- Fix cyphesis file context

This commit is contained in:
Daniel J Walsh 2008-11-05 20:34:06 +00:00
parent 6a09cfb688
commit 074b12f275
3 changed files with 44 additions and 27 deletions


@ -1003,6 +1003,13 @@ logwatch = base
#
setrans = base
# Layer: services
# Module: setroubleshoot
#
# Policy for the SELinux troubleshooting utility
#
setroubleshoot = base
# Layer: services
# Module: openvpn
#


@ -8400,7 +8400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-05 13:22:07.000000000 -0500
@@ -36,7 +36,7 @@
/dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -14165,13 +14165,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-05 15:12:14.000000000 -0500
@@ -1 +1,6 @@
/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
@ -26338,7 +26338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-10-29 13:26:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-05 15:24:47.000000000 -0500
@@ -8,6 +8,14 @@
## <desc>
@ -26443,7 +26443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_common_domain_template(xdm)
xserver_common_x_domain_template(xdm, xdm, xdm_t)
init_system_domain(xdm_xserver_t, xserver_exec_t)
@@ -140,8 +193,9 @@
@@ -140,13 +193,14 @@
# XDM Local policy
#
@ -26455,6 +26455,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
allow xdm_t self:tcp_socket create_stream_socket_perms;
allow xdm_t self:udp_socket create_socket_perms;
allow xdm_t self:socket create_socket_perms;
@@ -154,6 +208,12 @@
allow xdm_t self:key { search link write };
@ -26477,7 +26483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
@@ -176,15 +238,31 @@
@@ -176,15 +238,32 @@
manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -26497,6 +26503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
-files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
+files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
+# Read machine-id
@ -26511,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -198,6 +276,7 @@
@@ -198,6 +277,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -26519,7 +26526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
@@ -229,6 +308,7 @@
@@ -229,6 +309,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -26527,7 +26534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -241,6 +321,7 @@
@@ -241,6 +322,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -26535,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -253,14 +334,17 @@
@@ -253,14 +335,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@ -26555,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -271,9 +355,13 @@
@@ -271,9 +356,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -26569,7 +26576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -282,6 +370,7 @@
@@ -282,6 +371,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -26577,7 +26584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -290,6 +379,7 @@
@@ -290,6 +380,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -26585,7 +26592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -301,21 +391,26 @@
@@ -301,21 +392,26 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -26617,7 +26624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -348,10 +443,12 @@
@@ -348,10 +444,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@ -26630,7 +26637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -359,6 +456,22 @@
@@ -359,6 +457,22 @@
')
optional_policy(`
@ -26653,7 +26660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -382,16 +495,34 @@
@@ -382,16 +496,34 @@
')
optional_policy(`
@ -26689,7 +26696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -411,6 +542,10 @@
@@ -411,6 +543,10 @@
')
optional_policy(`
@ -26700,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
@@ -427,7 +562,7 @@
@@ -427,7 +563,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -26709,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -439,6 +574,15 @@
@@ -439,6 +575,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -26725,7 +26732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -450,10 +594,19 @@
@@ -450,10 +595,19 @@
# xdm_xserver_t may no longer have any reason
# to read ROLE_home_t - examine this in more detail
# (xauth?)
@ -26746,7 +26753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -468,8 +621,19 @@
@@ -468,8 +622,19 @@
optional_policy(`
dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@ -26766,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
resmgr_stream_connect(xdm_t)
@@ -481,8 +645,25 @@
@@ -481,8 +646,25 @@
')
optional_policy(`
@ -26794,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifndef(`distro_redhat',`
allow xdm_xserver_t self:process { execheap execmem };
@@ -491,7 +672,6 @@
@@ -491,7 +673,6 @@
ifdef(`distro_rhel4',`
allow xdm_xserver_t self:process { execheap execmem };
')
@ -26802,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
@@ -512,6 +692,27 @@
@@ -512,6 +693,27 @@
allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -26830,7 +26837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
# Need to further investigate these permissions and
# perhaps define derived types.
@@ -544,3 +745,70 @@
@@ -544,3 +746,70 @@
#
allow pam_t xdm_t:fifo_file { getattr ioctl write };
') dnl end TODO
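Review bot: The relabelled `/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)` entry in the cyphesis.fc hunk names a type that nothing in this commit shows being declared; a file context whose type is not declared in the module's .te (and, for a pid directory, marked with `files_pid_file()`) fails at `semodule`/`setfiles` time with an invalid-context error, which is presumably the breakage this rename is correcting. Worth confirming that cyphesis.te in the same serefpolicy patch declares both `cyphesis_var_run_t` and `cyphesis_log_t` (the `/var/log/cyphesis(/.*)?` entry depends on the latter), since those .te hunks are not part of this change. A cheap pre-commit check is `setfiles -c <binary policy> cyphesis.fc`, or a full `make load` of the module set, before bumping the spec release. The enclosing policy patch continues on both sides of this hunk, so the .te context is not visible here.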


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
Release: 15%{?dist}
Release: 16%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -457,6 +457,9 @@ exit 0
%endif
%changelog
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-16
- Fix cyphesis file context
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
- Allow hal/pm-utils to look at /var/run/video.rom
- Add ulogd policy