From 7554dddb4fdd375e604a03bff8422d302e645b50 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 26 2010 18:37:50 +0000 Subject: - Allow initrc_t to read slapd_db_t Resolves: #585476 - Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf Resolves: #585963 --- diff --git a/policy-F13.patch b/policy-F13.patch index 5f13ef2..5a1c439 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -5566,7 +5566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.19/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/qemu.te 2010-04-26 14:21:03.000000000 -0400 @@ -50,6 +50,8 @@ # # qemu local policy @@ -7008,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-22 11:50:15.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-04-26 11:35:42.000000000 -0400 @@ -49,7 +49,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
@@ -7023,8 +7023,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/pm/power\d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/pm/sleep\d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) @@ -7248,7 +7248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-03-05 10:46:32.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-04-26 10:13:11.000000000 -0400 @@ -934,6 +934,42 @@ ######################################## @@ -8676,7 +8676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-03-12 11:48:14.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-04-26 14:05:06.000000000 -0400 @@ -569,10 +569,10 @@ # interface(`fs_mount_cgroup', ` 
@@ -13388,8 +13388,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-20 08:19:53.000000000 -0400 -@@ -0,0 +1,91 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-04-26 10:13:28.000000000 -0400 +@@ -0,0 +1,92 @@ + +policy_module(boinc,1.0.0) + @@ -13461,6 +13461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +corenet_tcp_bind_boinc_port(boinc_t) +corenet_tcp_connect_http_port(boinc_t) + ++dev_list_sysfs(boinc_t) +dev_read_rand(boinc_t) +dev_read_urand(boinc_t) +dev_read_sysfs(boinc_t) @@ -17776,7 +17777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.19/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/git.te 2010-04-26 08:37:26.000000000 -0400 @@ -1,9 +1,193 @@ -policy_module(git, 1.0) @@ -17962,7 +17963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +optional_policy(` + apache_content_template(git) -+ git_read_session_content_files(httpd_git_script_t) ++ git_read_all_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') + 
@@ -18217,7 +18218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap +#/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.19/policy/modules/services/ldap.if --- nsaserefpolicy/policy/modules/services/ldap.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-21 13:40:21.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/ldap.if 2010-04-26 10:03:48.000000000 -0400 @@ -1,5 +1,43 @@ ## OpenLDAP directory server @@ -18262,7 +18263,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap ######################################## ## ## Read the contents of the OpenLDAP -@@ -71,6 +109,30 @@ +@@ -21,6 +59,25 @@ + + ######################################## + ## ++## Read the contents of the OpenLDAP ++## database files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ldap_read_db_files',` ++ gen_require(` ++ type slapd_db_t; ++ ') ++ ++ read_files_pattern($1, slapd_db_t, slapd_db_t) ++') ++ ++######################################## ++## + ## Read the OpenLDAP configuration files. + ## + ## +@@ -71,6 +128,30 @@ files_search_pids($1) allow $1 slapd_var_run_t:sock_file write; allow $1 slapd_t:unix_stream_socket connectto; @@ -24517,7 +24544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-04-26 14:03:38.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
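Review bot: The new `ldap_read_db_files` interface grants `read_files_pattern($1, slapd_db_t, slapd_db_t)` but no search on the parent directory, unlike the sibling interface further down this hunk, which pairs its slapd_var_run_t rules with `files_search_pids($1)`; a caller that does not already search /var/lib will be denied before it reaches the database directory. Adding `files_search_var_lib($1)` before the read pattern keeps the interface self-contained and matches the file's convention (assuming slapd_db_t is labelled under /var/lib, which this hunk does not show). These are inner `+` lines of the nested policy-F13.patch, so the change belongs in the inner hunk.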
@@ -24569,7 +24596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) kernel_read_network_state(smbd_t) -@@ -306,6 +317,8 @@ +@@ -306,8 +317,11 @@ dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) @@ -24577,8 +24604,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) ++fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -316,6 +329,7 @@ + fs_search_auto_mountpoints(smbd_t) + fs_getattr_rpc_dirs(smbd_t) +@@ -316,6 +330,7 @@ auth_use_nsswitch(smbd_t) auth_domtrans_chk_passwd(smbd_t) auth_domtrans_upd_passwd(smbd_t) @@ -24586,7 +24616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -325,6 +339,8 @@ +@@ -325,6 +340,8 @@ files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) @@ -24595,7 +24625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -337,10 +353,13 @@ +@@ -337,10 +354,13 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -24610,7 +24640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +371,19 @@ +@@ -352,19 +372,19 @@ ') tunable_policy(`samba_domain_controller',` @@ -24636,7 +24666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -376,6 +395,15 @@ +@@ -376,6 +396,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') 
@@ -24652,7 +24682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +419,11 @@ +@@ -391,6 +420,11 @@ ') optional_policy(` @@ -24664,7 +24694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +438,15 @@ +@@ -405,13 +439,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -24681,7 +24711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +455,8 @@ +@@ -420,8 +456,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -24691,7 +24721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -525,6 +560,7 @@ +@@ -525,6 +561,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; @@ -24699,7 +24729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +572,8 @@ +@@ -536,6 +573,8 @@ miscfiles_read_localization(smbcontrol_t) @@ -24708,7 +24738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +656,7 @@ +@@ -618,7 +657,7 @@ # SWAT Local policy # 
@@ -24717,7 +24747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +664,23 @@ +@@ -626,23 +665,23 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -24750,7 +24780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,7 +695,8 @@ +@@ -657,7 +696,8 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -24760,7 +24790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -700,6 +739,8 @@ +@@ -700,6 +740,8 @@ miscfiles_read_localization(swat_t) @@ -24769,7 +24799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +754,23 @@ +@@ -713,12 +755,23 @@ kerberos_use(swat_t) ') @@ -24794,7 +24824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -779,6 +831,9 @@ +@@ -779,6 +832,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -24804,7 +24834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +843,7 @@ +@@ -788,7 +844,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -24813,7 +24843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +921,18 @@ +@@ -866,6 +922,18 @@ # optional_policy(` @@ -24832,7 +24862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +943,12 @@ +@@ -876,9 +944,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -26288,30 +26318,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2010-04-26 14:21:28.000000000 -0400 
@@ -14,16 +14,16 @@ /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) -+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0-mls_systemhigh) ++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) ++/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) -+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh) ++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-04-26 14:24:32.000000000 -0400 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) 
@@ -26320,19 +26350,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt role system_r types $1_t; type $1_devpts_t; -@@ -35,9 +36,11 @@ +@@ -35,9 +36,7 @@ type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) +- +- type $1_var_run_t; +- files_pid_file($1_var_run_t) + dev_associate_sysfs($1_image_t) - type $1_var_run_t; - files_pid_file($1_var_run_t) -+ mls_trusted_object($1_var_run_t) - allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; term_create_pty($1_t, $1_devpts_t) -@@ -45,6 +48,7 @@ +@@ -45,6 +44,7 @@ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) manage_files_pattern($1_t, $1_image_t, $1_image_t) read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) @@ -26340,7 +26369,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -192,6 +196,7 @@ +@@ -57,18 +57,6 @@ + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + +- stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) +- manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) +- manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) +- manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) +- +- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) +- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +- manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +- manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) +- files_pid_filetrans($1_t, $1_var_run_t, { dir file }) +- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) +- + optional_policy(` + xserver_rw_shm($1_t) + ') +@@ -192,6 +180,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) 
@@ -26348,7 +26396,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +521,32 @@ +@@ -433,15 +422,15 @@ + ## + ## + # +-interface(`virt_manage_svirt_cache',` ++interface(`virt_manage_cache',` + gen_require(` +- type svirt_cache_t; ++ type virt_cache_t; + ') + + files_search_var($1) +- manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t) +- manage_files_pattern($1, svirt_cache_t, svirt_cache_t) +- manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t) ++ manage_dirs_pattern($1, virt_cache_t, virt_cache_t) ++ manage_files_pattern($1, virt_cache_t, virt_cache_t) ++ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + ') + + ######################################## +@@ -516,3 +505,32 @@ virt_manage_log($1) ') @@ -26383,7 +26452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-20 14:14:36.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-04-26 14:24:46.000000000 -0400 @@ -36,13 +36,6 @@ ## @@ -26398,6 +26467,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ## Allow virt to use usb devices ##
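Review bot: `interface(`virt_manage_cache',` replaces the public name `virt_manage_svirt_cache` outright, so any module outside this tree still calling the old interface fails to build, even though the type itself stays reachable through `alias svirt_cache_t` elsewhere in this commit; the only in-tree caller, init.te, is updated in the same commit. Keeping the old name as a forwarding interface whose body is `virt_manage_cache($1)`, optionally preceded by a `refpolicywarn` deprecation message as refpolicy does for retired interfaces, gives the interface the same compatibility the type alias gives the type.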

##
+@@ -51,12 +44,12 @@ + virt_domain_template(svirt) + role system_r types svirt_t; + +-type svirt_cache_t; +-files_type(svirt_cache_t) +- + attribute virt_domain; + attribute virt_image_type; + ++type virt_cache_t alias svirt_cache_t; ++files_type(virt_cache_t) ++ + type virt_etc_t; + files_config_file(virt_etc_t) + @@ -74,6 +67,7 @@ type virt_log_t; @@ -26406,7 +26491,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -155,12 +149,9 @@ +@@ -90,6 +84,11 @@ + type virtd_initrc_exec_t; + init_script_file(virtd_initrc_exec_t) + ++type qemu_var_run_t; ++typealias qemu_var_run_t alias svirt_var_run_t; ++files_pid_file(qemu_var_run_t) ++mls_trusted_object(qemu_var_run_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + ') +@@ -105,10 +104,6 @@ + + allow svirt_t self:udp_socket create_socket_perms; + +-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) +- + read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + + allow svirt_t svirt_image_t:dir search_dir_perms; +@@ -155,12 +150,9 @@ fs_manage_cifs_files(svirt_t) ') 
@@ -26420,15 +26528,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_manage_dos_dirs(svirt_t) fs_manage_dos_files(svirt_t) ') -@@ -194,6 +185,7 @@ +@@ -187,13 +179,16 @@ + allow virtd_t self:tun_socket create_socket_perms; + allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; + +-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t) +-manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t) ++manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) ++manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) + + manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) manage_files_pattern(virtd_t, virt_content_t, virt_content_t) - allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; -+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; +-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) ++stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -205,6 +197,7 @@ +@@ -205,6 +200,7 @@ manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -26436,7 +26556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt allow virtd_t virt_image_type:file { relabelfrom relabelto }; allow virtd_t virt_image_type:blk_file { relabelfrom relabelto }; -@@ -252,14 +245,20 @@ +@@ -252,14 +248,20 @@ # Init script handling domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) 
@@ -26458,7 +26578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -268,6 +267,14 @@ +@@ -268,6 +270,14 @@ fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -26473,7 +26593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt mcs_process_set_categories(virtd_t) storage_manage_fixed_disk(virtd_t) -@@ -291,15 +298,22 @@ +@@ -291,15 +301,22 @@ logging_send_syslog_msg(virtd_t) @@ -26496,7 +26616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -370,6 +384,7 @@ +@@ -370,6 +387,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) 
@@ -26504,7 +26624,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -446,6 +461,10 @@ +@@ -407,6 +425,20 @@ + allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; + allow virt_domain self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) ++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) ++files_var_filetrans(virt_domain, virt_cache_t, { file dir }) ++ ++manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) ++files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) ++stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) ++ ++allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; ++dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; ++ + append_files_pattern(virt_domain, virt_log_t, virt_log_t) + + append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) +@@ -446,6 +478,10 @@ fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -26515,6 +26656,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) +@@ -467,3 +503,4 @@ + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.19/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-04-14 10:48:18.000000000 -0400 
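Review bot: `manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)` and the surrounding virt_cache_t and qemu_var_run_t rules give every virt_domain type manage rights on one shared type, whereas the rules dropped from virt_domain_template (hunk `@@ -57,18 +57,6 @@` in virt.if) scoped the same accesses to a per-template `$1_var_run_t`. Since the type is also declared with `mls_trusted_object(qemu_var_run_t)` (hunk `@@ -90,6 +84,11 @@` in virt.te), type enforcement no longer separates one guest's runtime sockets and files from another's and the MLS constraints are exempted as well; whether the MCS category checks sVirt relies on still apply to this type cannot be told from this diff. If sharing one type across guests is intended, a comment above these rules, e.g. `# qemu_var_run_t and virt_cache_t are shared by all virt_domain types; per-guest separation is not provided by these labels`, records that decision; if not, the per-template type should be retained. These are inner `+` lines of policy-F13.patch at file scope in virt.te.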
@@ -28703,7 +28849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-22 08:33:38.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2010-04-26 14:20:49.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -28920,7 +29066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -517,6 +571,15 @@ +@@ -517,6 +571,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -28933,10 +29079,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + + optional_policy(` + gnome_manage_gconf_config(initrc_t) ++ ') ++ ++ optional_policy(` ++ ldap_read_db_files(initrc_t) ') optional_policy(` -@@ -542,6 +605,35 @@ +@@ -542,6 +609,35 @@ ') ') @@ -28972,7 +29122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +646,8 @@ +@@ -554,6 +650,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28981,7 +29131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -594,6 +688,7 @@ +@@ -594,6 +692,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28989,7 +29139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -647,11 +742,6 @@ +@@ -647,11 +746,6 @@ ') optional_policy(` 
@@ -29001,7 +29151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t kerberos_use(initrc_t) ') -@@ -690,12 +780,22 @@ +@@ -690,12 +784,22 @@ ') optional_policy(` @@ -29024,7 +29174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +818,10 @@ +@@ -718,6 +822,10 @@ ') optional_policy(` @@ -29035,7 +29185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -760,8 +864,6 @@ +@@ -760,8 +868,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29044,7 +29194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -774,10 +876,12 @@ +@@ -774,10 +880,12 @@ squid_manage_logs(initrc_t) ') @@ -29057,7 +29207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +894,7 @@ +@@ -790,6 +898,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -29065,23 +29215,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -801,8 +906,15 @@ - virt_manage_svirt_cache(initrc_t) +@@ -798,11 +907,18 @@ ') + optional_policy(` +- virt_manage_svirt_cache(initrc_t) ++ virt_manage_cache(initrc_t) ++') ++ +# Cron jobs used to start and stop services +optional_policy(` + cron_rw_pipes(daemon) + cron_rw_inherited_user_spool_files(daemon) -+') -+ + ') + optional_policy(` unconfined_domain(initrc_t) + domain_role_change_exemption(initrc_t) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +924,25 @@ +@@ -812,6 +928,25 @@ optional_policy(` mono_domtrans(initrc_t) ') 
@@ -29107,7 +29261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +968,34 @@ +@@ -837,3 +972,34 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -29144,7 +29298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-04-26 11:46:12.000000000 -0400 @@ -73,7 +73,7 @@ # @@ -29188,15 +29342,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # suppress audit messages about unnecessary socket access # cjp: this seems excessive domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t) -@@ -291,6 +291,7 @@ +@@ -276,7 +276,7 @@ + fs_list_tmpfs(ipsec_mgmt_t) + + term_use_console(ipsec_mgmt_t) +-term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t) ++term_use_all_terms(ipsec_mgmt_t) + + init_use_script_ptys(ipsec_mgmt_t) + init_exec_script_files(ipsec_mgmt_t) +@@ -291,7 +291,9 @@ seutil_dontaudit_search_config(ipsec_mgmt_t) +sysnet_read_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) ++sysnet_etc_filetrans_config(ipsec_t) userdom_use_user_terminals(ipsec_mgmt_t) -@@ -386,6 +387,8 @@ + +@@ -386,6 +388,8 @@ sysnet_exec_ifconfig(racoon_t) @@ -29205,7 +29370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -412,6 +415,7 @@ +@@ -412,6 +416,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) 
@@ -29213,7 +29378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) -@@ -423,3 +427,4 @@ +@@ -423,3 +428,4 @@ seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 94a9ea1..80c4810 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,12 @@ exit 0 %endif %changelog +* Mon Apr 26 2010 Dan Walsh 3.7.19-6 +- Allow initrc_t to read slapd_db_t +Resolves: #585476 +- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf +Resolves: #585963 + * Thu Apr 22 2010 Dan Walsh 3.7.19-5 - Allow rlogind_t to search /root for .rhosts Resolves: #582760