From 7554dddb4fdd375e604a03bff8422d302e645b50 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 26 2010 18:37:50 +0000
Subject: - Allow initrc_t to read slapd_db_t Resolves: #585476
- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
Resolves: #585963
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 5f13ef2..5a1c439 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -5566,7 +5566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.19/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-04-26 14:21:03.000000000 -0400
@@ -50,6 +50,8 @@
#
# qemu local policy
@@ -7008,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-22 11:50:15.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-26 11:35:42.000000000 -0400
@@ -49,7 +49,8 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -7023,8 +7023,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/pm/power\d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/etc/pm/sleep\d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
@@ -7248,7 +7248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-26 10:13:11.000000000 -0400
@@ -934,6 +934,42 @@
########################################
@@ -8676,7 +8676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-04-26 14:05:06.000000000 -0400
@@ -569,10 +569,10 @@
#
interface(`fs_mount_cgroup', `
@@ -13388,8 +13388,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te
--- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-20 08:19:53.000000000 -0400
-@@ -0,0 +1,91 @@
++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-26 10:13:28.000000000 -0400
+@@ -0,0 +1,92 @@
+
+policy_module(boinc,1.0.0)
+
@@ -13461,6 +13461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
+corenet_tcp_bind_boinc_port(boinc_t)
+corenet_tcp_connect_http_port(boinc_t)
+
++dev_list_sysfs(boinc_t)
+dev_read_rand(boinc_t)
+dev_read_urand(boinc_t)
+dev_read_sysfs(boinc_t)
@@ -17776,7 +17777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.19/policy/modules/services/git.te
--- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-04-26 08:37:26.000000000 -0400
@@ -1,9 +1,193 @@
-policy_module(git, 1.0)
@@ -17962,7 +17963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
+
+optional_policy(`
+ apache_content_template(git)
-+ git_read_session_content_files(httpd_git_script_t)
++ git_read_all_content_files(httpd_git_script_t)
+ files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
+')
+
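Review bot: `git_read_all_content_files(httpd_git_script_t)` on the replaced line appears to widen the CGI script's read access from session content to every git content type, and neither the commit message nor the policy records why. A one-line comment above it, e.g. `# <reason the CGI needs all git content, not only session content>`, would keep the broader grant reviewable. The enclosing `optional_policy` block in git.te continues outside the hunk.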
@@ -18217,7 +18218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
+#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if
--- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-21 13:40:21.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-26 10:03:48.000000000 -0400
@@ -1,5 +1,43 @@
## OpenLDAP directory server
@@ -18262,7 +18263,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
########################################
##
## Read the contents of the OpenLDAP
-@@ -71,6 +109,30 @@
+@@ -21,6 +59,25 @@
+
+ ########################################
+ ##
++## Read the contents of the OpenLDAP
++## database files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ldap_read_db_files',`
++ gen_require(`
++ type slapd_db_t;
++ ')
++
++ read_files_pattern($1, slapd_db_t, slapd_db_t)
++')
++
++########################################
++##
+ ## Read the OpenLDAP configuration files.
+ ##
+ ##
+@@ -71,6 +128,30 @@
files_search_pids($1)
allow $1 slapd_var_run_t:sock_file write;
allow $1 slapd_t:unix_stream_socket connectto;
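Review bot: `ldap_read_db_files` grants `read_files_pattern($1, slapd_db_t, slapd_db_t)` but nothing lets the caller search the directories above the database; the neighbouring interface in this hunk pairs its `slapd_var_run_t` grant with `files_search_pids($1)`, so this one should likewise add `files_search_var_lib($1)` before the pattern if slapd_db_t is labeled under /var/lib as in stock refpolicy (the file context is not in this diff). The `initrc_t` caller added to init.te will probably work regardless because init scripts already traverse /var/lib, which would mask the omission for other callers. The second interface in this hunk is cut off at the hunk end.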
@@ -24517,7 +24544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-04-26 14:03:38.000000000 -0400
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -24569,7 +24596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
-@@ -306,6 +317,8 @@
+@@ -306,8 +317,11 @@
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
@@ -24577,8 +24604,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
++fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
-@@ -316,6 +329,7 @@
+ fs_search_auto_mountpoints(smbd_t)
+ fs_getattr_rpc_dirs(smbd_t)
+@@ -316,6 +330,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
@@ -24586,7 +24616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -325,6 +339,8 @@
+@@ -325,6 +340,8 @@
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
@@ -24595,7 +24625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -337,10 +353,13 @@
+@@ -337,10 +354,13 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -24610,7 +24640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +371,19 @@
+@@ -352,19 +372,19 @@
')
tunable_policy(`samba_domain_controller',`
@@ -24636,7 +24666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
# Support Samba sharing of NFS mount points
-@@ -376,6 +395,15 @@
+@@ -376,6 +396,15 @@
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -24652,7 +24682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -391,6 +419,11 @@
+@@ -391,6 +420,11 @@
')
optional_policy(`
@@ -24664,7 +24694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rpc_search_nfs_state_data(smbd_t)
')
-@@ -405,13 +438,15 @@
+@@ -405,13 +439,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -24681,7 +24711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -420,8 +455,8 @@
+@@ -420,8 +456,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -24691,7 +24721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -525,6 +560,7 @@
+@@ -525,6 +561,7 @@
allow smbcontrol_t winbind_t:process { signal signull };
@@ -24699,7 +24729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -536,6 +572,8 @@
+@@ -536,6 +573,8 @@
miscfiles_read_localization(smbcontrol_t)
@@ -24708,7 +24738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +656,7 @@
+@@ -618,7 +657,7 @@
# SWAT Local policy
#
@@ -24717,7 +24747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +664,23 @@
+@@ -626,23 +665,23 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
@@ -24750,7 +24780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,7 +695,8 @@
+@@ -657,7 +696,8 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -24760,7 +24790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +739,8 @@
+@@ -700,6 +740,8 @@
miscfiles_read_localization(swat_t)
@@ -24769,7 +24799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +754,23 @@
+@@ -713,12 +755,23 @@
kerberos_use(swat_t)
')
@@ -24794,7 +24824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -779,6 +831,9 @@
+@@ -779,6 +832,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -24804,7 +24834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +843,7 @@
+@@ -788,7 +844,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -24813,7 +24843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +921,18 @@
+@@ -866,6 +922,18 @@
#
optional_policy(`
@@ -24832,7 +24862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +943,12 @@
+@@ -876,9 +944,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -26288,30 +26318,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-04-26 14:21:28.000000000 -0400
@@ -14,16 +14,16 @@
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
-/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0)
-+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0-mls_systemhigh)
++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
-+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-04-26 14:24:32.000000000 -0400
@@ -21,6 +21,7 @@
type $1_t, virt_domain;
domain_type($1_t)
@@ -26320,19 +26350,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,9 +36,11 @@
+@@ -35,9 +36,7 @@
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
+-
+- type $1_var_run_t;
+- files_pid_file($1_var_run_t)
+ dev_associate_sysfs($1_image_t)
- type $1_var_run_t;
- files_pid_file($1_var_run_t)
-+ mls_trusted_object($1_var_run_t)
-
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1_t, $1_devpts_t)
-@@ -45,6 +48,7 @@
+@@ -45,6 +44,7 @@
manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
manage_files_pattern($1_t, $1_image_t, $1_image_t)
read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
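Review bot: Dropping `type $1_var_run_t;` / `files_pid_file($1_var_run_t)` from `virt_domain_template` (and its rules in the next hunk, @@ -26340) changes what every instantiation of the template declares, while the `typealias qemu_var_run_t alias svirt_var_run_t` added to virt.te covers only the `svirt` instance. If any other module instantiates the template, its `<name>_var_run_t` type vanishes and policy that references it will fail to build, so either confirm `svirt` is the sole caller or alias the other names too. The template body starts before this hunk and ends after it.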
@@ -26340,7 +26369,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -192,6 +196,7 @@
+@@ -57,18 +57,6 @@
+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+-
+- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+-
+ optional_policy(`
+ xserver_rw_shm($1_t)
+ ')
+@@ -192,6 +180,7 @@
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
@@ -26348,7 +26396,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
########################################
-@@ -516,3 +521,32 @@
+@@ -433,15 +422,15 @@
+ ##
+ ##
+ #
+-interface(`virt_manage_svirt_cache',`
++interface(`virt_manage_cache',`
+ gen_require(`
+- type svirt_cache_t;
++ type virt_cache_t;
+ ')
+
+ files_search_var($1)
+- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+- manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
++ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
++ manage_files_pattern($1, virt_cache_t, virt_cache_t)
++ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ ')
+
+ ########################################
+@@ -516,3 +505,32 @@
virt_manage_log($1)
')
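Review bot: Renaming the interface to `virt_manage_cache` removes `virt_manage_svirt_cache` from the module's public interface with no deprecated shim; the only caller updated in this commit is init.te, and any other module still calling the old name will fail to build. Refpolicy's convention for a renamed interface is to keep the old name as a wrapper that emits `refpolicywarn` and forwards to the new one, as below. The `<summary>` comment block above the `interface(` line is outside the hunk and should be checked for stale "svirt" wording.
```m4
########################################
## <summary>
##	Deprecated, use virt_manage_cache() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_svirt_cache',`
	refpolicywarn(`$0($*) has been deprecated, use virt_manage_cache() instead.')
	virt_manage_cache($1)
')
```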
@@ -26383,7 +26452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-20 14:14:36.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-26 14:24:46.000000000 -0400
@@ -36,13 +36,6 @@
##
@@ -26398,6 +26467,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
## Allow virt to use usb devices
##
##
+@@ -51,12 +44,12 @@
+ virt_domain_template(svirt)
+ role system_r types svirt_t;
+
+-type svirt_cache_t;
+-files_type(svirt_cache_t)
+-
+ attribute virt_domain;
+ attribute virt_image_type;
+
++type virt_cache_t alias svirt_cache_t;
++files_type(virt_cache_t)
++
+ type virt_etc_t;
+ files_config_file(virt_etc_t)
+
@@ -74,6 +67,7 @@
type virt_log_t;
@@ -26406,7 +26491,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
type virt_var_run_t;
files_pid_file(virt_var_run_t)
-@@ -155,12 +149,9 @@
+@@ -90,6 +84,11 @@
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+
++type qemu_var_run_t;
++typealias qemu_var_run_t alias svirt_var_run_t;
++files_pid_file(qemu_var_run_t)
++mls_trusted_object(qemu_var_run_t)
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -105,10 +104,6 @@
+
+ allow svirt_t self:udp_socket create_socket_perms;
+
+-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+-files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+-
+ read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+ allow svirt_t svirt_image_t:dir search_dir_perms;
+@@ -155,12 +150,9 @@
fs_manage_cifs_files(svirt_t)
')
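Review bot: The new pid type is aliased on a separate line, `typealias qemu_var_run_t alias svirt_var_run_t;`, while `virt_cache_t` in the hunk just above uses the inline `type virt_cache_t alias svirt_cache_t;` form; use one form for both, e.g. `type qemu_var_run_t alias svirt_var_run_t;`. `mls_trusted_object(qemu_var_run_t)` exempts every object of this type from the MLS read/write constraints, which is what the `s0-mls_systemhigh` ranges given to these paths in virt.fc rely on, but that is not obvious at the declaration; a comment such as `# libvirt's qemu runtime dir is shared by guests at every level, hence trusted` would record the intent.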
@@ -26420,15 +26528,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
-@@ -194,6 +185,7 @@
+@@ -187,13 +179,16 @@
+ allow virtd_t self:tun_socket create_socket_perms;
+ allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+-manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
++manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
++manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+
+ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
- allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
-+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
+-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
++stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,6 +197,7 @@
+@@ -205,6 +200,7 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -26436,7 +26556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
allow virtd_t virt_image_type:file { relabelfrom relabelto };
allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
-@@ -252,14 +245,20 @@
+@@ -252,14 +248,20 @@
# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
@@ -26458,7 +26578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -268,6 +267,14 @@
+@@ -268,6 +270,14 @@
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -26473,7 +26593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
storage_manage_fixed_disk(virtd_t)
-@@ -291,15 +298,22 @@
+@@ -291,15 +301,22 @@
logging_send_syslog_msg(virtd_t)
@@ -26496,7 +26616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +384,7 @@
+@@ -370,6 +387,7 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -26504,7 +26624,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -446,6 +461,10 @@
+@@ -407,6 +425,20 @@
+ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+ allow virt_domain self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
++
++manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
++files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
++stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
++
++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
++
+ append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+ append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+@@ -446,6 +478,10 @@
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
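Review bot: The `manage_*_pattern(virt_domain, virt_cache_t, ...)`, `files_var_filetrans(virt_domain, virt_cache_t, ...)` and `manage_*_pattern(virt_domain, qemu_var_run_t, ...)` lines give every domain carrying the `virt_domain` attribute write access to two shared types: the cache rules that @@ -26406 removes from `svirt_t` alone, and the per-instance `$1_var_run_t` rules that @@ -26340 removes from the template, now apply to the whole attribute on one type each. With all guests in the same attribute writing the same types, whether one guest can read or alter another's files there is no longer decided by type enforcement but only by the MCS/MLS labels on the individual objects (and `qemu_var_run_t` is declared a trusted object). A comment stating that this is intended, e.g. `# shared by all guests; per-guest separation relies on categories, not type`, would help the next reviewer. The surrounding virt_domain rules continue outside the hunk.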
@@ -26515,6 +26656,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
+@@ -467,3 +503,4 @@
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.19/policy/modules/services/w3c.te
--- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-04-14 10:48:18.000000000 -0400
@@ -28703,7 +28849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-22 08:33:38.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-26 14:20:49.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -28920,7 +29066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -517,6 +571,15 @@
+@@ -517,6 +571,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -28933,10 +29079,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
++ ')
++
++ optional_policy(`
++ ldap_read_db_files(initrc_t)
')
optional_policy(`
-@@ -542,6 +605,35 @@
+@@ -542,6 +609,35 @@
')
')
@@ -28972,7 +29122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,6 +646,8 @@
+@@ -554,6 +650,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -28981,7 +29131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -594,6 +688,7 @@
+@@ -594,6 +692,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -28989,7 +29139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -647,11 +742,6 @@
+@@ -647,11 +746,6 @@
')
optional_policy(`
@@ -29001,7 +29151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
kerberos_use(initrc_t)
')
-@@ -690,12 +780,22 @@
+@@ -690,12 +784,22 @@
')
optional_policy(`
@@ -29024,7 +29174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -718,6 +818,10 @@
+@@ -718,6 +822,10 @@
')
optional_policy(`
@@ -29035,7 +29185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -760,8 +864,6 @@
+@@ -760,8 +868,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29044,7 +29194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -774,10 +876,12 @@
+@@ -774,10 +880,12 @@
squid_manage_logs(initrc_t)
')
@@ -29057,7 +29207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -790,6 +894,7 @@
+@@ -790,6 +898,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -29065,23 +29215,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
udev_manage_pid_files(initrc_t)
')
-@@ -801,8 +906,15 @@
- virt_manage_svirt_cache(initrc_t)
+@@ -798,11 +907,18 @@
')
+ optional_policy(`
+- virt_manage_svirt_cache(initrc_t)
++ virt_manage_cache(initrc_t)
++')
++
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_rw_pipes(daemon)
+ cron_rw_inherited_user_spool_files(daemon)
-+')
-+
+ ')
+
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -812,6 +924,25 @@
+@@ -812,6 +928,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29107,7 +29261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -837,3 +968,34 @@
+@@ -837,3 +972,34 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29144,7 +29298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-03-18 06:48:09.000000000 -0400
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-14 10:48:18.000000000 -0400
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-26 11:46:12.000000000 -0400
@@ -73,7 +73,7 @@
#
@@ -29188,15 +29342,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -291,6 +291,7 @@
+@@ -276,7 +276,7 @@
+ fs_list_tmpfs(ipsec_mgmt_t)
+
+ term_use_console(ipsec_mgmt_t)
+-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
++term_use_all_terms(ipsec_mgmt_t)
+
+ init_use_script_ptys(ipsec_mgmt_t)
+ init_exec_script_files(ipsec_mgmt_t)
+@@ -291,7 +291,9 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
+sysnet_read_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
++sysnet_etc_filetrans_config(ipsec_t)
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -386,6 +387,8 @@
+
+@@ -386,6 +388,8 @@
sysnet_exec_ifconfig(racoon_t)
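Review bot: `sysnet_etc_filetrans_config(ipsec_t)` on the added line names `ipsec_t`, yet it sits among the `ipsec_mgmt_t` rules and both the commit message and the spec changelog say the goal is to let ipsec_mgmt create /etc/resolv.conf; unless the ipsec_t daemon itself writes that file, this should read `sysnet_etc_filetrans_config(ipsec_mgmt_t)`. A filetrans only sets the label of a newly created file; the domain also needs a create/write grant on net_conf_t (refpolicy's `sysnet_manage_config()`), and only `sysnet_read_config(ipsec_mgmt_t)` is visible here, so confirm the rest is granted elsewhere. Separately, replacing `term_dontaudit_getattr_unallocated_ttys` with `term_use_all_terms(ipsec_mgmt_t)` grants read/write on every tty, pty and console type, far more than the "unallocated devpts" the message describes; `term_use_generic_ptys(ipsec_mgmt_t)`, the interface this same patch uses for virt_domain, is the matching narrower grant.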
@@ -29205,7 +29370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -412,6 +415,7 @@
+@@ -412,6 +416,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -29213,7 +29378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -423,3 +427,4 @@
+@@ -423,3 +428,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 94a9ea1..80c4810 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,12 @@ exit 0
%endif
%changelog
+* Mon Apr 26 2010 Dan Walsh 3.7.19-6
+- Allow initrc_t to read slapd_db_t
+Resolves: #585476
+- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf
+Resolves: #585963
+
* Thu Apr 22 2010 Dan Walsh 3.7.19-5
- Allow rlogind_t to search /root for .rhosts
Resolves: #582760