From d53a7f6fe9f55e9c8d0f7460030f98a321c23002 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 25 2012 20:00:17 +0000 Subject: * Tue Sep 25 2012 Miroslav Grepl 3.11.1-25 - Fix boolean name so subs will continue to work --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index ad1f04e..964ff7a 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -99793,7 +99793,7 @@ index f82f0ce..204bdc8 100644 /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 98b8b2d..c7bdbdc 100644 +index 98b8b2d..1da87ac 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` @@ -99959,27 +99959,25 @@ index 98b8b2d..c7bdbdc 100644 ') ######################################## -@@ -270,11 +319,39 @@ interface(`usermanage_domtrans_useradd',` +@@ -270,11 +319,38 @@ interface(`usermanage_domtrans_useradd',` # interface(`usermanage_run_useradd',` gen_require(` - attribute_role useradd_roles; + #attribute_role useradd_roles; -+ type sysadm_passwd_t; ++ type useradd_t; ') -- usermanage_domtrans_useradd($1) -- roleattribute $2 useradd_roles; + #usermanage_domtrans_useradd($1) + #roleattribute $2 useradd_roles; + -+ usermanage_domtrans_admin_passwd($1) -+ role $2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') + usermanage_domtrans_useradd($1) +- roleattribute $2 useradd_roles; ++ role $2 types useradd_t; + ++ optional_policy(` ++ nscd_run(sysadm_passwd_t, $2) ++ ') +') + +######################################## @@ -114768,7 +114766,7 @@ index fc86b7c..ba6be42 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + 
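Review bot: In the rewritten `usermanage_run_useradd` body, `nscd_run(sysadm_passwd_t, $2)` still names sysadm_passwd_t although the interface now transitions to useradd_t and its gen_require only declares `type useradd_t;` (the `type sysadm_passwd_t;` requirement is dropped in the same hunk). This looks like a leftover from the previous admin_passwd-based version; the nscd rule should presumably follow the domain the role actually gets, `nscd_run(useradd_t, $2)`, or sysadm_passwd_t has to be re-added to gen_require so the interface does not reference an undeclared type. The commented-out `#attribute_role useradd_roles;`, `#usermanage_domtrans_useradd($1)` and `#roleattribute $2 useradd_roles;` lines are dead text and would be better dropped or replaced by a one-line comment saying why roleattribute is no longer used. These lines sit inside policy-rawhide.patch, so the interface is only visible here as nested diff text and its surrounding file is not in view.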
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..ff65b6f 100644 +index 130ced9..af3532c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -114871,7 +114869,7 @@ index 130ced9..ff65b6f 100644 allow $2 xserver_tmpfs_t:file rw_file_perms; ') + -+ tunable_policy(`user_direct_dri',` ++ tunable_policy(`selinuxuser_direct_dri_enabled',` + dev_rw_dri($2) + ') + @@ -115067,7 +115065,7 @@ index 130ced9..ff65b6f 100644 allow $2 xserver_tmpfs_t:file rw_file_perms; ') + -+ tunable_policy(`user_direct_dri',` ++ tunable_policy(`selinuxuser_direct_dri_enabled',` + dev_rw_dri($2) + ') ') @@ -116105,7 +116103,7 @@ index 130ced9..ff65b6f 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index d40f750..10170d4 100644 +index d40f750..0a71fa1 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -116161,7 +116159,7 @@ index d40f750..10170d4 100644 +## Allow regular users direct dri device access +##

+## -+gen_tunable(user_direct_dri, false) ++gen_tunable(selinuxuser_direct_dri_enabled, false) + +attribute xdmhomewriter; +attribute x_userdomain; diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index e2346ae..fb640fa 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -15124,7 +15124,7 @@ index fb4bf82..126d543 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index 625cb32..47d33d3 100644 +index 625cb32..082afa9 100644 --- a/dbus.te +++ b/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -15239,18 +15239,17 @@ index 625cb32..47d33d3 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -149,13 +180,157 @@ optional_policy(` - sysnet_domtrans_dhcpc(system_dbusd_t) +@@ -150,12 +181,156 @@ optional_policy(` ') -+#optional_policy(` + optional_policy(` + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) + systemd_start_power_services(system_dbusd_t) -+#') ++') + - optional_policy(` ++optional_policy(` udev_read_db(system_dbusd_t) ') @@ -53573,10 +53572,15 @@ index a63e9ee..8910c44 100644 + nis_use_ypbind(rpcbind_t) +') diff --git a/rpm.fc b/rpm.fc -index b2a0b6a..6167fe8 100644 +index b2a0b6a..ee55335 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -6,6 +6,7 @@ +@@ -2,10 +2,12 @@ + /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) + + /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) ++/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) 
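Review bot: `systemd_start_power_services(system_dbusd_t)` becomes active in dbus.te (together with the three other systemd_* rules in the now un-commented optional_policy block) with no comment on why the bus daemon itself, rather than the client requesting the action, needs to start power services. The 3.11.1-24 changelog entry visible later in this diff ("Add interface to allow system_dbusd_t to start the poweroff service") gives the motivation, but the policy file does not, and since every bus client reaches system_dbusd_t a one-line why-comment above the block is worth adding, e.g. `# system bus starts the poweroff/reboot units on behalf of its clients -- TODO(review): confirm which caller needs this`. The lines are inside policy_contrib-rawhide.patch, and the run of optional_policy blocks continues beyond both ends of the hunk.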
@@ -53584,7 +53588,7 @@ index b2a0b6a..6167fe8 100644 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -20,12 +21,18 @@ +@@ -20,12 +22,18 @@ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` @@ -53603,7 +53607,7 @@ index b2a0b6a..6167fe8 100644 ') /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -@@ -36,9 +43,10 @@ ifdef(`distro_redhat', ` +@@ -36,9 +44,10 @@ ifdef(`distro_redhat', ` /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) @@ -65187,10 +65191,10 @@ index 2124b6a..e18ac1c 100644 +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/virt.if b/virt.if -index 6f0736b..45bd376 100644 +index 6f0736b..d5b53ed 100644 --- a/virt.if +++ b/virt.if -@@ -13,39 +13,49 @@ +@@ -13,64 +13,61 @@ # template(`virt_domain_template',` gen_require(` @@ -65249,7 +65253,13 @@ index 6f0736b..45bd376 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,20 +67,6 @@ template(`virt_domain_template',` + manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) +- files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) ++ files_tmp_filetrans($1_t, $1_tmp_t, { file dir lnk_file }) ++ userdom_user_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file }) + + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -65270,7 +65280,7 @@ index 6f0736b..45bd376 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -98,14 +94,32 @@ interface(`virt_image',` +@@ -98,14 +95,32 @@ interface(`virt_image',` dev_node($1) ') 
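Review bot: The added `userdom_user_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file })` in virt_domain_template lets every domain instantiated from the template create its tmp content under user tmp directories, not only in /tmp as before, with no comment saying which caller needs that; a broadening applied to all template instances deserves an in-place justification, e.g. `# TODO(review): name the use case that needs $1_t to create $1_tmp_t content in user tmp dirs`. The two class sets are also spelled in different orders (`{ file dir lnk_file }` vs `{ dir file lnk_file }`); one order for both lines makes the pair easier to scan. The nested header change from `+13,49` to `+13,61` suggests this inner hunk absorbed the following one (the `@@ -57,20 +67,6 @@` removed in the next outer hunk), which is consistent with the lines shown. The template body starts and ends outside the hunk.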
@@ -65305,7 +65315,7 @@ index 6f0736b..45bd376 100644 ## # interface(`virt_domtrans',` -@@ -116,9 +130,45 @@ interface(`virt_domtrans',` +@@ -116,9 +131,45 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') @@ -65352,7 +65362,7 @@ index 6f0736b..45bd376 100644 ## ## ## -@@ -166,13 +216,13 @@ interface(`virt_attach_tun_iface',` +@@ -166,13 +217,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -65368,7 +65378,7 @@ index 6f0736b..45bd376 100644 ') ######################################## -@@ -187,13 +237,13 @@ interface(`virt_read_config',` +@@ -187,13 +238,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -65384,7 +65394,7 @@ index 6f0736b..45bd376 100644 ') ######################################## -@@ -233,6 +283,24 @@ interface(`virt_read_content',` +@@ -233,6 +284,24 @@ interface(`virt_read_content',` ######################################## ## @@ -65409,7 +65419,7 @@ index 6f0736b..45bd376 100644 ## Read virt PID files. ## ## -@@ -252,6 +320,28 @@ interface(`virt_read_pid_files',` +@@ -252,6 +321,28 @@ interface(`virt_read_pid_files',` ######################################## ## @@ -65438,7 +65448,7 @@ index 6f0736b..45bd376 100644 ## Manage virt pid files. ## ## -@@ -263,10 +353,42 @@ interface(`virt_read_pid_files',` +@@ -263,10 +354,42 @@ interface(`virt_read_pid_files',` interface(`virt_manage_pid_files',` gen_require(` type virt_var_run_t; @@ -65481,7 +65491,7 @@ index 6f0736b..45bd376 100644 ') ######################################## -@@ -310,6 +432,24 @@ interface(`virt_read_lib_files',` +@@ -310,6 +433,24 @@ interface(`virt_read_lib_files',` ######################################## ## @@ -65506,7 +65516,7 @@ index 6f0736b..45bd376 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -354,9 +494,9 @@ interface(`virt_read_log',` +@@ -354,9 +495,9 @@ interface(`virt_read_log',` ## virt log files. ## ## 
@@ -65518,7 +65528,7 @@ index 6f0736b..45bd376 100644 ## # interface(`virt_append_log',` -@@ -390,6 +530,25 @@ interface(`virt_manage_log',` +@@ -390,6 +531,25 @@ interface(`virt_manage_log',` ######################################## ## @@ -65544,7 +65554,7 @@ index 6f0736b..45bd376 100644 ## Allow domain to read virt image files ## ## -@@ -410,6 +569,7 @@ interface(`virt_read_images',` +@@ -410,6 +570,7 @@ interface(`virt_read_images',` read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -65552,7 +65562,7 @@ index 6f0736b..45bd376 100644 tunable_policy(`virt_use_nfs',` fs_list_nfs($1) -@@ -426,6 +586,24 @@ interface(`virt_read_images',` +@@ -426,6 +587,24 @@ interface(`virt_read_images',` ######################################## ## @@ -65577,7 +65587,7 @@ index 6f0736b..45bd376 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -435,15 +613,15 @@ interface(`virt_read_images',` +@@ -435,15 +614,15 @@ interface(`virt_read_images',` ## ## # @@ -65598,7 +65608,7 @@ index 6f0736b..45bd376 100644 ') ######################################## -@@ -468,18 +646,7 @@ interface(`virt_manage_images',` +@@ -468,18 +647,7 @@ interface(`virt_manage_images',` manage_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) rw_blk_files_pattern($1, virt_image_type, virt_image_type) @@ -65618,7 +65628,7 @@ index 6f0736b..45bd376 100644 ') ######################################## -@@ -502,10 +669,19 @@ interface(`virt_manage_images',` +@@ -502,10 +670,19 @@ interface(`virt_manage_images',` interface(`virt_admin',` gen_require(` type virtd_t, virtd_initrc_exec_t; 
@@ -65639,7 +65649,7 @@ index 6f0736b..45bd376 100644 init_labeled_script_domtrans($1, virtd_initrc_exec_t) domain_system_change_exemption($1) -@@ -517,4 +693,295 @@ interface(`virt_admin',` +@@ -517,4 +694,295 @@ interface(`virt_admin',` virt_manage_lib_files($1) virt_manage_log($1) diff --git a/segenman b/segenman index 6acd55d..3d234a7 100755 --- a/segenman +++ b/segenman @@ -897,8 +897,8 @@ if __name__ == '__main__': import argparse parser = argparse.ArgumentParser(description='Generate SELinux man pages') - parser.add_argument("-p", "--path", dest="path", required=True, default="/tmp", help="Path for SELinux man pages") - parser.add_argument("-r", "--version", dest="os_version", default="Fedora18",help="Version of OS") + parser.add_argument("-p", "--path", dest="path", default="/tmp", help="Path for SELinux man pages") + parser.add_argument("-v", "--version", dest="os_version", default="Fedora18",help="Version of OS") parser.add_argument("-l", "--list", dest="test_domains", default="", nargs="+", help="List of domains") try: @@ -907,9 +907,6 @@ if __name__ == '__main__': os_version = args.os_version path = args.path - print os_version - print path - if len(args.test_domains) == 0: test_domains = domains else: diff --git a/selinux-policy.spec b/selinux-policy.spec index f0a3908..0942879 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.1 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,7 +521,10 @@ SELinux Reference policy mls base module. %endif %changelog -* Tue Sep 25 2012 Miroslav Grepl 3.11.1-24 +* Tue Sep 25 2012 Miroslav Grepl 3.11.1-25 +- Fix boolean name so subs will continue to work + +* Tue Sep 25 2012 Miroslav Grepl 3.11.1-24 - dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff service - xdm wants to exec telepathy apps 
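Review bot: With `required=True` dropped, `--path` now silently defaults to `/tmp`, so running segenman without `-p` writes the generated man pages into the shared, world-writable temp directory, where a pre-existing file or symlink owned by another user can be overwritten or followed if the script runs with privileges; keeping the option required, or defaulting to a fresh `tempfile.mkdtemp()` directory, avoids that. Switching the short option from `-r` to `-v` is a command-line interface change that breaks any existing invocation using `-r`; if `-r` has callers, keep it as an alias, since argparse accepts several option strings (`parser.add_argument("-v", "-r", "--version", dest="os_version", default="Fedora18", help="Version of OS")`). The enclosing `if __name__ == '__main__':` block starts before the hunk.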
@@ -532,7 +535,7 @@ SELinux Reference policy mls base module. - realmd needs to read /dev/urand - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded -* Thu Sep 20 2012 Miroslav Grepl 3.11.1-23 +* Thu Sep 20 2012 Miroslav Grepl 3.11.1-23 - Fixes to safe more rules - Re-write tomcat_domain_template() - Fix passenger labeling @@ -540,7 +543,7 @@ SELinux Reference policy mls base module. - Add ephemeral_port_t to the 'generic' port interfaces - Fix the names of postgresql booleans -* Tue Sep 18 2012 Miroslav Grepl 3.11.1-22 +* Tue Sep 18 2012 Miroslav Grepl 3.11.1-22 - Stop using attributes form netlabel_peer and syslog, auth_use_nsswitch setsup netlabel_peer - Move netlable_peer check out of booleans - Remove call to recvfrom_netlabel for kerberos call @@ -556,7 +559,7 @@ SELinux Reference policy mls base module. - Allow stapserver to search cgroups directories - Allow all postfix domains to talk to spamd -* Mon Sep 17 2012 Miroslav Grepl 3.11.1-21 +* Mon Sep 17 2012 Miroslav Grepl 3.11.1-21 - Add interfaces to ignore setattr until kernel fixes this to be checked after the DAC check - Change pam_t to pam_timestamp_t - Add dovecot_domain attribute and allow this attribute block_suspend capability2 
@@ -566,17 +569,17 @@ SELinux Reference policy mls base module. - Make piranha-pulse as initrc domain - Update openshift instances to dontaudit setattr until the kernel is fixed. -* Fri Sep 14 2012 Miroslav Grepl 3.11.1-20 +* Fri Sep 14 2012 Miroslav Grepl 3.11.1-20 - Fix auth_login_pgm_domain() interface to allow domains also managed user tmp dirs because of #856880 related to pam_systemd - Remove pam_selinux.8 which conflicts with man page owned by the pam package - Allow glance-api to talk to mysql - ABRT wants to read Xorg.0.log if if it detects problem with Xorg - Fix gstreamer filename trans. interface -* Thu Sep 13 2012 Miroslav Grepl 3.11.1-19 +* Thu Sep 13 2012 Miroslav Grepl 3.11.1-19 - Man page fixes by Dan Walsh -* Tue Sep 11 2012 Miroslav Grepl 3.11.1-18 +* Tue Sep 11 2012 Miroslav Grepl 3.11.1-18 - Allow postalias to read postfix config files - Allow man2html to read man pages - Allow rhev-agentd to search all mountpoints @@ -588,7 +591,7 @@ SELinux Reference policy mls base module. - Fix /dev/twa labeling - Allow systemd to read modules config -* Mon Sep 10 2012 Miroslav Grepl 3.11.1-17 +* Mon Sep 10 2012 Miroslav Grepl 3.11.1-17 - Merge openshift policy - Allow xauth to read /dev/urandom - systemd needs to relabel content in /run/systemd directories