* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8

- initrc is calling exportfs which is not confined so it attempts to read nfsd_files - Fixes for passenger running within openshift. - Add labeling for all tomcat6 dirs - Add support for tomcat6 - Allow cobblerd to read /etc/passwd - Allow jockey to read sysfs and and execute binaries with bin_t - Allow thum to use user terminals - Allow cgclear to read cgconfig config files - Fix bcf2g.fc - Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other - Allow dbomatic to execute ruby - abrt_watch_log should be abrt_domain - Allow mozilla_plugin to connect to gatekeeper port
2012-07-03 23:11:32 +02:00 · 2012-07-03 23:11:32 +02:00 · 0f07ba7f55
parent 1de5de6450
commit 0f07ba7f55
3 changed files with 392 additions and 316 deletions
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@ -60457,7 +60457,7 @@ index db981df..b77f19f 100644
 +/usr/lib/ruby/gems/.*/agents(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/virtualbox/VBoxManage		--	gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..ba59ffd 100644
+index 9e9263a..c4dc1b6 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
@@ -122,6 +122,7 @@ interface(`corecmd_search_bin',`
@ -60534,7 +60534,18 @@ index 9e9263a..ba59ffd 100644
 	read_sock_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -362,6 +385,7 @@ interface(`corecmd_manage_bin_files',`
+@@ -345,6 +368,10 @@ interface(`corecmd_exec_bin',`
+ 	read_lnk_files_pattern($1, bin_t, bin_t)
+ 	list_dirs_pattern($1, bin_t, bin_t)
+ 	can_exec($1, bin_t)
+	#ifdef(`enable_mls',`',`
+	#	files_exec_usr_files($1)
+	#	libs_exec_lib_files($1)
+	#')
+ ')
+ 
+ ########################################
+@@ -362,6 +389,7 @@ interface(`corecmd_manage_bin_files',`
 		type bin_t;
 	')
 
@ -60542,7 +60553,7 @@ index 9e9263a..ba59ffd 100644
 	manage_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -398,6 +422,7 @@ interface(`corecmd_mmap_bin_files',`
+@@ -398,6 +426,7 @@ interface(`corecmd_mmap_bin_files',`
 		type bin_t;
 	')
 
@ -60550,7 +60561,7 @@ index 9e9263a..ba59ffd 100644
 	mmap_files_pattern($1, bin_t, bin_t)
 ')
 
-@@ -954,6 +979,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,6 +983,24 @@ interface(`corecmd_exec_chroot',`
 
 ########################################
 ## <summary>
@ -60575,7 +60586,7 @@ index 9e9263a..ba59ffd 100644
 ##	Get the attributes of all executable files.
 ## </summary>
 ## <param name="domain">
-@@ -1049,6 +1092,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1096,7 @@ interface(`corecmd_manage_all_executables',`
 		type bin_t;
 	')
 
@ -76848,7 +76859,7 @@ index 6ce867a..ee79c5a 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
 ')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..2293c1b 100644
+index f12b8ff..3b80e52 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
@ -76957,7 +76968,7 @@ index f12b8ff..2293c1b 100644
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
 
-@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,79 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
@ -76978,6 +76989,11 @@ index f12b8ff..2293c1b 100644
 +	')
 +')
 +
+######################################
+#
+# nsswitch_domain local policy
+#
+
 +auth_read_passwd(nsswitch_domain)
 +
 +# read /etc/nsswitch.conf
@ -78579,7 +78595,7 @@ index d26fe81..3ff8fef 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..0721079 100644
+index 5fb9683..a2c2556 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -79001,7 +79017,7 @@ index 5fb9683..0721079 100644
 
 init_write_initctl(initrc_t)
 
-@@ -265,20 +494,34 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -265,20 +494,35 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -79024,6 +79040,7 @@ index 5fb9683..0721079 100644
 +fs_manage_tmpfs_symlinks(initrc_t)
 +fs_delete_tmpfs_files(initrc_t)
 +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file)
+fs_read_nfsd_files(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
 
@ -79040,7 +79057,7 @@ index 5fb9683..0721079 100644
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +529,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -286,6 +530,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
@ -79048,7 +79065,7 @@ index 5fb9683..0721079 100644
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
-@@ -296,8 +540,10 @@ dev_write_framebuffer(initrc_t)
+@@ -296,8 +541,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
@ -79059,7 +79076,7 @@ index 5fb9683..0721079 100644
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -305,17 +551,16 @@ dev_manage_generic_files(initrc_t)
+@@ -305,17 +552,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -79079,7 +79096,7 @@ index 5fb9683..0721079 100644
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
-@@ -323,6 +568,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -323,6 +569,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
@ -79087,7 +79104,7 @@ index 5fb9683..0721079 100644
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
-@@ -330,8 +576,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -330,8 +577,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -79099,7 +79116,7 @@ index 5fb9683..0721079 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -347,8 +595,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -347,8 +596,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -79113,7 +79130,7 @@ index 5fb9683..0721079 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -358,9 +610,12 @@ fs_mount_all_fs(initrc_t)
+@@ -358,9 +611,12 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -79127,7 +79144,7 @@ index 5fb9683..0721079 100644
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
-@@ -370,6 +625,7 @@ mls_process_read_up(initrc_t)
+@@ -370,6 +626,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -79135,7 +79152,7 @@ index 5fb9683..0721079 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -381,6 +637,7 @@ term_use_all_terms(initrc_t)
+@@ -381,6 +638,7 @@ term_use_all_terms(initrc_t)
 term_reset_tty_labels(initrc_t)
 
 auth_rw_login_records(initrc_t)
@ -79143,7 +79160,7 @@ index 5fb9683..0721079 100644
 auth_setattr_login_records(initrc_t)
 auth_rw_lastlog(initrc_t)
 auth_read_pam_pid(initrc_t)
-@@ -401,18 +658,17 @@ logging_read_audit_config(initrc_t)
+@@ -401,18 +659,17 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -79165,7 +79182,7 @@ index 5fb9683..0721079 100644
 
 ifdef(`distro_debian',`
 	dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +721,10 @@ ifdef(`distro_gentoo',`
+@@ -465,6 +722,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
@ -79176,7 +79193,7 @@ index 5fb9683..0721079 100644
 		alsa_read_lib(initrc_t)
 	')
 
-@@ -485,7 +745,7 @@ ifdef(`distro_redhat',`
+@@ -485,7 +746,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -79185,7 +79202,7 @@ index 5fb9683..0721079 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -500,6 +760,7 @@ ifdef(`distro_redhat',`
+@@ -500,6 +761,7 @@ ifdef(`distro_redhat',`
 	files_create_boot_dirs(initrc_t)
 	files_create_boot_flag(initrc_t)
 	files_rw_boot_symlinks(initrc_t)
@ -79193,7 +79210,7 @@ index 5fb9683..0721079 100644
 	# wants to read /.fonts directory
 	files_read_default_files(initrc_t)
 	files_mountpoint(initrc_tmp_t)
-@@ -520,6 +781,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +782,7 @@ ifdef(`distro_redhat',`
 	miscfiles_rw_localization(initrc_t)
 	miscfiles_setattr_localization(initrc_t)
 	miscfiles_relabel_localization(initrc_t)
@ -79201,7 +79218,7 @@ index 5fb9683..0721079 100644
 
 	miscfiles_read_fonts(initrc_t)
 	miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +791,35 @@ ifdef(`distro_redhat',`
+@@ -529,8 +792,35 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
@ -79237,7 +79254,7 @@ index 5fb9683..0721079 100644
 	')
 
 	optional_policy(`
-@@ -538,14 +827,27 @@ ifdef(`distro_redhat',`
+@@ -538,14 +828,27 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -79265,7 +79282,7 @@ index 5fb9683..0721079 100644
 	')
 ')
 
-@@ -556,6 +858,39 @@ ifdef(`distro_suse',`
+@@ -556,6 +859,39 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -79305,7 +79322,7 @@ index 5fb9683..0721079 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +903,8 @@ optional_policy(`
+@@ -568,6 +904,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -79314,7 +79331,7 @@ index 5fb9683..0721079 100644
 ')
 
 optional_policy(`
-@@ -589,6 +926,7 @@ optional_policy(`
+@@ -589,6 +927,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -79322,7 +79339,7 @@ index 5fb9683..0721079 100644
 ')
 
 optional_policy(`
-@@ -601,6 +939,17 @@ optional_policy(`
+@@ -601,6 +940,17 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79340,7 +79357,7 @@ index 5fb9683..0721079 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -617,9 +966,13 @@ optional_policy(`
+@@ -617,9 +967,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -79354,7 +79371,7 @@ index 5fb9683..0721079 100644
 	')
 
 	optional_policy(`
-@@ -644,6 +997,10 @@ optional_policy(`
+@@ -644,6 +998,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79365,7 +79382,7 @@ index 5fb9683..0721079 100644
 	gpm_setattr_gpmctl(initrc_t)
 ')
 
-@@ -661,6 +1018,15 @@ optional_policy(`
+@@ -661,6 +1019,15 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79381,7 +79398,7 @@ index 5fb9683..0721079 100644
 	inn_exec_config(initrc_t)
 ')
 
-@@ -701,6 +1067,7 @@ optional_policy(`
+@@ -701,6 +1068,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
@ -79389,7 +79406,7 @@ index 5fb9683..0721079 100644
 ')
 
 optional_policy(`
-@@ -718,7 +1085,13 @@ optional_policy(`
+@@ -718,7 +1086,13 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79403,7 +79420,7 @@ index 5fb9683..0721079 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -741,6 +1114,10 @@ optional_policy(`
+@@ -741,6 +1115,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79414,7 +79431,7 @@ index 5fb9683..0721079 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -750,10 +1127,20 @@ optional_policy(`
+@@ -750,10 +1128,20 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79435,7 +79452,7 @@ index 5fb9683..0721079 100644
 	quota_manage_flags(initrc_t)
 ')
 
-@@ -762,6 +1149,10 @@ optional_policy(`
+@@ -762,6 +1150,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79446,7 +79463,7 @@ index 5fb9683..0721079 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -783,8 +1174,6 @@ optional_policy(`
+@@ -783,8 +1175,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -79455,7 +79472,7 @@ index 5fb9683..0721079 100644
 ')
 
 optional_policy(`
-@@ -793,6 +1182,10 @@ optional_policy(`
+@@ -793,6 +1183,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79466,7 +79483,7 @@ index 5fb9683..0721079 100644
 	# shorewall-init script run /var/lib/shorewall/firewall
 	shorewall_lib_domtrans(initrc_t)
 ')
-@@ -802,10 +1195,12 @@ optional_policy(`
+@@ -802,10 +1196,12 @@ optional_policy(`
 	squid_manage_logs(initrc_t)
 ')
 
@ -79479,7 +79496,7 @@ index 5fb9683..0721079 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1212,6 @@ optional_policy(`
+@@ -817,7 +1213,6 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79487,7 +79504,7 @@ index 5fb9683..0721079 100644
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
-@@ -827,12 +1221,30 @@ optional_policy(`
+@@ -827,12 +1222,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79520,7 +79537,7 @@ index 5fb9683..0721079 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1254,18 @@ optional_policy(`
+@@ -842,6 +1255,18 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -79539,7 +79556,7 @@ index 5fb9683..0721079 100644
 ')
 
 optional_policy(`
-@@ -857,6 +1281,10 @@ optional_policy(`
+@@ -857,6 +1282,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -79550,7 +79567,7 @@ index 5fb9683..0721079 100644
 	# Set device ownerships/modes.
 	xserver_setattr_console_pipes(initrc_t)
 
-@@ -867,3 +1295,165 @@ optional_policy(`
+@@ -867,3 +1296,165 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -491,6 +491,21 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Tue Jul 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-8
+- initrc is calling exportfs which is not confined so it attempts to read nfsd_files
+- Fixes for passenger running within openshift.
+- Add labeling for all tomcat6 dirs
+- Add support for tomcat6
+- Allow cobblerd to read /etc/passwd
+- Allow jockey to read sysfs and and execute binaries with bin_t
+- Allow thum to use user terminals
+- Allow cgclear to read cgconfig config files
+- Fix bcf2g.fc
+- Remove sysnet_dns_name_resolve() from policies where auth_use_nsswitch() is used for other domains
+- Allow dbomatic to execute ruby
+- abrt_watch_log should be abrt_domain
+- Allow mozilla_plugin to connect to gatekeeper port
+
 * Wed Jun 27 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-7
 - add ptrace_child access to process
 - remove files_read_etc_files() calling from all policies which have auth_use_nsswith()