diff --git a/policy-F16.patch b/policy-F16.patch index 4f45abe..0d78818 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -18995,7 +18995,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..fc2c9ec +index 0000000..db35ff1 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,553 @@ @@ -19376,9 +19376,9 @@ index 0000000..fc2c9ec + lpd_run_checkpc(unconfined_t, unconfined_r) +') + -+optional_policy(` -+ mock_role(unconfined_r, unconfined_t) -+') ++#optional_policy(` ++# mock_role(unconfined_r, unconfined_t) ++#') + +optional_policy(` + modutils_run_update_mods(unconfined_t, unconfined_r) @@ -30908,10 +30908,10 @@ index 9bd812b..c4abec3 100644 ## an dnsmasq environment ## diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..df87ba8 100644 +index fdaeeba..d707dde 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te -@@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) @@ -30922,7 +30922,11 @@ index fdaeeba..df87ba8 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) -@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t) ++kernel_request_load_module(dnsmasq_t) + + corenet_all_recvfrom_unlabeled(dnsmasq_t) + corenet_all_recvfrom_netlabel(dnsmasq_t) +@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) @@ -30931,7 +30935,7 @@ index fdaeeba..df87ba8 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +99,16 @@ optional_policy(` +@@ -96,7 +100,16 @@ optional_policy(` ') optional_policy(` 
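Review bot: The `mock_role(unconfined_r, unconfined_t)` block in unconfineduser.te is commented out rather than deleted, with no comment saying why, and the changelog added to selinux-policy.spec in this commit does not mention it either. A commented-out optional_policy block reads as forgotten code to the next maintainer; either drop the three lines or keep them behind a one-line note such as `# mock_role disabled: <reason> — re-enable once <condition>` so the intent is recoverable. The enclosing unconfineduser.te policy continues outside the hunk.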
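Review bot: `kernel_request_load_module(dnsmasq_t)` is added to dnsmasq.te with no comment naming the operation that triggers the module request, and the only explanation in the commit is the changelog line about loading multiple modules. This interface grants the kernel `module_request` permission, i.e. the right to trigger autoloading of whichever module the kernel resolves for a request, not a single named module, so it deserves a why-comment at that line, e.g. `# dnsmasq triggers kernel module autoload for <operation — confirm from the audit denial>`. The rest of dnsmasq.te is outside the hunk, as is the inner hunk that these header renumberings describe.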
@@ -30948,7 +30952,7 @@ index fdaeeba..df87ba8 100644 ') optional_policy(` -@@ -114,4 +126,5 @@ optional_policy(` +@@ -114,4 +127,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -32461,6 +32465,21 @@ index 6537214..7d64c0a 100644 ps_process_pattern($1, fetchmail_t) files_list_etc($1) +diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te +index 3459d93..c39305a 100644 +--- a/policy/modules/services/fetchmail.te ++++ b/policy/modules/services/fetchmail.te +@@ -88,6 +88,10 @@ userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) + userdom_dontaudit_search_user_home_dirs(fetchmail_t) + + optional_policy(` ++ kerberos_use(fetchmail_t) ++') ++ ++optional_policy(` + procmail_domtrans(fetchmail_t) + ') + diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te index 9b7036a..4770f61 100644 --- a/policy/modules/services/finger.te @@ -33809,7 +33828,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..b9032a7 100644 +index 4fde46b..eac72e4 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -9,24 +9,32 @@ type gnomeclock_t; @@ -33848,7 +33867,7 @@ index 4fde46b..b9032a7 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +43,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +43,47 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` 
@@ -33888,17 +33907,13 @@ index 4fde46b..b9032a7 100644 +files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t) +files_manage_etc_symlinks(gnomeclock_systemctl_t) + -+fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t) -+ -+# needed by systemctl -+init_stream_connect(gnomeclock_systemctl_t) -+init_read_state(gnomeclock_systemctl_t) -+init_list_pid_dirs(gnomeclock_systemctl_t) ++miscfiles_read_localization(gnomeclock_systemctl_t) + +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) + +optional_policy(` -+ ntpd_read_unit_file(gnomeclock_systemctl_t) ++ ntp_read_unit_file(gnomeclock_systemctl_t) ++ ntp_read_state(gnomeclock_systemctl_t) +') diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if index 7d97298..d6b2959 100644 @@ -35809,7 +35824,7 @@ index 6fd0b4c..b733e45 100644 - ') diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te -index a73b7a1..7fa55e8 100644 +index a73b7a1..677998f 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -35833,13 +35848,14 @@ index a73b7a1..7fa55e8 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t) +@@ -31,9 +38,17 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) +domain_dontaudit_read_all_domains_state(ksmtuned_t) corecmd_exec_bin(ksmtuned_t) ++corecmd_exec_shell(ksmtuned_t) files_read_etc_files(ksmtuned_t) @@ -36274,7 +36290,7 @@ index 49e04e5..69db026 100644 /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te -index 6a78de1..0aebce6 100644 +index 6a78de1..a32fbe8 100644 --- a/policy/modules/services/lircd.te +++ b/policy/modules/services/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; 
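Review bot: `miscfiles_read_localization(gnomeclock_systemctl_t)` duplicates the `miscfiles_read_localization(systemctl_domain)` rule this same commit adds to systemd.te, so if `gnomeclock_systemctl_t` is produced by the updated systemd template (which now attaches `systemctl_domain`) the per-domain line is redundant and can go. The removed `fs_dontaudit_search_cgroup_dirs` and `init_*` lines are not simply moved: on the attribute they become `fs_list_cgroup_dirs`/`fs_read_cgroup_files` allow rules, a wider grant than the former dontaudit, and nothing in gnomeclock.te records that the systemctl rules now come from elsewhere; a comment such as `# cgroup and init access for systemctl is granted via the systemctl_domain attribute in systemd.te` would keep that traceable. The renamed `ntp_read_unit_file` call matches the interface rename in ntp.if in this commit; the start of the gnomeclock_systemctl_t section is outside the hunk.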
@@ -36294,7 +36310,7 @@ index 6a78de1..0aebce6 100644 allow lircd_t self:fifo_file rw_fifo_file_perms; allow lircd_t self:unix_dgram_socket create_socket_perms; allow lircd_t self:tcp_socket create_stream_socket_perms; -@@ -44,13 +45,13 @@ corenet_tcp_bind_lirc_port(lircd_t) +@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t) corenet_tcp_sendrecv_all_ports(lircd_t) corenet_tcp_connect_lirc_port(lircd_t) @@ -36304,6 +36320,7 @@ index 6a78de1..0aebce6 100644 dev_filetrans_lirc(lircd_t) dev_rw_lirc(lircd_t) dev_rw_input_dev(lircd_t) ++dev_read_sysfs(lircd_t) -files_read_etc_files(lircd_t) +files_read_config_files(lircd_t) @@ -40586,7 +40603,7 @@ index e79dccc..50202ef 100644 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if -index e80f8c0..be0d107 100644 +index e80f8c0..d90ed98 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if @@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',` @@ -40603,7 +40620,7 @@ index e80f8c0..be0d107 100644 +## +## +# -+interface(`ntpd_read_unit_file',` ++interface(`ntp_read_unit_file',` + gen_require(` + type ntpd_unit_file_t; + ') @@ -40615,7 +40632,33 @@ index e80f8c0..be0d107 100644 ######################################## ## ## Read and write ntpd shared memory. -@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',` +@@ -122,6 +141,25 @@ interface(`ntp_rw_shm',` + + ######################################## + ## ++## Allow the domain to read ntpd state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_read_state',` ++ gen_require(` ++ type ntpd_t; ++ ') ++ ++ kernel_search_proc($1) ++ ps_process_pattern($1, ntpd_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an ntp environment + ## +@@ -140,11 +178,10 @@ interface(`ntp_rw_shm',` interface(`ntp_admin',` gen_require(` type ntpd_t, ntpd_tmp_t, ntpd_log_t; 
@@ -64720,10 +64763,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..7501ef8 +index 0000000..d46fb42 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,377 @@ +@@ -0,0 +1,376 @@ +## SELinux policy for systemd components + +####################################### @@ -64741,17 +64784,16 @@ index 0000000..7501ef8 + gen_require(` + type systemd_systemctl_exec_t; + role system_r; ++ attribute systemctl_domain; + ') + -+ type $1_systemctl_t; ++ type $1_systemctl_t, systemctl_domain; + domain_type($1_systemctl_t) + domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t) + + role system_r types $1_systemctl_t; + + domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t) -+ -+ init_use_fds($1_t) +') + +######################################## @@ -65103,10 +65145,10 @@ index 0000000..7501ef8 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0185280 +index 0000000..d079aca --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,319 @@ +@@ -0,0 +1,337 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -65115,6 +65157,8 @@ index 0000000..0185280 +# + +attribute systemd_unit_file_type; ++attribute systemd_domain; ++attribute systemctl_domain; + +# New in f16 +permissive systemd_logger_t; @@ -65426,6 +65470,22 @@ index 0000000..0185280 +logging_send_syslog_msg(systemd_logger_t) + +miscfiles_read_localization(systemd_logger_t) ++ ++ ++######################################## ++# ++# systemd_sysctl domains local policy ++# ++fs_list_cgroup_dirs(systemctl_domain) ++fs_read_cgroup_files(systemctl_domain) ++ ++# needed by systemctl ++init_stream_connect(systemctl_domain) ++init_read_state(systemctl_domain) ++init_list_pid_dirs(systemctl_domain) ++init_use_fds(systemctl_domain) ++ ++miscfiles_read_localization(systemctl_domain) 
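Review bot: The template drops `init_use_fds($1_t)` while the replacement `init_use_fds(systemctl_domain)` in systemd.te applies to `$1_systemctl_t`, so the calling domain `$1_t` silently loses that permission in this commit; if callers relied on it (it was the only rule the template granted to `$1_t` besides the domain transition), keep `init_use_fds($1_t)` or state why it is no longer needed. The template's name and its callers are outside the hunk, so I cannot confirm which domains are affected. The new attribute assignment would also benefit from a short comment at `type $1_systemctl_t, systemctl_domain;`, e.g. `# rules shared by all systemctl domains live under systemctl_domain in systemd.te`.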
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 0291685..7e94f4b 100644 --- a/policy/modules/system/udev.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index d73f51d..c875d24 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,8 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog -* Wed Aug 3 2011 Miroslav Grepl 3.10.0-15 -- Fix fc_sort error +* Thu Aug 4 2011 Miroslav Grepl 3.10.0-16 +- fetchmail can use kerberos +- ksmtuned reads in shell programs +- gnome_systemctl_t reads the process state of ntp +- dnsmasq_t asks the kernel to load multiple kernel modules +- Add rules for domains executing systemctl +- Bogus text within fc file * Wed Aug 3 2011 Miroslav Grepl 3.10.0-14 - Add cfengine policy
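Review bot: The new section header `# systemd_sysctl domains local policy` does not name the attribute it governs; it should read `# systemctl domains local policy`. The section also turns the per-domain `fs_dontaudit_search_cgroup_dirs` removed from gnomeclock.te in this commit into `fs_list_cgroup_dirs`/`fs_read_cgroup_files` allow rules for every `systemctl_domain`, which is a wider grant than silencing a denial; a why-comment naming what systemctl reads under the cgroup mount would justify it. Separately, `attribute systemd_domain;` declared in the earlier hunk of systemd.te is not referenced anywhere in the visible diff, so either drop it or add the rules it is meant to carry. The hunk's trailing context runs into the nested udev.fc file header.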