From c091457a61badb4df7d0299e829a68759904faec Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 29 2012 11:22:49 +0000 Subject: * Wed Aug 29 2012 Miroslav Grepl 3.11.1-14 - Allow realmd to read resolv.conf - Add pegasus_cache_t type - Label /usr/sbin/fence_virtd as virsh_exec_t - Add policy for pkcsslotd - Add support for cpglockd - Allow polkit-agent-helper to read system-auth-ac - telepathy-idle wants to read gschemas.compiled - Allow plymouthd to getattr on fs_t - Add slpd policy - Allow ksysguardproces to read/write config_usr_t --- diff --git a/permissivedomains.pp b/permissivedomains.pp index 6f9e1d2..4f2f3f6 100644 Binary files a/permissivedomains.pp and b/permissivedomains.pp differ diff --git a/permissivedomains.te b/permissivedomains.te index 46ccb27..2e6674f 100644 --- a/permissivedomains.te +++ b/permissivedomains.te @@ -1,2 +1,27 @@ policy_module(permissivedomains,18) +optional_policy(` + gen_require(` + type sensord_t; + ') + + permissive sensord_t; +') + + +optional_policy(` + gen_require(` + type slpd_t; + ') + + permissive slpd_t; +') + +optional_policy(` + gen_require(` + type pkcsslotd_t; + ') + + permissive pkcsslotd_t; +') + diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index aacdc06..0869c84 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -23060,7 +23060,7 @@ index f5afe78..5701c86 100644 + type_transition $1 gkeyringd_exec_t:process $2; +') diff --git a/gnome.te b/gnome.te -index 783c5fb..9d2b881 100644 +index 783c5fb..fbd1f6c 100644 --- a/gnome.te +++ b/gnome.te @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0) @@ -23131,7 +23131,7 @@ index 783c5fb..9d2b881 100644 ############################## # # Local Policy -@@ -73,3 +114,165 @@ optional_policy(` +@@ -73,3 +114,167 @@ optional_policy(` xserver_use_xdm_fds(gconfd_t) xserver_rw_xdm_pipes(gconfd_t) ') @@ -23189,6 +23189,8 @@ index 783c5fb..9d2b881 100644 +allow gnomesystemmm_t self:capability sys_nice; +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms; + ++rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t) ++ +kernel_read_system_state(gnomesystemmm_t) + +corecmd_search_bin(gnomesystemmm_t) @@ -39810,10 +39812,20 @@ index ceafba6..dbf1b71 100644 + udev_read_db(pcscd_t) +') diff --git a/pegasus.te b/pegasus.te -index 3185114..e196595 100644 +index 3185114..35dbccb 100644 --- a/pegasus.te +++ b/pegasus.te -@@ -16,7 +16,7 @@ type pegasus_tmp_t; +@@ -9,6 +9,9 @@ type pegasus_t; + type pegasus_exec_t; + init_daemon_domain(pegasus_t, pegasus_exec_t) + ++type pegasus_cache_t; ++files_type(pegasus_cache_t) ++ + type pegasus_data_t; + files_type(pegasus_data_t) + +@@ -16,7 +19,7 @@ type pegasus_tmp_t; files_tmp_file(pegasus_tmp_t) type pegasus_conf_t; @@ -39822,7 +39834,7 @@ index 3185114..e196595 100644 type pegasus_mof_t; files_type(pegasus_mof_t) -@@ -29,7 +29,7 @@ files_pid_file(pegasus_var_run_t) +@@ -29,7 +32,7 @@ files_pid_file(pegasus_var_run_t) # Local policy # @@ -39831,7 +39843,7 @@ index 3185114..e196595 100644 dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; -@@ -38,7 +38,7 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +@@ -38,9 +41,14 @@ allow pegasus_t self:unix_stream_socket create_stream_socket_perms; allow pegasus_t self:tcp_socket create_stream_socket_perms; allow pegasus_t pegasus_conf_t:dir rw_dir_perms; @@ -39839,8 +39851,15 @@ index 3185114..e196595 100644 +allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms }; allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; ++manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) ++manage_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) ++manage_lnk_files_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) ++files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) ++ manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) -@@ -56,17 +56,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) + manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) + manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) +@@ -56,17 +64,20 @@ manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t) files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir }) @@ -39864,7 +39883,7 @@ index 3185114..e196595 100644 corenet_all_recvfrom_netlabel(pegasus_t) corenet_tcp_sendrecv_generic_if(pegasus_t) corenet_tcp_sendrecv_generic_node(pegasus_t) -@@ -95,11 +98,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -95,11 +106,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -39877,7 +39896,7 @@ index 3185114..e196595 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) files_read_var_lib_symlinks(pegasus_t) -@@ -121,10 +124,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) +@@ -121,10 +132,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t) userdom_dontaudit_search_user_home_dirs(pegasus_t) optional_policy(` @@ -39908,7 +39927,7 @@ index 3185114..e196595 100644 seutil_sigchld_newrole(pegasus_t) seutil_dontaudit_read_config(pegasus_t) ') -@@ -136,3 +159,14 @@ optional_policy(` +@@ -136,3 +167,14 @@ optional_policy(` optional_policy(` unconfined_signull(pegasus_t) ') @@ -40750,6 +40769,254 @@ index 0000000..f29bf1d +miscfiles_read_localization(piranha_domain) + +sysnet_read_config(piranha_domain) +diff --git a/pkcsslotd.fc b/pkcsslotd.fc +new file mode 100644 +index 0000000..dd1b8f2 +--- /dev/null ++++ b/pkcsslotd.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0) ++ ++/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0) ++ ++/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0) +diff --git a/pkcsslotd.if b/pkcsslotd.if +new file mode 100644 +index 0000000..db15de4 +--- /dev/null ++++ b/pkcsslotd.if +@@ -0,0 +1,162 @@ ++ ++## policy for pkcsslotd ++ ++######################################## ++## ++## Transition to pkcsslotd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pkcsslotd_domtrans',` ++ gen_require(` ++ type pkcsslotd_t, pkcsslotd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t) ++') ++ ++######################################## ++## ++## Search pkcsslotd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcsslotd_search_lib',` ++ gen_require(` ++ type pkcsslotd_var_lib_t; ++ ') ++ ++ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read pkcsslotd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcsslotd_read_lib_files',` ++ gen_require(` ++ type pkcsslotd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pkcsslotd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcsslotd_manage_lib_files',` ++ gen_require(` ++ type pkcsslotd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage pkcsslotd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pkcsslotd_manage_lib_dirs',` ++ gen_require(` ++ type pkcsslotd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++') ++ ++######################################## ++## ++## Execute pkcsslotd server in the pkcsslotd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pkcsslotd_systemctl',` ++ gen_require(` ++ type pkcsslotd_t; ++ type pkcsslotd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 pkcsslotd_unit_file_t:file read_file_perms; ++ allow $1 pkcsslotd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, pkcsslotd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pkcsslotd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`pkcsslotd_admin',` ++ gen_require(` ++ type pkcsslotd_t; ++ type pkcsslotd_var_lib_t; ++ type pkcsslotd_unit_file_t; ++ ') ++ ++ allow $1 pkcsslotd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, pkcsslotd_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, pkcsslotd_var_lib_t) ++ ++ pkcsslotd_systemctl($1) ++ admin_pattern($1, pkcsslotd_unit_file_t) ++ allow $1 pkcsslotd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/pkcsslotd.te b/pkcsslotd.te +new file mode 100644 +index 0000000..25e0365 +--- /dev/null ++++ b/pkcsslotd.te +@@ -0,0 +1,63 @@ ++policy_module(pkcsslotd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pkcsslotd_t; ++type pkcsslotd_exec_t; ++init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t) ++ ++type pkcsslotd_var_lib_t; ++files_type(pkcsslotd_var_lib_t) ++ ++type pkcsslotd_unit_file_t; ++systemd_unit_file(pkcsslotd_unit_file_t) ++ ++type pkcsslotd_tmp_t; ++files_tmp_file(pkcsslotd_tmp_t) ++ ++type pkcsslotd_tmpfs_t; ++files_tmpfs_file(pkcsslotd_tmpfs_t) ++ ++type pkcsslotd_var_run_t; ++files_pid_file(pkcsslotd_var_run_t) ++ ++######################################## ++# ++# pkcsslotd local policy ++# ++ ++allow pkcsslotd_t self:capability { kill }; ++allow pkcsslotd_t self:process { fork }; ++ ++allow pkcsslotd_t self:fifo_file rw_fifo_file_perms; ++allow pkcsslotd_t self:sem create_sem_perms; ++allow pkcsslotd_t self:shm create_shm_perms; ++allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) ++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t) ++files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir }) ++ ++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t) ++manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t) ++fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t) ++files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file }) ++ ++manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t) ++manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t) ++files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir }) ++ ++domain_use_interactive_fds(pkcsslotd_t) ++ ++files_read_etc_files(pkcsslotd_t) ++ ++logging_send_syslog_msg(pkcsslotd_t) ++ ++miscfiles_read_localization(pkcsslotd_t) diff --git a/plymouthd.fc b/plymouthd.fc index 5702ca4..498d856 100644 --- a/plymouthd.fc @@ -40861,7 +41128,7 @@ index 9759ed8..17c097d 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index 86700ed..1600742 100644 +index 86700ed..516c781 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ @@ -40904,7 +41171,12 @@ index 86700ed..1600742 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,34 @@ domain_use_interactive_fds(plymouthd_t) +@@ -57,13 +65,39 @@ dev_write_framebuffer(plymouthd_t) + + domain_use_interactive_fds(plymouthd_t) + ++fs_getattr_all_fs(plymouthd_t) ++ files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -40939,7 +41211,7 @@ index 86700ed..1600742 100644 ######################################## # # Plymouth private policy -@@ -74,6 +106,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +108,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -41133,7 +41405,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 44db896..5bf2bf0 100644 +index 44db896..612b723 100644 --- a/policykit.te +++ b/policykit.te @@ -1,51 +1,73 @@ @@ -41223,7 +41495,7 @@ index 44db896..5bf2bf0 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +78,110 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -41322,6 +41594,7 @@ index 44db896..5bf2bf0 100644 +dev_read_video_dev(policykit_auth_t) -files_read_etc_files(policykit_auth_t) ++files_read_etc_runtime_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) +files_search_home(policykit_auth_t) @@ -41348,7 +41621,7 @@ index 44db896..5bf2bf0 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +194,26 @@ optional_policy(` +@@ -118,14 +195,26 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -41377,7 +41650,7 @@ index 44db896..5bf2bf0 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -142,22 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -142,22 +231,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -41405,7 +41678,7 @@ index 44db896..5bf2bf0 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +253,8 @@ optional_policy(` +@@ -167,9 +254,8 @@ optional_policy(` # polkit_resolve local policy # @@ -41417,7 +41690,7 @@ index 44db896..5bf2bf0 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -182,17 +267,10 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t +@@ -182,17 +268,10 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t can_exec(policykit_resolve_t, policykit_resolve_exec_t) corecmd_search_bin(policykit_resolve_t) @@ -41435,7 +41708,7 @@ index 44db896..5bf2bf0 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -207,4 +285,3 @@ optional_policy(` +@@ -207,4 +286,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -48117,10 +48390,10 @@ index 0000000..48ea717 +') diff --git a/realmd.te b/realmd.te new file mode 100644 -index 0000000..3f5f701 +index 0000000..5b97fd2 --- /dev/null +++ b/realmd.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,47 @@ +policy_module(realmd, 1.0.0) + +######################################## @@ -48148,6 +48421,8 @@ index 0000000..3f5f701 + +miscfiles_read_localization(realmd_t) + ++sysnet_read_config(realmd_t) ++ +optional_policy(` + dbus_system_domain(realmd_t, realmd_exec_t) +') @@ -48286,19 +48561,24 @@ index d457736..eabdd78 100644 + stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t) ') diff --git a/rgmanager.fc b/rgmanager.fc -index 3c97ef0..d3de440 100644 +index 3c97ef0..9c7d1e3 100644 --- a/rgmanager.fc +++ b/rgmanager.fc -@@ -1,6 +1,8 @@ +@@ -1,7 +1,13 @@ ++/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0) + ++/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0) /usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0) -/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) ++/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) /var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0) ++/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) + /var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if index 7dc38d1..808f9c6 100644 --- a/rgmanager.if @@ -55498,6 +55778,158 @@ index a225c02..b53997a 100644 fs_getattr_all_fs(locate_t) fs_getattr_all_files(locate_t) +diff --git a/slpd.fc b/slpd.fc +new file mode 100644 +index 0000000..5064a4a +--- /dev/null ++++ b/slpd.fc +@@ -0,0 +1,7 @@ ++/etc/rc\.d/init\.d/slpd -- gen_context(system_u:object_r:slpd_initrc_exec_t,s0) ++ ++/usr/sbin/slpd -- gen_context(system_u:object_r:slpd_exec_t,s0) ++ ++/var/log/slpd\.log -- gen_context(system_u:object_r:slpd_var_log_t,s0) ++ ++/var/run/slpd\.pid -- gen_context(system_u:object_r:slpd_var_run_t,s0) +diff --git a/slpd.if b/slpd.if +new file mode 100644 +index 0000000..75931f8 +--- /dev/null ++++ b/slpd.if +@@ -0,0 +1,75 @@ ++ ++## OpenSLP server daemon to dynamically register services. ++ ++######################################## ++## ++## Transition to slpd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`slpd_domtrans',` ++ gen_require(` ++ type slpd_t, slpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, slpd_exec_t, slpd_t) ++') ++ ++######################################## ++## ++## Execute slpd server in the slpd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`slpd_initrc_domtrans',` ++ gen_require(` ++ type slpd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, slpd_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an slpd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`slpd_admin',` ++ gen_require(` ++ type slpd_t; ++ type slpd_initrc_exec_t; ++ ') ++ ++ allow $1 slpd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, slpd_t) ++ ++ slpd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 slpd_initrc_exec_t system_r; ++ allow $2 system_r; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/slpd.te b/slpd.te +new file mode 100644 +index 0000000..a7a76a7 +--- /dev/null ++++ b/slpd.te +@@ -0,0 +1,52 @@ ++policy_module(slpd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type slpd_t; ++type slpd_exec_t; ++init_daemon_domain(slpd_t, slpd_exec_t) ++ ++type slpd_initrc_exec_t; ++init_script_file(slpd_initrc_exec_t) ++ ++type slpd_var_log_t; ++logging_log_file(slpd_var_log_t) ++ ++type slpd_var_run_t; ++files_pid_file(slpd_var_run_t) ++ ++######################################## ++# ++# slpd local policy ++# ++ ++allow slpd_t self:capability { kill setgid setuid }; ++allow slpd_t self:process { fork signal }; ++allow slpd_t self:fifo_file rw_fifo_file_perms; ++allow slpd_t self:tcp_socket { create_socket_perms listen }; ++allow slpd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(slpd_t, slpd_var_log_t, slpd_var_log_t) ++logging_log_filetrans(slpd_t, slpd_var_log_t, { file }) ++ ++manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) ++files_pid_filetrans(slpd_t, slpd_var_run_t, { file }) ++ ++corenet_all_recvfrom_netlabel(slpd_t) ++corenet_tcp_bind_generic_node(slpd_t) ++corenet_udp_bind_generic_node(slpd_t) ++corenet_tcp_bind_all_ports(slpd_t) ++corenet_udp_bind_all_ports(slpd_t) ++ ++domain_use_interactive_fds(slpd_t) ++ ++files_read_etc_files(slpd_t) ++ ++auth_use_nsswitch(slpd_t) ++ ++miscfiles_read_localization(slpd_t) ++ ++sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te index e5e72fd..92eecec 100644 --- a/slrnpull.te @@ -58320,7 +58752,7 @@ index f09171e..18952a8 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/telepathy.te b/telepathy.te -index 964978b..b75b98c 100644 +index 964978b..f8bb7e4 100644 --- a/telepathy.te +++ b/telepathy.te @@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0) @@ -58422,7 +58854,15 @@ index 964978b..b75b98c 100644 corenet_tcp_sendrecv_generic_if(telepathy_idle_t) corenet_tcp_sendrecv_generic_node(telepathy_idle_t) corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) -@@ -147,10 +159,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -128,6 +140,7 @@ corenet_sendrecv_ircd_client_packets(telepathy_idle_t) + dev_read_rand(telepathy_idle_t) + + files_read_etc_files(telepathy_idle_t) ++files_read_usr_files(telepathy_idle_t) + + tunable_policy(`telepathy_connect_all_ports',` + corenet_tcp_connect_all_ports(telepathy_idle_t) +@@ -147,10 +160,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; @@ -58436,7 +58876,7 @@ index 964978b..b75b98c 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -158,40 +173,58 @@ files_search_pids(telepathy_logger_t) +@@ -158,40 +174,58 @@ files_search_pids(telepathy_logger_t) fs_getattr_all_fs(telepathy_logger_t) @@ -58508,7 +58948,7 @@ index 964978b..b75b98c 100644 ') ####################################### -@@ -205,11 +238,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,11 +239,13 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -58523,7 +58963,7 @@ index 964978b..b75b98c 100644 corenet_tcp_sendrecv_generic_if(telepathy_msn_t) corenet_tcp_sendrecv_generic_node(telepathy_msn_t) corenet_tcp_bind_generic_node(telepathy_msn_t) -@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) +@@ -228,6 +264,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) @@ -58532,7 +58972,7 @@ index 964978b..b75b98c 100644 libs_exec_ldconfig(telepathy_msn_t) logging_send_syslog_msg(telepathy_msn_t) -@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +284,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -58543,7 +58983,7 @@ index 964978b..b75b98c 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -264,7 +305,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa +@@ -264,7 +306,6 @@ manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_sa files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file) corenet_all_recvfrom_netlabel(telepathy_salut_t) @@ -58551,7 +58991,7 @@ index 964978b..b75b98c 100644 corenet_tcp_sendrecv_generic_if(telepathy_salut_t) corenet_tcp_sendrecv_generic_node(telepathy_salut_t) corenet_tcp_bind_generic_node(telepathy_salut_t) -@@ -302,7 +342,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +@@ -302,7 +343,6 @@ allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms; corenet_all_recvfrom_netlabel(telepathy_sofiasip_t) @@ -58559,7 +58999,7 @@ index 964978b..b75b98c 100644 corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t) corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t) corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t) -@@ -361,10 +400,14 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; +@@ -361,10 +401,14 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; allow telepathy_domain self:tcp_socket create_socket_perms; allow telepathy_domain self:udp_socket create_socket_perms; @@ -58574,7 +59014,7 @@ index 964978b..b75b98c 100644 fs_search_auto_mountpoints(telepathy_domain) miscfiles_read_localization(telepathy_domain) -@@ -374,5 +417,23 @@ optional_policy(` +@@ -374,5 +418,23 @@ optional_policy(` ') optional_policy(` @@ -61458,7 +61898,7 @@ index 32a3c13..759f08c 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index 2124b6a..b52dc56 100644 +index 2124b6a..1b23633 100644 --- a/virt.fc +++ b/virt.fc @@ -1,6 +1,14 @@ @@ -61478,7 +61918,7 @@ index 2124b6a..b52dc56 100644 /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +20,52 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +20,53 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -61490,6 +61930,7 @@ index 2124b6a..b52dc56 100644 +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) -/var/cache/libvirt(/.*)? gen_context(system_u:object_r:svirt_cache_t,s0) +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6d1b7bb..7f1e0e4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Aug 29 2012 Miroslav Grepl 3.11.1-14 +- Allow realmd to read resolv.conf +- Add pegasus_cache_t type +- Label /usr/sbin/fence_virtd as virsh_exec_t +- Add policy for pkcsslotd +- Add support for cpglockd +- Allow polkit-agent-helper to read system-auth-ac +- telepathy-idle wants to read gschemas.compiled +- Allow plymouthd to getattr on fs_t +- Add slpd policy +- Allow ksysguardproces to read/write config_usr_t + * Sat Aug 25 2012 Dan Walsh 3.11.1-13 - Fix labeling substitution so rpm will label /lib/systemd content correctly