From 1c6bcafb00ada1fe728e30a9f0389ad865c07f53 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 01 2009 21:27:34 +0000
Subject: - Allow svirt to list sysfs_t directory
---
diff --git a/policy-F12.patch b/policy-F12.patch
index ebf58bc..c461fa0 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -2514,6 +2514,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+seutil_domtrans_setfiles_mac(livecd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.6.32/policy/modules/apps/loadkeys.te
+--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/loadkeys.te 2009-10-01 14:51:17.000000000 -0400
+@@ -45,3 +45,7 @@
+ optional_policy(`
+ nscd_dontaudit_search_pid(loadkeys_t)
+ ')
++
++ifdef(`hide_broken_symptoms',`
++ dev_dontaudit_rw_lvm_control_dev(loadkeys_t)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/mono.if 2009-09-30 16:12:48.000000000 -0400
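Review bot: The new `dev_dontaudit_rw_lvm_control_dev(loadkeys_t)` call in the loadkeys.te hunk has no comment saying what symptom it hides, so the next reader cannot distinguish a benign leaked descriptor from a real access need, and the dontaudit itself removes the AVC message that would show it. Guarding it with `hide_broken_symptoms` is the right scoping, but the rule is still silent in a default build. I would add above the ifdef `# loadkeys is denied rw on the lvm control device (presumably a descriptor leaked by its caller -- confirm); hidden as noise, visible again with 'semodule -DB'`. The interface being called is introduced by the devices.if hunk further down in this same commit (`@@ -5256,7 +5267,33 @@`), so the two belong together when this is reverted or revisited.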
@@ -5114,7 +5125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-10-01 16:59:38.000000000 -0400
@@ -1692,6 +1692,78 @@
########################################
@@ -5256,7 +5267,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Read the lvm comtrol device.
-@@ -2305,6 +2432,25 @@
+@@ -1818,6 +1945,25 @@
+
+ ########################################
+ ##
++## Do not audit attempts to read and write lvm control device.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_dontaudit_rw_lvm_control_dev',`
++ gen_require(`
++ type lvm_control_t;
++ ')
++
++ dontaudit $1 lvm_control_t:chr_file rw_file_perms;
++')
++
++
++########################################
++##
+ ## dontaudit getattr raw memory devices (e.g. /dev/mem).
+ ##
+ ##
+@@ -2305,6 +2451,25 @@
########################################
##
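Review bot: The doc block for `dev_dontaudit_rw_lvm_control_dev` shows bare `##` lines around `Domain allowed access.` where refpolicy interfaces carry `<summary>` and `<param name="domain">` markup that the interface documentation build relies on; if the tags were stripped only in this rendering there is nothing to do, otherwise they should be restored before the interface lands. The rule body `dontaudit $1 lvm_control_t:chr_file rw_file_perms;` does what the summary says; the allow counterpart for this device (`dev_rw_lvm_control`, outside this hunk) uses the chr_file-specific permission set as far as I recall, so `rw_chr_file_perms` may be the more consistent choice -- confirm against that interface. The hunk also carries the pre-existing context typo `comtrol` at its top, which predates this change.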
@@ -5282,7 +5319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read and write to the null device (/dev/null).
##
##
-@@ -3599,6 +3745,24 @@
+@@ -3599,6 +3764,24 @@
########################################
##
@@ -12460,7 +12497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2009-10-01 14:28:11.000000000 -0400
@@ -41,6 +41,13 @@
##
@@ -12475,7 +12512,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow ftp to read and write files in the user home directories
##
##
-@@ -78,6 +85,14 @@
+@@ -78,12 +85,20 @@
type xferlog_t;
logging_log_file(xferlog_t)
@@ -12490,6 +12527,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# ftpd local policy
+ #
+
+-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
++allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+ dontaudit ftpd_t self:capability sys_tty_config;
+ allow ftpd_t self:process signal_perms;
+ allow ftpd_t self:process { getcap setcap setsched setrlimit };
@@ -92,6 +107,8 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
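Review bot: `sys_admin` is added to `allow ftpd_t self:capability { ... }` with no comment, no mention in the subject or in the changelog hunk below, and it is the broadest capability in the set, so this widens the ftpd domain well beyond what `sys_chroot sys_nice sys_resource` already permit. The policy should record which ftpd operation needs it so a later reviewer can drop it once the need goes away; I would add above the rule `# sys_admin: required for <ftpd operation -- TODO name it>` or, if the operation is optional, move it under a tunable the way `ftp_home_dir` gates the home directory rules. If the denial being fixed turns out to be noise rather than a functional failure, a `dontaudit` is the cheaper and safer answer than an allow. The inner hunk header widening from `+85,14` to `+85,20` suggests this came in with a separate change, which is another reason to name it in the changelog.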
@@ -19809,7 +19853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-01 16:59:54.000000000 -0400
@@ -20,6 +20,28 @@
##
gen_tunable(virt_use_samba, false)
@@ -19970,9 +20014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
-
-+modutils_manage_module_config(virtd_t)
+
++modutils_manage_module_config(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
@@ -20015,6 +20059,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
++')
++
++optional_policy(`
++ lvm_domtrans(virtd_t)
')
-#optional_policy(`
@@ -20022,10 +20070,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-# polkit_domtrans_resolve(virtd_t)
-#')
+optional_policy(`
-+ lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
@@ -20042,7 +20086,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -196,8 +301,160 @@
+@@ -196,8 +301,162 @@
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
@@ -20108,6 +20152,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_rw_printer(svirt_t)
+')
+
++dev_list_sysfs(svirt_t)
++
+tunable_policy(`virt_manage_sysfs',`
+ dev_rw_sysfs(svirt_t)
+')
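Review bot: `dev_list_sysfs(svirt_t)` is granted to every guest domain unconditionally while the adjacent `dev_rw_sysfs(svirt_t)` stays behind the `virt_manage_sysfs` tunable, and nothing in the hunk says why listing must be always-on. Listing, as the interface name indicates, covers directory search and enumeration rather than file contents, so the exposure is small, but a comment makes the split deliberate rather than accidental: `# listing sysfs dirs is always needed by the guest (presumably for device enumeration -- confirm); file contents stay behind virt_manage_sysfs`. The inner file hunk `@@ -196,8 +301,162 @@` is only partly visible here, so I cannot tell whether an existing comment elsewhere in the svirt block already covers this.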
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 02b817c..29dd93d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,9 @@ exit 0
%endif
%changelog
+* Thu Oct 1 2009 Dan Walsh 3.6.32-18
+- Allow svirt to list sysfs_t directory
+
* Thu Oct 1 2009 Dan Walsh 3.6.32-17
- Allow vpnc request the kernel to load modules