diff --git a/policy-F14.patch b/policy-F14.patch index a01e1ac..384f625 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -858,6 +858,16 @@ index aa0dcc6..0faba2a 100644 + dbus_read_config(prelink_t) + ') +') +diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc +index 7077413..70edcd6 100644 +--- a/policy/modules/admin/readahead.fc ++++ b/policy/modules/admin/readahead.fc +@@ -1,3 +1,5 @@ + /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) ++/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index 2df2f1d..c1aaa79 100644 --- a/policy/modules/admin/readahead.te @@ -1545,11 +1555,27 @@ index c368bdc..c927b85 100644 +type sudo_db_t; +files_type(sudo_db_t) + +diff --git a/policy/modules/admin/tmpreaper.fc b/policy/modules/admin/tmpreaper.fc +index 81077db..8208e86 100644 +--- a/policy/modules/admin/tmpreaper.fc ++++ b/policy/modules/admin/tmpreaper.fc +@@ -1,2 +1,3 @@ + /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) + /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) ++/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:tmpreaper_exec_t,s0) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..50cd538 100644 +index 6a5004b..c59c3cd 100644 --- a/policy/modules/admin/tmpreaper.te 
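Review bot: The readahead.fc hunk (`@@ -1,3 +1,5 @@`) ends with a bare `++` line, so the file gains a trailing empty line after the new `/lib/systemd/systemd-readahead.*` entry. The tmpreaper.fc hunk added by the next outer hunk appends its `/lib/systemd/systemd-tmpfiles` entry without one, so the two new .fc additions are inconsistent. Drop the trailing blank line so both files end directly after their last context entry.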
+++ b/policy/modules/admin/tmpreaper.te -@@ -25,8 +25,11 @@ fs_getattr_xattr_fs(tmpreaper_t) +@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) + + type tmpreaper_t; + type tmpreaper_exec_t; ++init_system_domain(tmpreaper_t, tmpreaper_exec_t) + application_domain(tmpreaper_t, tmpreaper_exec_t) + role system_r types tmpreaper_t; + +@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t) files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -1561,7 +1587,7 @@ index 6a5004b..50cd538 100644 files_getattr_all_dirs(tmpreaper_t) files_getattr_all_files(tmpreaper_t) -@@ -52,7 +55,9 @@ optional_policy(` +@@ -52,7 +56,9 @@ optional_policy(` ') optional_policy(` @@ -1571,7 +1597,7 @@ index 6a5004b..50cd538 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,6 +71,14 @@ optional_policy(` +@@ -66,6 +72,14 @@ optional_policy(` ') optional_policy(` @@ -7182,7 +7208,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..46af2a4 100644 +index 0eb1d97..303d994 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ @@ -7216,7 +7242,7 @@ index 0eb1d97..46af2a4 100644 /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -109,6 +117,8 @@ ifdef(`distro_debian',` +@@ -109,11 +117,14 @@ ifdef(`distro_debian',` /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) ') 
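Review bot: `init_system_domain(tmpreaper_t, tmpreaper_exec_t)` is inserted directly above `application_domain(tmpreaper_t, tmpreaper_exec_t)` and `role system_r types tmpreaper_t;`, and in refpolicy init_system_domain() itself expands to an application_domain() call plus that same system_r role assignment, so the two following lines become duplicates of what the new call already declares. The duplication is harmless to the compiler but misleading to the next reader, who will assume both calls are needed. If the local definition of init_system_domain() matches upstream's, drop the two lines after the new call; if it differs, a one-line comment above them saying why both are kept is worth adding.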
@@ -7225,7 +7251,13 @@ index 0eb1d97..46af2a4 100644 # # /lib # -@@ -126,6 +136,8 @@ ifdef(`distro_gentoo',` + + /lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ++/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0) + /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) + /lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + +@@ -126,6 +137,8 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -7234,7 +7266,7 @@ index 0eb1d97..46af2a4 100644 # # /sbin -@@ -145,6 +157,12 @@ ifdef(`distro_gentoo',` +@@ -145,6 +158,12 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7247,7 +7279,7 @@ index 0eb1d97..46af2a4 100644 ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -169,6 +187,7 @@ ifdef(`distro_gentoo',` +@@ -169,6 +188,7 @@ ifdef(`distro_gentoo',` /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7255,7 +7287,7 @@ index 0eb1d97..46af2a4 100644 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -205,7 +224,8 @@ ifdef(`distro_gentoo',` +@@ -205,7 +225,8 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -7265,7 +7297,7 @@ index 0eb1d97..46af2a4 100644 /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -@@ -218,8 +238,11 @@ ifdef(`distro_gentoo',` +@@ -218,8 +239,11 @@ ifdef(`distro_gentoo',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -7277,7 +7309,7 @@ index 0eb1d97..46af2a4 100644 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +251,8 @@ ifdef(`distro_gentoo',` +@@ -228,6 +252,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7286,7 +7318,7 @@ index 0eb1d97..46af2a4 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +339,7 @@ ifdef(`distro_redhat', ` +@@ -314,6 +340,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -7294,7 +7326,7 @@ index 0eb1d97..46af2a4 100644 ') ifdef(`distro_suse', ` -@@ -340,3 +366,27 @@ ifdef(`distro_suse', ` +@@ -340,3 +367,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8987,25 +9019,31 @@ index 07352a5..12e9ecf 100644 #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; 
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index 59bae6a..16f0f9e 100644 +index 59bae6a..2e55e71 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -2,5 +2,10 @@ +@@ -2,5 +2,16 @@ /dev/shm/.* <> /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) +/cgroup/.* <> ++/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) ++/lib/udev/devices/hugepages/.* <> ++ ++/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) ++/lib/udev/devices/shm/.* <> ++ +/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup(/.*)? <> + +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..51d47a0 100644 +index 437a42a..c0e1d3a 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if -@@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',` +@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -9013,7 +9051,31 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -665,6 +666,7 @@ interface(`fs_list_cgroup_dirs', ` + ######################################## + ## ++## Relabelto cgroup directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabelto_cgroup_dirs',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ relabelto_dirs_pattern($1, cgroup_t, cgroup_t) ++') ++ ++######################################## ++## + ## list cgroup directories. + ## + ## +@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) @@ -9021,7 +9083,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -684,6 +686,7 @@ interface(`fs_delete_cgroup_dirs', ` +@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) 
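Review bot: The new `/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)` and `/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)` entries put pseudo-filesystem types on directories that live on the root filesystem, so every domain allowed to manage tmpfs_t or hugetlbfs_t directories (init_t receives `fs_manage_tmpfs_dirs` and `fs_manage_hugetlbfs_dirs` later in this patch) can now also create and remove entries in that on-disk seed tree. That is presumably intended as mount-point placeholders, the same pattern terminal.fc uses for `/lib/udev/devices/console`, but unlike terminal.fc these lines carry no explanation. Add a comment above them in the style of terminal.fc's `# used by init scripts to initally populate udev /dev` so the unusual labels are not "fixed" by a later cleanup.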
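Review bot: `fs_relabelto_cgroup_dirs` omits the `dev_search_sysfs($1)` call that every sibling cgroup interface in this file ends with (`fs_search_cgroup_dirs`, `fs_list_cgroup_dirs`, `fs_delete_cgroup_dirs`, `fs_manage_cgroup_dirs` and the file-level variants all follow their pattern call with it), so a caller that has only this interface cannot reach cgroup_t under /sys/fs/cgroup, where filesystem.fc places it, unless it obtains sysfs search elsewhere. Add `dev_search_sysfs($1)` after `relabelto_dirs_pattern($1, cgroup_t, cgroup_t)` for consistency with the rest of the cgroup family. The `gen_require(` block of the new interface also contains a stray blank line before its closing `')` that none of the neighbouring interfaces have.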
@@ -9029,7 +9091,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -704,6 +707,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) @@ -9037,7 +9099,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -724,6 +728,7 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) @@ -9045,7 +9107,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -743,6 +748,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -9053,7 +9115,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -763,6 +769,7 @@ interface(`fs_rw_cgroup_files',` +@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -9061,7 +9123,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -803,6 +810,7 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) @@ -9069,7 +9131,7 @@ index 437a42a..51d47a0 100644 dev_search_sysfs($1) ') -@@ -1227,6 +1235,24 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1254,24 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -9094,7 +9156,7 @@ index 437a42a..51d47a0 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1267,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1286,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -9103,7 +9165,7 @@ index 437a42a..51d47a0 100644 ') ######################################## -@@ -1504,6 +1530,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1549,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') 
@@ -9129,7 +9191,7 @@ index 437a42a..51d47a0 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1931,7 +1976,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +1995,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -9157,7 +9219,7 @@ index 437a42a..51d47a0 100644 ## ## ## -@@ -1946,6 +2010,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2029,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -9199,7 +9261,7 @@ index 437a42a..51d47a0 100644 ######################################## ## -@@ -1999,6 +2098,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2117,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -9207,7 +9269,7 @@ index 437a42a..51d47a0 100644 ') ######################################## -@@ -2395,6 +2495,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -9233,7 +9295,7 @@ index 437a42a..51d47a0 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2554,24 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -9258,7 +9320,7 @@ index 437a42a..51d47a0 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2586,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -9267,7 +9329,7 @@ index 437a42a..51d47a0 100644 ') ######################################## -@@ -2637,6 +2774,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## 
@@ -9292,7 +9354,7 @@ index 437a42a..51d47a0 100644 ## Read removable storage symbolic links. ## ## -@@ -2845,7 +3000,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -9301,7 +9363,7 @@ index 437a42a..51d47a0 100644 ## ## ## -@@ -3970,6 +4125,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -9323,10 +9385,28 @@ index 437a42a..51d47a0 100644 + +######################################## +## ++## Relabelfrom directory on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabelfrom_tmpfs_dir',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4662,3 +4835,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -9807,6 +9887,16 @@ index 3723150..bde6daa 100644 allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; dev_add_entry_generic_dirs($1) ') +diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc +index 3994e57..ee146ae 100644 +--- a/policy/modules/kernel/terminal.fc ++++ b/policy/modules/kernel/terminal.fc +@@ -40,3 +40,5 @@ ifdef(`distro_gentoo',` + # used by init scripts to initally populate udev /dev + /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) + ') ++ ++/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 492bf76..87a6942 100644 --- a/policy/modules/kernel/terminal.if 
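Review bot: The new interface is named `fs_relabelfrom_tmpfs_dir`, singular, while every other directory-level interface this diff adds or calls is plural (`fs_relabelto_cgroup_dirs`, `fs_manage_tmpfs_dirs`, `fs_manage_cgroup_dirs`), and the pattern macro it wraps is `relabelfrom_dirs_pattern`. Renaming it to `fs_relabelfrom_tmpfs_dirs`, together with its only caller `fs_relabelfrom_tmpfs_dir(init_t)` added to init.te in this same patch, keeps the naming scheme predictable. The summary line could also state the granted permission more precisely, e.g. `## Relabel directories on tmpfs filesystems away from tmpfs_t (relabelfrom only).`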
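Review bot: `/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)` is placed after the closing `')` of the `ifdef(`distro_gentoo',` block that holds its neighbour `/lib/udev/devices/console`, so the new entry applies to every distribution while the console entry stays Gentoo-only; confirm that is intended rather than a misplaced line. It also carries an MLS range of `s0-mls_systemhigh`, whereas the matching placeholder directories this patch adds to filesystem.fc (`/lib/udev/devices/shm`, `/lib/udev/devices/hugepages`) use plain `s0`. A comment above the line, in the style of the existing `# used by init scripts to initally populate udev /dev`, would explain both the placement and the range.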
@@ -38623,7 +38713,7 @@ index 8419a01..5865dba 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 698c11e..e90e509 100644 +index 698c11e..d92e0c3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -38713,7 +38803,7 @@ index 698c11e..e90e509 100644 # Early devtmpfs dev_rw_generic_chr_files(init_t) -@@ -127,9 +154,12 @@ domain_kill_all_domains(init_t) +@@ -127,9 +154,13 @@ domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) @@ -38723,10 +38813,11 @@ index 698c11e..e90e509 100644 files_read_etc_files(init_t) +files_read_all_pids(init_t) ++files_read_system_conf_files(init_t) files_rw_generic_pids(init_t) files_dontaudit_search_isid_type_dirs(init_t) files_manage_etc_runtime_files(init_t) -@@ -162,12 +192,15 @@ init_domtrans_script(init_t) +@@ -162,12 +193,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -38742,7 +38833,7 @@ index 698c11e..e90e509 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +211,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +212,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -38751,7 +38842,7 @@ index 698c11e..e90e509 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +219,74 @@ tunable_policy(`init_upstart',` +@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -38769,6 +38860,8 @@ index 698c11e..e90e509 100644 + + kernel_list_unlabeled(init_t) + kernel_read_network_state(init_t) ++ kernel_rw_kernel_sysctl(init_t) ++ kernel_read_all_sysctls(init_t) + kernel_unmount_debugfs(init_t) + + dev_write_kmsg(init_t) 
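Review bot: `kernel_rw_kernel_sysctl(init_t)` and `kernel_read_all_sysctls(init_t)` give init_t, the parent of every service, write access to the kernel sysctl tree and read access to all sysctls, and the hunk records no reason for it. The enclosing block starts and ends outside the hunk; its indentation suggests the systemd-specific section added earlier in this patch, but that cannot be confirmed from here. If the writes are only needed while a boot-time sysctl helper runs, a dedicated domain for that helper would keep the write permission off init_t; if init_t genuinely needs it, a one-line why-comment above the two calls naming the systemd component that performs the writes would record the decision for later review.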
@@ -38782,14 +38875,17 @@ index 698c11e..e90e509 100644 + + files_mounton_all_mountpoints(init_t) + files_manage_all_pids_dirs(init_t) ++ files_manage_urandom_seed(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) ++ fs_relabelfrom_tmpfs_dir(init_t) + fs_mount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) + fs_read_cgroup_files(init_t) + fs_write_cgroup_files(init_t) ++ fs_relabelto_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) + + selinux_compute_create_context(init_t) @@ -38826,7 +38922,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -199,10 +294,19 @@ optional_policy(` +@@ -199,10 +300,19 @@ optional_policy(` ') optional_policy(` @@ -38846,7 +38942,7 @@ index 698c11e..e90e509 100644 unconfined_domain(init_t) ') -@@ -212,7 +316,7 @@ optional_policy(` +@@ -212,7 +322,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -38855,7 +38951,7 @@ index 698c11e..e90e509 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,6 +345,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -38863,7 +38959,7 @@ index 698c11e..e90e509 100644 can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -258,11 +363,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
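Review bot: `fs_relabelfrom_tmpfs_dir(init_t)` combined with `fs_relabelto_cgroup_dirs(init_t)` lets init_t relabel any tmpfs_t directory to cgroup_t, not only the cgroup mount, because neither interface is scoped to a path. The same hunk adds `files_manage_urandom_seed(init_t)`, and all three lines arrive without a comment; the enclosing block starts and ends outside the hunk. A short comment above the relabel pair naming the mount being relabelled (presumably /sys/fs/cgroup, which filesystem.fc in this patch labels cgroup_t) would let a later reader verify that the permission is still required.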
@@ -38887,7 +38983,7 @@ index 698c11e..e90e509 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +408,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -38895,7 +38991,7 @@ index 698c11e..e90e509 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +416,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38911,7 +39007,7 @@ index 698c11e..e90e509 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +441,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38923,7 +39019,7 @@ index 698c11e..e90e509 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +460,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -38937,7 +39033,7 @@ index 698c11e..e90e509 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +475,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -38946,7 +39042,7 @@ index 698c11e..e90e509 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +489,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38954,7 +39050,7 @@ index 698c11e..e90e509 100644 selinux_get_enforce_mode(initrc_t) -@@ -380,6 +507,7 @@ auth_read_pam_pid(initrc_t) +@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) @@ -38962,7 +39058,7 @@ index 698c11e..e90e509 100644 libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) -@@ -394,13 +522,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -38978,7 +39074,7 @@ index 698c11e..e90e509 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +602,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +608,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38987,7 +39083,7 @@ index 698c11e..e90e509 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +648,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +654,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -39007,7 +39103,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -526,10 +668,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +674,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -39025,7 +39121,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -544,6 +693,35 @@ ifdef(`distro_suse',` +@@ -544,6 +699,35 @@ ifdef(`distro_suse',` ') ') @@ -39061,7 +39157,7 @@ index 698c11e..e90e509 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +734,8 @@ optional_policy(` +@@ -556,6 +740,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -39070,7 +39166,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -572,6 +752,7 @@ optional_policy(` +@@ -572,6 +758,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -39078,7 +39174,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -584,6 +765,11 @@ optional_policy(` +@@ -584,6 +771,11 @@ optional_policy(` ') optional_policy(` @@ -39090,7 +39186,7 @@ index 698c11e..e90e509 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +786,9 @@ optional_policy(` +@@ -600,6 +792,9 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -39100,7 +39196,7 @@ index 698c11e..e90e509 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +890,13 @@ optional_policy(` +@@ -701,7 +896,13 @@ optional_policy(` ') optional_policy(` @@ -39114,7 +39210,7 @@ index 698c11e..e90e509 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +919,10 @@ optional_policy(` +@@ -724,6 +925,10 @@ optional_policy(` ') optional_policy(` @@ -39125,7 +39221,7 @@ index 698c11e..e90e509 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +944,10 @@ optional_policy(` +@@ -745,6 +950,10 @@ optional_policy(` ') optional_policy(` 
@@ -39136,7 +39232,7 @@ index 698c11e..e90e509 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +969,6 @@ optional_policy(` +@@ -766,8 +975,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -39145,7 +39241,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -776,14 +977,21 @@ optional_policy(` +@@ -776,14 +983,21 @@ optional_policy(` ') optional_policy(` @@ -39167,7 +39263,7 @@ index 698c11e..e90e509 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1013,19 @@ optional_policy(` +@@ -805,11 +1019,19 @@ optional_policy(` ') optional_policy(` @@ -39188,7 +39284,7 @@ index 698c11e..e90e509 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1035,25 @@ optional_policy(` +@@ -819,6 +1041,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -39214,7 +39310,7 @@ index 698c11e..e90e509 100644 ') optional_policy(` -@@ -844,3 +1079,55 @@ optional_policy(` +@@ -844,3 +1085,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ba856b0..e0cb57e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.6 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,12 @@ exit 0 %endif %changelog + +* Fri Oct 8 2010 Dan Walsh 3.9.6-2 +- Lots of fixes for systemd +- systemd now executes readahead and tmpwatch type scripts +- Needs to manage random seed + * Thu Oct 7 2010 Dan Walsh 3.9.6-1 - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr