Allow named to connect to dirsrv by default

add ldapmap1_0 as a krb5_host_rcache_t file Google chrome developers asked me to add bootstrap policy for nacl stuff Allow rhev_agentd_t to getattr on mountpoints Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
2011-10-25 09:12:49 -04:00 · 2011-10-25 09:12:49 -04:00 · 44066bd77a
commit 44066bd77a
parent 3dcddab74d
2 changed files with 114 additions and 39 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -4642,13 +4642,16 @@ index 46ea44f..f7183ef 100644
 # Handle nfs home dirs
 diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
 new file mode 100644
-index 0000000..1f468aa
+index 0000000..4401c36
 --- /dev/null
 +++ b/policy/modules/apps/chrome.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,6 @@
 + /opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
+
+/opt/google/chrome/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
+/usr/lib/chromium-browser/nacl_helper_bootstrap	--	gen_context(system_u:object_r:chrome_sandbox_bootstrap_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
 index 0000000..bacc639
@ -4784,10 +4787,10 @@ index 0000000..bacc639
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..df2b2a9
+index 0000000..e4b3381
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,152 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@ -4807,6 +4810,13 @@ index 0000000..df2b2a9
 +files_tmpfs_file(chrome_sandbox_tmpfs_t)
 +ubac_constrained(chrome_sandbox_tmpfs_t)
 +
+type chrome_sandbox_bootstrap_t;
+type chrome_sandbox_bootstrap_exec_t;
+application_domain(chrome_sandbox_bootstrap_t, chrome_sandbox_bootstrap_exec_t)
+role system_r types chrome_sandbox_bootstrap_t;
+
+permissive chrome_sandbox_bootstrap_t;
+
 +########################################
 +#
 +# chrome_sandbox local policy
@ -4819,6 +4829,7 @@ index 0000000..df2b2a9
 +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow chrome_sandbox_t self:shm create_shm_perms;
 +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
 +
 +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
 +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
@ -4913,6 +4924,25 @@ index 0000000..df2b2a9
 +optional_policy(`
 +	sandbox_use_ptys(chrome_sandbox_t)
 +')
+
+
+########################################
+#
+# chrome_sandbox_bootstrap local policy
+#
+
+allow chrome_sandbox_bootstrap_t self:fifo_file manage_fifo_file_perms;
+allow chrome_sandbox_bootstrap_t self:unix_stream_socket create_stream_socket_perms;
+domain_use_interactive_fds(chrome_sandbox_bootstrap_t)
+allow chrome_sandbox_t chrome_sandbox_bootstrap_t:process share;
+
+dontaudit chrome_sandbox_bootstrap_t self:memprotect mmap_zero;
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_bootstrap_exec_t, chrome_sandbox_bootstrap_t)
+
+files_read_etc_files(chrome_sandbox_bootstrap_t)
+
+miscfiles_read_localization(chrome_sandbox_bootstrap_t)
 diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
 index 37475dd..7db4a01 100644
 --- a/policy/modules/apps/cpufreqselector.te
@ -23022,7 +23052,7 @@ index 1bd5812..0d7d8d1 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..46e3aa9 100644
+index 0b827c5..6b739e6 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@ -23043,7 +23073,7 @@ index 0b827c5..46e3aa9 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -169,7 +169,45 @@ interface(`abrt_run_helper',`
+@@ -169,12 +169,51 @@ interface(`abrt_run_helper',`
 ##	</summary>
 ## </param>
 #
@ -23090,7 +23120,13 @@ index 0b827c5..46e3aa9 100644
 	gen_require(`
 		type abrt_var_cache_t;
 	')
-@@ -253,6 +291,24 @@ interface(`abrt_manage_pid_files',`
+ 
+ 	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ ')
+ 
+ ####################################
+@@ -253,6 +292,24 @@ interface(`abrt_manage_pid_files',`
 	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
 ')
 
@ -23115,7 +23151,7 @@ index 0b827c5..46e3aa9 100644
 #####################################
 ## <summary>
 ##	All of the rules required to administrate
-@@ -286,18 +342,116 @@ interface(`abrt_admin',`
+@@ -286,18 +343,116 @@ interface(`abrt_admin',`
 	role_transition $2 abrt_initrc_exec_t system_r;
 	allow $2 system_r;
 
@ -26497,7 +26533,7 @@ index 44a1e3d..7802b7b 100644
 +	named_systemctl($1)
 ')
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..8d81308 100644
+index 4deca04..fc86505 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@ -26571,7 +26607,18 @@ index 4deca04..8d81308 100644
 tunable_policy(`named_write_master_zones',`
 	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
 	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',`
+ ')
+ 
+ optional_policy(`
+	dirsrv_stream_connect(named_t)
+')
+
+optional_policy(`
+ 	init_dbus_chat_script(named_t)
+ 
+ 	sysnet_dbus_chat_dhcpc(named_t)
+@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
 allow ndc_t self:tcp_socket create_socket_perms;
@ -26593,7 +26640,7 @@ index 4deca04..8d81308 100644
 kernel_read_kernel_sysctls(ndc_t)
 
 corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +248,8 @@ files_search_pids(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
 
@ -26602,7 +26649,7 @@ index 4deca04..8d81308 100644
 init_use_fds(ndc_t)
 init_use_script_ptys(ndc_t)
 
-@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t)
 
 miscfiles_read_localization(ndc_t)
 
@ -40010,7 +40057,7 @@ index da2127e..a666df2 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc
-index 3525d24..e065744 100644
+index 3525d24..033de90 100644
 --- a/policy/modules/services/kerberos.fc
 +++ b/policy/modules/services/kerberos.fc
@@ -8,7 +8,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@ -40022,7 +40069,7 @@ index 3525d24..e065744 100644
 /etc/rc\.d/init\.d/kprop	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
-@@ -30,4 +30,7 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
+@@ -30,4 +30,8 @@ HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
 
@ -40030,8 +40077,9 @@ index 3525d24..e065744 100644
 +
 /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldapmap1_0		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..e515121 100644
+index 604f67b..1b608a7 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@ -40162,7 +40210,7 @@ index 604f67b..e515121 100644
 	')
 
 	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +375,108 @@ interface(`kerberos_admin',`
+@@ -378,3 +375,109 @@ interface(`kerberos_admin',`
 
 	admin_pattern($1, krb5kdc_var_run_t)
 ')
@ -40270,6 +40318,7 @@ index 604f67b..e515121 100644
 +
 +	kerberos_tmp_filetrans_host_rcache($1, "host_0")
 +	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
+	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
 +')
 diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
 index 8edc29b..92dde2c 100644
@ -49319,7 +49368,7 @@ index 46bee12..c22af86 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..318ef45 100644
+index a32c4b3..3a59bac 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@ -49466,7 +49515,14 @@ index a32c4b3..318ef45 100644
 manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -249,6 +274,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+ 
+ rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+ write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
+ 
+ manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
+ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
 manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
 files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
 
@ -49477,7 +49533,7 @@ index a32c4b3..318ef45 100644
 allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
 
 corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +293,8 @@ optional_policy(`
+@@ -264,8 +294,8 @@ optional_policy(`
 # Postfix local local policy
 #
 
@ -49487,7 +49543,7 @@ index a32c4b3..318ef45 100644
 
 # connect to master process
 stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
 # for .forward - maybe we need a new type for it?
 rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
 
@ -49496,7 +49552,7 @@ index a32c4b3..318ef45 100644
 allow postfix_local_t postfix_spool_t:file rw_file_perms;
 
 corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
 mta_read_config(postfix_local_t)
@ -49515,7 +49571,7 @@ index a32c4b3..318ef45 100644
 
 optional_policy(`
 	clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,10 @@ optional_policy(`
+@@ -297,6 +334,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -49526,7 +49582,7 @@ index a32c4b3..318ef45 100644
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
 	mailman_append_log(postfix_local_t)
-@@ -304,9 +344,22 @@ optional_policy(`
+@@ -304,9 +345,22 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -49549,7 +49605,7 @@ index a32c4b3..318ef45 100644
 ########################################
 #
 # Postfix map local policy
-@@ -372,6 +425,7 @@ optional_policy(`
+@@ -372,6 +426,7 @@ optional_policy(`
 # Postfix pickup local policy
 #
 
@ -49557,7 +49613,7 @@ index a32c4b3..318ef45 100644
 allow postfix_pickup_t self:tcp_socket create_socket_perms;
 
 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +433,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
 rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
 rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
 
@ -49585,7 +49641,7 @@ index a32c4b3..318ef45 100644
 
 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
 
-@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
 
 domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
 
@ -49594,7 +49650,7 @@ index a32c4b3..318ef45 100644
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
 ')
-@@ -420,6 +483,7 @@ optional_policy(`
+@@ -420,6 +484,7 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_domtrans_client(postfix_pipe_t)
@ -49602,7 +49658,7 @@ index a32c4b3..318ef45 100644
 ')
 
 optional_policy(`
-@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
 allow postfix_postdrop_t self:tcp_socket create;
 allow postfix_postdrop_t self:udp_socket create_socket_perms;
 
@ -49620,7 +49676,7 @@ index a32c4b3..318ef45 100644
 corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
 corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
 
-@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
 domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
 
 # to write the mailq output, it really should not need read access!
@ -49631,7 +49687,7 @@ index a32c4b3..318ef45 100644
 
 init_sigchld_script(postfix_postqueue_t)
 init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +577,8 @@ optional_policy(`
+@@ -507,6 +578,8 @@ optional_policy(`
 # Postfix qmgr local policy
 #
 
@ -49640,7 +49696,7 @@ index a32c4b3..318ef45 100644
 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
 
 rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
 allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
 allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@ -49653,7 +49709,7 @@ index a32c4b3..318ef45 100644
 
 corecmd_exec_bin(postfix_qmgr_t)
 
-@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
 
 allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@ -49664,7 +49720,7 @@ index a32c4b3..318ef45 100644
 
 # to write the mailq output, it really should not need read access!
 term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +643,14 @@ optional_policy(`
+@@ -565,6 +644,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -49679,7 +49735,7 @@ index a32c4b3..318ef45 100644
 	milter_stream_connect_all(postfix_smtp_t)
 ')
 
-@@ -588,10 +674,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t)
 
 # for OpenSSL certificates
 files_read_usr_files(postfix_smtpd_t)
@ -49696,7 +49752,18 @@ index a32c4b3..318ef45 100644
 ')
 
 optional_policy(`
-@@ -611,8 +703,8 @@ optional_policy(`
+@@ -599,6 +692,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	milter_stream_connect_all(postfix_smtpd_t)
+')
+
+optional_policy(`
+ 	postgrey_stream_connect(postfix_smtpd_t)
+ ')
+ 
+@@ -611,8 +708,8 @@ optional_policy(`
 # Postfix virtual local policy
 #
 
@ -49706,7 +49773,7 @@ index a32c4b3..318ef45 100644
 
 allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
 
-@@ -630,3 +722,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
 # For reading spamassasin
 mta_read_config(postfix_virtual_t)
 mta_manage_spool(postfix_virtual_t)
@ -53413,10 +53480,10 @@ index 0000000..bf11e25
 +')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
-index 0000000..23ba402
+index 0000000..1ec5e7c
 --- /dev/null
 +++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,83 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@ -53466,6 +53533,7 @@ index 0000000..23ba402
 +
 +term_use_virtio_console(rhev_agentd_t)
 +
+files_getattr_all_mountpoints(rhev_agentd_t)
 +files_read_usr_files(rhev_agentd_t)
 +
 +auth_use_nsswitch(rhev_agentd_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 47.1%{?dist}
+Release: 48%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -480,6 +480,13 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-48
+- Allow named to connect to dirsrv by default
+- add ldapmap1_0 as a krb5_host_rcache_t file
+- Google chrome developers asked me to add bootstrap policy for nacl stuff
+- Allow rhev_agentd_t to getattr on mountpoints
+- Postfix_smtpd_t needs access to milters and cleanup seems to read/write postfix_smtpd_t unix_stream_sockets
+
 * Mon Oct 24 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-47
 - Fixes for cloudform policies which need to connect to random ports
 - Make sure if an admin creates modules content it creates them with the correct label