Begin removing qemu_t domain, we really no longer need this domain.

systemd_passwd needs dac_overide to communicate with users TTY's Allow svirt_lxc domains to send kill signals within their container
2011-10-27 13:51:59 -04:00 · 2011-10-27 13:51:59 -04:00 · 26536c5d39
commit 26536c5d39
parent a1db2ce026
3 changed files with 46 additions and 37 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -20736,7 +20736,7 @@ index be4de58..7e8b6ec 100644
 init_exec(secadm_t)
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..2c588ca 100644
+index 2be17d2..b172ab4 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@ -20795,7 +20795,7 @@ index 2be17d2..2c588ca 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -27,19 +70,113 @@ optional_policy(`
+@@ -27,19 +70,107 @@ optional_policy(`
 ')
 optional_policy(`
@ -20883,12 +20883,6 @@ index 2be17d2..2c588ca 100644
 ')
 optional_policy(`
 +	qemu_run(staff_t, staff_r)
 +	virt_manage_tmpfs_files(staff_t)
 +	virt_filetrans_home_content(staff_t)
 +')
 +
 +optional_policy(`
 +	rtkit_scheduled(staff_t)
 +')
 +
@ -20911,7 +20905,7 @@ index 2be17d2..2c588ca 100644
 ')
 optional_policy(`
-@@ -48,10 +185,48 @@ optional_policy(`
+@@ -48,10 +179,48 @@ optional_policy(`
 ')
 optional_policy(`
@ -20960,7 +20954,7 @@ index 2be17d2..2c588ca 100644
 	xserver_role(staff_r, staff_t)
 ')
-@@ -89,18 +264,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +258,10 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -20979,7 +20973,7 @@ index 2be17d2..2c588ca 100644
 		java_role(staff_r, staff_t)
 	')
-@@ -121,10 +288,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +282,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -20990,7 +20984,7 @@ index 2be17d2..2c588ca 100644
 		pyzor_role(staff_r, staff_t)
 	')
-@@ -137,10 +300,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +294,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -21001,7 +20995,7 @@ index 2be17d2..2c588ca 100644
 		spamassassin_role(staff_r, staff_t)
 	')
-@@ -172,3 +331,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +325,7 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -61079,7 +61073,7 @@ index 7c5d8d8..d711fd5 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..148ce98 100644
+index 3eca020..d2d599b 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@ -61528,10 +61522,15 @@ index 3eca020..148ce98 100644
 	# Manages /etc/sysconfig/system-config-firewall
 	iptables_manage_config(virtd_t)
-@@ -365,6 +519,12 @@ optional_policy(`
+@@ -360,11 +514,12 @@ optional_policy(`
- 	qemu_signal(virtd_t)
+ ')
- 	qemu_kill(virtd_t)
+ 
- 	qemu_setsched(virtd_t)
+ optional_policy(`
 -	qemu_domtrans(virtd_t)
 -	qemu_read_state(virtd_t)
 -	qemu_signal(virtd_t)
 -	qemu_kill(virtd_t)
 -	qemu_setsched(virtd_t)
 +	qemu_entry_type(virt_domain)
 +	qemu_exec(virt_domain)
 +')
@ -61541,7 +61540,7 @@ index 3eca020..148ce98 100644
 ')
 optional_policy(`
-@@ -394,20 +554,36 @@ optional_policy(`
+@@ -394,20 +549,36 @@ optional_policy(`
 # virtual domains common policy
 #
@ -61581,7 +61580,7 @@ index 3eca020..148ce98 100644
 corecmd_exec_bin(virt_domain)
 corecmd_exec_shell(virt_domain)
-@@ -418,10 +594,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +589,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
 corenet_tcp_sendrecv_all_ports(virt_domain)
 corenet_tcp_bind_generic_node(virt_domain)
 corenet_tcp_bind_vnc_port(virt_domain)
@ -61594,7 +61593,7 @@ index 3eca020..148ce98 100644
 dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
 dev_read_urand(virt_domain)
-@@ -429,10 +606,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +601,12 @@ dev_write_sound(virt_domain)
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
@ -61607,7 +61606,7 @@ index 3eca020..148ce98 100644
 files_read_usr_files(virt_domain)
 files_read_var_files(virt_domain)
 files_search_all(virt_domain)
-@@ -440,25 +619,360 @@ files_search_all(virt_domain)
+@@ -440,25 +614,359 @@ files_search_all(virt_domain)
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -61772,8 +61771,6 @@ index 3eca020..148ce98 100644
 +
 +allow virtd_lxc_t virt_image_type:dir mounton;
 +
 +allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 +
 +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
 +allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 +
@ -61846,11 +61843,12 @@ index 3eca020..148ce98 100644
 +#
 +# virt_lxc_domain local policy
 +#
-+allow svirt_lxc_domain self:capability { setuid setgid dac_override };
+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
 +dontaudit svirt_lxc_domain self:capability sys_ptrace;
 +
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
 +
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
 +dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
@ -73473,7 +73471,7 @@ index 0000000..79c358c
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a84b8e7
+index 0000000..84e0e66
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,371 @@
@ -73624,7 +73622,7 @@ index 0000000..a84b8e7
 +# Local policy
 +#
 +
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config };
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
 +allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 +
--- a/qemu.patch
+++ b/qemu.patch
@ -1,6 +1,6 @@
 diff -up serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu serefpolicy-3.10.0/policy/modules/apps/qemu.te
--- serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu	2011-10-26 10:41:20.413408329 -0400
+--- serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu	2011-10-27 10:18:21.010189947 -0400
-+++ serefpolicy-3.10.0/policy/modules/apps/qemu.te	2011-10-26 10:41:21.207408907 -0400
+++ serefpolicy-3.10.0/policy/modules/apps/qemu.te	2011-10-27 10:18:22.989187237 -0400
@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
 ## </desc>
 gen_tunable(qemu_use_usb, true)
@ -12,8 +12,8 @@ diff -up serefpolicy-3.10.0/policy/modules/apps/qemu.te.qemu serefpolicy-3.10.0/
 ########################################
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.qemu serefpolicy-3.10.0/policy/modules/services/virt.if
--- serefpolicy-3.10.0/policy/modules/services/virt.if.qemu	2011-10-26 10:41:21.180408888 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.if.qemu	2011-10-27 10:18:22.901187358 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-26 10:41:21.208408908 -0400
+++ serefpolicy-3.10.0/policy/modules/services/virt.if	2011-10-27 10:18:22.992187233 -0400
@@ -16,10 +16,11 @@ template(`virt_domain_template',`
 		attribute virt_image_type, virt_domain;
 		attribute virt_tmpfs_type;
@ -50,9 +50,15 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.if.qemu serefpolicy-3.1
 +')
 +
 diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.10.0/policy/modules/services/virt.te
--- serefpolicy-3.10.0/policy/modules/services/virt.te.qemu	2011-10-26 10:41:21.181408889 -0400
+--- serefpolicy-3.10.0/policy/modules/services/virt.te.qemu	2011-10-27 10:18:22.903187356 -0400
-+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-26 10:42:00.351437032 -0400
+++ serefpolicy-3.10.0/policy/modules/services/virt.te	2011-10-27 10:19:28.334099091 -0400
-@@ -78,6 +78,8 @@ attribute virt_domain;
+@@ -73,11 +73,14 @@ gen_tunable(virt_use_usb, true)
 virt_domain_template(svirt)
 role system_r types svirt_t;
 +typealias svirt_t alias qemu_t;
 attribute virt_domain;
 attribute virt_image_type;
 attribute virt_tmpfs_type;
@ -61,7 +67,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.1
 type virt_cache_t alias svirt_cache_t;
 files_type(virt_cache_t)
-@@ -279,6 +281,8 @@ allow virtd_t virt_domain:process { geta
+@@ -279,6 +282,8 @@ allow virtd_t virt_domain:process { geta
 allow virt_domain virtd_t:fd use;
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
@ -70,7 +76,7 @@ diff -up serefpolicy-3.10.0/policy/modules/services/virt.te.qemu serefpolicy-3.1
 allow virtd_t qemu_var_run_t:file relabel_file_perms;
 manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
-@@ -514,16 +518,6 @@ optional_policy(`
+@@ -514,16 +519,6 @@ optional_policy(`
 ')
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 50.2%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -483,6 +483,11 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Thu Oct 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-51
 -  Begin removing qemu_t domain, we really no longer need this domain.  
 - systemd_passwd needs dac_overide to communicate with users TTY's
 - Allow svirt_lxc domains to send kill signals within their container
 * Thu Oct 27 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-50.2
 - Remove qemu.pp again without causing a crash