diff --git a/policy-F16.patch b/policy-F16.patch index ec6758d..d7cffee 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -65286,7 +65286,7 @@ index 7c5d8d8..e6bb21e 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..bc0bf43 100644 +index 3eca020..c0eaf5e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0) @@ -65688,7 +65688,7 @@ index 3eca020..bc0bf43 100644 miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) -@@ -285,16 +423,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +423,31 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -65700,6 +65700,7 @@ index 3eca020..bc0bf43 100644 seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) ++sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) sysnet_read_config(virtd_t) @@ -65719,7 +65720,7 @@ index 3eca020..bc0bf43 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +465,10 @@ optional_policy(` +@@ -313,6 +466,10 @@ optional_policy(` ') optional_policy(` @@ -65730,7 +65731,7 @@ index 3eca020..bc0bf43 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -326,6 +482,14 @@ optional_policy(` +@@ -326,6 +483,14 @@ optional_policy(` optional_policy(` hal_dbus_chat(virtd_t) ') @@ -65745,7 +65746,7 @@ index 3eca020..bc0bf43 100644 ') optional_policy(` -@@ -334,11 +498,14 @@ optional_policy(` +@@ -334,11 +499,14 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_read_pid_files(virtd_t) dnsmasq_signull(virtd_t) @@ -65760,7 +65761,7 @@ index 3eca020..bc0bf43 100644 # Manages /etc/sysconfig/system-config-firewall iptables_manage_config(virtd_t) -@@ -360,11 +527,11 @@ optional_policy(` +@@ -360,11 +528,11 @@ optional_policy(` ') optional_policy(` 
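Review bot: In the hunk at `@@ -65700,6 +65700,7 @@`, the new `++sysnet_signal_ifconfig(virtd_t)` line is inserted ahead of `sysnet_domtrans_ifconfig(virtd_t)` and `sysnet_read_config(virtd_t)`, which breaks the alphabetical order the surrounding `sysnet_` calls follow; placing it after `sysnet_read_config(virtd_t)` keeps the group sorted. The permission itself is consistent with the adjacent domain transition, since virtd_t already spawns ifconfig through `sysnet_domtrans_ifconfig` and the changelog entry says libvirt sends it signals. The rewritten inner header `+@@ -285,16 +423,31 @@` and the +1 shifts in the later inner headers match the single added line. The remaining hunks on this line only renumber inner hunk headers and blob hashes.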
@@ -65777,7 +65778,7 @@ index 3eca020..bc0bf43 100644 ') optional_policy(` -@@ -394,20 +561,36 @@ optional_policy(` +@@ -394,20 +562,36 @@ optional_policy(` # virtual domains common policy # @@ -65817,7 +65818,7 @@ index 3eca020..bc0bf43 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +602,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -65830,7 +65831,7 @@ index 3eca020..bc0bf43 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +613,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +614,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -65843,7 +65844,7 @@ index 3eca020..bc0bf43 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +626,365 @@ files_search_all(virt_domain) +@@ -440,25 +627,365 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -71376,7 +71377,7 @@ index 354ce93..4738083 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..ef5a3c8 100644 +index 94fd8dd..5a52670 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -72068,7 +72069,7 @@ index 94fd8dd..ef5a3c8 100644 + ') + + files_search_pids($1) -+ filetrans_pattern($1, init_var_run_t, $2, $3) ++ filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + +####################################### @@ -74730,13 +74731,14 @@ index a0b379d..2291a13 100644 - nscd_socket_use(sulogin_t) -') 
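Review bot: In the hunk at `@@ -72068,7 +72069,7 @@`, `init_pid_filetrans` now forwards a fourth argument as `filetrans_pattern($1, init_var_run_t, $2, $3, $4)`, but nothing in the hunk shows the interface's XML header gaining a matching `<param name="name" optional="true">` entry; the interface begins above the hunk, so the declaration there should be checked. Because an unset `$4` should expand to nothing under m4, existing three-argument callers keep their previous `type_transition`, which is presumably why no callers were touched. A short comment on the line such as `# $4: optional object name for a named file transition` would document the new parameter where it is used. The hunk starting at `@@ -74730,13 +74731,14 @@` continues on the next line.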
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 02f4c97..314efca 100644 +index 02f4c97..170e2e0 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc -@@ -17,12 +17,26 @@ +@@ -17,12 +17,27 @@ /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) ++/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) + +/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -74761,7 +74763,7 @@ index 02f4c97..314efca 100644 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,7 +52,7 @@ ifdef(`distro_suse', ` +@@ -38,7 +53,7 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) 
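Review bot: The `++/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)` line, which closes the hunk that begins at `@@ -74730,13 +74731,14 @@` on the previous line, labels journald with the rsyslog entrypoint type, so journald will run in syslogd_t with the whole rule set of that domain rather than in a domain of its own. The same approach is already taken for systemd-kmsg-syslogd on the following line, so it looks deliberate, but it grants journald everything syslogd_t may do rather than only what it needs; an fc comment such as `# journald shares syslogd_t until it gets a dedicated domain` would record that intent. The rest of this line only renumbers inner hunk headers and blob hashes.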
@@ -74770,7 +74772,15 @@ index 02f4c97..314efca 100644 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) -@@ -73,4 +87,8 @@ ifdef(`distro_redhat',` +@@ -66,6 +81,7 @@ ifdef(`distro_redhat',` + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) + /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ++/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) + + /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) + /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) +@@ -73,4 +89,9 @@ ifdef(`distro_redhat',` /var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -74779,8 +74789,9 @@ index 02f4c97..314efca 100644 /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 831b909..9889380 100644 +index 831b909..118f708 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -74865,7 +74876,7 @@ index 831b909..9889380 100644 ######################################## ## ## Send system log messages. -@@ -545,6 +602,44 @@ interface(`logging_send_syslog_msg',` +@@ -545,6 +602,45 @@ interface(`logging_send_syslog_msg',` ######################################## ## 
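Review bot: In the hunk at `@@ -74770,7 +74772,15 @@`, the new entry `/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)` carries a systemhigh level like the `syslogd.pid` entry above it, whereas the runtime creation path added in logging.if (`init_pid_filetrans($1, devlog_t, sock_file, "syslog")`) only fixes the type, so on an MLS build the level of a socket created by the daemon comes from the creating process and can differ from what a relabel applies; if both paths are meant to agree, that is worth a comment next to the entry. The follow-on hunk at `@@ -74779,8 +74789,9 @@` appends a bare `++` as a trailing blank line at the end of logging.fc, which is whitespace only and could be dropped. The inner header renumbering from `+87,8` to `+89,9` accounts for the two lines added earlier plus that trailing blank.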
@@ -74884,6 +74895,7 @@ index 831b909..9889380 100644 + + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) ++ init_pid_filetrans($1, devlog_t, sock_file, "syslog") +') + +######################################## @@ -74910,7 +74922,7 @@ index 831b909..9889380 100644 ## Read the auditd configuration files. ## ## -@@ -734,7 +829,25 @@ interface(`logging_append_all_logs',` +@@ -734,7 +830,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -74937,7 +74949,7 @@ index 831b909..9889380 100644 ') ######################################## -@@ -817,7 +930,7 @@ interface(`logging_manage_all_logs',` +@@ -817,7 +931,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -74946,7 +74958,7 @@ index 831b909..9889380 100644 ') ######################################## -@@ -843,6 +956,44 @@ interface(`logging_read_generic_logs',` +@@ -843,6 +957,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -74991,7 +75003,7 @@ index 831b909..9889380 100644 ## Write generic log files. ## ## -@@ -944,9 +1095,13 @@ interface(`logging_admin_audit',` +@@ -944,9 +1096,13 @@ interface(`logging_admin_audit',` type auditd_initrc_exec_t; ') @@ -75006,7 +75018,7 @@ index 831b909..9889380 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -990,10 +1145,15 @@ interface(`logging_admin_syslog',` +@@ -990,10 +1146,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -75024,7 +75036,7 @@ index 831b909..9889380 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1015,6 +1175,8 @@ interface(`logging_admin_syslog',` +@@ -1015,6 +1176,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
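Review bot: In the hunk at `@@ -74884,6 +74895,7 @@`, `logging_create_devlog_dev` gains `init_pid_filetrans($1, devlog_t, sock_file, "syslog")` next to the existing `dev_filetrans`, so the interface now creates a devlog_t socket under the init pid directory as well as under /dev, yet its XML description above the hunk (outside this view) presumably still describes only the /dev/log case and should mention the `/var/run/systemd/journal/syslog` path. The four-argument call depends on the `init_pid_filetrans` change to init.if elsewhere in this patch, so the two hunks must land together. A one-line comment such as `# systemd places the syslog socket under /var/run/systemd/journal` would explain the second transition. The remaining hunks on this line only renumber inner hunk headers.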
@@ -78595,10 +78607,10 @@ index 0000000..0d3e625 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..75e7f1c +index 0000000..7581e7d --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,542 @@ +@@ -0,0 +1,543 @@ +## SELinux policy for systemd components + +####################################### @@ -78823,6 +78835,7 @@ index 0000000..75e7f1c + ') + + init_search_pid_dirs($1) ++ allow $1 systemd_logind_sessions_t:dir list_dir_perms; + read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t) +') + diff --git a/selinux-policy.spec b/selinux-policy.spec index c577be1..81cc614 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 73%{?dist} +Release: 74%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 11 2012 Miroslav Grepl 3.10.0-74 +- Add labeling for /var/run/systemd/journal/syslog +- libvirt sends signals to ifconfig +- Allow domains that read logind session files to list them + * Wed Jan 11 2012 Miroslav Grepl 3.10.0-73 - Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem
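Review bot: In the hunk at `@@ -78823,6 +78835,7 @@`, the new `allow $1 systemd_logind_sessions_t:dir list_dir_perms;` is a bare allow placed between `init_search_pid_dirs($1)` and a `read_files_pattern(...)` call; the pattern style used on the neighbouring line would express it as `list_dirs_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)`. Both forms grant the same directory permissions here, so this is a consistency point only. The enclosing interface's header and name are above the hunk, outside this view. The selinux-policy.spec hunks are a release bump and changelog entries and need nothing.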