From c6618b7c7c33a6964cfb11b19eb14b44a49ee99d Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 13 2011 20:13:48 +0000 Subject: - Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files - We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t --- diff --git a/policy-F16.patch b/policy-F16.patch index 0baf745..91db857 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -62091,7 +62091,7 @@ index 94fd8dd..3e8f08e 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..7902fbb 100644 +index 29a9565..cd829ed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -62899,7 +62899,7 @@ index 29a9565..7902fbb 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1163,24 @@ optional_policy(` +@@ -815,11 +1163,26 @@ optional_policy(` ') optional_policy(` @@ -62922,10 +62922,12 @@ index 29a9565..7902fbb 100644 + mcs_socket_write_all_levels(initrc_t) + mcs_killall(initrc_t) + mcs_ptrace_all(initrc_t) ++ ++ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1190,25 @@ optional_policy(` +@@ -829,6 +1192,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -62951,7 +62953,7 @@ index 29a9565..7902fbb 100644 ') optional_policy(` -@@ -844,6 +1224,10 @@ optional_policy(` +@@ -844,6 +1226,10 @@ optional_policy(` ') optional_policy(` @@ -62962,7 +62964,7 @@ index 29a9565..7902fbb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1238,149 @@ optional_policy(` +@@ -854,3 +1240,149 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -68125,10 +68127,10 @@ index 0000000..fc8cac1 + 
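Review bot: The added `files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })` in the init.te hunk at `@@ -62922,10 +62922,12 @@` is indented with the `mcs_*` calls, whose enclosing block opens before the hunk and is not visible here; if that block is conditional, the /tmp default labeling promised in the commit message would only hold under that condition, so it is worth confirming the rule lives in an unconditional section of init.te. A one-line comment would also help, since `dir_file_class_set` makes this far broader than the usual file/dir transition: `# Everything initrc_t creates in /tmp, whatever the object class, is labeled initrc_tmp_t`. This presumes initrc_tmp_t is declared as a tmp type elsewhere in init.te; that declaration is outside this diff.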
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..3b03294
+index 0000000..ce732b0
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,353 @@
+@@ -0,0 +1,358 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -68313,6 +68315,7 @@ index 0000000..3b03294
+#
+
+allow systemd_tmpfiles_t self:capability { dac_override fowner chown fsetid };
++allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
@@ -68350,7 +68353,12 @@ index 0000000..3b03294
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
-+init_dgram_send(systemd_tmpfiles_t)
++mcs_file_read_all(systemd_tmpfiles_t)
++mcs_file_write_all(systemd_tmpfiles_t)
++mls_file_read_all_levels(systemd_tmpfiles_t)
++mls_file_write_all_levels(systemd_tmpfiles_t)
++
++selinux_get_enforce_mode(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
+auth_relabel_faillog(systemd_tmpfiles_t)
@@ -68360,12 +68368,8 @@ index 0000000..3b03294
+auth_setattr_login_records(systemd_tmpfiles_t)
+auth_use_nsswitch(systemd_tmpfiles_t)
+
-+seutil_read_file_contexts(systemd_tmpfiles_t)
-+
-+mcs_file_read_all(systemd_tmpfiles_t)
-+mcs_file_write_all(systemd_tmpfiles_t)
-+mls_file_read_all_levels(systemd_tmpfiles_t)
-+mls_file_write_all_levels(systemd_tmpfiles_t)
++init_dgram_send(systemd_tmpfiles_t)
++init_rw_stream_sockets(systemd_tmpfiles_t)
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
@@ -68374,6 +68378,9 @@ index 0000000..3b03294
+miscfiles_relabel_man_pages(systemd_tmpfiles_t)
+miscfiles_read_localization(systemd_tmpfiles_t)
+
++seutil_read_config(systemd_tmpfiles_t)
++seutil_read_file_contexts(systemd_tmpfiles_t)
++
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(systemd_tmpfiles_t)
+ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
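Review bot: `allow systemd_tmpfiles_t self:process { setfscreate };` in the hunk at `@@ -68313,6 +68315,7 @@` lets the domain choose the label of each object it creates instead of relying on type transitions, and together with `files_relabel_all_tmp_files`, `mcs_file_write_all` and `mls_file_write_all_levels` later in this file it makes systemd_tmpfiles_t a label-setting domain whose effective constraint is the tmpfiles.d configuration it reads. That is presumably the intent, but nothing in the .te says so; add a comment above the rule, e.g. `# tmpfiles creates entries with their file_contexts label via setfscreatecon(3), so it needs setfscreate`. Keeping the grant to `self:process` with that single permission, as written, is the right scope.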
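Review bot: `mls_file_read_all_levels` and `mls_file_write_all_levels` in the hunk at `@@ -68350,7 +68353,12 @@`, with the `mcs_file_read_all`/`mcs_file_write_all` pair above them, exempt systemd_tmpfiles_t from the MLS and MCS file constraints in both directions, which is a larger grant than the relabel interfaces already in this file, and the hunk records no reason for it. If the justification is that tmpfiles must create and relabel objects at every level and category, say so in a comment: `# tmpfiles creates and relabels files at any MLS level / MCS category`. `selinux_get_enforce_mode` is fine as added; it only reads the enforcing state.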
diff --git a/selinux-policy.spec b/selinux-policy.spec index 669de84..92fece9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 13 2011 Miroslav Grepl 3.10.0-28 +- Allow systemd-tmpfiles to set the correct labels on /var/run, /tmp and other files +- We want any file type that is created in /tmp by a process running as initrc_t to be labeled initrc_tmp_t + * Tue Sep 13 2011 Miroslav Grepl 3.10.0-27 - Allow collectd to read hardware state information - Add loop_control_device_t