diff --git a/.cvsignore b/.cvsignore
index 5545237..6aa214a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -173,3 +173,4 @@ serefpolicy-3.6.15.tgz
 serefpolicy-3.6.16.tgz
 serefpolicy-3.6.17.tgz
 serefpolicy-3.6.18.tgz
+serefpolicy-3.6.19.tgz
diff --git a/policy-F12.patch b/policy-F12.patch
index 6ab49c0..2b884cb 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.6.18/Changelog
+--- nsaserefpolicy/Changelog 2009-06-22 17:07:19.000000000 -0400
++++ serefpolicy-3.6.18/Changelog 2009-06-20 06:26:58.000000000 -0400
+@@ -29,7 +29,6 @@
+ pingd (Dan Walsh)
+ psad (Dan Walsh)
+ portreserve (Dan Walsh)
+- sssd (Dan Walsh)
+ ulogd (Dan Walsh)
+ webadm (Dan Walsh)
+ xguest (Dan Walsh)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.18/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts 2008-11-11 16:13:50.000000000 -0500
 +++ serefpolicy-3.6.18/config/appconfig-mcs/default_contexts 2009-06-20 06:49:47.000000000 -0400
@@ -742,13 +753,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.18/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-20 06:55:20.000000000 -0400 -@@ -9,9 +9,12 @@ - /usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) ++++ serefpolicy-3.6.18/policy/modules/admin/rpm.fc 2009-06-22 16:05:55.000000000 -0400 +@@ -4,14 +4,12 @@ + /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) + +-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -+ + /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) - @@ -757,7 +772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,15 +24,22 @@ +@@ -21,15 +19,22 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) 
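Review bot: Nothing in the rpm.fc hunk re-labels `/usr/lib(64)?/rpm/rpmd`, `rpmq`, `rpmk` and `rpmv` once their `bin_t` entries are removed (`+-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)` and the three lines below it). Unless another file-context pattern already covers that directory, these helpers take the default label of their parent on the next relabel and are no longer executable as `bin_t` from the rpm domain; the corecommands.fc hunk later in this commit changes only a timestamp, so coverage cannot be confirmed from here. If the entries go because the binaries no longer ship, say so beside the remaining rules, e.g. `# rpmd/rpmq/rpmk/rpmv are no longer shipped; no bin_t entry needed`, and if a broader pattern covers them, name that pattern instead.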
@@ -5380,7 +5395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/kernel/corecommands.fc 2009-06-22 16:05:49.000000000 -0400 @@ -139,6 +139,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -5762,18 +5777,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type lvm_control_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.18/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-20 06:49:47.000000000 -0400 -@@ -65,7 +65,8 @@ - ') - - optional_policy(` ++++ serefpolicy-3.6.18/policy/modules/kernel/domain.if 2009-06-22 17:30:27.000000000 -0400 +@@ -44,34 +44,6 @@ + interface(`domain_type',` + # start with basic domain + domain_base_type($1) +- +- ifdef(`distro_redhat',` +- optional_policy(` +- unconfined_use_fds($1) +- ') +- ') +- +- # send init a sigchld and signull +- optional_policy(` +- init_sigchld($1) +- init_signull($1) +- ') +- +- # these seem questionable: +- +- optional_policy(` +- rpm_use_fds($1) +- rpm_read_pipes($1) +- ') +- +- optional_policy(` - selinux_dontaudit_getattr_fs($1) -+ selinux_getattr_fs($1) -+ selinux_search_fs($1) - selinux_dontaudit_read_fs($1) - ') +- selinux_dontaudit_read_fs($1) +- ') +- +- optional_policy(` +- seutil_dontaudit_read_config($1) +- ') + ') -@@ -1248,18 +1249,34 @@ + ######################################## +@@ -1248,18 +1220,34 @@ ## ## # @@ -5811,7 +5851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow specified type to receive labeled ## networking packets from all domains, over ## all protocols (TCP, UDP, etc) -@@ -1280,6 +1297,24 @@ +@@ -1280,6 +1268,24 @@ ######################################## ## 
@@ -5838,7 +5878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-22 17:32:55.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -5909,11 +5949,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,50 @@ +@@ -153,3 +174,73 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + ++selinux_getattr_fs(domain) ++selinux_search_fs(domain) ++selinux_dontaudit_read_fs(domain) ++ ++seutil_dontaudit_read_config(domain) ++ ++init_sigchld(domain) ++init_signull(domain) ++ ++ifdef(`distro_redhat',` ++ optional_policy(` ++ unconfined_use_fds(domain) ++ ') ++') ++ ++# these seem questionable: ++ ++optional_policy(` ++ rpm_use_fds(domain) ++ rpm_read_pipes(domain) ++') ++ ++ +tunable_policy(`allow_domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; 
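Review bot: `# these seem questionable:` is carried over verbatim above `rpm_use_fds(domain)` / `rpm_read_pipes(domain)` in the domain.te hunk, so rules now granted to every type carrying the `domain` attribute document a doubt rather than a reason. Moving them out of `domain_type` (the removal side is the domain.if hunk `@@ -5762,18 +5777,43 @@` above) also means they reach any type that acquires `domain` without going through `domain_type`, if `domain_base_type` alone confers the attribute — that is not visible here. Replace the comment with the concrete reason and the condition under which the grant can be narrowed, e.g. `# every domain may inherit rpm's fds/pipes when started from a scriptlet -- TODO confirm and narrow`; the same applies to the unexplained `unconfined_use_fds(domain)` under `ifdef(`distro_redhat'`. The two added blank lines before `tunable_policy(` leave three in a row and can go.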
@@ -6512,7 +6575,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive kernel_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.18/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/kernel/selinux.if 2009-06-22 17:16:37.000000000 -0400 @@ -40,7 +40,7 @@ # because of this statement, any module which @@ -12744,8 +12807,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.18/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,235 @@ ++++ serefpolicy-3.6.18/policy/modules/services/devicekit.te 2009-06-21 08:58:27.000000000 -0400 +@@ -0,0 +1,237 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -12893,6 +12956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; ++allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; + +manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) 
@@ -12945,6 +13009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ polkit_dbus_chat(devicekit_disk_t) + polkit_domtrans_auth(devicekit_disk_t) + polkit_read_lib(devicekit_disk_t) + polkit_read_reload(devicekit_disk_t) @@ -15087,6 +15152,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.18/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2009-05-21 08:43:08.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/mysql.te 2009-06-22 17:04:01.000000000 -0400 +@@ -136,6 +136,8 @@ + + domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) + ++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; ++ + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +@@ -152,7 +154,7 @@ + + miscfiles_read_localization(mysqld_safe_t) + +-mysql_append_db_files(mysqld_safe_t) ++mysql_manage_db_files(mysqld_safe_t) + mysql_read_config(mysqld_safe_t) + mysql_search_pid_files(mysqld_safe_t) + mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.18/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.18/policy/modules/services/nagios.fc 2009-06-20 06:49:47.000000000 -0400 
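Review bot: `mysql_manage_db_files(mysqld_safe_t)` widens the mysqld_safe wrapper domain from append-only to full create/write/delete on the database files, and neither that line nor the new `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` in the mysql.te hunk says which operation of the wrapper requires it. The wrapper is the script that launches the server, so a single rule giving it the power to remove or rewrite data files is a larger trust step than the socket cleanup and deserves a one-line justification next to each rule, e.g. `# mysqld_safe removes a stale server socket before restarting mysqld -- TODO confirm`. If only a subset of the manage permissions is actually exercised, keep `mysql_append_db_files` and add the narrower permission rather than the whole set.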
@@ -22119,41 +22205,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.18/policy/modules/services/sssd.fc ---- nsaserefpolicy/policy/modules/services/sssd.fc 1969-12-31 19:00:00.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/sssd.fc 2009-06-22 17:07:19.000000000 -0400 +++ serefpolicy-3.6.18/policy/modules/services/sssd.fc 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,6 @@ -+ -+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -+ +@@ -1,6 +1,6 @@ +-/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) + + /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) + +-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) +/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) -+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) + /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.18/policy/modules/services/sssd.if ---- nsaserefpolicy/policy/modules/services/sssd.if 1969-12-31 19:00:00.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/sssd.if 2009-06-22 17:07:19.000000000 -0400 +++ serefpolicy-3.6.18/policy/modules/services/sssd.if 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,249 @@ +@@ -1,4 +1,5 @@ +-## System Security Services Daemon + +## policy for sssd -+ -+######################################## -+## -+## Execute a domain transition to run sssd. -+## -+## -+## -+## Domain allowed to transition. 
-+## -+## -+# -+interface(`sssd_domtrans',` -+ gen_require(` + + ######################################## + ## +@@ -12,12 +13,32 @@ + # + interface(`sssd_domtrans',` + gen_require(` +- type sssd_t, sssd_exec_t; + type sssd_t; + type sssd_exec_t; -+ ') -+ -+ domtrans_pattern($1,sssd_exec_t,sssd_t) -+') -+ + ') + + domtrans_pattern($1, sssd_exec_t, sssd_t) + ') + + +######################################## +## 
@@ -22173,106 +22257,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + init_labeled_script_domtrans($1,sssd_initrc_exec_t) +') + -+######################################## -+## -+## Read sssd PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_read_pid_files',` -+ gen_require(` -+ type sssd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 sssd_var_run_t:file read_file_perms; -+') -+ -+######################################## -+## -+## Manage sssd var_run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ######################################## + ## + ## Read sssd PID files. +@@ -47,15 +68,17 @@ + ## + ## + # +-interface(`sssd_manage_pids',` +interface(`sssd_manage_var_run',` -+ gen_require(` -+ type sssd_var_run_t; -+ ') -+ -+ manage_dirs_pattern($1,sssd_var_run_t,sssd_var_run_t) -+ manage_files_pattern($1,sssd_var_run_t,sssd_var_run_t) + gen_require(` + type sssd_var_run_t; + ') + + manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) + manage_lnk_files_pattern($1,sssd_var_run_t,sssd_var_run_t) -+') -+ -+ -+######################################## -+## -+## Search sssd lib directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_search_lib',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') -+ -+ allow $1 sssd_var_lib_t:dir search_dir_perms; -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read sssd lib files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_read_lib_files',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## sssd lib files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sssd_manage_lib_files',` -+ gen_require(` -+ type sssd_var_lib_t; -+ ') -+ -+ files_search_var_lib($1) -+ manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -+') + ') + + -+######################################## -+## + ######################################## + ## + ## Search sssd lib directories. +@@ -116,6 +139,27 @@ + + ######################################## + ## +## Manage sssd var_lib files. +## +## 
@@ -22294,125 +22304,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Send and receive messages from -+## sssd over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_dbus_chat',` -+ gen_require(` -+ type sssd_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 sssd_t:dbus send_msg; -+ allow sssd_t $1:dbus send_msg; -+') -+ -+ -+######################################## -+## -+## Connect to sssd over an unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`sssd_stream_connect',` -+ gen_require(` -+ type sssd_t, sssd_var_lib_t; -+ ') -+ -+ files_search_pids($1) + ## Send and receive messages from + ## sssd over dbus. + ## +@@ -151,7 +196,8 @@ + ') + + files_search_pids($1) +- stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) + write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + allow $1 sssd_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## All of the rules required to administrate -+## an sssd environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the sssd domain. -+## -+## -+## -+## -+## The type of the user terminal. 
-+## -+## -+## -+# -+interface(`sssd_admin',` -+ gen_require(` -+ type sssd_t; -+ ') -+ -+ allow $1 sssd_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, sssd_t, sssd_t) -+ -+ -+ gen_require(` -+ type sssd_initrc_exec_t; -+ ') -+ -+ # Allow sssd_t to restart the apache service -+ sssd_initrc_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 sssd_initrc_exec_t system_r; -+ allow $2 system_r; -+ + ') + + ######################################## +@@ -194,7 +241,9 @@ + role_transition $2 sssd_initrc_exec_t system_r; + allow $2 system_r; + +- sssd_manage_pids($1) + sssd_manage_var_run($1) + + sssd_manage_var_lib($1) -+ -+') + +- sssd_manage_lib_files($1) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.18/policy/modules/services/sssd.te ---- nsaserefpolicy/policy/modules/services/sssd.te 1969-12-31 19:00:00.000000000 -0500 +--- nsaserefpolicy/policy/modules/services/sssd.te 2009-06-22 17:07:19.000000000 -0400 +++ serefpolicy-3.6.18/policy/modules/services/sssd.te 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,74 @@ -+policy_module(sssd,1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type sssd_t; -+type sssd_exec_t; -+init_daemon_domain(sssd_t, sssd_exec_t) -+ +@@ -10,43 +9,54 @@ + type sssd_exec_t; + init_daemon_domain(sssd_t, sssd_exec_t) + +permissive sssd_t; + -+type sssd_initrc_exec_t; -+init_script_file(sssd_initrc_exec_t) -+ -+type sssd_var_run_t; -+files_pid_file(sssd_var_run_t) -+ + type sssd_initrc_exec_t; + init_script_file(sssd_initrc_exec_t) + +-type sssd_var_lib_t; +-files_type(sssd_var_lib_t) +- + type sssd_var_run_t; + files_pid_file(sssd_var_run_t) + +type sssd_var_lib_t; +files_type(sssd_var_lib_t) + -+######################################## -+# -+# sssd local policy -+# -+allow sssd_t self:capability { sys_nice setuid }; -+allow sssd_t self:process { setsched signal getsched }; + 
######################################## + # + # sssd local policy + # + allow sssd_t self:capability { sys_nice setuid }; + allow sssd_t self:process { setsched signal getsched }; +allow sssd_t tmp_t:dir { read getattr open }; + +# Init script handling 
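Review bot: `permissive sssd_t;` in the sssd.te part of this hunk disables enforcement for a domain that the same file gives `setuid` (`allow sssd_t self:capability { sys_nice setuid };`) and, in the next hunk, `auth_domtrans_chk_passwd`/`auth_domtrans_upd_passwd`, and the line carries no comment on why or until when. Permissive domains still emit AVC denials, so if the intent is to collect them while the policy is written, record that with an exit condition, e.g. `# permissive while the sssd policy is being completed; remove once no AVCs remain -- TODO`. `allow sssd_t tmp_t:dir { read getattr open };` names the kernel-layer type `tmp_t` directly instead of going through a files interface, and `files_list_tmp(sssd_t)` is already called further down the file, so the direct rule looks redundant. In the sssd.if part, `write_sock_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)` plus `allow $1 sssd_t:unix_stream_socket connectto;` replaces upstream's `stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)`; if the point is the extra sock_file permissions the write pattern grants, say so in a comment, otherwise the single pattern call is the clearer form.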
@@ -22420,45 +22363,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# internal communication is often done using fifo and unix sockets. +allow sssd_t self:process signal; -+allow sssd_t self:fifo_file rw_file_perms; -+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ -+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -+files_pid_filetrans(sssd_t,sssd_var_run_t, { file dir }) -+ + allow sssd_t self:fifo_file rw_file_perms; + allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +-manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +-manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +-manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +-files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) +- + manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) + manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) + files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + +-kernel_read_system_state(sssd_t) +manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) -+ -+corecmd_exec_bin(sssd_t) -+ -+dev_read_urand(sssd_t) -+ + + corecmd_exec_bin(sssd_t) + + dev_read_urand(sssd_t) + +kernel_read_system_state(sssd_t) + -+files_list_tmp(sssd_t) -+files_read_etc_files(sssd_t) -+files_read_usr_files(sssd_t) -+ + files_list_tmp(sssd_t) + files_read_etc_files(sssd_t) + files_read_usr_files(sssd_t) + +fs_list_inotifyfs(sssd_t) + -+auth_use_nsswitch(sssd_t) -+auth_domtrans_chk_passwd(sssd_t) -+auth_domtrans_upd_passwd(sssd_t) -+ -+init_read_utmp(sssd_t) -+ -+logging_send_syslog_msg(sssd_t) -+logging_send_audit_msgs(sssd_t) -+ -+miscfiles_read_localization(sssd_t) -+ 
-+optional_policy(` -+ dbus_system_bus_client(sssd_t) -+ dbus_connect_system_bus(sssd_t) -+') + auth_use_nsswitch(sssd_t) + auth_domtrans_chk_passwd(sssd_t) + auth_domtrans_upd_passwd(sssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.18/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-03-23 13:47:11.000000000 -0400 +++ serefpolicy-3.6.18/policy/modules/services/uucp.te 2009-06-20 06:49:47.000000000 -0400 @@ -23036,7 +22973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.18/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/virt.te 2009-06-22 18:01:06.000000000 -0400 @@ -8,19 +8,38 @@ ## @@ -23248,9 +23185,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + lvm_domtrans(virtd_t) +') + @@ -23259,8 +23195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -23269,7 +23206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +287,92 @@ +@@ -195,8 +287,94 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) 
@@ -23302,6 +23239,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) +files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) + ++read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) ++ +allow svirt_t svirt_image_t:dir search_dir_perms; +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) @@ -26536,7 +26475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.18/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/system/logging.te 2009-06-22 13:05:34.000000000 -0400 @@ -126,7 +126,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -28368,7 +28307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.18/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/system/udev.te 2009-06-22 13:05:54.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
@@ -28377,7 +28316,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -140,6 +141,7 @@ +@@ -111,6 +112,7 @@ + + fs_getattr_all_fs(udev_t) + fs_list_inotifyfs(udev_t) ++fs_rw_anon_inodefs_files(udev_t) + + mcs_ptrace_all(udev_t) + +@@ -140,6 +142,7 @@ logging_send_audit_msgs(udev_t) miscfiles_read_localization(udev_t) @@ -28385,7 +28332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(udev_t) # read modules.inputmap: -@@ -182,9 +184,11 @@ +@@ -182,9 +185,11 @@ # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) @@ -28400,7 +28347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,6 +198,10 @@ +@@ -194,6 +199,10 @@ ') optional_policy(` @@ -28411,7 +28358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol brctl_domtrans(udev_t) ') -@@ -202,6 +210,10 @@ +@@ -202,6 +211,10 @@ ') optional_policy(` @@ -28422,7 +28369,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(udev_t) ') -@@ -210,6 +222,11 @@ +@@ -210,6 +223,11 @@ ') optional_policy(` @@ -28434,7 +28381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(udev_t) ') -@@ -219,6 +236,7 @@ +@@ -219,6 +237,7 @@ optional_policy(` hal_dgram_send(udev_t) @@ -28442,7 +28389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -228,6 +246,10 @@ +@@ -228,6 +247,10 @@ ') optional_policy(` @@ -28453,7 +28400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -242,6 +264,10 @@ +@@ -242,6 +265,10 @@ ') optional_policy(` 
diff --git a/selinux-policy.spec b/selinux-policy.spec index b2dc843..dfebdc7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.6.18 +Version: 3.6.19 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -183,7 +183,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 3000. +Based off of reference policy: Checked out revision 3002. %build @@ -473,6 +473,10 @@ exit 0 %endif %changelog +* Sat Jun 20 2009 Dan Walsh 3.6.19-1 +- Update to upstream + * add sssd + * Sat Jun 20 2009 Dan Walsh 3.6.18-1 - Update to upstream * cleanup diff --git a/sources b/sources index 21b7b14..329c580 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2513cf1675a62086dbd60387d6a74861 serefpolicy-3.6.18.tgz +c0dc13f604297fb85fc945cffae899e0 serefpolicy-3.6.19.tgz