diff --git a/policy-F16.patch b/policy-F16.patch index a9e1e08..cc32a50 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -66819,7 +66819,7 @@ index fbb5c5a..637eb37 100644 ') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..d6f54c3 100644 +index 2e9318b..b3e9826 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -66935,7 +66935,7 @@ index 2e9318b..d6f54c3 100644 -allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +dontaudit mozilla_plugin_t self:capability { sys_nice sys_tty_config }; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem }; ++allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; allow mozilla_plugin_t self:udp_socket create_socket_perms; @@ -78804,15 +78804,15 @@ index 97fcdac..b131b1b 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index f125dc2..4fabc25 100644 +index f125dc2..20c042d 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); -+fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. 
@@ -78861,36 +78861,7 @@ index f125dc2..4fabc25 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -230,14 +230,24 @@ genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) - genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) - - type fusefs_t; --fs_noxattr_type(fusefs_t) -+fs_type(fusefs_t) -+files_type(fusefs_t) - files_mountpoint(fusefs_t) -+files_poly_parent(fusefs_t) -+dev_associate(fusefs_t) -+ - allow fusefs_t self:filesystem associate; - allow fusefs_t fs_t:filesystem associate; --genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) --genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) --genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) - -+# Use a transition SID based on the allocating task SID and the -+# filesystem SID to label inodes in the following filesystem types, -+# and label the filesystem itself with the specified context. -+# This is appropriate for pseudo filesystems like devpts and tmpfs -+# where we want to label objects with a derived type. -+fs_use_xattr fuse gen_context(system_u:object_r:fusefs_t,s0); -+fs_use_xattr fuseblk gen_context(system_u:object_r:fusefs_t,s0); -+fs_use_xattr fusectl gen_context(system_u:object_r:fusefs_t,s0); -+allow fusefs_t noxattrfs:filesystem associate; - # - # iso9660_t is the type for CD filesystems - # and their files. -@@ -254,6 +264,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +254,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -78899,7 +78870,7 @@ index f125dc2..4fabc25 100644 files_mountpoint(removable_t) # -@@ -273,6 +285,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +275,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -93235,7 +93206,7 @@ index 0000000..d509142 +') diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te new file mode 100644 -index 0000000..1237d07 +index 0000000..e1f7dcb --- /dev/null +++ b/policy/modules/services/condor.te @@ -0,0 +1,226 @@ @@ -93326,7 +93297,7 @@ index 0000000..1237d07 +corecmd_exec_bin(condor_domain) +corecmd_exec_shell(condor_domain) + -+#corenet_tcp_connect_condor_port(condor_domain) ++corenet_tcp_connect_condor_port(condor_domain) +corenet_tcp_connect_all_ephemeral_ports(condor_domain) + +domain_use_interactive_fds(condor_domain) @@ -130794,7 +130765,7 @@ index 7c5d8d8..c542fe7 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..2e6e783 100644 +index 3eca020..b1d885a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -131374,7 +131345,7 @@ index 3eca020..2e6e783 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +650,399 @@ files_search_all(virt_domain) +@@ -440,25 +650,412 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) 
@@ -131744,11 +131715,14 @@ index 3eca020..2e6e783 100644
 +allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 +allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 +
++can_exec(virt_qmf_t, virtd_exec_t)
++
 +kernel_read_system_state(virt_qmf_t)
 +kernel_read_network_state(virt_qmf_t)
 +
-+dev_list_sysfs(virt_qmf_t)
 +dev_read_sysfs(virt_qmf_t)
++dev_read_rand(virt_qmf_t)
++dev_read_urand(virt_qmf_t)
 +
 +corenet_tcp_connect_matahari_port(virt_qmf_t)
 +
@@ -131760,6 +131734,16 @@ index 3eca020..2e6e783 100644
 +
 +miscfiles_read_localization(virt_qmf_t)
 +
++sysnet_read_config(virt_qmf_t)
++
++optional_policy(`
++ dbus_read_lib_files(virt_qmf_t)
++')
++
++optional_policy(`
++ virt_stream_connect(virt_qmf_t)
++')
++
 +########################################
 +#
 +# virt_bridgehelper local policy
@@ -145555,10 +145539,10 @@ index 0000000..a7e3666
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..fdcabd1
+index 0000000..609e0e1
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,410 @@
+@@ -0,0 +1,411 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
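Review bot: `can_exec(virt_qmf_t, virtd_exec_t)` lets the QMF agent execute the libvirtd binary without a domain transition, so whatever that binary does then runs with virt_qmf_t's permissions rather than virtd_t's, and the hunk gives no hint why that is wanted. If the agent is meant to start libvirtd, a transition interface (virt_domtrans, if this policy's virt.if provides it) keeps the daemon in its own domain; if it genuinely only needs to run the binary in place, a comment above the line saying so, e.g. `# virt-qmf executes the libvirtd binary in its own domain; no transition intended`, would answer the question for the next reviewer. The virt_qmf_t block continues outside the hunk.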
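Review bot: The `optional_policy` wrapper around `virt_stream_connect(virt_qmf_t)` is redundant: that interface belongs to this same module (virt), which cannot be absent while virt.te is being built, so the call can be made directly as `virt_stream_connect(virt_qmf_t)` without the block. The `dbus_read_lib_files` block above it does need the wrapper, since dbus is a separate module that may not be loaded.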
@@ -145634,19 +145618,19 @@ index 0000000..fdcabd1
 +init_halt(systemd_logind_t)
 +init_undefined(systemd_logind_t)
 +
-+dev_read_sysfs(systemd_logind_t)
-+dev_setattr_input_dev(systemd_logind_t)
-+dev_setattr_mouse_dev(systemd_logind_t)
-+dev_write_kmsg(systemd_logind_t)
-+
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
++dev_rw_sysfs(systemd_logind_t)
++dev_setattr_all_chr_files(systemd_logind_t)
 +dev_setattr_dri_dev(systemd_logind_t)
++dev_setattr_generic_usb_dev(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
 +dev_setattr_kvm_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
 +dev_setattr_sound_dev(systemd_logind_t)
-+dev_setattr_generic_usb_dev(systemd_logind_t)
 +dev_setattr_video_dev(systemd_logind_t)
-+dev_setattr_all_chr_files(systemd_logind_t)
++dev_write_kmsg(systemd_logind_t)
++
 +
 +domain_read_all_domains_state(systemd_logind_t)
 +
@@ -145682,6 +145666,7 @@ index 0000000..fdcabd1
 +miscfiles_read_localization(systemd_logind_t)
 +
 +udev_read_db(systemd_logind_t)
++udev_manage_rules_files(systemd_logind_t)
 +
 +userdom_read_all_users_state(systemd_logind_t)
 +userdom_use_user_ttys(systemd_logind_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 478fcd2..b939a10 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 115%{?dist}
+Release: 116%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Apr 15 2012 Miroslav Grepl 3.10.0-116 +- More access required for virt_qmf_t +- Additional assess required for systemd-logind to support multi-seat +- Allow mozilla_plugin to setrlimit +- Revert changes to fuse file system to stop deadlock + * Mon Apr 15 2012 Miroslav Grepl 3.10.0-115 - Allow condor domains to connect to ephemeral ports - More fixes for condor policy
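Review bot: `dev_rw_sysfs(systemd_logind_t)` replaces the removed `dev_read_sysfs` and grants write access to sysfs as a whole, which is the broadest grant in this block and is not explained anywhere in the hunk; the changelog only says it is for multi-seat. A comment naming what logind actually writes in sysfs for seat handling would justify the rule and show whether a narrower rule on top of `dev_read_sysfs` was considered, e.g. `# multi-seat: logind writes seat assignments in sysfs (confirm which attributes)`. The reordering of the `dev_setattr_*` calls is cosmetic and changes nothing.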
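Review bot: `udev_manage_rules_files(systemd_logind_t)` gives logind create, write and delete access to udev rules; because udev applies those rules with full privilege to set device ownership and permissions, a domain that can write them effectively decides device access for every seat, so this is a large extension of trust for a one-line change with no rationale. A comment above the line stating why logind must write rules rather than only read them would document that trust, e.g. `# multi-seat: logind generates per-seat udev rules (confirm whether write access to existing rules is needed, or only create)`.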