From 617c9c8df8be84f9bfee73a38702ec5567b1b85f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Dec 14 2012 23:45:23 +0000 Subject: - Allow svirt to use netlink_route_socket which was a part of auth_use_ns - Add additional labeling for /var/www/openshift/broker - Fix rhev policy - Allow openshift_initrc domain to dbus chat with systemd_logind - Allow httpd to getattr passenger log file if run_stickshift - Allow consolehelper-gtk to connect to xserver - Add labeling for the tmp-inst directory defined in pam_namespace.conf - Add lvm_metadata_t labeling for /etc/multipath --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 336e460..0706dc0 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -117450,7 +117450,7 @@ index cf04cb5..09a61e6 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 8796ca3..c2055b3 100644 +index 8796ca3..cb02728 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -117583,7 +117583,7 @@ index 8796ca3..c2055b3 100644 # # /selinux # -@@ -178,13 +190,13 @@ ifdef(`distro_debian',` +@@ -178,13 +190,14 @@ ifdef(`distro_debian',` # # /srv # @@ -117596,10 +117596,11 @@ index 8796ca3..c2055b3 100644 # -/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) ++/tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <> /tmp/\.journal <> -@@ -194,9 +206,10 @@ ifdef(`distro_debian',` +@@ -194,9 +207,10 @@ ifdef(`distro_debian',` # # /usr # @@ -117611,7 +117612,7 @@ index 8796ca3..c2055b3 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -204,15 +217,9 @@ ifdef(`distro_debian',` +@@ -204,15 +218,9 @@ ifdef(`distro_debian',` /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) 
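Review bot: The new `/tmp-inst` entry in the files.fc hunk at `@@ -117596,10 +117596,11 @@` labels only the directory itself; unlike the neighbouring `/tmp/.* <>` entry there is no `/tmp-inst/.* <>` line, so the per-user instance directories that pam_namespace creates underneath it are left to whatever more general pattern matches on a relabel, and for the companion `/var/tmp-inst -d` entry in the hunk at `@@ -117668,7 +117669,15 @@` on the next line the visible `/var/.*` var_t rule would apply. Adding `/tmp-inst/.* <>` and `/var/tmp-inst/.* <>` mirrors how `/tmp` and `/var/tmp` are already handled in this file. The `/tmp-inst` entry also omits the `-d` object-class filter that the `/var/tmp-inst -d` entry carries; whichever form is intended, the two should agree.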
@@ -117628,7 +117629,7 @@ index 8796ca3..c2055b3 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -220,8 +227,6 @@ ifdef(`distro_debian',` +@@ -220,8 +228,6 @@ ifdef(`distro_debian',` /usr/tmp/.* <> ifndef(`distro_redhat',` @@ -117637,7 +117638,7 @@ index 8796ca3..c2055b3 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -229,7 +234,7 @@ ifndef(`distro_redhat',` +@@ -229,7 +235,7 @@ ifndef(`distro_redhat',` # # /var # @@ -117646,7 +117647,7 @@ index 8796ca3..c2055b3 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +242,21 @@ ifndef(`distro_redhat',` +@@ -237,11 +243,21 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -117668,7 +117669,15 @@ index 8796ca3..c2055b3 100644 /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> -@@ -264,3 +279,5 @@ ifndef(`distro_redhat',` +@@ -256,6 +272,7 @@ ifndef(`distro_redhat',` + + /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) ++/var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) + /var/tmp/.* <> + /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /var/tmp/lost\+found/.* <> +@@ -264,3 +281,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -137342,10 +137351,17 @@ index 0034021..c62bd95 100644 + kernel_dgram_send(syslog_client_type) +') diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..0b3cc40 100644 +index 879bb1e..c11d48b 100644 --- a/policy/modules/system/lvm.fc 
+++ b/policy/modules/system/lvm.fc -@@ -28,23 +28,27 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` + /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + ++/etc/multipath(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) ++ + # + # /lib # /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -137374,7 +137390,7 @@ index 879bb1e..0b3cc40 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +92,69 @@ ifdef(`distro_gentoo',` +@@ -88,8 +94,69 @@ ifdef(`distro_gentoo',` # # /usr # @@ -137446,7 +137462,7 @@ index 879bb1e..0b3cc40 100644 # # /var -@@ -97,5 +162,7 @@ ifdef(`distro_gentoo',` +@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 69f8e07..efe0c0b 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -2132,7 +2132,7 @@ index 0000000..feabdf3 + files_getattr_all_sockets(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index fd9fa07..12398f6 100644 +index fd9fa07..cca43af 100644 --- a/apache.fc +++ b/apache.fc @@ -1,20 +1,37 @@ 
@@ -2289,7 +2289,7 @@ index fd9fa07..12398f6 100644 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +155,26 @@ ifdef(`distro_debian', ` +@@ -109,3 +155,34 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -2307,6 +2307,14 @@ index fd9fa07..12398f6 100644 + +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + ++/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) ++/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++ ++/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++ +/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -3139,7 +3147,7 @@ index 6480167..7b2ad39 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 0833afb..3d0cc42 100644 +index 0833afb..2864927 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.4.0) 
@@ -3956,7 +3964,7 @@ index 0833afb..3d0cc42 100644 ######################################## # # Apache helper local policy -@@ -633,7 +1033,42 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -633,7 +1033,43 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -3980,6 +3988,7 @@ index 0833afb..3d0cc42 100644 +optional_policy(` + tunable_policy(`httpd_run_stickshift', ` + passenger_manage_lib_files(httpd_t) ++ passenger_getattr_log_files(httpd_t) + ',` + passenger_domtrans(httpd_t) + passenger_read_lib_files(httpd_t) @@ -4000,7 +4009,7 @@ index 0833afb..3d0cc42 100644 ######################################## # -@@ -671,28 +1106,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -671,28 +1107,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -4044,7 +4053,7 @@ index 0833afb..3d0cc42 100644 ') ######################################## -@@ -702,6 +1139,7 @@ optional_policy(` +@@ -702,6 +1140,7 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -4052,7 +4061,7 @@ index 0833afb..3d0cc42 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -716,19 +1154,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -716,19 +1155,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -4081,7 +4090,7 @@ index 0833afb..3d0cc42 100644 files_read_usr_files(httpd_suexec_t) files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -738,15 +1184,14 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -738,15 +1185,14 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -4099,7 +4108,7 @@ index 0833afb..3d0cc42 100644 corenet_tcp_sendrecv_generic_if(httpd_suexec_t) corenet_udp_sendrecv_generic_if(httpd_suexec_t) corenet_tcp_sendrecv_generic_node(httpd_suexec_t) -@@ -757,13 +1202,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -757,13 +1203,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -4132,7 +4141,7 @@ index 0833afb..3d0cc42 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -786,6 +1249,25 @@ optional_policy(` +@@ -786,6 +1250,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -4158,7 +4167,7 @@ index 0833afb..3d0cc42 100644 ######################################## # # Apache system script local policy -@@ -806,12 +1288,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -806,12 +1289,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -4176,7 +4185,7 @@ index 0833afb..3d0cc42 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -820,18 +1307,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -820,18 +1308,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -4235,7 +4244,7 @@ index 0833afb..3d0cc42 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -839,14 +1358,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -839,14 +1359,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -4276,7 +4285,7 @@ index 0833afb..3d0cc42 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -854,15 +1398,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` +@@ -854,15 +1399,26 @@ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` optional_policy(` clamav_domtrans_clamscan(httpd_sys_script_t) @@ -4303,7 +4312,7 @@ index 0833afb..3d0cc42 100644 ') ######################################## -@@ -878,11 +1433,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) +@@ -878,11 +1434,9 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t) kernel_dontaudit_list_proc(httpd_rotatelogs_t) kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t) @@ -4315,7 +4324,7 @@ index 0833afb..3d0cc42 100644 ######################################## # -@@ -908,11 +1461,138 @@ optional_policy(` +@@ -908,11 +1462,138 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -19019,7 +19028,7 @@ index e1d7dc5..66d42bb 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..0022b87 100644 +index 2df7766..d4e008b 100644 --- a/dovecot.te +++ b/dovecot.te @@ -4,12 +4,12 @@ policy_module(dovecot, 1.14.0) 
@@ -19068,7 +19077,7 @@ index 2df7766..0022b87 100644 type dovecot_tmp_t; files_tmp_file(dovecot_tmp_t) -@@ -51,17 +53,36 @@ logging_log_file(dovecot_var_log_t) +@@ -51,17 +53,37 @@ logging_log_file(dovecot_var_log_t) type dovecot_var_run_t; files_pid_file(dovecot_var_run_t) @@ -19085,6 +19094,7 @@ index 2df7766..0022b87 100644 +kernel_read_all_sysctls(dovecot_domain) + +corecmd_exec_bin(dovecot_domain) ++corecmd_exec_shell(dovecot_domain) + +dev_read_sysfs(dovecot_domain) +dev_read_rand(dovecot_domain) @@ -19109,7 +19119,7 @@ index 2df7766..0022b87 100644 allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) -@@ -72,7 +93,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; +@@ -72,7 +94,9 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms; read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t) @@ -19120,7 +19130,7 @@ index 2df7766..0022b87 100644 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,15 +117,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -94,15 +118,13 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -19139,7 +19149,7 @@ index 2df7766..0022b87 100644 corenet_all_recvfrom_netlabel(dovecot_t) corenet_tcp_sendrecv_generic_if(dovecot_t) corenet_tcp_sendrecv_generic_node(dovecot_t) -@@ -110,41 +131,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) +@@ -110,41 +132,36 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) 
@@ -19187,7 +19197,7 @@ index 2df7766..0022b87 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -153,10 +169,23 @@ userdom_manage_user_home_content_pipes(dovecot_t) +@@ -153,10 +170,23 @@ userdom_manage_user_home_content_pipes(dovecot_t) userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) @@ -19213,7 +19223,7 @@ index 2df7766..0022b87 100644 ') optional_policy(` -@@ -164,6 +193,11 @@ optional_policy(` +@@ -164,6 +194,11 @@ optional_policy(` ') optional_policy(` @@ -19225,7 +19235,7 @@ index 2df7766..0022b87 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,16 +214,17 @@ optional_policy(` +@@ -180,16 +215,17 @@ optional_policy(` # dovecot auth local policy # @@ -19247,7 +19257,7 @@ index 2df7766..0022b87 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -198,31 +233,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; +@@ -198,31 +234,24 @@ allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms; manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t) dovecot_stream_connect_auth(dovecot_auth_t) @@ -19284,7 +19294,7 @@ index 2df7766..0022b87 100644 optional_policy(` kerberos_use(dovecot_auth_t) -@@ -236,6 +264,8 @@ optional_policy(` +@@ -236,6 +265,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -19293,7 +19303,7 @@ index 2df7766..0022b87 100644 ') optional_policy(` -@@ -243,6 +273,8 @@ optional_policy(` +@@ -243,6 +274,8 @@ optional_policy(` ') optional_policy(` 
@@ -19302,7 +19312,7 @@ index 2df7766..0022b87 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,25 +282,32 @@ optional_policy(` +@@ -250,25 +283,32 @@ optional_policy(` # # dovecot deliver local policy # @@ -19345,7 +19355,7 @@ index 2df7766..0022b87 100644 dovecot_stream_connect_auth(dovecot_deliver_t) -@@ -283,24 +322,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +323,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) @@ -21595,7 +21605,7 @@ index ebad8c4..640293e 100644 ') - diff --git a/fprintd.te b/fprintd.te -index 7df52c7..523df56 100644 +index 7df52c7..46499bd 100644 --- a/fprintd.te +++ b/fprintd.te @@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0) @@ -21635,7 +21645,7 @@ index 7df52c7..523df56 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -50,8 +49,13 @@ optional_policy(` +@@ -50,8 +49,17 @@ optional_policy(` ') optional_policy(` @@ -21648,6 +21658,10 @@ index 7df52c7..523df56 100644 policykit_dbus_chat(fprintd_t) policykit_domtrans_auth(fprintd_t) + policykit_dbus_chat_auth(fprintd_t) ++') ++ ++optional_policy(` ++ xserver_read_state_xdm(fprintd_t) ') diff --git a/ftp.fc b/ftp.fc index 69dcd2a..4d97da7 100644 @@ -34524,7 +34538,7 @@ index b397fde..c7c031d 100644 +') + diff --git a/mozilla.te b/mozilla.te -index d4fcb75..22603ee 100644 +index d4fcb75..72efe21 100644 --- a/mozilla.te +++ b/mozilla.te @@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0) 
@@ -34971,7 +34985,7 @@ index d4fcb75..22603ee 100644 +allow mozilla_plugin_config_t self:fifo_file rw_file_perms; +allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; + -+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_config_t) ++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t) + +dev_search_sysfs(mozilla_plugin_config_t) +dev_read_urand(mozilla_plugin_config_t) @@ -36849,7 +36863,7 @@ index c358d8f..1cc176c 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index f17583b..4188970 100644 +index f17583b..dd96224 100644 --- a/munin.te +++ b/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -36940,7 +36954,13 @@ index f17583b..4188970 100644 mta_read_queue(munin_t) ') -@@ -159,6 +170,7 @@ optional_policy(` +@@ -155,10 +166,13 @@ optional_policy(` + + optional_policy(` + netutils_domtrans_ping(munin_t) ++ netutils_signal_ping(munin_t) ++ netutils_kill_ping(munin_t) + ') optional_policy(` postfix_list_spool(munin_t) @@ -36948,7 +36968,7 @@ index f17583b..4188970 100644 ') optional_policy(` -@@ -182,6 +194,7 @@ optional_policy(` +@@ -182,6 +196,7 @@ optional_policy(` # local policy for disk plugins # @@ -36956,7 +36976,7 @@ index f17583b..4188970 100644 allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) -@@ -190,15 +203,15 @@ corecmd_exec_shell(disk_munin_plugin_t) +@@ -190,15 +205,15 @@ corecmd_exec_shell(disk_munin_plugin_t) corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t) @@ -36976,7 +36996,7 @@ index f17583b..4188970 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,30 +234,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,30 +236,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) 
@@ -37030,7 +37050,7 @@ index f17583b..4188970 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +285,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +287,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -37045,7 +37065,7 @@ index f17583b..4188970 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -279,6 +306,10 @@ optional_policy(` +@@ -279,6 +308,10 @@ optional_policy(` ') optional_policy(` @@ -37056,7 +37076,7 @@ index f17583b..4188970 100644 postgresql_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +317,18 @@ optional_policy(` +@@ -286,6 +319,18 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') @@ -37075,7 +37095,7 @@ index f17583b..4188970 100644 ################################## # # local policy for system plugins -@@ -295,12 +338,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,12 +340,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -37091,7 +37111,7 @@ index f17583b..4188970 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +354,45 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +356,47 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -37116,6 +37136,8 @@ index f17583b..4188970 100644 +# local policy for munin plugin domains +# + ++allow munin_plugin_domain self:process signal; ++ +allow munin_plugin_domain munin_exec_t:file read_file_perms; +allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; + 
@@ -42863,10 +42885,10 @@ index 0000000..6e20e72 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..a33452e +index 0000000..d97b009 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,379 @@ +@@ -0,0 +1,383 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -42938,6 +42960,7 @@ index 0000000..a33452e +# +# Template to create openshift_t and openshift_app_t +# ++ +openshift_service_domain_template(openshift) + +######################################## @@ -42947,6 +42970,8 @@ index 0000000..a33452e +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + ++systemd_dbus_chat_logind(openshift_initrc_t) ++ +manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) +manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) +manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) @@ -43044,6 +43069,7 @@ index 0000000..a33452e + +dev_read_sysfs(openshift_domain) +dev_read_rand(openshift_domain) ++dev_read_urand(openshift_domain) +dev_dontaudit_append_rand(openshift_domain) +dev_dontaudit_write_urand(openshift_domain) +dev_dontaudit_getattr_all_blk_files(openshift_domain) @@ -44194,10 +44220,10 @@ index 545518d..677ac68 100644 /var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0) diff --git a/passenger.if b/passenger.if -index f68b573..8fb9cd3 100644 +index f68b573..c050b37 100644 --- a/passenger.if +++ b/passenger.if -@@ -18,6 +18,24 @@ interface(`passenger_domtrans',` +@@ -18,6 +18,42 @@ interface(`passenger_domtrans',` domtrans_pattern($1, passenger_exec_t, passenger_t) ') 
@@ -44219,10 +44245,28 @@ index f68b573..8fb9cd3 100644 + can_exec($1, passenger_exec_t) +') + ++####################################### ++## ++## Getattr passenger log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_getattr_log_files',` ++ gen_require(` ++ type passenger_log_t; ++ ') ++ ++ getattr_files_pattern($1, passenger_log_t, passenger_log_t) ++') ++ ######################################## ## ## Read passenger lib files -@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',` +@@ -37,3 +73,84 @@ interface(`passenger_read_lib_files',` read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) files_search_var_lib($1) ') @@ -54252,10 +54296,10 @@ index 0000000..e38693b +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..9015745 +index 0000000..c994751 --- /dev/null +++ b/realmd.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,103 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -54355,6 +54399,10 @@ index 0000000..9015745 + sssd_read_pid_files(realmd_t) + sssd_systemctl(realmd_t) +') ++ ++optional_policy(` ++ xserver_read_state_xdm(realmd_t) ++') diff --git a/remotelogin.te b/remotelogin.te index 0a76027..18f59a7 100644 --- a/remotelogin.te @@ -55403,19 +55451,23 @@ index 93c896a..8aa7362 100644 +') diff --git a/rhev.fc b/rhev.fc new file mode 100644 -index 0000000..3edbd2e +index 0000000..4b66adf --- /dev/null 
+++ b/rhev.fc -@@ -0,0 +1,9 @@ +@@ -0,0 +1,13 @@ +/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) +/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) + ++/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0) ++ +/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0) + +/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) +/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0) + +/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) ++/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0) diff --git a/rhev.if b/rhev.if new file mode 100644 index 0000000..bf11e25 @@ -55500,10 +55552,10 @@ index 0000000..bf11e25 +') diff --git a/rhev.te b/rhev.te new file mode 100644 -index 0000000..e6c2344 +index 0000000..51b00c0 --- /dev/null +++ b/rhev.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,117 @@ +policy_module(rhev,1.0) + +######################################## @@ -55532,7 +55584,7 @@ index 0000000..e6c2344 +# rhev_agentd_t local policy +# + -+allow rhev_agentd_t self:capability sys_nice; ++allow rhev_agentd_t self:capability { setuid setgid sys_nice }; +allow rhev_agentd_t self:process setsched; + +allow rhev_agentd_t self:fifo_file rw_fifo_file_perms; 
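Review bot: The rhev.te hunk at `@@ -55532,7 +55584,7 @@` widens `allow rhev_agentd_t self:capability` from `sys_nice` to `{ setuid setgid sys_nice }` without recording why; setuid/setgid let the agent assume any UID/GID, and the same commit also gives it `dbus_session_bus_client` and `xserver_stream_connect`, so this is a material privilege increase for a guest-side agent. If the only need is to run the newly labelled LockActiveSession helper as the logged-in user, say so above the rule, e.g. `# setuid/setgid: needed to act as the session user for LockActiveSession -- TODO confirm`, so the grant can be narrowed if that path changes. If the identity switch actually happens through the consolehelper transition defined further down in this file, the capabilities may not be needed on rhev_agentd_t itself.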
@@ -55544,6 +55596,8 @@ index 0000000..e6c2344 +files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file }) + +manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t) ++manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t) ++logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file }) + +manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) +manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t) @@ -55585,10 +55639,12 @@ index 0000000..e6c2344 +optional_policy(` + dbus_system_bus_client(rhev_agentd_t) + dbus_connect_system_bus(rhev_agentd_t) ++ dbus_session_bus_client(rhev_agentd_t) +') + +optional_policy(` + xserver_dbus_chat_xdm(rhev_agentd_t) ++ xserver_stream_connect(rhev_agentd_t) +') + +###################################### @@ -55599,13 +55655,16 @@ index 0000000..e6c2344 +optional_policy(` + userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t) + -+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append; ++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms; ++ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms; + + can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t) + kernel_read_system_state(rhev_agentd_consolehelper_t) + + term_use_virtio_console(rhev_agentd_consolehelper_t) + ++ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t) ++ + optional_policy(` + dbus_session_bus_client(rhev_agentd_consolehelper_t) + ') @@ -69944,7 +70003,7 @@ index 2124b6a..e55e393 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..fd143c4 100644 +index 6f0736b..d91242a 100644 --- a/virt.if +++ b/virt.if @@ -13,67 +13,30 @@ 
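Review bot: `corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)` in the hunk at `@@ -55599,13 +55655,16 @@` grants TCP name_connect to the X server port range, which is not limited to the local display, whereas the preceding hunk gives `rhev_agentd_t` the narrower `xserver_stream_connect`, the usual way to reach a local X server over its unix socket. If consolehelper-gtk only talks to the local display, `xserver_stream_connect(rhev_agentd_consolehelper_t)` would be the smaller grant; if the TCP path is genuinely required, a one-line comment above the rule saying so would stop a later reviewer from removing it. The enclosing optional_policy block continues past the end of the hunk.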
@@ -70495,14 +70554,14 @@ index 6f0736b..fd143c4 100644 +# +interface(`virt_transition_svirt',` + gen_require(` -+ type svirt_t; ++ attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + -+ allow $1 svirt_t:process transition; -+ role $2 types svirt_t; ++ allow $1 virt_domain:process transition; ++ role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + @@ -70514,7 +70573,7 @@ index 6f0736b..fd143c4 100644 + virt_signal_svirt($1) + + optional_policy(` -+ ptchown_run(svirt_t, $2) ++ ptchown_run(virt_domain, $2) + ') +') + @@ -70770,7 +70829,7 @@ index 6f0736b..fd143c4 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 947bbc6..9154fef 100644 +index 947bbc6..ce27313 100644 --- a/virt.te +++ b/virt.te @@ -5,56 +5,104 @@ policy_module(virt, 1.5.0) @@ -70947,7 +71006,7 @@ index 947bbc6..9154fef 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -100,29 +167,50 @@ ifdef(`enable_mls',` +@@ -100,28 +167,53 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') 
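Review bot: In the virt.if hunk at `@@ -70495,14 +70554,14 @@`, `virt_transition_svirt` now requires `attribute virt_domain` and issues `allow $1 virt_domain:process transition;` and `role $2 types virt_domain;`, so the caller may transition into, and the role is authorized for, every type carrying virt_domain rather than only `svirt_t`; the same widening is applied to `ptchown_run(virt_domain, $2)` in the hunk at `@@ -70514,7 +70573,7 @@`. The interface's name and its summary block sit outside the hunk and still describe an svirt_t transition; they should be updated to state that the target is the whole virt_domain attribute so callers understand the scope they are granting. The set of types that carry virt_domain is not visible here, so whether the widening is intended for all of them is something the author should confirm.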
@@ -70981,40 +71040,41 @@ index 947bbc6..9154fef 100644 +attribute svirt_lxc_domain; -allow svirt_t self:udp_socket create_socket_perms; -- --manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) --manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) --files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) -- --read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) +type virtd_lxc_t; +type virtd_lxc_exec_t; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) --allow svirt_t svirt_image_t:dir search_dir_perms; --manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) --manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) --fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) +-manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +-files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) +type virt_lxc_var_run_t; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; --list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) --read_files_pattern(svirt_t, virt_content_t, virt_content_t) --dontaudit svirt_t virt_content_t:file write_file_perms; --dontaudit svirt_t virt_content_t:dir write; +-read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) +# virt lxc container files +type svirt_lxc_file_t; +files_mountpoint(svirt_lxc_file_t) +-allow svirt_t svirt_image_t:dir search_dir_perms; +-manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) +-manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +-fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) +######################################## +# +# svirt local policy +# + +-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +-read_files_pattern(svirt_t, virt_content_t, virt_content_t) +-dontaudit svirt_t virt_content_t:file write_file_perms; +-dontaudit svirt_t virt_content_t:dir write; ++# it was a part of auth_use_nsswitch ++allow svirt_t 
self:netlink_route_socket r_netlink_socket_perms; + corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) -@@ -131,67 +219,65 @@ corenet_udp_bind_all_ports(svirt_t) +@@ -131,67 +223,65 @@ corenet_udp_bind_all_ports(svirt_t) corenet_tcp_bind_all_ports(svirt_t) corenet_tcp_connect_all_ports(svirt_t) @@ -71123,7 +71183,7 @@ index 947bbc6..9154fef 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -202,19 +288,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -202,19 +292,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -71158,7 +71218,7 @@ index 947bbc6..9154fef 100644 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -225,16 +320,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -225,16 +324,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -71182,7 +71242,7 @@ index 947bbc6..9154fef 100644 corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) -@@ -247,22 +348,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -247,22 +352,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) 
@@ -71216,7 +71276,7 @@ index 947bbc6..9154fef 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -270,6 +380,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -270,6 +384,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -71235,7 +71295,7 @@ index 947bbc6..9154fef 100644 mcs_process_set_categories(virtd_t) -@@ -284,7 +406,8 @@ term_use_ptmx(virtd_t) +@@ -284,7 +410,8 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -71245,7 +71305,7 @@ index 947bbc6..9154fef 100644 miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -293,17 +416,33 @@ modutils_read_module_config(virtd_t) +@@ -293,17 +420,33 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -71279,7 +71339,7 @@ index 947bbc6..9154fef 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -322,6 +461,10 @@ optional_policy(` +@@ -322,6 +465,10 @@ optional_policy(` ') optional_policy(` @@ -71290,7 +71350,7 @@ index 947bbc6..9154fef 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -335,19 +478,34 @@ optional_policy(` +@@ -335,19 +482,34 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -71326,7 +71386,7 @@ index 947bbc6..9154fef 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -362,6 +520,12 @@ optional_policy(` +@@ -362,6 +524,12 @@ optional_policy(` ') optional_policy(` @@ -71339,7 +71399,7 @@ index 947bbc6..9154fef 100644 policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) -@@ -369,11 +533,11 @@ optional_policy(` +@@ -369,11 +537,11 @@ optional_policy(` ') optional_policy(` @@ -71356,7 +71416,7 @@ index 947bbc6..9154fef 100644 ') optional_policy(` -@@ -384,6 +548,7 @@ optional_policy(` +@@ -384,6 +552,7 @@ optional_policy(` kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) 
@@ -71364,7 +71424,7 @@ index 947bbc6..9154fef 100644 xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) xen_read_image_files(virtd_t) -@@ -402,35 +567,85 @@ optional_policy(` +@@ -402,35 +571,85 @@ optional_policy(` # # virtual domains common policy # @@ -71459,7 +71519,7 @@ index 947bbc6..9154fef 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -438,34 +653,599 @@ dev_write_sound(virt_domain) +@@ -438,34 +657,601 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -71481,12 +71541,14 @@ index 947bbc6..9154fef 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) + ++sysnet_read_config(virt_domain) + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -71525,7 +71587,7 @@ index 947bbc6..9154fef 100644 +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) -+') + ') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) @@ -71670,7 +71732,7 @@ index 947bbc6..9154fef 100644 + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) - ') ++') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) @@ -72897,22 +72959,132 @@ index fc0adf8..cf479f3 100644 # Manual transition from userhelper optional_policy(` diff --git a/wm.if b/wm.if -index b3efef7..efa6002 100644 +index b3efef7..c1be6ab 100644 --- a/wm.if 
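Review bot: `++sysnet_read_config(virt_domain)` in the hunk at @@ -71481 is added without a comment and is not mentioned in the commit description, which lists only the svirt_t netlink_route_socket rule. Unlike that rule it applies to every type carrying the virt_domain attribute rather than svirt_t alone, and it grants read access to the network configuration files labelled net_conf_t (resolv.conf and similar); if it, too, replaces something previously inherited from auth_use_nsswitch, a comment of the same form would make that clear: `# read net_conf_t (resolv.conf etc.); was a part of auth_use_nsswitch`. The same hunk turns the closing `')` of the virt_use_comm block from an inner added line into an inner context line, and the hunk at @@ -71670 does the reverse for the virt_use_nfs block on virsh_t; those look like a repair of the inner patch's alignment rather than a policy change, but a line in the description would save the next reader the comparison. The virt domain common policy section these rules sit in starts outside the hunk.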
+++ b/wm.if -@@ -75,7 +75,11 @@ template(`wm_role_template',` - application_signull($1_wm_t) +@@ -31,17 +31,14 @@ template(`wm_role_template',` + gen_require(` + type wm_exec_t; + class dbus send_msg; ++ attribute wm_domain; + ') - miscfiles_read_fonts($1_wm_t) -- miscfiles_read_localization($1_wm_t) -+ +- type $1_wm_t; ++ type $1_wm_t, wm_domain; + domain_type($1_wm_t) + domain_entry_file($1_wm_t, wm_exec_t) + role $2 types $1_wm_t; + +- allow $1_wm_t self:fifo_file rw_fifo_file_perms; +- allow $1_wm_t self:process getsched; +- allow $1_wm_t self:shm create_shm_perms; +- + allow $1_wm_t $3:unix_stream_socket connectto; + allow $3 $1_wm_t:unix_stream_socket connectto; + allow $3 $1_wm_t:process { signal sigchld signull }; +@@ -50,42 +47,18 @@ template(`wm_role_template',` + allow $1_wm_t $3:dbus send_msg; + allow $3 $1_wm_t:dbus send_msg; + +- domtrans_pattern($3, wm_exec_t, $1_wm_t) + userdom_manage_home_role($2, $1_wm_t) + userdom_manage_tmpfs_role($2, $1_wm_t) + userdom_manage_tmp_role($2, $1_wm_t) + userdom_exec_user_tmp_files($1_wm_t) +- kernel_read_system_state($1_wm_t) ++ domtrans_pattern($3, wm_exec_t, $1_wm_t) + + corecmd_bin_domtrans($1_wm_t, $3) + corecmd_shell_domtrans($1_wm_t, $3) + +- dev_read_urand($1_wm_t) +- +- files_read_etc_files($1_wm_t) +- files_read_usr_files($1_wm_t) +- +- fs_getattr_tmpfs($1_wm_t) +- +- mls_file_read_all_levels($1_wm_t) +- mls_file_write_all_levels($1_wm_t) +- mls_xwin_read_all_levels($1_wm_t) +- mls_xwin_write_all_levels($1_wm_t) +- mls_fd_use_all_levels($1_wm_t) +- + auth_use_nsswitch($1_wm_t) + +- application_signull($1_wm_t) +- +- miscfiles_read_fonts($1_wm_t) +- miscfiles_read_localization($1_wm_t) +- +- optional_policy(` +- dbus_system_bus_client($1_wm_t) +- dbus_session_bus_client($1_wm_t) +- ') +- +- optional_policy(` +- pulseaudio_stream_connect($1_wm_t) +- ') +- optional_policy(` - dbus_system_bus_client($1_wm_t) + xserver_role($2, $1_wm_t) + xserver_manage_core_devices($1_wm_t) +diff --git a/wm.te b/wm.te +index 
19d447e..9c0a1c2 100644 +--- a/wm.te ++++ b/wm.te +@@ -1,5 +1,7 @@ + policy_module(wm, 1.2.0) + ++attribute wm_domain; ++ + ######################################## + # + # Declarations +@@ -7,3 +9,42 @@ policy_module(wm, 1.2.0) + + type wm_exec_t; + corecmd_executable_file(wm_exec_t) ++ ++allow wm_domain self:fifo_file rw_fifo_file_perms; ++allow wm_domain self:process getsched; ++allow wm_domain self:shm create_shm_perms; ++allow wm_domain self:unix_dgram_socket create_socket_perms; ++ ++kernel_read_system_state(wm_domain) ++ ++dev_read_urand(wm_domain) ++ ++files_read_etc_files(wm_domain) ++files_read_usr_files(wm_domain) ++ ++fs_getattr_tmpfs(wm_domain) ++ ++mls_file_read_all_levels(wm_domain) ++mls_file_write_all_levels(wm_domain) ++mls_xwin_read_all_levels(wm_domain) ++mls_xwin_write_all_levels(wm_domain) ++mls_fd_use_all_levels(wm_domain) ++ ++application_signull(wm_domain) ++ ++miscfiles_read_fonts(wm_domain) ++ ++optional_policy(` ++ dbus_system_bus_client(wm_domain) ++ dbus_session_bus_client(wm_domain) ++') ++ ++optional_policy(` ++ pulseaudio_stream_connect(wm_domain) ++') ++ ++optional_policy(` ++ xserver_manage_core_devices(wm_domain) ++') ++ ++ diff --git a/xen.fc b/xen.fc index 1a1b374..574794d 100644 --- a/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 2f39a40..131a886 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 64%{?dist} +Release: 65%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
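Review bot: The new wm.te block in the hunk at @@ -72897 grants `++allow wm_domain self:unix_dgram_socket create_socket_perms;`, which has no counterpart among the rules removed from wm_role_template in wm.if (those were fifo_file, process getsched and shm), so the move to the wm_domain attribute is not a pure refactor: every window-manager domain gains unix datagram socket permissions and neither the hunk nor the changelog says why. I'd put a one-line comment on that rule, e.g. `# not in the old per-role template; needed for <reason — placeholder>`, so the widening is recorded where it is granted. The template still carries `xserver_manage_core_devices($1_wm_t)` inside its optional_policy block (visible at the end of the wm.if part) while wm.te adds the same call for wm_domain; now that `type $1_wm_t, wm_domain;` gives every template instance the attribute, one of the two is redundant, and dropping the template copy keeps the attribute as the single place for shared rules. The two trailing `++` blank lines at the end of wm.te are a small nit. The hunk starts in the earlier line and its wm.if part precedes the wm.te part shown here.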
@@ -524,6 +524,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Sat Dec 15 2012 Miroslav Grepl 3.11.1-65 +- Allow svirt to use netlink_route_socket which was a part of auth_use_nsswitch +- Add additional labeling for /var/www/openshift/broker +- Fix rhev policy +- Allow openshift_initrc domain to dbus chat with systemd_logind +- Allow httpd to getattr passenger log file if run_stickshift +- Allow consolehelper-gtk to connect to xserver +- Add labeling for the tmp-inst directory defined in pam_namespace.conf +- Add lvm_metadata_t labeling for /etc/multipath + * Fri Dec 14 2012 Miroslav Grepl 3.11.1-64 - consoletype is no longer used