From d11c0f54da33e58b692ad4ce5986913165a2a2c7 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 01 2011 11:30:19 +0000 Subject: - Fix abrt_manage_cache() interface - Make filetrans rules optional so base policy will build - Dontaudit chkpwd_t access to inherited TTYS - Make sure postfix content gets created with the correct label - Allow gnomeclock to read cgroup - Fixes for cloudform policy --- diff --git a/policy-F16.patch b/policy-F16.patch index 9083cd5..142d456 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1937,10 +1937,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..c66d190 +index 0000000..0bd2028 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,343 @@ +@@ -0,0 +1,349 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -2283,7 +2283,13 @@ index 0000000..c66d190 + permissive chrome_sandbox_nacl_t; +') + ++optional_policy(` ++ gen_require(` ++ type matahari_sysconfigd_t; ++ ') + ++ permissive matahari_sysconfigd_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -4664,10 +4670,10 @@ index 0000000..5901e21 +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..7cbe3a7 +index 0000000..1553356 --- /dev/null +++ b/policy/modules/apps/chrome.if -@@ -0,0 +1,131 @@ +@@ -0,0 +1,133 @@ + +## policy for chrome + 
@@ -4755,6 +4761,8 @@ index 0000000..7cbe3a7 + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; + allow chrome_sandbox_t $2:unix_stream_socket { getattr read write }; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; ++ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; + + allow $2 chrome_sandbox_t:shm rw_shm_perms; @@ -4801,10 +4809,10 @@ index 0000000..7cbe3a7 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..0eb3c23 +index 0000000..859eb9f --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,177 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4889,6 +4897,7 @@ index 0000000..0eb3c23 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +userdom_read_inherited_user_home_content_files(chrome_sandbox_t) +userdom_dontaudit_use_user_terminals(chrome_sandbox_t) ++userdom_search_user_home_content(chrome_sandbox_t) + +miscfiles_read_localization(chrome_sandbox_t) +miscfiles_read_fonts(chrome_sandbox_t) @@ -4950,6 +4959,8 @@ index 0000000..0eb3c23 +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms; +allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read }; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read }; + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; 
@@ -4963,6 +4974,7 @@ index 0000000..0eb3c23 +dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero; + +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) ++ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) + +kernel_read_system_state(chrome_sandbox_nacl_t) + @@ -7174,7 +7186,7 @@ index 40e0a2a..93d212c 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..b5d4ca3 100644 +index 9050e8c..401a4ec 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -7249,7 +7261,7 @@ index 9050e8c..b5d4ca3 100644 mta_write_config(gpg_t) -@@ -142,6 +161,15 @@ tunable_policy(`use_samba_home_dirs',` +@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -7265,22 +7277,29 @@ index 9050e8c..b5d4ca3 100644 mozilla_read_user_home_files(gpg_t) mozilla_write_user_home_files(gpg_t) ') -@@ -151,10 +179,10 @@ optional_policy(` - xserver_rw_xdm_pipes(gpg_t) + + optional_policy(` +- xserver_use_xdm_fds(gpg_t) +- xserver_rw_xdm_pipes(gpg_t) ++ spamassassin_read_spamd_tmp_files(gpg_t) ') --optional_policy(` + optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) --') ++ xserver_use_xdm_fds(gpg_t) ++ xserver_rw_xdm_pipes(gpg_t) + ') + +#optional_policy(` +# cron_system_entry(gpg_t, gpg_exec_t) +# cron_read_system_job_tmp_files(gpg_t) +#') - ++ ######################################## # -@@ -191,7 +219,7 @@ files_read_etc_files(gpg_helper_t) + # GPG helper local policy +@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) 
@@ -7289,7 +7308,7 @@ index 9050e8c..b5d4ca3 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -205,11 +233,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # @@ -7303,7 +7322,7 @@ index 9050e8c..b5d4ca3 100644 allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -@@ -239,19 +268,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) +@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -7326,7 +7345,7 @@ index 9050e8c..b5d4ca3 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') -@@ -332,6 +362,10 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -7337,7 +7356,7 @@ index 9050e8c..b5d4ca3 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -342,11 +376,21 @@ tunable_policy(`use_samba_home_dirs',` +@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -7359,7 +7378,7 @@ index 9050e8c..b5d4ca3 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +400,28 @@ optional_policy(` +@@ -356,4 +404,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -15840,7 +15859,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..b949cfb 100644 +index fae1ab1..a60d2f8 100644 --- a/policy/modules/kernel/domain.te 
+++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) 
@@ -15933,11 +15952,104 @@ index fae1ab1..b949cfb 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,122 @@ allow unconfined_domain_type domain:key *; +@@ -158,5 +195,215 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; + # act on all domains keys + allow unconfined_domain_type domain:key *; ++dev_filetrans_all_named_dev(unconfined_domain_type) ++ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + ++storage_filetrans_all_named_dev(unconfined_domain_type) ++ ++term_filetrans_all_named_dev(unconfined_domain_type) ++ ++optional_policy(` ++ authlogin_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ alsa_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ apache_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ bootloader_filetrans_config(unconfined_domain_type) ++') ++ ++optional_policy(` ++ gnome_filetrans_admin_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ devicekit_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ dnsmasq_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ kerberos_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ libs_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ miscfiles_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ mta_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ modules_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ networkmanager_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ nx_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ 
postfix_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ pulseaudio_filetrans_home_content(unconfined_domain_type) ++ pulseaudio_filetrans_admin_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ quota_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ sysnet_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) ++') ++ ++optional_policy(` ++ virt_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` ++ ssh_filetrans_admin_home_content(unconfined_domain_type) ++') ++ +selinux_getattr_fs(domain) +selinux_search_fs(domain) +selinux_dontaudit_read_fs(domain) @@ -21006,7 +21118,7 @@ index 2be17d2..b172ab4 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..2d6db89 100644 +index e14b961..c6aa0bc 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,52 @@ ifndef(`enable_mls',` @@ -21150,14 +21262,14 @@ index e14b961..2d6db89 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) ++ kudzu_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') 
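Review bot: Moving the named file transitions from unconfined_t (they are dropped from unconfineduser.te in the later hunks) to unconfined_domain_type widens them to every domain carrying that attribute, which is presumably more than the interactive user domain, while the commit message only says the rules were made optional so the base module builds. If the wider scope is intended, a comment at the top of the block such as `# named file transitions apply to every unconfined domain, not only unconfined_t` records it; if not, unconfineduser.te was the narrower home. `dev_filetrans_all_named_dev(unconfined_domain_type)` is also inserted between the `# act on all domains keys` rule and the `# receive from all domains over labeled networking` comment, which detaches that comment from its rule; moving the line down beside the `storage_` and `term_` calls keeps each comment with its own statement. The rest of the hunk, from `selinux_getattr_fs(domain)` on, is unchanged context.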
@@ -21239,43 +21351,47 @@ index e14b961..2d6db89 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +334,19 @@ optional_policy(` +@@ -253,31 +334,32 @@ optional_policy(` ') optional_policy(` - pyzor_role(sysadm_r, sysadm_t) -+ prelink_run(sysadm_t, sysadm_r) ++ postfix_filetrans_named_content(sysadm_t) ') optional_policy(` - quota_run(sysadm_t, sysadm_r) -+ puppet_run_puppetca(sysadm_t, sysadm_r) ++ prelink_run(sysadm_t, sysadm_r) ') optional_policy(` - raid_run_mdadm(sysadm_r, sysadm_t) -+ quota_run(sysadm_t, sysadm_r) ++ puppet_run_puppetca(sysadm_t, sysadm_r) ') optional_policy(` - razor_role(sysadm_r, sysadm_t) ++ quota_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- rpc_domtrans_nfsd(sysadm_t) + raid_domtrans_mdadm(sysadm_t) ') optional_policy(` -@@ -274,10 +355,7 @@ optional_policy(` +- rpm_run(sysadm_t, sysadm_r) ++ rpc_domtrans_nfsd(sysadm_t) + ') optional_policy(` - rpm_run(sysadm_t, sysadm_r) --') -- --optional_policy(` - rssh_role(sysadm_r, sysadm_t) ++ rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') optional_policy(` -@@ -302,12 +380,18 @@ optional_policy(` +@@ -302,12 +384,18 @@ optional_policy(` ') optional_policy(` @@ -21295,7 +21411,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -332,7 +416,10 @@ optional_policy(` +@@ -332,7 +420,10 @@ optional_policy(` ') optional_policy(` @@ -21307,7 +21423,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -343,19 +430,15 @@ optional_policy(` +@@ -343,19 +434,15 @@ optional_policy(` ') optional_policy(` @@ -21329,7 +21445,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -367,45 +450,45 @@ optional_policy(` +@@ -367,45 +454,45 @@ optional_policy(` ') optional_policy(` @@ -21386,7 +21502,7 @@ index e14b961..2d6db89 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +501,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +505,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21397,7 +21513,7 @@ index e14b961..2d6db89 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +518,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +522,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21405,7 +21521,7 @@ index e14b961..2d6db89 100644 ') optional_policy(` -@@ -446,11 +526,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +530,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22184,10 +22300,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..b1e60db +index 0000000..4163dc5 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,499 @@ +@@ -0,0 +1,442 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -22271,20 +22387,6 @@ index 0000000..b1e60db +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) + -+dev_filetrans_all_named_dev(unconfined_t) -+storage_filetrans_all_named_dev(unconfined_t) -+term_filetrans_all_named_dev(unconfined_t) -+ -+authlogin_filetrans_named_content(unconfined_t) -+ -+miscfiles_filetrans_named_content(unconfined_t) -+ -+sysnet_filetrans_named_content(unconfined_t) -+ -+optional_policy(` -+ ssh_filetrans_admin_home_content(unconfined_t) -+') -+ +mcs_killall(unconfined_t) +mcs_ptrace_all(unconfined_t) +mls_file_write_all_levels(unconfined_t) @@ -22293,8 +22395,6 @@ index 0000000..b1e60db +init_domtrans_script(unconfined_t) +init_telinit(unconfined_t) + -+lib_filetrans_named_content(unconfined_t) -+ +logging_send_syslog_msg(unconfined_t) +logging_run_auditctl(unconfined_t, unconfined_r) + @@ -22307,8 +22407,6 @@ index 0000000..b1e60db + +unconfined_domain_noaudit(unconfined_t) + -+userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) -+ +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + 
@@ -22361,7 +22459,6 @@ index 0000000..b1e60db + devicekit_dbus_chat(unconfined_usertype) + devicekit_dbus_chat_disk(unconfined_usertype) + devicekit_dbus_chat_power(unconfined_usertype) -+ devicekit_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -22370,7 +22467,6 @@ index 0000000..b1e60db + + optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) -+ networkmanager_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -22415,12 +22511,7 @@ index 0000000..b1e60db +') + +optional_policy(` -+ alsa_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + apache_run_helper(unconfined_t, unconfined_r) -+ apache_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -22428,10 +22519,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ bootloader_filetrans_config(unconfined_t) -+') -+ -+optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_usertype) + + tunable_policy(`unconfined_chrome_sandbox_transition',` @@ -22475,7 +22562,6 @@ index 0000000..b1e60db + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) -+ gnome_filetrans_admin_home_content(unconfined_usertype) + gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + @@ -22505,10 +22591,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ dnsmasq_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + firstboot_run(unconfined_t, unconfined_r) +') + @@ -22525,10 +22607,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ kerberos_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + livecd_run(unconfined_t, unconfined_r) +') + @@ -22542,7 +22620,6 @@ index 0000000..b1e60db + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) -+ modules_filetrans_named_content(unconfined_t) +') + +optional_policy(` 
@@ -22561,18 +22638,10 @@ index 0000000..b1e60db +') + +optional_policy(` -+ mta_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + ncftool_run(unconfined_t, unconfined_r) +') + +optional_policy(` -+ nx_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + @@ -22585,15 +22654,6 @@ index 0000000..b1e60db +') + +optional_policy(` -+ pulseaudio_filetrans_admin_home_content(unconfined_usertype) -+ pulseaudio_filetrans_home_content(unconfined_usertype) -+') -+ -+optional_policy(` -+ quota_filetrans_named_content(unconfined_t) -+') -+ -+optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -22622,7 +22682,6 @@ index 0000000..b1e60db + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -23069,7 +23128,7 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..6b739e6 100644 +index 0b827c5..b2d6129 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if @@ -71,6 +71,7 @@ interface(`abrt_read_state',` @@ -23090,7 +23149,7 @@ index 0b827c5..6b739e6 100644 ## ## ## -@@ -169,12 +169,51 @@ interface(`abrt_run_helper',` +@@ -169,12 +169,52 @@ interface(`abrt_run_helper',` ## ## # 
@@ -23139,11 +23198,12 @@ index 0b827c5..6b739e6 100644 ') manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ') #################################### -@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',` +@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -23168,7 +23228,7 @@ index 0b827c5..6b739e6 100644 ##################################### ## ## All of the rules required to administrate -@@ -286,18 +343,116 @@ interface(`abrt_admin',` +@@ -286,18 +344,116 @@ interface(`abrt_admin',` role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -24127,7 +24187,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..8002a1f 100644 +index 9e39aa5..a9959fa 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -24139,8 +24199,8 @@ index 9e39aa5..8002a1f 100644 /etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -/etc/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) -+/etc/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) 
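Review bot: `manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)` extends abrt_manage_cache() to creating and removing symlinks in the cache, but the interface's summary block lies above the hunk and, as far as the hunk shows, still describes the old scope; it should now say that the caller can create, read, write and delete directories, files and symbolic links in abrt cache content. The grant propagates to every caller of this interface, including whatever abrt_admin() (hunk `@@ -286,18 +344,116 @@` in this file) pulls in, so the summary is where those callers will learn about it. The enclosing interface starts outside the hunk.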
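Review bot: `/etc/drupal.*` replaces `/etc/drupal(6)?(/.*)?` and is no longer anchored at a path-component boundary, so any /etc entry whose name merely starts with `drupal` (a backup file or a sibling package's config, say) is labelled httpd_sys_rw_content_t, i.e. writable by the web server domain; the same widening appears in the `/usr/share/drupal.*` hunk (`@@ -24191,8 +24251,8 @@`) and the `/var/lib/drupal.*` hunk (`@@ -24217,7 +24277,7 @@`). If the aim is to cover versioned directories such as drupal6 and drupal7, a constructed pattern like `/etc/drupal[0-9]*(/.*)?` keeps those directories and their contents while stopping at the component boundary. A short comment above the line naming the directory layouts it is meant to match would make the regex reviewable later.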
@@ -24191,8 +24251,8 @@ index 9e39aa5..8002a1f 100644 -/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -24217,7 +24277,7 @@ index 9e39aa5..8002a1f 100644 /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -29165,10 +29225,10 @@ index 6077339..d10acd2 100644 dev_manage_generic_blk_files(clogd_t) diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc new file mode 100644 -index 0000000..2c745ea +index 0000000..b5058ac --- /dev/null +++ b/policy/modules/services/cloudform.fc -@@ -0,0 +1,16 @@ +@@ -0,0 +1,23 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + 
@@ -29177,6 +29237,8 @@ index 0000000..2c745ea +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) +/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0) + ++/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) ++ +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) +/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0) +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) @@ -29185,6 +29247,11 @@ index 0000000..2c745ea +/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0) +/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0) + ++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) ++ ++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) ++ ++ diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if new file mode 100644 index 0000000..917f8d4 @@ -29216,10 +29283,10 @@ index 0000000..917f8d4 +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 -index 0000000..1852397 +index 0000000..c7ee7dd --- /dev/null +++ b/policy/modules/services/cloudform.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,207 @@ +policy_module(cloudform, 1.0) + +######################################## @@ -29355,14 +29422,11 @@ index 0000000..1852397 +# mongod local policy +# + -+#WHY? -+allow mongod_t self:process execmem; -+ -+allow mongod_t self:process setsched; -+ -+allow mongod_t self:process { fork signal }; ++allow mongod_t self:process { setsched signal }; + ++allow mongod_t self:netlink_route_socket r_netlink_socket_perms; +allow mongod_t self:unix_stream_socket create_stream_socket_perms; ++allow mongod_t self:udp_socket create_socket_perms; + +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t) +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t) 
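Review bot: Labelling `/usr/share/aeolus-conductor/dbomatic/dbomatic` as mongod_exec_t runs the dbomatic program in mongod_t, so it inherits everything the database daemon is allowed (including the udp_socket, netlink_route_socket and generic port bind in the cloudform.te hunks that follow) and the database in turn inherits whatever dbomatic later needs, with nothing but the executable path to tell the two apart in audit logs. A dedicated domain for dbomatic, or at least a comment above the line such as `# dbomatic runs in mongod_t; it is not the database server`, would make the decision explicit. `/var/run/aeolus/dbomatic\.pid` being mongod_var_run_t follows from the same choice, so the two lines should be kept together when this is revisited. The two empty lines appended at the end of the file can be dropped.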
@@ -29377,12 +29441,21 @@ index 0000000..1852397 + +manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) +manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) ++#needed by dbomatic ++files_pid_filetrans(mongod_t, mongod_var_run_t, { file }) + +corenet_tcp_bind_generic_node(mongod_t) -+#temporary +corenet_tcp_bind_generic_port(mongod_t) + -+domain_use_interactive_fds(mongod_t) ++files_read_usr_files(mongod_t) ++ ++optional_policy(` ++ mysql_stream_connect(mongod_t) ++') ++ ++optional_policy(` ++ postgresql_stream_connect(mongod_t) ++') + +optional_policy(` + sysnet_dns_name_resolve(mongod_t) @@ -35304,7 +35377,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..87949e8 100644 +index acf6d4f..2fbb869 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -35395,15 +35468,17 @@ index acf6d4f..87949e8 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,7 +196,7 @@ optional_policy(` +@@ -180,8 +196,8 @@ optional_policy(` # dovecot auth local policy # -allow dovecot_auth_t self:capability { chown dac_override setgid setuid }; -+allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid }; - allow dovecot_auth_t self:process { signal_perms getcap setcap }; +-allow dovecot_auth_t self:process { signal_perms getcap setcap }; ++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice }; ++allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap }; allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; + allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; 
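Review bot: The `#temporary` marker above `corenet_tcp_bind_generic_port(mongod_t)` is removed while the rule stays, which quietly turns a stopgap into permanent policy letting mongod_t bind any port carrying the generic port type. mongod listens on a fixed, well-known port, so the tighter form is a port type declared for it in corenetwork and a bind rule for that type only; if the generic bind has to stay for now, keep a marker on it, e.g. `# TODO: replace with a dedicated mongod port type`, so it is not read as intentional. `files_pid_filetrans(mongod_t, mongod_var_run_t, { file })` carries `#needed by dbomatic`, which confirms that dbomatic shares this domain; if the rule exists only for dbomatic's pid file the comment should say so, since it also applies to the database process itself.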
@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) @@ -38642,10 +38717,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..86ba356 100644 +index 4fde46b..8768e6b 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,24 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -38659,8 +38734,10 @@ index 4fde46b..86ba356 100644 corecmd_exec_bin(gnomeclock_t) +corecmd_exec_shell(gnomeclock_t) +corecmd_dontaudit_access_check_bin(gnomeclock_t) ++ ++dev_read_sysfs(gnomeclock_t) - files_read_etc_files(gnomeclock_t) +-files_read_etc_files(gnomeclock_t) +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) @@ -38672,7 +38749,7 @@ index 4fde46b..86ba356 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +41,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -41059,7 +41136,7 @@ index 3aa8fa7..40b10fa 100644 + ldap_systemctl($1) ') diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te -index 64fd1ff..211180e 100644 +index 64fd1ff..0f5d0b7 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -10,7 +10,7 @@ type slapd_exec_t; 
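Review bot: `sys_nice` is added to dovecot_auth_t's capabilities and `getsched setsched` to its process permissions without a comment saying which dovecot operation needs them; sys_nice also covers changing the priority and scheduling of other processes, so a line such as `# dovecot-auth adjusts its own scheduling priority` (or whatever the denial showed) above the capability rule would let the next reviewer judge whether `setsched` on self would have been enough. The commit message does not mention dovecot, so this looks like an audit2allow-driven addition; naming the denied operation is the usual way to keep such a line from reading as a blanket grant.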
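Review bot: The commit message says gnomeclock should read cgroup, but the rule this hunk adds is `dev_read_sysfs(gnomeclock_t)`; if cgroup mounts are labelled with their own filesystem type rather than as sysfs, this grant does not cover them and a filesystem-layer cgroup read interface is what is needed, which is worth confirming against the denial. The hunk also changes `files_read_etc_files(gnomeclock_t)` from a kept line into a removed one, which the message does not mention; unless /etc read access now comes from a domain-wide rule, that is a regression, and a comment such as `# /etc read access comes from the domain-wide rules` at that spot would document the dependency either way.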
@@ -41119,6 +41196,14 @@ index 64fd1ff..211180e 100644 kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) +@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t) + files_list_var_lib(slapd_t) + + auth_use_nsswitch(slapd_t) ++auth_rw_cache(slapd_t) + + logging_send_syslog_msg(slapd_t) + diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 771e04b..81d98b3 100644 --- a/policy/modules/services/likewise.if @@ -41984,13 +42069,14 @@ index 0000000..5b84980 +') diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc new file mode 100644 -index 0000000..ac84e59 +index 0000000..7f36870 --- /dev/null +++ b/policy/modules/services/matahari.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,30 @@ +/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0) +/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0) + +/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + @@ -41998,6 +42084,8 @@ index 0000000..ac84e59 + +/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0) + ++/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0) ++ +/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) + +/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0) @@ -42017,10 +42105,10 @@ index 0000000..ac84e59 +/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0) diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if new file mode 100644 -index 0000000..0432f2e +index 0000000..0d771fd --- /dev/null 
+++ b/policy/modules/services/matahari.if -@@ -0,0 +1,247 @@ +@@ -0,0 +1,250 @@ +## policy for matahari + +###################################### @@ -42039,10 +42127,10 @@ index 0000000..0432f2e + attribute matahari_domain; + ') + -+ ############################## -+ # -+ # Declarations -+ # ++ ############################## ++ # ++ # Declarations ++ # + + type matahari_$1_t, matahari_domain; + type matahari_$1_exec_t; @@ -42261,6 +42349,9 @@ index 0000000..0432f2e + allow $1 matahari_serviced_t:process { ptrace signal_perms }; + ps_process_pattern($1, matahari_serviced_t) + ++ allow $1 matahari_sysconfigd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, matahari_sysconfigd_t) ++ + files_search_var_lib($1) + admin_pattern($1, matahari_var_lib_t) + @@ -42270,10 +42361,10 @@ index 0000000..0432f2e +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..19d82c3 +index 0000000..215407c --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,83 @@ +@@ -0,0 +1,100 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -42286,6 +42377,7 @@ index 0000000..19d82c3 +matahari_domain_template(hostd) +matahari_domain_template(netd) +matahari_domain_template(serviced) ++matahari_domain_template(sysconfigd) + +type matahari_initrc_exec_t; +init_script_file(matahari_initrc_exec_t) 
@@ -42330,9 +42422,25 @@ index 0000000..19d82c3 +# +# matahari_serviced local policy +# ++allow matahari_serviced_t self:process setpgid; ++ ++kernel_read_network_state(matahari_serviced_t) ++ ++dev_read_sysfs(matahari_serviced_t) + +domain_use_interactive_fds(matahari_serviced_t) -+init_spec_domtrans_script(matahari_serviced_t) ++ ++files_read_etc_runtime_files(matahari_serviced_t) ++ ++init_domtrans_script(matahari_serviced_t) ++ ++systemd_config_all_services(matahari_serviced_t) ++ ++######################################## ++# ++# matahari_sysconfigd local policy ++# ++dev_read_sysfs(matahari_sysconfigd_t) + +####################################### +# @@ -48079,7 +48187,7 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..4f9a575 100644 +index 06e217d..ab25c8c 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te @@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) @@ -48116,7 +48224,7 @@ index 06e217d..4f9a575 100644 manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) -@@ -60,10 +68,25 @@ domain_use_interactive_fds(plymouthd_t) +@@ -60,10 +68,26 @@ domain_use_interactive_fds(plymouthd_t) files_read_etc_files(plymouthd_t) files_read_usr_files(plymouthd_t) @@ -48135,6 +48243,7 @@ index 06e217d..4f9a575 100644 + +optional_policy(` + xserver_xdm_manage_spool(plymouthd_t) ++ xserver_read_state_xdm(plymouthd_t) +') + +term_use_unallocated_ttys(plymouthd_t) 
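Review bot: `systemd_config_all_services(matahari_serviced_t)` together with replacing `init_spec_domtrans_script` by `init_domtrans_script` lets the matahari service agent enable, disable and start any service on the host through an automatic transition into the init-script domain; since the agent, as far as I know, acts on commands from a remote manager, this amounts to remote control over every service and deserves a comment above the two lines stating that the breadth is the agent's job rather than an audit2allow leftover. The new `matahari_sysconfigd_t` section contains only `dev_read_sysfs(matahari_sysconfigd_t)` and the domain is made permissive in the permissivedomains.te hunk at `@@ -2283,7 +2283,13 @@`; a `# placeholder: domain is permissive until its accesses are collected` line under the section header would stop it being read as a finished domain. Both section headers end with `#` followed directly by a rule; a blank line there is the usual refpolicy spacing.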
@@ -48142,7 +48251,7 @@ index 06e217d..4f9a575 100644 ######################################## # # Plymouth private policy -@@ -74,6 +97,7 @@ allow plymouth_t self:fifo_file rw_file_perms; +@@ -74,6 +98,7 @@ allow plymouth_t self:fifo_file rw_file_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms; kernel_read_system_state(plymouth_t) @@ -48150,7 +48259,7 @@ index 06e217d..4f9a575 100644 domain_use_interactive_fds(plymouth_t) -@@ -87,7 +111,7 @@ sysnet_read_config(plymouth_t) +@@ -87,7 +112,7 @@ sysnet_read_config(plymouth_t) plymouthd_stream_connect(plymouth_t) @@ -49046,7 +49155,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..c22af86 100644 +index 46bee12..ca32d30 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -49095,6 +49204,15 @@ index 46bee12..c22af86 100644 ') ######################################## +@@ -215,7 +219,7 @@ interface(`postfix_config_filetrans',` + ') + + files_search_etc($1) +- filetrans_pattern($1, postfix_etc_t, $2, $3) ++ filetrans_pattern($1, postfix_etc_t, $2, $3, $4) + ') + + ######################################## @@ -272,7 +276,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -49282,7 +49400,7 @@ index 46bee12..c22af86 100644 ') ######################################## -@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,125 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') 
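Review bot: `postfix_config_filetrans` now forwards a fourth argument `$4` to `filetrans_pattern`, but the interface's documentation header, which lies above this hunk, presumably still describes only the domain, private type and object class; a `<param name="filename" optional="true">` entry describing the object name should be added so callers know the name filter exists. Callers that still pass three arguments leave `$4` empty, which `filetrans_pattern` should tolerate as it does for other optional-name callers, so existing users need not change.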
@@ -49359,6 +49477,8 @@ index 46bee12..c22af86 100644 + admin_pattern($1, postfix_prng_t) + + admin_pattern($1, postfix_public_t) ++ ++ postfix_filetrans_named_content($1) +') + +######################################## @@ -49386,6 +49506,26 @@ index 46bee12..c22af86 100644 + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; +') ++ ++######################################## ++## ++## Transition to postfix named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_filetrans_named_content',` ++ gen_require(` ++ type postfix_exec_t; ++ type postfix_prng_t; ++ ') ++ ++ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script") ++ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ++') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index a32c4b3..3a59bac 100644 --- a/policy/modules/services/postfix.te @@ -50251,7 +50391,7 @@ index b524673..921a60f 100644 + ppp_systemctl($1) ') diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te -index 2af42e7..399a452 100644 +index 2af42e7..20f5d6b 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0) @@ -50378,7 +50518,7 @@ index 2af42e7..399a452 100644 ') optional_policy(` -@@ -243,14 +252,17 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) 
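Review bot: `postfix_filetrans_named_content` lets `$1` create a file named `postfix-script` in a `postfix_etc_t` directory that is labelled `postfix_exec_t`, presumably the exec type of the postfix master domain, so any domain given this interface can create a file that carries postfix's executable label. In this patch the only caller is the admin interface, which is appropriate, but a comment in the interface body such as `# postfix-script is created as postfix_exec_t; intended for admin domains only` would keep later callers from handing it to less trusted domains.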
@@ -50391,13 +50531,14 @@ index 2af42e7..399a452 100644 kernel_list_proc(pptp_t) +kernel_signal(pptp_t) kernel_read_kernel_sysctls(pptp_t) ++kernel_read_network_state(pptp_t) kernel_read_proc_symlinks(pptp_t) kernel_read_system_state(pptp_t) +kernel_signal(pptp_t) dev_read_sysfs(pptp_t) -@@ -265,9 +277,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) +@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t) corenet_raw_sendrecv_generic_node(pptp_t) corenet_tcp_sendrecv_all_ports(pptp_t) corenet_tcp_bind_generic_node(pptp_t) @@ -60476,7 +60617,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..b944b61 100644 +index 2124b6a..d935248 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,5 +1,6 @@ @@ -60488,7 +60629,7 @@ index 2124b6a..b944b61 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +13,37 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +13,38 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -60521,6 +60662,7 @@ index 2124b6a..b944b61 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +# support for AEOLUS project ++/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) +/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) @@ -61075,7 +61217,7 @@ index 7c5d8d8..d711fd5 100644 +') + 
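Review bot: The context around the added `kernel_read_network_state(pptp_t)` shows `kernel_signal(pptp_t)` already present twice in the patched file, once before `kernel_read_kernel_sysctls(pptp_t)` and once after `kernel_read_system_state(pptp_t)`; a duplicated rule should be merged by the compiler but is noise, and this commit edits the same block without removing it. Dropping one of the two `+kernel_signal(pptp_t)` lines would tidy the block. The new read-only network-state grant itself raises no concern.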
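Review bot: Labelling `/usr/bin/imagefactory` as `virtd_exec_t` runs the image-building tool in the full `virtd_t` domain, with every privilege the libvirt daemon has (and gains in this same patch), rather than in a domain scoped to image building. If that reuse is intentional, the `# support for AEOLUS project` comment above it should say so, e.g. `# imagefactory and imgfac.py run as virtd_t by design`; otherwise a dedicated domain would be the tighter fit. The entry uses `--` so only a regular file matches, consistent with the `imgfac\.py` line below it.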
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..d2d599b 100644 +index 3eca020..96e71d4 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,81 @@ policy_module(virt, 1.4.0) @@ -61608,7 +61750,7 @@ index 3eca020..d2d599b 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +614,359 @@ files_search_all(virt_domain) +@@ -440,25 +614,362 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -61772,6 +61914,7 @@ index 3eca020..d2d599b 100644 +allow virtd_lxc_t self:packet_socket create_socket_perms; + +allow virtd_lxc_t virt_image_type:dir mounton; ++manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { signal signull sigkill }; @@ -61790,6 +61933,8 @@ index 3eca020..d2d599b 100644 +manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; + ++storage_manage_fixed_disk(virtd_lxc_t) ++ +kernel_read_network_state(virtd_lxc_t) +kernel_search_network_sysctl(virtd_lxc_t) +kernel_read_sysctl(virtd_lxc_t) @@ -65592,7 +65737,7 @@ index 73554ec..6a25dd6 100644 + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..a53db2b 100644 +index b7a5f00..2c39af1 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) 
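Review bot: `storage_manage_fixed_disk(virtd_lxc_t)` gives the LXC driver domain read/write on every fixed-disk device node, which is host-wide raw block access, and the preceding hunk's `manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)` adds full create/delete on image files; neither line carries a comment explaining the need. If both are required (presumably for preparing container root filesystems from images), a one-line why-comment above each, e.g. `# lxc driver prepares disk-backed guest roots`, would document the breadth; if only read access is needed, the narrower `storage_raw_read_fixed_disk` would be preferable. Both additions sit inside the virtd_lxc local policy, whose start and end lie outside these hunks.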
@@ -65635,7 +65780,7 @@ index b7a5f00..a53db2b 100644 seutil_dontaudit_use_newrole_fds(chkpwd_t) -userdom_use_user_terminals(chkpwd_t) -+userdom_use_inherited_user_terminals(chkpwd_t) ++userdom_dontaudit_use_user_ttys(chkpwd_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -68952,7 +69097,7 @@ index 560dc48..4986f1b 100644 +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..8f5a243 100644 +index 808ba93..eb621fd 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -207,6 +207,23 @@ interface(`libs_search_lib',` @@ -69050,7 +69195,7 @@ index 808ba93..8f5a243 100644 +## +## +# -+interface(`lib_filetrans_named_content',` ++interface(`libs_filetrans_named_content',` + gen_require(` + type ld_so_cache_t; + ') @@ -72966,10 +73111,10 @@ index 0000000..db57bc7 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..79c358c +index 0000000..5571350 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,502 @@ +@@ -0,0 +1,503 @@ +## SELinux policy for systemd components + +####################################### @@ -73018,6 +73163,7 @@ index 0000000..79c358c + can_exec($1, systemd_systemctl_exec_t) + + fs_list_cgroup_dirs($1) ++ fs_read_cgroup_files($1) + systemd_list_unit_dirs($1) + init_list_pid_dirs($1) + init_read_state($1) @@ -75062,7 +75208,7 @@ index db75976..494ec08 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..af43357 100644 +index 4b2878a..9b49159 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
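Review bot: Replacing `userdom_use_inherited_user_terminals(chkpwd_t)` with `userdom_dontaudit_use_user_ttys(chkpwd_t)` silences only `user_tty_device_t`; a chkpwd helper invoked from a pseudo-terminal inherits a `user_devpts_t` descriptor, and accesses on it will now be both denied and logged. `userdom_dontaudit_use_user_terminals(chkpwd_t)`, which this same commit switches to `rw_inherited_term_perms` for both the tty and devpts types, would cover both cases and match the changelog entry's intent. If withdrawing the allow (rather than just not auditing) is deliberate, the change deserves a comment saying so.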
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -77186,10 +77332,16 @@ index 4b2878a..af43357 100644 ') ######################################## -@@ -2644,6 +3313,25 @@ interface(`userdom_dontaudit_use_user_terminals',` - dontaudit $1 user_devpts_t:chr_file rw_term_perms; - ') +@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',` + type user_tty_device_t, user_devpts_t; + ') +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; +- dontaudit $1 user_devpts_t:chr_file rw_term_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; ++ dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ + +######################################## +## @@ -77207,11 +77359,9 @@ index 4b2878a..af43357 100644 + ') + + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; -+') -+ + ') + ######################################## - ## - ## Execute a shell in all user domains. This @@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -77387,6 +77537,15 @@ index 4b2878a..af43357 100644 ') ######################################## +@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## @@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',` ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5e85083..4376690 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
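Review bot: `userdom_dontaudit_use_user_ttys` now dontaudits `rw_inherited_file_perms` on `user_tty_device_t:chr_file`, while the sibling `userdom_dontaudit_use_user_terminals` in the hunk above uses `rw_inherited_term_perms` for the same terminal objects; the two permission sets are not identical, so the two interfaces should agree. Changing the line to `dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;` keeps the terminal-specific set in both places.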
@@ -466,6 +466,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 1 2011 Miroslav Grepl 3.10.0-53 +- Fix abrt_manage_cache() interface +- Make filetrans rules optional so base policy will build +- Dontaudit chkpwd_t access to inherited TTYS +- Make sure postfix content gets created with the correct label +- Allow gnomeclock to read cgroup +- Fixes for cloudform policy + * Thu Oct 27 2011 Miroslav Grepl 3.10.0-52 - Check in fixed for Chrome nacl support