rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Also sock_file trans rule is needed in lsm

Browse Source 
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix polipo.te
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Allow polipo to connect to tor ports
- Cleanup lsmd.if
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Fix cupsd.te
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Make ktalk as init domain
- Fix to define ktalkd_unit_file_t correctly
- Fix ktalk.fc
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add fixes for hypervkvp policy
- Add logwatch_can_sendmail boolean
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
This commit is contained in:
Miroslav Grepl 2013-09-03 22:42:22 +02:00
parent dea0c4af43
commit 22545a13fe
3 changed files with 605 additions and 212 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
policy-rawhide-base.patch
View File

@ -22589,7 +22589,7 @@ index 6bf0ecc..9b46e11 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms; + dontaudit $1 xserver_log_t:dir search_dir_perms;
+') +')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 2696452..b67997e 100644 index 2696452..93b05fa 100644
--- a/policy/modules/services/xserver.te --- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(` @@ -26,28 +26,59 @@ gen_require(`
@ -23403,7 +23403,7 @@ index 2696452..b67997e 100644
') ')
optional_policy(` optional_policy(`
@@ -514,12 +865,56 @@ optional_policy(` @@ -514,12 +865,57 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23446,6 +23446,7 @@ index 2696452..b67997e 100644
+ gnome_stream_connect_gkeyringd(xdm_t) + gnome_stream_connect_gkeyringd(xdm_t)
+ gnome_exec_gstreamer_home_files(xdm_t) + gnome_exec_gstreamer_home_files(xdm_t)
+ gnome_exec_keyringd(xdm_t) + gnome_exec_keyringd(xdm_t)
+ gnome_delete_gkeyringd_tmp_content(xdm_t)
+ gnome_manage_config(xdm_t) + gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t) + gnome_manage_gconf_home_files(xdm_t)
+ #gnome_filetrans_home_content(xdm_t) + #gnome_filetrans_home_content(xdm_t)
@ -23460,7 +23461,7 @@ index 2696452..b67997e 100644
hostname_exec(xdm_t) hostname_exec(xdm_t)
') ')
@@ -537,28 +932,78 @@ optional_policy(` @@ -537,28 +933,78 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23548,7 +23549,7 @@ index 2696452..b67997e 100644
') ')
optional_policy(` optional_policy(`
@@ -570,6 +1015,14 @@ optional_policy(` @@ -570,6 +1016,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23563,7 +23564,7 @@ index 2696452..b67997e 100644
xfs_stream_connect(xdm_t) xfs_stream_connect(xdm_t)
') ')
@@ -584,7 +1037,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; @@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@ -23572,7 +23573,7 @@ index 2696452..b67997e 100644
# setuid/setgid for the wrapper program to change UID # setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer # sys_rawio is for iopl access - should not be needed for frame-buffer
@@ -594,8 +1047,11 @@ allow xserver_t input_xevent_t:x_event send; @@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed. # execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack # NVIDIA Needs execstack
@ -23585,7 +23586,7 @@ index 2696452..b67997e 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use; allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:fifo_file rw_fifo_file_perms;
@@ -608,8 +1064,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms; allow xserver_t self:udp_socket create_socket_perms;
@ -23601,7 +23602,7 @@ index 2696452..b67997e 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -617,6 +1080,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@ -23612,7 +23613,7 @@ index 2696452..b67997e 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -628,12 +1095,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) @@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t) files_search_var_lib(xserver_t)
@ -23634,7 +23635,7 @@ index 2696452..b67997e 100644
kernel_read_system_state(xserver_t) kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t) kernel_read_device_sysctls(xserver_t)
@@ -641,12 +1115,12 @@ kernel_read_modprobe_sysctls(xserver_t) @@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted # Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t) kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t) kernel_write_proc_files(xserver_t)
@ -23648,7 +23649,7 @@ index 2696452..b67997e 100644
corenet_all_recvfrom_netlabel(xserver_t) corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t)
@@ -667,23 +1141,28 @@ dev_rw_apm_bios(xserver_t) @@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t) dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t) dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t) dev_manage_dri_dev(xserver_t)
@ -23680,7 +23681,7 @@ index 2696452..b67997e 100644
# brought on by rhgb # brought on by rhgb
files_search_mnt(xserver_t) files_search_mnt(xserver_t)
@@ -694,7 +1173,16 @@ fs_getattr_xattr_fs(xserver_t) @@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t) fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t) fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t) fs_search_ramfs(xserver_t)
@ -23698,7 +23699,7 @@ index 2696452..b67997e 100644
mls_xwin_read_to_clearance(xserver_t) mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t) selinux_validate_context(xserver_t)
@@ -708,20 +1196,18 @@ init_getpgid(xserver_t) @@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t) term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t)
@ -23722,7 +23723,7 @@ index 2696452..b67997e 100644
userdom_search_user_home_dirs(xserver_t) userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t) userdom_use_user_ttys(xserver_t)
@@ -729,8 +1215,6 @@ userdom_setattr_user_ttys(xserver_t) @@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t) userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t)
@ -23731,7 +23732,7 @@ index 2696452..b67997e 100644
ifndef(`distro_redhat',` ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack }; allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t) domain_mmap_low_uncond(xserver_t)
@@ -775,16 +1259,44 @@ optional_policy(` @@ -775,16 +1260,44 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23777,7 +23778,7 @@ index 2696452..b67997e 100644
unconfined_domtrans(xserver_t) unconfined_domtrans(xserver_t)
') ')
@@ -793,6 +1305,10 @@ optional_policy(` @@ -793,6 +1306,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -23788,7 +23789,7 @@ index 2696452..b67997e 100644
xfs_stream_connect(xserver_t) xfs_stream_connect(xserver_t)
') ')
@@ -808,10 +1324,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; @@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!! # handle of a file inside the dir!!!
@ -23802,7 +23803,7 @@ index 2696452..b67997e 100644
# Label pid and temporary files with derived types. # Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -819,7 +1335,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) @@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp. # Run xkbcomp.
@ -23811,7 +23812,7 @@ index 2696452..b67997e 100644
can_exec(xserver_t, xkb_var_lib_t) can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server # VNC v4 module in X server
@@ -832,26 +1348,21 @@ init_use_fds(xserver_t) @@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail # to read ROLE_home_t - examine this in more detail
# (xauth?) # (xauth?)
userdom_read_user_home_content_files(xserver_t) userdom_read_user_home_content_files(xserver_t)
@ -23846,7 +23847,7 @@ index 2696452..b67997e 100644
') ')
optional_policy(` optional_policy(`
@@ -902,7 +1413,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy @@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows # operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23855,7 +23856,7 @@ index 2696452..b67997e 100644
# operations allowed on all windows # operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
@@ -956,11 +1467,31 @@ allow x_domain self:x_resource { read write }; @@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver # can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr }; allow x_domain xserver_t:x_screen { getattr saver_getattr };
@ -23887,7 +23888,7 @@ index 2696452..b67997e 100644
tunable_policy(`! xserver_object_manager',` tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain), # should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals # but typeattribute doesnt work in conditionals
@@ -982,18 +1513,150 @@ tunable_policy(`! xserver_object_manager',` @@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *; allow x_domain xevent_type:{ x_event x_synthetic_event } *;
') ')

742
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff

30
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 74%{?dist} Release: 75%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -563,6 +563,34 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Sep 3 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-75
- Also sock_file trans rule is needed in lsm
- Fix labeling for fetchmail pid files/dirs
- Add additional fixes for abrt-upload-watch
- Fix polipo.te
- Fix transition rules in asterisk policy
- Add fowner capability to networkmanager policy
- Allow polipo to connect to tor ports
- Cleanup lsmd.if
- Cleanup openhpid policy
- Fix kdump_read_crash() interface
- Make more domains as init domain
- Fix cupsd.te
- Fix requires in rpm_rw_script_inherited_pipes
- Fix interfaces in lsm.if
- Allow munin service plugins to manage own tmpfs files/dirs
- Allow virtd_t also relabel unix stream sockets for virt_image_type
- Make ktalk as init domain
- Fix to define ktalkd_unit_file_t correctly
- Fix ktalk.fc
- Add systemd support for talk-server
- Allow glusterd to create sock_file in /run
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
- Add fixes for hypervkvp policy
- Add logwatch_can_sendmail boolean
- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb
- Allow xdm_t to delete gkeyringd_tmp_t files on logout
* Thu Aug 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-74 * Thu Aug 29 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-74
- Add selinux-policy-sandbox pkg - Add selinux-policy-sandbox pkg