- Allow avahi to access inotify

- Remove a lot of bogus security_t:filesystem avcs
2007-06-27 18:11:43 +00:00 · 2007-06-27 18:11:43 +00:00 · 1afb424363
commit 1afb424363
parent 269acb5ee8
1 changed files with 54 additions and 12 deletions
--- a/policy-20070525.patch
+++ b/policy-20070525.patch
@ -129,7 +129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
 .TP
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.1/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-06-19 16:23:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/flask/access_vectors	2007-06-22 14:07:33.000000000 -0400
+++ serefpolicy-3.0.1/policy/flask/access_vectors	2007-06-26 16:20:20.000000000 -0400
@@ -598,6 +598,8 @@
 	shmempwd
 	shmemgrp
@ -2350,7 +2350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if	2007-06-27 10:04:58.000000000 -0400
@@ -1096,6 +1096,24 @@
 
 ########################################
@ -2660,7 +2660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te
 attribute privrangetrans;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.1/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/selinux.if	2007-06-27 10:07:44.000000000 -0400
@@ -51,6 +51,44 @@
 
 ########################################
@ -2706,6 +2706,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 ##	Search selinuxfs.
 ## </summary>
 ## <param name="domain">
+@@ -101,6 +139,7 @@
+ 		type security_t;
+ 	')
+ 
+	selinux_dontaudit_getattr_fs($1)
+ 	dontaudit $1 security_t:dir search_dir_perms;
+ 	dontaudit $1 security_t:file { getattr read };
+ ')
+@@ -122,6 +161,7 @@
+ 		type security_t;
+ 	')
+ 
+	selinux_get_fs_mount($1)
+ 	allow $1 security_t:dir list_dir_perms;
+ 	allow $1 security_t:file { getattr read };
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.0.1/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2007-06-15 14:54:30.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/kernel/storage.if	2007-06-19 17:06:27.000000000 -0400
@ -3467,7 +3483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.1/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/apcupsd.te	2007-06-27 08:33:56.000000000 -0400
@@ -16,6 +16,9 @@
 type apcupsd_log_t;
 logging_log_file(apcupsd_log_t)
@ -3603,6 +3619,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 dev_read_urand(automount_t)
 
 domain_use_interactive_fds(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te	2007-06-15 14:54:33.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/avahi.te	2007-06-27 10:05:15.000000000 -0400
+@@ -56,6 +56,7 @@
+ 
+ fs_getattr_all_fs(avahi_t)
+ fs_search_auto_mountpoints(avahi_t)
+fs_list_inotifyfs(avahi_t)
+ 
+ domain_use_interactive_fds(avahi_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.0.1/policy/modules/services/bind.fc
 --- nsaserefpolicy/policy/modules/services/bind.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/bind.fc	2007-06-19 17:06:27.000000000 -0400
@ -6337,8 +6364,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/rpc.te	2007-06-20 06:34:45.000000000 -0400
-@@ -79,6 +79,7 @@
+++ serefpolicy-3.0.1/policy/modules/services/rpc.te	2007-06-27 10:08:39.000000000 -0400
+@@ -76,9 +76,11 @@
+ miscfiles_read_certs(rpcd_t)
+ 
+ seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
@ -6346,7 +6377,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 
 ########################################
-@@ -91,6 +92,9 @@
+@@ -91,6 +93,9 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
@ -6356,7 +6387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
-@@ -123,6 +127,7 @@
+@@ -123,6 +128,7 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
@ -6364,7 +6395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -158,6 +163,11 @@
+@@ -158,6 +164,11 @@
 
 miscfiles_read_certs(gssd_t)
 
@ -7740,7 +7771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.0.1/policy/modules/system/fstools.if
 --- nsaserefpolicy/policy/modules/system/fstools.if	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/fstools.if	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/fstools.if	2007-06-27 08:13:43.000000000 -0400
@@ -124,3 +124,22 @@
 
 	allow $1 swapfile_t:file getattr;
@ -9262,7 +9293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/udev.te	2007-06-22 11:39:51.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/udev.te	2007-06-27 08:08:02.000000000 -0400
@@ -68,8 +68,9 @@
 allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t,udev_tbl_t,file)
@ -9314,7 +9345,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 userdom_dontaudit_search_all_users_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
-@@ -188,5 +202,24 @@
+@@ -178,6 +192,10 @@
+ ')
+ 
+ optional_policy(`
+	fstools_domtrans(udev_t)
+')
+
+optional_policy(`
+ 	hal_dgram_send(udev_t)
+ ')
+ 
+@@ -188,5 +206,24 @@
 ')
 
 optional_policy(`