:48:06.000000000 +0200 +@@ -176,6 +176,10 @@ + xserver_use_xdm_fds($1_dbusd_t) + xserver_rw_xdm_pipes($1_dbusd_t) + ') ++ ++ optional_policy(` ++ xserver_use_xdm($1_dbusd_t) ++ ') + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.12/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/dcc.te 2009-06-25 10:21:01.000000000 +0200 
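Review bot: In the dbus.if hunk, `++ xserver_use_xdm($1_dbusd_t)` gets its own `optional_policy` block immediately after a block that already groups the xserver calls `xserver_use_xdm_fds($1_dbusd_t)` and `xserver_rw_xdm_pipes($1_dbusd_t)`; all three depend on the same module, so the new call belongs inside that existing block rather than in a second one. I also do not see an `xserver_use_xdm` interface defined in the xserver.if hunks of this patch, so please confirm it already exists in the base policy or is added in a part of the patch not shown here; an undefined interface only fails at build time. The enclosing dbus template begins before this hunk.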
@@ -3776,7 +3839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(uucpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-08-04 09:35:17.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-08-05 20:44:32.000000000 +0200 @@ -22,6 +22,13 @@ ## @@ -3820,9 +3883,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` brctl_domtrans(virtd_t) ') -@@ -306,7 +321,9 @@ +@@ -305,8 +320,11 @@ + manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) ++manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) +stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t) @@ -3830,7 +3895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow svirt_t svirt_image_t:dir search_dir_perms; manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) -@@ -316,16 +333,17 @@ +@@ -316,16 +334,17 @@ dontaudit svirt_t virt_content_t:file write_file_perms; dontaudit svirt_t virt_content_t:dir write; @@ -3851,7 +3916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) -@@ -353,10 +371,6 @@ +@@ -353,10 +372,6 @@ ') optional_policy(` 
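Review bot: The new `++manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)` lets svirt_t create sockets, but the transition rule on the following line is still `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })`, so a socket created directly under the pid directory would not be labelled svirt_var_run_t and would land on the generic pid type, where this grant does not apply. If the socket is only ever created inside a directory that is already svirt_var_run_t the rule works as written; if it can be created at the top level, extend the transition to `files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file sock_file })`. Either way a one-line comment naming which socket the guest creates would make the grant auditable, since `manage_*` also covers unlink and rename of every socket sharing that type and the commit message says only "svirt images". The svirt_t rule block starts and ends outside this hunk.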
@@ -3883,8 +3948,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-06-25 10:21:01.000000000 +0200 -@@ -861,6 +861,24 @@ ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-08-05 23:23:17.000000000 +0200 +@@ -599,9 +599,10 @@ + # + interface(`xserver_use_xdm_fds',` + gen_require(` +- type xdm_t; ++ type xdm_t, xdm_home_t; + ') + ++ allow $1 xdm_home_t:file append_file_perms; + allow $1 xdm_t:fd use; + ') + +@@ -779,6 +780,24 @@ + manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t) + ') + ++####################################### ++## ++## Search XDM var lib dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_search_xdm_lib',` ++ gen_require(` ++ type xdm_var_lib_t; ++ ') ++ ++ allow $1 xdm_var_lib_t:dir search_dir_perms; ++') ++ + ######################################## + ## + ## Read XDM var lib files. +@@ -861,6 +880,24 @@ ######################################## ## @@ -3909,8 +4011,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -1411,6 +1429,7 @@ +@@ -1409,8 +1446,10 @@ + # Allow connections to X server. + xserver_stream_connect_xdm($1) xserver_read_xdm_tmp_files($1) ++ xserver_search_xdm_lib($1) xserver_xdm_stream_connect($1) xserver_setattr_xdm_tmp_dirs($1) + xserver_read_xdm_pid($1) 
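Review bot: `xserver_use_xdm_fds` now carries `+ allow $1 xdm_home_t:file append_file_perms;`, a write grant on xdm home content hidden inside an interface whose name (and, as far as the hunk shows, unchanged description) promises only fd use; every existing caller, including the `$1_dbusd_t` call in dbus.if elsewhere in this patch, silently gains it. Keep the interface honest by moving the rule into a separate interface, e.g. `xserver_append_xdm_home_files`, and calling that only where the append is actually needed, or at minimum update the interface header to state the widened scope. The new `xserver_search_xdm_lib` interface's header renders here as bare `## ` lines, so I cannot tell whether its summary and param description are present; worth confirming they are, since the interface-doc tooling depends on them. The interface bodies at the hunk edges continue outside the hunk.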
@@ -4751,7 +4856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-07-31 09:32:45.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-08-05 23:25:40.000000000 +0200 @@ -627,12 +627,6 @@ ') @@ -4765,7 +4870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol evolution_dbus_chat($1_usertype) evolution_alarm_dbus_chat($1_usertype) ') -@@ -968,6 +962,16 @@ +@@ -968,6 +962,21 @@ ') optional_policy(` @@ -4775,6 +4880,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ ++ optional_policy(` + gnomeclock_dbus_chat($1_usertype) + ') + @@ -4782,7 +4892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gnome_manage_config($1_usertype) gnome_manage_gconf_home_files($1_usertype) gnome_read_gconf_config($1_usertype) -@@ -1457,6 +1461,7 @@ +@@ -1457,6 +1466,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -4790,7 +4900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_home($1) ') -@@ -1880,7 +1885,7 @@ +@@ -1880,7 +1890,7 @@ type user_home_t; ') @@ -4799,7 +4909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3317,10 +3322,6 @@ +@@ -3317,10 +3327,6 @@ seutil_run_newrole($1_t, $1_r) optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 81467e9..684a452 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
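Review bot: The new `++ fprintd_dbus_chat($1_t)` targets the bare user domain while the neighbouring rules in the same template use `$1_usertype` (`gnomeclock_dbus_chat($1_usertype)` directly below), which is presumably the attribute covering the user's derived domains; if the narrower target is unintentional, change it to `fprintd_dbus_chat($1_usertype)`, and if it is intentional a short comment saying why fprintd is limited to the base domain would stop the next reader from "fixing" it. The hunk also adds two consecutive blank lines (`++` `++`) between the optional_policy blocks where the file keeps one. The template this lands in starts and ends outside the hunk.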
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 73%{?dist} +Release: 74%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Wed Aug 5 2009 Miroslav Grepl 3.6.12-74 +- Allow svirt images to create sock_file in svirt_var_run_t + * Tue Aug 4 2009 Miroslav Grepl 3.6.12-73 - Allow svirt_t to stream_connect to virtd_t