From 7f8bb18f2520c716601cf6ad4b0f939ab69d25ef Mon Sep 17 00:00:00 2001 From: Miroslav Date: Oct 21 2011 11:12:49 +0000 Subject: - Fixes for systemd - Add FIPS suppport for dirsrv --- diff --git a/policy-F15.patch b/policy-F15.patch index 1ccd846..49ebd04 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -10303,7 +10303,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..9856a93 100644 +index 34c9d01..56a3b80 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` @@ -10336,7 +10336,15 @@ index 34c9d01..9856a93 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',` +@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',` + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/google/chrome(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + +@@ -177,6 +178,8 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -10345,7 +10353,7 @@ index 34c9d01..9856a93 100644 # # /usr # -@@ -198,6 +200,7 @@ ifdef(`distro_gentoo',` +@@ -198,6 +201,7 @@ ifdef(`distro_gentoo',` /usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0) /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) 
@@ -10353,7 +10361,7 @@ index 34c9d01..9856a93 100644 /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -232,6 +235,9 @@ ifdef(`distro_gentoo',` +@@ -232,6 +236,9 @@ ifdef(`distro_gentoo',` /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) @@ -10363,7 +10371,7 @@ index 34c9d01..9856a93 100644 /usr/lib(64)?/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -244,9 +250,13 @@ ifdef(`distro_gentoo',` +@@ -244,9 +251,13 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -10377,7 +10385,7 @@ index 34c9d01..9856a93 100644 /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -283,6 +293,7 @@ ifdef(`distro_gentoo',` +@@ -283,6 +294,7 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) 
@@ -10385,7 +10393,7 @@ index 34c9d01..9856a93 100644 /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -307,6 +318,7 @@ ifdef(`distro_redhat', ` +@@ -307,6 +319,7 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -10393,7 +10401,7 @@ index 34c9d01..9856a93 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -316,9 +328,11 @@ ifdef(`distro_redhat', ` +@@ -316,9 +329,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -18560,7 +18568,7 @@ index c0f858d..d639ae0 100644 accountsd_manage_lib_files($1) diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..f6e570c 100644 +index 1632f10..5bc08d2 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0) @@ -18572,7 +18580,7 @@ index 1632f10..f6e570c 100644 type accountsd_var_lib_t; files_type(accountsd_var_lib_t) -@@ -32,6 +34,7 @@ files_read_usr_files(accountsd_t) +@@ -32,10 +34,12 @@ files_read_usr_files(accountsd_t) files_read_mnt_files(accountsd_t) fs_list_inotifyfs(accountsd_t) 
@@ -18580,7 +18588,12 @@ index 1632f10..f6e570c 100644 fs_read_noxattr_fs_files(accountsd_t) auth_use_nsswitch(accountsd_t) -@@ -55,3 +58,8 @@ optional_policy(` + auth_read_shadow(accountsd_t) ++auth_read_login_records(accountsd_t) + + miscfiles_read_localization(accountsd_t) + +@@ -55,3 +59,8 @@ optional_policy(` optional_policy(` policykit_dbus_chat(accountsd_t) ') @@ -24635,10 +24648,36 @@ index 7d2cf85..92b621a 100644 optional_policy(` diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if -index 9971337..f081899 100644 +index 9971337..536e2d1 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if -@@ -138,6 +138,7 @@ interface(`courier_read_config',` +@@ -104,6 +104,25 @@ interface(`courier_domtrans_authdaemon',` + domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t) + ') + ++####################################### ++## ++## Connect to courier-authdaemon over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`courier_stream_connect_authdaemon',` ++ gen_require(` ++ type courier_authdaemon_t, courier_spool_t; ++ ') ++ ++ files_search_spool($1) ++ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) ++') ++ + ######################################## + ## + ## Execute the courier POP3 and IMAP server with +@@ -138,6 +157,7 @@ interface(`courier_read_config',` type courier_etc_t; ') @@ -24646,7 +24685,7 @@ index 9971337..f081899 100644 read_files_pattern($1, courier_etc_t, courier_etc_t) ') -@@ -157,6 +158,7 @@ interface(`courier_manage_spool_dirs',` +@@ -157,6 +177,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') @@ -24654,7 +24693,7 @@ index 9971337..f081899 100644 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -176,6 +178,7 @@ interface(`courier_manage_spool_files',` +@@ -176,6 +197,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') 
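Review bot: The summary of the new `courier_stream_connect_authdaemon` interface in the courier.if hunk does not say what it actually grants: beyond the socket connect, `stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)` gives the caller search on the spool directory and write on every sock_file labelled courier_spool_t, not only the authdaemon socket. A summary such as `## Connect to courier-authdaemon over a unix stream socket in the courier spool directory (grants write to courier_spool_t sock_files).` would make that scope visible to callers, and fixes the article in `an unix stream socket`. The interface body itself looks consistent with the other courier spool interfaces, which also call `files_search_spool($1)` first.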
@@ -24662,7 +24701,7 @@ index 9971337..f081899 100644 manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -194,6 +197,7 @@ interface(`courier_read_spool',` +@@ -194,6 +216,7 @@ interface(`courier_read_spool',` type courier_spool_t; ') @@ -27532,10 +27571,10 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..1f4cf3b +index 0000000..399dbdb --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,179 @@ +@@ -0,0 +1,186 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -27590,7 +27629,7 @@ index 0000000..1f4cf3b +# +allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; +allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; -+allow dirsrv_t self:fifo_file rw_fifo_file_perms; ++allow dirsrv_t self:fifo_file manage_fifo_file_perms; +allow dirsrv_t self:sem create_sem_perms; +allow dirsrv_t self:tcp_socket create_stream_socket_perms; + @@ -27625,8 +27664,10 @@ index 0000000..1f4cf3b +manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) +manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t) +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) ++allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + +kernel_read_system_state(dirsrv_t) ++ernel_read_kernel_sysctls(dirsrv_t) + +corecmd_search_sbin(dirsrv_t) + @@ -27665,6 +27706,11 @@ index 0000000..1f4cf3b + kerberos_use(dirsrv_t) +') + ++# FIPS mode ++optional_policy(` ++ prelink_exec(dirsrv_t) ++') ++ +optional_policy(` + rpcbind_stream_connect(dirsrv_t) +') @@ -28730,7 +28776,7 @@ index f590a1f..26a6299 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..aae90fa 100644 +index 2a69e5e..284cdfd 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te 
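Review bot: The new line `ernel_read_kernel_sysctls(dirsrv_t)` in the dirsrv.te hunk is missing its leading `k`; it should be `kernel_read_kernel_sysctls(dirsrv_t)`. As written, m4 leaves the unknown name unexpanded and the module will most likely fail at checkmodule time rather than silently grant nothing, so this blocks the whole policy build. The `# FIPS mode` comment above the new `prelink_exec(dirsrv_t)` also gives no reason for the access; a comment like `# FIPS mode: library integrity self-checks run prelink to verify checksums` (presumably what fipscheck does here — confirm) would tell the next reader why a directory server needs to execute prelink.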
@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) @@ -28787,7 +28833,7 @@ index 2a69e5e..aae90fa 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +110,36 @@ optional_policy(` +@@ -94,5 +110,40 @@ optional_policy(` ') optional_policy(` @@ -28802,6 +28848,10 @@ index 2a69e5e..aae90fa 100644 + libs_exec_ldconfig(fail2ban_t) +') + ++optional_policy(` ++ shorewall_domtrans(fail2ban_t) ++') ++ +######################################## +# +# fail2ban client local policy @@ -34407,7 +34457,7 @@ index 343cee3..5991e63 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..fe56f9b 100644 +index 64268e4..6a85cd6 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -34458,7 +34508,7 @@ index 64268e4..fe56f9b 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +87,28 @@ optional_policy(` +@@ -92,25 +87,42 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -34488,7 +34538,12 @@ index 64268e4..fe56f9b 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +117,8 @@ optional_policy(` + + optional_policy(` ++ courier_stream_connect_authdaemon(system_mail_t) ++') ++ ++optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -34497,7 +34552,7 @@ index 64268e4..fe56f9b 100644 ') optional_policy(` -@@ -124,12 +132,9 @@ optional_policy(` +@@ -124,12 +136,9 @@ optional_policy(` ') optional_policy(` @@ -34512,7 +34567,7 @@ index 64268e4..fe56f9b 100644 ') optional_policy(` -@@ -146,6 +151,10 @@ optional_policy(` +@@ -146,6 +155,10 @@ optional_policy(` ') optional_policy(` 
@@ -34523,7 +34578,7 @@ index 64268e4..fe56f9b 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,22 +167,13 @@ optional_policy(` +@@ -158,22 +171,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -34549,7 +34604,7 @@ index 64268e4..fe56f9b 100644 ') optional_policy(` -@@ -189,6 +189,10 @@ optional_policy(` +@@ -189,6 +193,10 @@ optional_policy(` ') optional_policy(` @@ -34560,7 +34615,7 @@ index 64268e4..fe56f9b 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +203,7 @@ optional_policy(` +@@ -199,7 +207,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -34569,7 +34624,7 @@ index 64268e4..fe56f9b 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +224,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -34579,7 +34634,7 @@ index 64268e4..fe56f9b 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +247,10 @@ optional_policy(` +@@ -242,6 +251,10 @@ optional_policy(` ') optional_policy(` @@ -34590,7 +34645,7 @@ index 64268e4..fe56f9b 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,11 +258,20 @@ optional_policy(` +@@ -249,11 +262,20 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -34611,7 +34666,7 @@ index 64268e4..fe56f9b 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +310,44 @@ optional_policy(` +@@ -292,3 +314,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') 
@@ -46092,7 +46147,7 @@ index 2dad3c8..a24b7af 100644 optional_policy(` diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if -index 941380a..6dbfc01 100644 +index 941380a..ce8c972 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -5,9 +5,9 @@ @@ -46123,7 +46178,23 @@ index 941380a..6dbfc01 100644 ') ######################################## -@@ -225,21 +225,15 @@ interface(`sssd_stream_connect',` +@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',` + + files_search_var_lib($1) + read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + ') + + ######################################## +@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',` + + files_search_var_lib($1) + manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) ++ manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) + ') + + ######################################## +@@ -225,21 +227,15 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## @@ -46149,7 +46220,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..f6ef6a9 100644 +index 8ffa257..22b6731 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) 
@@ -46166,16 +46237,18 @@ index 8ffa257..f6ef6a9 100644 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -39,7 +41,7 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) +@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) ++manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) -files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } ) +files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir }) manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,10 +50,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,10 +51,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -46191,7 +46264,7 @@ index 8ffa257..f6ef6a9 100644 dev_read_urand(sssd_t) domain_read_all_domains_state(sssd_t) -@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t) +@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -46199,7 +46272,7 @@ index 8ffa257..f6ef6a9 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) @@ -46208,7 +46281,7 @@ index 8ffa257..f6ef6a9 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) 
@@ -46221,7 +46294,7 @@ index 8ffa257..f6ef6a9 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +101,28 @@ optional_policy(` +@@ -87,4 +102,28 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -55918,7 +55991,7 @@ index 58bc27f..c3fe956 100644 + allow $1 lvm_t:process signull; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..2b53ee6 100644 +index a0a0ebf..71df206 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -56078,7 +56151,7 @@ index a0a0ebf..2b53ee6 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +362,26 @@ optional_policy(` +@@ -331,14 +362,27 @@ optional_policy(` ') optional_policy(` @@ -56098,7 +56171,8 @@ index a0a0ebf..2b53ee6 100644 ') optional_policy(` -+ systemd_passwd_agent_dev_template(lvm) ++ #systemd_passwd_agent_dev_template(lvm) ++ systemd_manage_passwd_run(lvm_t) +') + +optional_policy(` @@ -58625,7 +58699,7 @@ index df32316..0f71f92 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..c7476cb +index 0000000..dade60b --- /dev/null +++ b/policy/modules/system/systemd.fc @@ -0,0 +1,14 @@ @@ -58640,15 +58714,15 @@ index 0000000..c7476cb +/lib/systemd/system(/.*)? -- gen_context(system_u:object_r:systemd_unit_file_t,s0) +/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + -+/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) -+/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) ++/var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) ++/var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0) + 
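Review bot: The lvm.te hunk leaves the old call behind as commented-out code, `#systemd_passwd_agent_dev_template(lvm)`, directly above its replacement `systemd_manage_passwd_run(lvm_t)`; the commented line should be deleted rather than kept, since the commit history already records the switch. If the template is no longer meant to be used at all now that the ask-password files moved to `systemd_passwd_var_run_t` (see the systemd.fc hunk on this same line), that deserves a one-line note in the optional_policy block, e.g. `# ask-password files now live under /run/systemd and use systemd_manage_passwd_run`, otherwise the next reader will not know which of the two is the supported path.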
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..fe2a3fd +index 0000000..8e06a02 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,322 @@ +@@ -0,0 +1,345 @@ +## SELinux policy for systemd components + +####################################### @@ -58943,6 +59017,29 @@ index 0000000..fe2a3fd + +###################################### +## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_passwd_run',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ type systemd_passwd_var_run_t; ++ ') ++ ++ manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) ++ ++ allow systemd_passwd_agent_t $1:process signull; ++ allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; ++') ++ ++###################################### ++## +## Template for temporary sockets and files in /dev/.systemd/ask-password +## which are used by systemd-passwd-agent +## @@ -58973,10 +59070,10 @@ index 0000000..fe2a3fd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..2437352 +index 0000000..48c24ba --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,225 @@ +@@ -0,0 +1,227 @@ + +policy_module(systemd, 1.0.0) + 
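Review bot: The summary on the new `systemd_manage_passwd_run` interface, `Send generic signals to systemd_passwd_agent processes.`, describes the opposite direction of what the body grants: the caller gets manage on files and sock_files of `systemd_passwd_var_run_t`, and it is `systemd_passwd_agent_t` that is allowed `signull` and `unix_dgram_socket sendto` towards the caller. A summary such as `## Manage the ask-password files and sockets under /run/systemd and allow the password agent to signal and send datagrams to the caller.` would match the rules. The interface also does not give the caller a path to the directory; the other pid-directory interfaces in the tree pair such patterns with `files_search_pids($1)`, and callers like lvm_t may not otherwise have it — worth confirming. The context lines after the new interface still describe the older template as using `/dev/.systemd/ask-password`, which the systemd.fc hunk in this commit no longer labels; that doc comment is outside the new lines of this hunk but should be updated alongside.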
@@ -59032,9 +59129,11 @@ index 0000000..2437352 +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + -+allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms; -+dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) -+init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) ++manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file }) + +kernel_stream_connect(systemd_passwd_agent_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 41b7857..622da55 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 43%{?dist} +Release: 44%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,10 @@ exit 0 %endif %changelog +* Fri Oct 21 2011 Miroslav Grepl 3.9.16-44 +- Fixes for systemd +- Add FIPS suppport for dirsrv + * Tue Oct 11 2011 Miroslav Grepl 3.9.16-43 - Allow sa-update to update rules - Allow sa-update to read spamd tmp file
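Review bot: The systemd.te hunk makes `systemd_passwd_agent_t` manage and transition into `systemd_passwd_var_run_t`, but no hunk in this commit declares that type; the file header goes from 225 to 227 lines and this hunk alone accounts for the +2, so the declaration must already exist in the unchanged part of the file (`type systemd_passwd_var_run_t;` with `files_pid_file(systemd_passwd_var_run_t)`), which is worth confirming because an undeclared type fails at checkmodule time. The four new `manage_*_pattern(...)` lines end in a stray `;` while the adjacent `init_pid_filetrans(...)` does not and the rest of the file uses none; each pattern already expands to complete `allow` statements, so the semicolon is at best an empty statement — drop it for consistency and verify that checkpolicy accepts the file either way. With `dev_filetrans` removed here and the /dev/.systemd entries removed from systemd.fc, `systemd_device_t` may now be unreferenced; if so, its declaration and the fc comment describing it should go too.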