From 8f37e1b0d676cb8fe06a730061a2c82e4e1d206c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 04 2013 19:02:13 +0000 Subject: - init reload from systemd_localed_t - Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd - Allow systemd_localed_t to ask systemd to reload the locale. - Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory - Allow readahead to read /dev/urand - Fix lots of avcs about tuned - Any file names xenstored in /var/log should be treated as xenstored_var_log_t - Allow tuned to inderact with hugepages - Allow condor domains to list etc rw dirs --- diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 76f9c57..49eb805 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -13395,7 +13395,7 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..39f85e7 100644 +index 3f2b672..ff94f23 100644 --- a/condor.te +++ b/condor.te @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) @@ -13418,7 +13418,7 @@ index 3f2b672..39f85e7 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,15 +63,20 @@ condor_domain_template(startd) +@@ -57,15 +63,21 @@ condor_domain_template(startd) # Global local policy # @@ -13434,6 +13434,7 @@ index 3f2b672..39f85e7 100644 +allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms; + ++allow condor_domain condor_etc_rw_t:dir list_dir_perms; +rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) 
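Review bot: The new `allow condor_domain condor_etc_rw_t:dir list_dir_perms;` is a raw allow rule placed directly above `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)`, which already grants `search` on that directory; the rest of condor.te expresses directory access through refpolicy pattern macros, so `list_dirs_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` would match the surrounding style and keep the domain/type relationship declared the way the other rules do. If the raw rule is kept on purpose, a one-line comment saying why listing rather than search is needed would help the next reader of the Global local policy block. That block continues in the following hunks of this patch, outside this one.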
@@ -13444,7 +13445,7 @@ index 3f2b672..39f85e7 100644 logging_log_filetrans(condor_domain, condor_log_t, { dir file }) manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13458,7 +13459,7 @@ index 3f2b672..39f85e7 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +114,9 @@ dev_read_rand(condor_domain) +@@ -106,9 +115,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13470,7 +13471,7 @@ index 3f2b672..39f85e7 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +133,7 @@ optional_policy(` +@@ -125,7 +134,7 @@ optional_policy(` # Master local policy # @@ -13479,7 +13480,7 @@ index 3f2b672..39f85e7 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13490,7 +13491,7 @@ index 3f2b672..39f85e7 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) 
@@ -13499,7 +13500,7 @@ index 3f2b672..39f85e7 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13508,7 +13509,7 @@ index 3f2b672..39f85e7 100644 ##################################### # # Negotiator local policy -@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13517,7 +13518,7 @@ index 3f2b672..39f85e7 100644 ###################################### # # Procd local policy -@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; +@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; @@ -13527,7 +13528,7 @@ index 3f2b672..39f85e7 100644 domain_read_all_domains_state(condor_procd_t) -@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; 
@@ -13536,7 +13537,7 @@ index 3f2b672..39f85e7 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13545,7 +13546,7 @@ index 3f2b672..39f85e7 100644 ##################################### # # Startd local policy -@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13558,7 +13559,7 @@ index 3f2b672..39f85e7 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +271,7 @@ optional_policy(` +@@ -249,3 +272,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -39226,10 +39227,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..154cade 100644 +index 6ffaba2..adf8fe5 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,67 @@ +@@ -1,38 +1,68 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) 
@@ -39260,6 +39261,7 @@ index 6ffaba2..154cade 100644 +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -39332,7 +39334,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..bb32d40 100644 +index 6194b80..37abdbe 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -40023,7 +40025,7 @@ index 6194b80..bb32d40 100644 ## ## ## -@@ -530,45 +499,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +499,54 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -40098,6 +40100,7 @@ index 6194b80..bb32d40 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS") + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex") + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ') + @@ -68647,7 +68650,7 @@ index 661bb88..06f69c4 100644 +') + diff --git a/readahead.te b/readahead.te -index f1512d6..bc627d7 100644 +index f1512d6..8ee7e70 100644 --- a/readahead.te +++ b/readahead.te @@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; 
@@ -68658,7 +68661,7 @@ index f1512d6..bc627d7 100644 init_daemon_run_dir(readahead_var_run_t, "readahead") ######################################## -@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) +@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) @@ -68673,11 +68676,12 @@ index f1512d6..bc627d7 100644 -dev_read_sysfs(readahead_t) +dev_rw_sysfs(readahead_t) +dev_read_kmsg(readahead_t) ++dev_read_urand(readahead_t) +dev_write_kmsg(readahead_t) dev_getattr_generic_chr_files(readahead_t) dev_getattr_generic_blk_files(readahead_t) dev_getattr_all_chr_files(readahead_t) -@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t) +@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t) domain_read_all_domains_state(readahead_t) files_create_boot_flag(readahead_t) @@ -68700,7 +68704,7 @@ index f1512d6..bc627d7 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t) +@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -68715,7 +68719,7 @@ index f1512d6..bc627d7 100644 mls_file_read_all_levels(readahead_t) storage_raw_read_fixed_disk(readahead_t) -@@ -84,13 +98,15 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) @@ -89332,7 +89336,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..b957a0f 100644 +index 7116181..935ec1d 100644 --- a/tuned.te +++ b/tuned.te 
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -89361,7 +89365,7 @@ index 7116181..b957a0f 100644 read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,10 +47,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) @@ -89375,18 +89379,25 @@ index 7116181..b957a0f 100644 +manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) +manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t) +files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir }) ++can_exec(tuned_t, tuned_tmp_t) manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) -@@ -57,6 +65,7 @@ kernel_request_load_module(tuned_t) + files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) ++can_exec(tuned_t, tuned_var_run_t) + + kernel_read_system_state(tuned_t) + kernel_read_network_state(tuned_t) +@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) +kernel_setsched(tuned_t) ++kernel_rw_all_sysctls(tuned_t) corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +73,53 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -89395,6 +89406,7 @@ index 7116181..b957a0f 100644 dev_rw_netcontrol(tuned_t) -files_read_usr_files(tuned_t) ++files_dontaudit_all_access_check(tuned_t) files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) 
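Review bot: `can_exec(tuned_t, tuned_tmp_t)` and `can_exec(tuned_t, tuned_var_run_t)` grant execute on the same types tuned already has `manage_files_pattern` on and creates through `files_tmp_filetrans` and `files_pid_filetrans`, so the domain can write a file into /tmp or its run directory and then execute it; if only tuned's own helper scripts need this, labelling them with a dedicated exec type and leaving the tmp and run types non-executable would be tighter, and a comment naming the component that writes and executes files there would make the grant reviewable. Separately, `kernel_rw_all_sysctls(tuned_t)` subsumes the `kernel_rw_kernel_sysctl`, `kernel_rw_hotplug_sysctls` and `kernel_rw_vm_sysctls` rules kept just above it, so either those three are now redundant or the broad rule should be narrowed to the sysctl groups tuned actually touches. The `files_dontaudit_all_access_check(tuned_t)` line later in this hunk also silences every access(2) denial for the domain, which will hide the AVCs that future policy fixes for tuned would otherwise be driven by. The tuned_t local policy block continues past the end of this hunk.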
@@ -89402,6 +89414,7 @@ index 7116181..b957a0f 100644 -fs_getattr_xattr_fs(tuned_t) +fs_getattr_all_fs(tuned_t) +fs_search_all(tuned_t) ++fs_rw_hugetlbfs_files(tuned_t) + +auth_use_nsswitch(tuned_t) @@ -96042,10 +96055,10 @@ index 7c7f7fa..20ce90b 100644 + xserver_manage_core_devices(wm_domain) +') diff --git a/xen.fc b/xen.fc -index 42d83b0..7977c2c 100644 +index 42d83b0..5f18f6e 100644 --- a/xen.fc +++ b/xen.fc -@@ -1,38 +1,40 @@ +@@ -1,38 +1,41 @@ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) -/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) @@ -96087,6 +96100,7 @@ index 42d83b0..7977c2c 100644 /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) ++/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0) /var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) /var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index e8add89..211029f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 86%{?dist} +Release: 87%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -571,6 +571,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Oct 4 2013 Miroslav Grepl 3.12.1-87 +- init reload from systemd_localed_t +- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd +- Allow systemd_localed_t to ask systemd to reload the locale. +- Add systemd_runtime_unit_file_t type for unit files that systemd creates in memory +- Allow readahead to read /dev/urand +- Fix lots of avcs about tuned +- Any file names xenstored in /var/log should be treated as xenstored_var_log_t +- Allow tuned to inderact with hugepages +- Allow condor domains to list etc rw dirs + * Fri Oct 4 2013 Miroslav Grepl 3.12.1-86 - Fix nscd_shm_use() - Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services.