From 67894a15415f417d93933e2d5bbd813ac66c5c30 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 31 2007 13:50:55 +0000 Subject: - Add type definition for /dev/kvm --- diff --git a/policy-20070703.patch b/policy-20070703.patch index fef70c1..757b51e 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3643,7 +3643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-10-31 09:43:13.000000000 -0400 @@ -20,6 +20,7 @@ /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) 
@@ -3652,7 +3652,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) -@@ -98,6 +99,7 @@ +@@ -30,6 +31,7 @@ + /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) ++/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh) + /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +@@ -98,6 +100,7 @@ /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -3662,7 +3670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-31 09:46:00.000000000 -0400 @@ -1306,6 +1306,44 @@ ######################################## 
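Review bot: Labelling /dev/kvm `mls_systemhigh` ties the node to systemhigh-cleared domains under an MLS policy, which would shut out a VM-running domain at a lower level, and nothing in the hunk says whether that is intended. The only other entries at that level in this file are the kernel-memory nodes /dev/kmem and /dev/kmsg, while the surrounding device nodes in the same hunk are `s0`; as far as I recall upstream refpolicy labels this node `s0` as well. If KVM is deliberately being treated as raw kernel access, keep the level and record the reason in the spec changelog or a `#` comment beside the entry; otherwise I would expect `/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)`.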
@@ -3708,6 +3716,102 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read input event devices (/dev/input). ## ## +@@ -1623,6 +1661,78 @@ + + ######################################## + ## ++## Get the attributes of the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_kvm_dev',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1,device_t,kvm_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_kvm_dev',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1,device_t,kvm_device_t) ++') ++ ++######################################## ++## ++## Read the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_kvm',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ read_chr_files_pattern($1,device_t,kvm_device_t) ++') ++ ++######################################## ++## ++## Read and write to kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_kvm',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1,device_t,kvm_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of miscellaneous devices. 
+ ## + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te +--- nsaserefpolicy/policy/modules/kernel/devices.te 2007-10-22 13:21:42.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.te 2007-10-31 09:43:37.000000000 -0400 +@@ -72,6 +72,13 @@ + dev_node(kmsg_device_t) + + # ++# kvm_device_t is the type of ++# /dev/kvm ++# ++type kvm_device_t; ++dev_node(kvm_device_t) ++ ++# + # Type for /dev/mapper/control + # + type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-10-22 13:21:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/domain.if 2007-10-30 19:48:13.000000000 -0400 @@ -8543,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-31 07:35:43.000000000 -0400 @@ -142,6 +142,12 @@ sendmail_create_log($1_mail_t) ') 
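Review bot: The new `kvm_device_t` type and the four devices.if interfaces that expose it have no caller anywhere in this commit, so once the node is relabelled away from the generic device type, whatever currently opens /dev/kvm through a generic chr-file grant will start producing AVC denials on kvm_device_t until some domain is given `dev_rw_kvm(<consumer_domain>)`. If that wiring is coming in a separate change, a line in the spec changelog saying so would avoid the regression being reported as a bug; otherwise the consumer should be granted access in the same update. Minor: the devices.te comment `# kvm_device_t is the type of /dev/kvm` could also mention the MLS level chosen in devices.fc so the decision is visible next to the declaration. The nested devices.if hunk is complete here, but the enclosing devices.te declarations block continues beyond the hunk.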
@@ -8606,7 +8710,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -447,20 +481,18 @@ +@@ -436,6 +470,24 @@ + + ######################################## + ## ++## Make the specified type readable for a system_mail_t ++## ++## ++## ++## Type to be used as a mail client. ++## ++## ++# ++interface(`mta_mailcontent',` ++ gen_require(` ++ attribute mailcontent_type; ++ ') ++ ++ typeattribute $1 mailcontent_type; ++') ++ ++######################################## ++## + ## Send mail from the system. + ## + ## +@@ -447,20 +499,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -8633,7 +8762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -595,6 +627,25 @@ +@@ -595,6 +645,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') @@ -8661,16 +8790,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-29 23:59:29.000000000 -0400 -@@ -6,6 +6,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-31 07:35:09.000000000 -0400 +@@ -6,6 +6,8 @@ # Declarations # ++attribute mailcontent_type; +attribute mailclient_exec_type; attribute mta_user_agent; attribute mailserver_delivery; attribute mailserver_domain; -@@ -27,6 +28,7 @@ +@@ -27,6 +29,7 @@ type sendmail_exec_t; application_executable_file(sendmail_exec_t) 
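Review bot: The parameter description of the new `mta_mailcontent` interface contradicts its summary: the summary says the type is made readable for system_mail_t, but the parameter text reads `Type to be used as a mail client.`, which describes a process domain rather than content, and a caller reading only that line could pass a domain type into `typeattribute $1 mailcontent_type;`. I would change the parameter line to `## Type whose files system_mail_t may read.`; the interface body itself looks right. The interface name also reads as a noun rather than the `mta_<verb>_<object>` form used by `mta_send_mail` further down this hunk, which is worth a second look before it becomes public API.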
@@ -8678,7 +8808,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -44,23 +46,33 @@ +@@ -40,27 +43,38 @@ + allow system_mail_t self:capability { dac_override }; + + read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) ++read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) + kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) @@ -8712,7 +8847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,6 +85,7 @@ +@@ -73,6 +87,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -11670,6 +11805,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun seutil_sigchld_newrole(soundd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te +--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-10-31 09:26:27.000000000 -0400 +@@ -81,7 +81,7 @@ + + # var/lib files for spamd + allow spamd_t spamd_var_lib_t:dir list_dir_perms; +-read_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) ++manage_files_pattern(spamd_t,spamd_var_lib_t,spamd_var_lib_t) + + manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) + manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-10-29 23:59:29.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 7c614d7..0b91670 100644 --- a/selinux-policy.spec 
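Review bot: `read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)` grants directory search only where the directory itself carries the attribute, because the attribute is passed as both the directory and the file argument; a caller that puts `mailcontent_type` on its file type alone will still be denied the search on the containing directory. Either confirm that every intended caller labels its directories too, or add a comment above the rule such as `# callers must apply mailcontent_type to the containing dir type as well`. The system_mail_t rule block continues beyond this hunk.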
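Review bot: The spec changelog for this release records only the /dev/kvm type, yet spamassassin.te here moves spamd_t from `read_files_pattern` to `manage_files_pattern` on spamd_var_lib_t, which adds create, write and unlink on those files. If that macro grants rw_dir_perms on its directory argument as it does in refpolicy, the `allow spamd_t spamd_var_lib_t:dir list_dir_perms;` line just above becomes subsumed and can be dropped. Either way a changelog line for the widening would keep the audit trail honest, since it is a broader grant than the commit title suggests.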
+++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 42%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,6 +373,9 @@ exit 0 %endif %changelog +* Tue Oct 30 2007 Dan Walsh 3.0.8-43 +- Add type definition for /dev/kvm + * Tue Oct 30 2007 Dan Walsh 3.0.8-42 - Make tcbdomain - Allow domain domain:fd use