From cb51c2687c8813a3c4fc622dd98303ea8da48077 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 27 2009 01:39:14 +0000
Subject: - Fixes for svirt
---
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 225ba98..803eea6 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -4771,7 +4771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-26 21:12:48.000000000 -0400
@@ -110,6 +110,11 @@
##
#
@@ -5179,7 +5179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.10/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/kernel/kernel.if 2009-03-26 21:08:51.000000000 -0400
@@ -1197,6 +1197,26 @@
')
@@ -5580,8 +5580,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(guest_u, user, guest_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.10/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/roles/staff.te 2009-03-24 09:03:48.000000000 -0400
-@@ -15,156 +15,88 @@
++++ serefpolicy-3.6.10/policy/modules/roles/staff.te 2009-03-26 20:39:03.000000000 -0400
+@@ -15,156 +15,90 @@
# Local policy
#
@@ -5596,15 +5596,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- auditadm_role_change(staff_r)
-')
--
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
+
-optional_policy(`
- bluetooth_role(staff_r, staff_t)
-')
--
++auth_domtrans_pam_console(staff_t)
+
-optional_policy(`
- cdrecord_role(staff_r, staff_t)
-')
--
++libs_manage_shared_libs(staff_t)
+
-optional_policy(`
- cron_role(staff_r, staff_t)
-')
@@ -5612,8 +5618,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- dbus_role_template(staff, staff_r, staff_t)
-')
--
--optional_policy(`
++seutil_run_newrole(staff_t, staff_r)
++netutils_run_ping(staff_t, staff_r)
+
+ optional_policy(`
- ethereal_role(staff_r, staff_t)
-')
-
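Review bot: `++libs_manage_shared_libs(staff_t)` in the second hunk on this line is a different tier of privilege from the lines added around it: kernel_read_ring_buffer, auth_domtrans_pam_console, seutil_run_newrole and netutils_run_ping grant reads or domain transitions, while this one (by the interface's name, manage access to lib_t) lets the staff_t user domain create, rewrite and unlink the shared-library files every other domain on the system loads, which is a code-integrity concern rather than a confinement tweak. If a particular staff workflow needs it, a comment in staff.te naming that workflow, e.g. `# <tool> rewrites shared libraries; drop or move to sysadm_t once it no longer needs this`, would let the next reviewer judge it, and putting the call under a tunable that defaults off would keep the default profile unchanged. The staff_t local-policy block starts before this hunk and continues past it.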
@@ -5644,107 +5652,100 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-optional_policy(`
- java_role(staff_r, staff_t)
-')
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
-
+-
-optional_policy(`
- lockdev_role(staff_r, staff_t)
-')
-+auth_domtrans_pam_console(staff_t)
-
+-
-optional_policy(`
- lpd_role(staff_r, staff_t)
-')
-+libs_manage_shared_libs(staff_t)
-
+-
-optional_policy(`
- mozilla_role(staff_r, staff_t)
--')
-+seutil_run_newrole(staff_t, staff_r)
-+netutils_run_ping(staff_t, staff_r)
-
- optional_policy(`
-- mplayer_role(staff_r, staff_t)
+ sudo_role_template(staff, staff_r, staff_t)
')

optional_policy(`
-- mta_role(staff_r, staff_t)
+- mplayer_role(staff_r, staff_t)
+ auditadm_role_change(staff_r)
')

optional_policy(`
-- oident_manage_user_content(staff_t)
-- oident_relabel_user_content(staff_t)
+- mta_role(staff_r, staff_t)
+ kerneloops_manage_tmp_files(staff_t)
')

optional_policy(`
-- pyzor_role(staff_r, staff_t)
+- oident_manage_user_content(staff_t)
+- oident_relabel_user_content(staff_t)
+ logadm_role_change(staff_r)
')

optional_policy(`
-- razor_role(staff_r, staff_t)
+- pyzor_role(staff_r, staff_t)
+ secadm_role_change(staff_r)
')

optional_policy(`
-- rssh_role(staff_r, staff_t)
+- razor_role(staff_r, staff_t)
+ ssh_role_template(staff, staff_r, staff_t)
')

optional_policy(`
-- screen_role_template(staff, staff_r, staff_t)
+- rssh_role(staff_r, staff_t)
+ sysadm_role_change(staff_r)
')

optional_policy(`
-- secadm_role_change(staff_r)
+- screen_role_template(staff, staff_r, staff_t)
+ usernetctl_run(staff_t, staff_r)
')

optional_policy(`
-- spamassassin_role(staff_r, staff_t)
+- secadm_role_change(staff_r)
+ unconfined_role_change(staff_r)
')

optional_policy(`
-- ssh_role_template(staff, staff_r, staff_t)
+- spamassassin_role(staff_r, staff_t)
+ webadm_role_change(staff_r)
')

-optional_policy(`
-- su_role_template(staff, staff_r, staff_t)
+- ssh_role_template(staff, staff_r, staff_t)
-')
+domain_read_all_domains_state(staff_t)
+domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)

-optional_policy(`
-- sudo_role_template(staff, staff_r, staff_t)
+- su_role_template(staff, staff_r, staff_t)
-')
+files_read_kernel_modules(staff_t)

-optional_policy(`
-- sysadm_role_change(staff_r)
-- userdom_dontaudit_use_user_terminals(staff_t)
+- sudo_role_template(staff, staff_r, staff_t)
-')
+kernel_read_fs_sysctls(staff_t)

-optional_policy(`
-- thunderbird_role(staff_r, staff_t)
+- sysadm_role_change(staff_r)
+- userdom_dontaudit_use_user_terminals(staff_t)
-')
+modutils_read_module_config(staff_t)
+modutils_read_module_deps(staff_t)

-optional_policy(`
-- tvtime_role(staff_r, staff_t)
+- thunderbird_role(staff_r, staff_t)
-')
+miscfiles_read_hwdata(staff_t)

+-optional_policy(`
+- tvtime_role(staff_r, staff_t)
+-')
++term_use_unallocated_ttys(staff_t)
+
optional_policy(`
- uml_role(staff_r, staff_t)
+ gnomeclock_dbus_chat(staff_t)
@@ -9800,7 +9801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.10/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/cups.te 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/cups.te 2009-03-26 21:16:37.000000000 -0400
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
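Review bot: `++term_use_unallocated_ttys(staff_t)` near the end of the -5644 hunk (which starts on the previous line) is the only line that changes the resulting staff.te beyond re-pairing the existing deletions with the lines moved earlier, and it lands without a comment; unallocated ttys are the tty_device_t nodes not yet relabeled to a login's user tty type, so this widens what a staff session can read from and write to on the console. A one-line comment in staff.te above it naming the program that needs it, e.g. `# <tool> opens a tty before it is allocated to the user`, would record the reason, and a tunable that defaults off would let sites without that need keep the tighter default. The staff_t local-policy block starts before this hunk and continues past it.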
@@ -10051,7 +10052,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit cupsd_config_t self:capability sys_tty_config;
allow cupsd_config_t self:process signal_perms;
allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -311,7 +370,7 @@
+@@ -302,8 +361,10 @@
+
+ allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+
+-allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
++manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
++files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+
+ allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
+
+@@ -311,7 +372,7 @@
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)

kernel_read_system_state(cupsd_config_t)
@@ -10060,7 +10074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

corenet_all_recvfrom_unlabeled(cupsd_config_t)
corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +383,7 @@
+@@ -324,6 +385,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -10068,7 +10082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +401,14 @@
+@@ -341,13 +403,14 @@
files_read_var_symlinks(cupsd_config_t)

# Alternatives asks for this
@@ -10084,7 +10098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

seutil_dontaudit_search_config(cupsd_config_t)

-@@ -359,14 +420,16 @@
+@@ -359,14 +422,16 @@
lpd_read_config(cupsd_config_t)

ifdef(`distro_redhat',`
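Review bot: Replacing `allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;` with the three `manage_*_pattern` lines and a `files_tmp_filetrans` that now lists `lnk_file` widens cupsd_config_t's tmp access from plain files to directories and symlinks of its own type, and nothing in the -10051 hunk records which cups configuration helper needs to create symlinks under /tmp. A short comment above `manage_lnk_files_pattern`, e.g. `# <program> creates symlinks in its tmp dir`, would tie the grant to its cause so it can be revisited if that helper changes; the later hunks on this line only renumber inner hunk headers. The cupsd_config_t rule block continues on both sides of the hunk.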
@@ -10103,7 +10117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')

-@@ -382,6 +445,7 @@
+@@ -382,6 +447,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -10111,7 +10125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')

optional_policy(`
-@@ -491,7 +555,10 @@
+@@ -491,7 +557,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;

@@ -10123,7 +10137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

cups_stream_connect(hplip_t)

-@@ -500,6 +567,10 @@
+@@ -500,6 +569,10 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)

@@ -10134,7 +10148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)

-@@ -529,7 +600,8 @@
+@@ -529,7 +602,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -10144,7 +10158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +625,9 @@
+@@ -553,7 +627,9 @@
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)

@@ -10155,7 +10169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol

optional_policy(`
dbus_system_bus_client(hplip_t)
-@@ -635,3 +709,49 @@
+@@ -635,3 +711,49 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -23802,7 +23816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-03-26 20:09:40.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart,false)
@@ -24085,7 +24099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -790,3 +865,11 @@
+@@ -790,3 +865,17 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -24096,6 +24110,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ xserver_rw_xdm_home_files(daemon)
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_dontaudit_rw_nfs_files(daemon)
++ ')
++ tunable_policy(`use_samba_home_dirs',`
++ fs_dontaudit_rw_cifs_files(daemon)
++ ')
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.10/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400
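Review bot: The two `tunable_policy` blocks added in the -24096 hunk sit inside the `optional_policy(\`` whose only other statement is `xserver_rw_xdm_home_files(daemon)`, so as written they are compiled only when the xserver module is present, while what they suppress (NFS and CIFS read/write denials for every type carrying the `daemon` attribute) is not xserver-specific. If the goal is simply to quiet home-directory noise while use_nfs_home_dirs or use_samba_home_dirs is on, moving the two blocks out of the optional_policy and placing them above it makes that independent of xserver; if they really are only about xdm home files, a comment saying so, e.g. `# xdm home files may live on NFS/CIFS; silence rw denials from daemons`, would stop the next reader from moving them.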
@@ -27414,7 +27434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-03-24 09:03:48.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-03-26 20:35:29.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -29354,8 +29374,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400
-@@ -0,0 +1,110 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 20:45:05.000000000 -0400
+@@ -0,0 +1,113 @@
+## Virtual machine emulator and virtualizer
+
+########################################
@@ -29385,6 +29405,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ # start with basic domain
+ domain_type($1)
++
++ # could be started by libvirt
++ domain_user_exemption_target($1)
+')
+
+########################################
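Review bot: `++ domain_user_exemption_target($1)` in the -29385 hunk moves the exemption from the `virtualdomain` attribute (where the virtual.te hunk at the end of this page drops it) onto each type this template stamps out, so a type that acquires `virtualdomain` some other way no longer receives it; if that narrowing is intended, the comment should say so. `# could be started by libvirt` also does not say what the exemption changes; presumably it relaxes the process user-identity constraint so libvirt can launch the guest under a different SELinux user, but that should be confirmed against the interface's definition in domain.if and then stated, e.g. `# libvirt may start this domain under a different SELinux user; exempt it from the user-change constraint`. The template's body begins before this hunk.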
@@ -29468,8 +29491,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400
-@@ -0,0 +1,81 @@
++++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 20:44:37.000000000 -0400
+@@ -0,0 +1,80 @@
+
+policy_module(virtualization, 1.1.2)
+
@@ -29513,7 +29536,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_rw_qemu(virtualdomain)
+
+domain_use_interactive_fds(virtualdomain)
-+domain_user_exemption_target(virtualdomain)
+
+files_read_etc_files(virtualdomain)
+files_read_usr_files(virtualdomain)