From ffc913c51419352e7f25fe6deb890328746498fa Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 02 2010 14:29:16 +0000 Subject: - Allow clmvd to create tmpfs files --- diff --git a/policy-F13.patch b/policy-F13.patch index 34dd0cc..1533331 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -10621,7 +10621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-08-10 16:52:17.722085152 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-02 13:53:43.031083801 +0200 @@ -559,6 +559,24 @@ ######################################## @@ -10660,11 +10660,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## list dirs on cgroup -## file systems. -## @@ -10681,10 +10680,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup 
@@ -10938,7 +10938,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3870,6 +4018,24 @@ +@@ -3812,6 +3960,24 @@ + rw_files_pattern($1, tmpfs_t, tmpfs_t) + ') + ++####################################### ++## ++## Delete generic tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_delete_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:file delete_file_perms; ++') ++ + ######################################## + ## + ## Read tmpfs link files. +@@ -3870,6 +4036,24 @@ ######################################## ## @@ -10963,7 +10988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4598,44 @@ +@@ -4432,6 +4616,44 @@ ######################################## ## @@ -11008,7 +11033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4753,24 @@ +@@ -4549,3 +4771,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -18329,8 +18354,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-08-04 14:57:52.139335328 +0200 -@@ -0,0 +1,140 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-09-02 12:55:05.057085167 +0200 +@@ -0,0 +1,145 @@ + +policy_module(corosync,1.0.0) + 
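Review bot: In the new `fs_delete_tmpfs_files` interface (inner hunk @@ -3812 of filesystem.if), `allow $1 tmpfs_t:file delete_file_perms;` covers only the file object; an unlink also needs write/remove_name on the containing tmpfs_t directory, which this interface does not grant and which the tunable-gated `fs_rw_tmpfs_files` beside it in corosync.te does not appear to provide either, so the delete the commit intends is likely still denied. The conventional form is `delete_files_pattern($1, tmpfs_t, tmpfs_t)`, which grants the directory side as well. The `unlink` line in the new `lvm_rw_clvmd_tmpfs_files` interface in the lvm.if hunk further down has the same gap. If the `<summary>`/`<param>` tags of the new doc block were really omitted rather than lost in rendering, it should follow the neighbouring interfaces' layout so the generated interface docs stay complete.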
@@ -18444,6 +18469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + +tunable_policy(`allow_corosync_rw_tmpfs',` + fs_rw_tmpfs_files(corosync_t) ++ fs_delete_tmpfs_files(corosync_t) +') + +optional_policy(` @@ -18455,6 +18481,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro +') + +optional_policy(` ++ lvm_rw_clvmd_tmpfs_files(corosync_t) ++') ++ ++optional_policy(` + # to communication with RHCS + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) @@ -22397,7 +22427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-28 09:42:00.117610715 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-09-02 15:07:11.046335422 +0200 @@ -74,7 +74,7 @@ ') 
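Review bot: The `allow_corosync_rw_tmpfs` block (inner hunk @@ -18444 of corosync.te) now also grants removal through `fs_delete_tmpfs_files(corosync_t)`, but the tunable's name still says read/write only; its description, defined outside this hunk, should be updated to state that it also allows deleting generic tmpfs files so an administrator knows what the boolean switches on. The new `lvm_rw_clvmd_tmpfs_files(corosync_t)` optional_policy block is the only one here without a purpose comment where the neighbouring rhcs block has one; a line such as `# access clvmd's tmpfs files (clvmd_tmpfs_t)` above the call keeps the file readable.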
@@ -30716,8 +30746,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.7.19/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-05-28 09:42:00.174610693 +0200 -@@ -89,6 +89,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rlogin.te 2010-09-02 15:07:41.711106623 +0200 +@@ -69,6 +69,7 @@ + fs_getattr_xattr_fs(rlogind_t) + fs_search_auto_mountpoints(rlogind_t) + ++auth_login_pgm_domain(rlogind_t) + auth_domtrans_chk_passwd(rlogind_t) + auth_rw_login_records(rlogind_t) + auth_use_nsswitch(rlogind_t) +@@ -89,6 +90,7 @@ userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -38165,7 +38203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.19/policy/modules/system/lvm.if --- nsaserefpolicy/policy/modules/system/lvm.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-05-28 09:42:00.505610658 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/lvm.if 2010-09-02 13:55:45.873084762 +0200 @@ -34,7 +34,7 @@ type lvm_exec_t; ') 
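Review bot: `auth_login_pgm_domain(rlogind_t)` (inner hunk @@ -69 of rlogin.te) is a far broader grant than the per-call auth interfaces it is placed next to — in refpolicy that interface marks the domain as a login program, with subject/role/object id change exemptions and MLS file access — and a grant of that scope deserves a why-comment, e.g. `# rlogind is a login program and needs the full login-program grant`. If this tree's auth_login_pgm_domain matches refpolicy's, it already calls auth_domtrans_chk_passwd and auth_use_nsswitch, so the lines kept directly below it become redundant (harmless, but worth trimming to make the real grant visible). This rlogin change, like the corosync one, is not mentioned in the %changelog entry added in the spec hunk at the end, which only records the clvmd tmpfs change.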
@@ -38175,10 +38213,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if can_exec($1, lvm_exec_t) ') +@@ -123,3 +123,22 @@ + corecmd_search_bin($1) + domtrans_pattern($1, clvmd_exec_t, clvmd_t) + ') ++ ++###################################### ++## ++## Read and write to clvmd temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_rw_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file rw_file_perms; ++ allow $1 clvmd_tmpfs_t:file unlink; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.19/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-05-28 09:42:00.505610658 +0200 -@@ -142,6 +142,11 @@ ++++ serefpolicy-3.7.19/policy/modules/system/lvm.te 2010-09-02 13:43:13.984335270 +0200 +@@ -13,6 +13,9 @@ + type clvmd_initrc_exec_t; + init_script_file(clvmd_initrc_exec_t) + ++type clvmd_tmpfs_t; ++files_tmpfs_file(clvmd_tmpfs_t) ++ + type clvmd_var_run_t; + files_pid_file(clvmd_var_run_t) + +@@ -57,6 +60,10 @@ + allow clvmd_t self:tcp_socket create_stream_socket_perms; + allow clvmd_t self:udp_socket create_socket_perms; + ++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) ++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) ++ + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) + files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) + +@@ -142,6 +149,11 @@ ') optional_policy(` 
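Review bot: `lvm_rw_clvmd_tmpfs_files` (inner hunk @@ -123 of lvm.if) grants `unlink` on top of `rw_file_perms`, which neither its name nor its summary "Read and write to clvmd temporary file system" conveys; either drop the unlink line or redocument it, e.g. summary `Read, write and delete clvmd tmpfs files.` with `allow $1 clvmd_tmpfs_t:file { rw_file_perms delete_file_perms };`. Callers must also be able to reach the files: clvmd creates them directly under tmpfs via `fs_tmpfs_filetrans`, so a caller without its own tmpfs search permission cannot use this grant, and comparable refpolicy interfaces include `fs_search_tmpfs($1)` for that reason. In the lvm.te part, `manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)` is missing the space after the second comma that the neighbouring pattern calls use.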
@@ -38190,7 +38272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ccs_stream_connect(clvmd_t) ') -@@ -171,6 +176,7 @@ +@@ -171,6 +183,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -38198,7 +38280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -218,6 +224,7 @@ +@@ -218,6 +231,7 @@ # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -38206,7 +38288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -244,6 +251,7 @@ +@@ -244,6 +258,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -38214,7 +38296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,8 +261,9 @@ +@@ -253,8 +268,9 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -38225,7 +38307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -264,6 +273,7 @@ +@@ -264,6 +280,7 @@ mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -38233,7 +38315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -311,6 +321,11 @@ +@@ -311,6 +328,11 @@ ') optional_policy(` 
@@ -38245,7 +38327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te bootloader_rw_tmp_files(lvm_t) ') -@@ -331,6 +346,10 @@ +@@ -331,6 +353,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 7a93695..414de03 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 53%{?dist} +Release: 54%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Thu Sep 2 2010 Miroslav Grepl 3.7.19-54 +- Allow clmvd to create tmpfs files + * Wed Sep 1 2010 Miroslav Grepl 3.7.19-53 - Fixes for jabberd policy - Fixes for sandbox policy