From e21330348f22fc44c4148563182cfafa2c4aab30 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 05 2009 21:31:17 +0000 Subject: - Allow devicekit_disk to list inotify --- diff --git a/policy-F12.patch b/policy-F12.patch index 386e8c8..34e0cda 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1142,6 +1142,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(awstats_t) sysnet_dns_name_resolve(awstats_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.26/policy/modules/apps/calamaris.te +--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/apps/calamaris.te 2009-08-05 16:42:44.000000000 -0400 +@@ -84,3 +84,7 @@ + optional_policy(` + nis_use_ypbind(calamaris_t) + ') ++ ++optional_policy(` ++ nscd_socket_use(calamaris_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 2009-07-28 13:28:33.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/apps/cpufreqselector.te 2009-07-30 15:33:08.000000000 -0400 @@ -4932,7 +4943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.26/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/kernel/files.if 2009-08-05 17:20:50.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -10117,7 +10128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.26/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-07-30 15:33:08.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/devicekit.te 2009-08-05 16:52:16.000000000 -0400 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -10155,7 +10166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) -@@ -79,11 +86,13 @@ +@@ -79,21 +86,26 @@ dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) @@ -10167,9 +10178,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) ++fs_list_inotifyfs(devicekit_disk_t) ++fs_manage_fusefs_dirs(devicekit_disk_t) fs_mount_all_fs(devicekit_disk_t) fs_unmount_all_fs(devicekit_disk_t) -@@ -94,6 +103,8 @@ +-fs_manage_fusefs_dirs(devicekit_disk_t) + + storage_raw_read_fixed_disk(devicekit_disk_t) + storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -10178,7 +10194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -110,6 +121,7 @@ +@@ -110,6 +122,7 @@ ') optional_policy(` @@ -10186,7 +10202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,6 +146,19 @@ +@@ -134,6 +147,19 @@ udev_read_db(devicekit_disk_t) ') @@ -10206,7 +10222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # DeviceKit-Power local policy -@@ -142,6 +167,7 @@ +@@ -142,6 +168,7 @@ allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; @@ -10214,7 +10230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +177,7 @@ +@@ -151,6 +178,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -10222,7 +10238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +186,7 @@ +@@ -159,6 +187,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -10230,7 +10246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -180,8 +208,11 @@ +@@ -180,8 +209,11 @@ ') optional_policy(` @@ -10243,7 +10259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +234,23 @@ +@@ -203,17 +235,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) @@ -10709,7 +10725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.26/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-04 05:57:57.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/hal.te 2009-08-05 17:09:21.000000000 -0400 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -10803,10 +10819,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_dccm_t self:process getsched; allow hald_dccm_t self:tcp_socket create_stream_socket_perms; allow hald_dccm_t self:udp_socket create_socket_perms; -@@ -469,10 +491,17 @@ +@@ -469,10 +491,22 @@ manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_dccm_t) ++manage_dirs_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) ++manage_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) ++manage_sock_files_pattern(hald_dccm_t, hald_var_run_t, hald_var_run_t) ++files_pid_filetrans(hald_dccm_t, hald_var_run_t, { dir file sock_file }) ++ +manage_sock_files_pattern(hald_dccm_t, hald_tmp_t, hald_tmp_t) +files_tmp_filetrans(hald_dccm_t, hald_tmp_t, sock_file) + @@ -10821,7 +10842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(hald_dccm_t) corenet_all_recvfrom_netlabel(hald_dccm_t) corenet_tcp_sendrecv_generic_if(hald_dccm_t) -@@ -484,6 +513,7 @@ +@@ -484,6 +518,7 @@ corenet_tcp_bind_generic_node(hald_dccm_t) corenet_udp_bind_generic_node(hald_dccm_t) corenet_udp_bind_dhcpc_port(hald_dccm_t) @@ -10829,7 +10850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_dccm_port(hald_dccm_t) logging_send_syslog_msg(hald_dccm_t) -@@ -491,3 +521,9 @@ +@@ -491,3 +526,9 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) @@ -13953,7 +13974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.26/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/rpc.te 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/rpc.te 2009-08-05 17:22:27.000000000 -0400 @@ -91,6 +91,8 @@ seutil_dontaudit_search_config(rpcd_t) @@ -13990,6 +14011,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) +@@ -189,8 +197,10 @@ + fs_rw_rpc_sockets(gssd_t) + fs_read_rpc_files(gssd_t) + ++fs_list_inotifyfs(gssd_t) + files_list_tmp(gssd_t) + files_read_usr_symlinks(gssd_t) ++files_dontaudit_write_var_dirs(gssd_t) + + auth_use_nsswitch(gssd_t) + auth_manage_cache(gssd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.26/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/rsync.te 2009-07-30 15:33:09.000000000 -0400 @@ -16491,6 +16523,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## sssd over dbus. ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.26/policy/modules/services/sysstat.te +--- nsaserefpolicy/policy/modules/services/sysstat.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/sysstat.te 2009-08-05 17:06:04.000000000 -0400 +@@ -19,7 +19,7 @@ + # Local policy + # + +-allow sysstat_t self:capability { sys_resource sys_tty_config }; ++allow sysstat_t self:capability { dac_override sys_resource sys_tty_config }; + dontaudit sysstat_t self:capability sys_admin; + allow sysstat_t self:fifo_file rw_fifo_file_perms; + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.26/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.26/policy/modules/services/uucp.te 2009-07-30 15:33:09.000000000 -0400 @@ -16533,7 +16577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.26/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-07-30 15:33:09.000000000 -0400 ++++ serefpolicy-3.6.26/policy/modules/services/virt.if 2009-08-05 16:59:48.000000000 -0400 @@ -103,7 +103,7 @@ ######################################## @@ -16631,7 +16675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an virt environment ## -@@ -327,3 +364,54 @@ +@@ -327,3 +364,56 @@ virt_manage_log($1) ') @@ -16664,6 +16708,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_tmpfs_file($1_tmpfs_t) + + type $1_image_t, virt_image_type; ++ files_type($1_image_t) ++ dev_node($1_image_t) + + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a0a9a21..5a5d2a2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.26 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Wed Aug 5 2009 Dan Walsh 3.6.26-6 +- Allow devicekit_disk to list inotify + * Wed Aug 5 2009 Dan Walsh 3.6.26-5 - Allow svirt images to create sock_file in svirt_var_run_t