From 4bc337112ad0ad411b1f8204c9b9b6d05dedd5b3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 16 2009 19:16:43 +0000 Subject: - abrt needs more access to rpm pid files - Abrt wants to execute its own tmp files - abrt needs to write sysfs - abrt needs to search all file system dirs - logrotate and tmpreaper need to be able to manage abrt cache - rtkit_daemon needs to be able to setsched on lots of user apps - networkmanager creates dirs in /var/lib - plymouth executes lvm tools --- diff --git a/policy-F12.patch b/policy-F12.patch index 6f1f1aa..a09c8c7 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -276,7 +276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-11-09 11:59:58.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-11-16 09:58:16.000000000 -0500 @@ -32,7 +32,7 @@ # Change ownership on log files. allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; @@ -297,7 +297,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(logrotate_t, logrotate_exec_t) cron_search_spool(logrotate_t) -@@ -149,6 +150,14 @@ +@@ -137,6 +138,10 @@ + ') + + optional_policy(` ++ abrt_cache_manage(logrotate_t) ++') ++ ++optional_policy(` + acct_domtrans(logrotate_t) + acct_manage_data(logrotate_t) + acct_exec_data(logrotate_t) +@@ -149,6 +154,14 @@ ') optional_policy(` @@ -312,7 +323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(logrotate_t) ') -@@ -183,6 +192,10 @@ +@@ -183,6 +196,10 @@ ') optional_policy(` @@ -700,7 +711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-12 08:20:36.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-16 10:51:46.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -1595,7 +1606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-11-12 08:20:55.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-11-16 09:57:56.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1619,7 +1630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ rpm_read_cache(tmpreaper_t) ++ rpm_manage_cache(tmpreaper_t) +') + +optional_policy(` @@ -6090,7 +6101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.32/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-09 13:41:27.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/devices.if 2009-11-16 10:03:52.000000000 -0500 @@ -1692,6 +1692,78 @@ ######################################## @@ -7309,7 +7320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-09 16:33:29.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-16 10:42:35.000000000 -0500 @@ -290,7 +290,7 @@ ######################################## @@ -9250,8 +9261,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-09 15:10:48.000000000 -0500 -@@ -0,0 +1,424 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-16 10:01:02.000000000 -0500 +@@ -0,0 +1,429 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9641,6 +9652,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ rtkit_daemon_system_domain(unconfined_notrans_t) ++') ++ ++ ++optional_policy(` + gen_require(` + type mplayer_exec_t; + type unconfined_execmem_t; @@ -10055,7 +10071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-13 11:05:19.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-16 10:52:29.000000000 -0500 @@ -33,12 +33,23 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10081,8 +10097,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow abrt_t self:process { signal signull setsched getsched }; allow abrt_t self:fifo_file rw_fifo_file_perms; -@@ -60,13 +71,15 @@ +@@ -58,15 +69,18 @@ + manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) + manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) ++can_exec(abrt_t, abrt_tmp_t) # abrt var/cache files -manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) @@ -10099,7 +10118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,11 +88,17 @@ +@@ -75,10 +89,17 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -10110,14 +10129,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_connect_all_ports(abrt_t) dev_read_urand(abrt_t) - ++dev_rw_sysfs(abrt_t) ++ +domain_read_all_domains_state(abrt_t) +domain_signull_all_domains(abrt_t) -+ + files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) - files_read_usr_files(abrt_t) -@@ -96,22 +115,59 @@ +@@ -87,6 +108,7 @@ + fs_list_inotifyfs(abrt_t) + fs_getattr_all_fs(abrt_t) + fs_getattr_all_dirs(abrt_t) ++fs_search_all(abrt_t) + + sysnet_read_config(abrt_t) + +@@ -96,22 +118,59 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10148,11 +10175,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - rpm_manage_db(abrt_t) - rpm_domtrans(abrt_t) -+ rpm_manage_cache(abrt_t) -+ rpm_read_db(abrt_t) -+ rpm_read_pid_files(abrt_t) + rpm_exec(abrt_t) + rpm_dontaudit_manage_db(abrt_t) ++ rpm_manage_cache(abrt_t) ++ rpm_manage_pid_files(abrt_t) ++ rpm_read_db(abrt_t) + rpm_signull(abrt_t) ') @@ -16397,7 +16424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-11-16 10:30:04.000000000 -0500 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -16425,7 +16452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow NetworkManager_t self:tcp_socket create_stream_socket_perms; allow NetworkManager_t self:udp_socket create_socket_perms; allow NetworkManager_t self:packet_socket create_socket_perms; -@@ -51,8 +55,11 @@ +@@ -51,8 +55,13 @@ manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -16435,11 +16462,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) +files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) + ++manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) -@@ -63,6 +70,9 @@ +@@ -63,6 +72,9 @@ kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) @@ -16449,7 +16478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +91,18 @@ +@@ -81,13 +93,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) @@ -16468,7 +16497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(NetworkManager_t) -@@ -98,15 +113,20 @@ +@@ -98,15 +115,20 @@ domain_use_interactive_fds(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t) @@ -16490,7 +16519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -@@ -116,25 +136,40 @@ +@@ -116,25 +138,40 @@ seutil_read_config(NetworkManager_t) @@ -16538,7 +16567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -146,8 +181,25 @@ +@@ -146,8 +183,25 @@ ') optional_policy(` @@ -16566,7 +16595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,23 +207,51 @@ +@@ -155,23 +209,51 @@ ') optional_policy(` @@ -16593,17 +16622,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) + openvpn_signull(NetworkManager_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + policykit_dbus_chat(NetworkManager_t) + policykit_domtrans_auth(NetworkManager_t) + policykit_read_lib(NetworkManager_t) + policykit_read_reload(NetworkManager_t) + userdom_read_all_users_state(NetworkManager_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) @@ -16620,7 +16649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -179,12 +259,15 @@ +@@ -179,12 +261,15 @@ ') optional_policy(` @@ -17795,8 +17824,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-11-11 09:44:38.000000000 -0500 -@@ -0,0 +1,97 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-11-16 10:36:15.000000000 -0500 +@@ -0,0 +1,101 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -17888,6 +17917,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +plymouth_stream_connect(plymouth_t) + ++optional_policy(` ++ lvm_domtrans(plymouth_t) ++') ++ +ifdef(`hide_broken_symptoms', ` +optional_policy(` + hal_dontaudit_write_log(plymouth_t) @@ -28492,8 +28525,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-10-09 09:06:59.000000000 -0400 -@@ -85,3 +85,5 @@ ++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-11-16 11:12:18.000000000 -0500 +@@ -41,6 +41,7 @@ + + /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) + ++/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) +@@ -85,3 +86,5 @@ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) ') @@ -31335,7 +31376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-13 11:30:14.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-16 11:06:46.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -32253,7 +32294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +950,93 @@ +@@ -865,51 +950,97 @@ userdom_restricted_user_template($1) @@ -32310,8 +32351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + alsa_read_rw_config($1_usertype) + ') - -- xserver_restricted_role($1_r, $1_t) ++ + optional_policy(` + apache_role($1_r, $1_usertype) + ') @@ -32322,36 +32362,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_dbus_chat_power($1_usertype) + ') +- xserver_restricted_role($1_r, $1_t) ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') + optional_policy(` - alsa_read_rw_config($1_t) -+ fprintd_dbus_chat($1_t) ++ gnomeclock_dbus_chat($1_t) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -+ gnomeclock_dbus_chat($1_t) -+ ') - - optional_policy(` -- consolekit_dbus_chat($1_t) + gnome_manage_config($1_usertype) + gnome_manage_gconf_home_files($1_usertype) + gnome_read_gconf_config($1_usertype) ++ ') + + optional_policy(` +- consolekit_dbus_chat($1_t) ++ openoffice_role_template($1, $1_r, $1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) ++ pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ pulseaudio_role($1_r, $1_usertype) ++ rtkit_daemon_system_domain($1_usertype) ') optional_policy(` @@ -32360,7 +32405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1070,8 @@ +@@ -943,8 +1074,8 @@ # Declarations # @@ -32370,7 +32415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1080,67 @@ +@@ -953,58 +1084,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -32404,14 +32449,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - storage_raw_read_removable_device($1_t) + optional_policy(` + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ cron_role($1_r, $1_t) ') + + optional_policy(` -+ games_rw_data($1_usertype) ++ cron_role($1_r, $1_t) ') - tunable_policy(`user_dmesg',` @@ -32419,7 +32460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ',` - kernel_dontaudit_read_ring_buffer($1_t) + optional_policy(` -+ gpg_role($1_r, $1_usertype) ++ games_rw_data($1_usertype) ') - # Allow users to run TCP servers (bind to ports and accept connection from @@ -32429,28 +32470,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + optional_policy(` -+ gpm_stream_connect($1_usertype) ++ gpg_role($1_r, $1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) -+ execmem_role_template($1, $1_r, $1_t) ++ gpm_stream_connect($1_usertype) ') optional_policy(` - postgresql_role($1_r,$1_t) -+ java_role_template($1, $1_r, $1_t) ++ execmem_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ mono_role_template($1, $1_r, $1_t) ++ java_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mono_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` + mount_run($1_t, $1_r) + ') + @@ -32468,7 +32513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1176,7 @@ +@@ -1040,7 +1180,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -32477,7 +32522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1185,7 @@ +@@ -1049,8 +1189,7 @@ # # Inherit rules for ordinary users. @@ -32487,7 +32532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1210,9 @@ +@@ -1075,6 +1214,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -32497,7 +32542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1227,7 @@ +@@ -1089,6 +1231,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -32505,7 +32550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1235,6 @@ +@@ -1096,8 +1239,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -32514,7 +32559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,12 +1261,11 @@ +@@ -1124,12 +1265,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -32529,7 +32574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1152,20 +1288,6 @@ +@@ -1152,20 +1292,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -32550,7 +32595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1333,7 @@ +@@ -1211,6 +1337,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -32558,7 +32603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1399,15 @@ +@@ -1276,11 +1403,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -32574,7 +32619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1518,13 @@ +@@ -1391,12 +1522,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -32589,7 +32634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1557,14 @@ +@@ -1429,6 +1561,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -32604,7 +32649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1580,11 @@ +@@ -1444,9 +1584,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -32616,7 +32661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1641,42 @@ +@@ -1503,6 +1645,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -32659,7 +32704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1751,8 @@ +@@ -1577,6 +1755,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -32668,7 +32713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1619,6 +1795,24 @@ +@@ -1619,6 +1799,24 @@ ######################################## ## @@ -32693,7 +32738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1670,6 +1864,7 @@ +@@ -1670,6 +1868,7 @@ type user_home_dir_t, user_home_t; ') @@ -32701,7 +32746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1686,11 +1881,11 @@ +@@ -1686,11 +1885,11 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -32716,7 +32761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1797,19 +1992,32 @@ +@@ -1797,19 +1996,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -32756,7 +32801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2052,7 @@ +@@ -1844,6 +2056,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -32764,7 +32809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2196,7 +2405,7 @@ +@@ -2196,7 +2409,7 @@ ######################################## ## @@ -32773,7 +32818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary files. ## ## -@@ -2205,37 +2414,56 @@ +@@ -2205,31 +2418,50 @@ ## ## # @@ -32808,13 +32853,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; -- files_search_tmp($1) + dontaudit $1 user_tmp_t:file manage_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete user ++') ++ ++######################################## ++## +## Read user temporary symbolic links. +## +## @@ -32830,16 +32873,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + allow $1 user_tmp_t:dir list_dir_perms; -+ files_search_tmp($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete user - ## temporary directories. - ## - ## -@@ -2276,6 +2504,46 @@ + files_search_tmp($1) + ') + +@@ -2276,6 +2508,46 @@ ######################################## ## ## Create, read, write, and delete user @@ -32886,7 +32923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## temporary symbolic links. ## ## -@@ -2391,7 +2659,7 @@ +@@ -2391,7 +2663,7 @@ ######################################## ## @@ -32895,7 +32932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2399,19 +2667,20 @@ +@@ -2399,19 +2671,20 @@ ## ## # @@ -32920,7 +32957,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2419,15 +2688,14 @@ +@@ -2419,15 +2692,14 @@ ## ## # @@ -32940,7 +32977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2749,7 +3017,7 @@ +@@ -2749,7 +3021,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -32949,7 +32986,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +3033,32 @@ +@@ -2765,11 +3037,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -32984,7 +33021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3186,43 @@ +@@ -2897,7 +3190,43 @@ type user_tmp_t; ') @@ -33029,7 +33066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3259,7 @@ +@@ -2934,6 +3263,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -33037,7 +33074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3390,578 @@ +@@ -3064,3 +3394,578 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9c80438..2ea0dc9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 45%{?dist} +Release: 46%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,17 @@ exit 0 %endif %changelog +* Mon Nov 16 2009 Dan Walsh 3.6.32-46 +- abrt needs more access to rpm pid files +- Abrt wants to execute its own tmp files +- abrt needs to write sysfs +- abrt needs to search all file system dirs +- logrotate and tmpreaper need to be able to manage abrt cache +- rtkit_daemon needs to be able to setsched on lots of user apps +- networkmanager creates dirs in /var/lib +- plymouth executes lvm tools + + * Fri Nov 13 2009 Dan Walsh 3.6.32-45 - Allow mount on dos file systems - fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses