- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh

This commit is contained in:
Miroslav Grepl 2013-11-14 22:05:22 +01:00
parent 164fa392ee
commit 4fc70e284d
4 changed files with 2301 additions and 59 deletions


@ -5363,7 +5363,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b191055..62570b0 100644
index b191055..6c1f7f5 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@ -5686,7 +5686,15 @@ index b191055..62570b0 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -295,12 +347,16 @@ network_port(zope, tcp,8021,s0)
@@ -288,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, tcp,2608-2609,s0, udp,2600-2604,s0, udp,2606,s0, udp,2608-2609,s0)
network_port(zented, tcp,1229,s0, udp,1229,s0)
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@ -44590,7 +44598,7 @@ index e79d545..101086d 100644
')
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..260ea6c 100644
index 6e91317..64e135a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@ -44687,7 +44695,7 @@ index 6e91317..260ea6c 100644
# Use (read and write) terminals
#
-define(`rw_term_perms', `{ getattr open read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }')
+define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }')
+define(`rw_term_perms', `{ rw_inherited_term_perms open }')
#
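Review bot: Adding `lock` to the new rw_inherited_term_perms definition widens `rw_term_perms` as well, because that set is now composed as `{ rw_inherited_term_perms open }`, so every domain that already held rw_term_perms silently gains terminal lock permission. If that is the intent, say so where the set is defined, e.g. `# lock is deliberately part of the inherited set; rw_term_perms composes it`, so the next reader does not assume the widening was accidental. The corenetwork hunk extends the zebra port set with tcp/udp 2608-2609 without saying which daemons listen there; given the babeld/isisd file contexts added elsewhere in this commit they look like additional quagga vty ports, but that is inferred. A short comment on the network_port line naming the daemons would make the range auditable.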



@ -509,7 +509,7 @@ index 058d908..9d57403 100644
+')
+
diff --git a/abrt.te b/abrt.te
index eb50f07..6ba0357 100644
index eb50f07..15c0d4e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -759,7 +759,7 @@ index eb50f07..6ba0357 100644
')
optional_policy(`
@@ -222,6 +237,16 @@ optional_policy(`
@@ -222,6 +237,20 @@ optional_policy(`
')
optional_policy(`
@ -767,6 +767,10 @@ index eb50f07..6ba0357 100644
+')
+
+optional_policy(`
+ mcelog_read_log(abrt_t)
+')
+
+optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
@ -776,7 +780,7 @@ index eb50f07..6ba0357 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
@@ -233,6 +258,7 @@ optional_policy(`
@@ -233,6 +262,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@ -784,7 +788,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
@@ -243,6 +269,7 @@ optional_policy(`
@@ -243,6 +273,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@ -792,7 +796,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
@@ -253,9 +280,17 @@ optional_policy(`
@@ -253,9 +284,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@ -811,7 +815,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
@@ -266,9 +301,13 @@ tunable_policy(`abrt_handle_event',`
@@ -266,9 +305,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@ -826,7 +830,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -281,6 +320,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
@@ -281,6 +324,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@ -834,7 +838,7 @@ index eb50f07..6ba0357 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -289,15 +329,20 @@ corecmd_read_all_executables(abrt_helper_t)
@@ -289,15 +333,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@ -855,7 +859,7 @@ index eb50f07..6ba0357 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -305,11 +350,25 @@ ifdef(`hide_broken_symptoms',`
@@ -305,11 +354,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -882,7 +886,7 @@ index eb50f07..6ba0357 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
@@ -327,10 +386,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
@@ -327,10 +390,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@ -896,7 +900,7 @@ index eb50f07..6ba0357 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
@@ -343,10 +404,11 @@ optional_policy(`
@@ -343,10 +408,11 @@ optional_policy(`
#######################################
#
@ -910,7 +914,7 @@ index eb50f07..6ba0357 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
@@ -365,38 +427,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
@@ -365,38 +431,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@ -962,7 +966,7 @@ index eb50f07..6ba0357 100644
#######################################
#
@@ -404,7 +476,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
@@ -404,7 +480,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@ -971,7 +975,7 @@ index eb50f07..6ba0357 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
@@ -413,16 +485,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
@@ -413,16 +489,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@ -1015,7 +1019,7 @@ index eb50f07..6ba0357 100644
')
#######################################
@@ -430,10 +528,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
@@ -430,10 +532,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@ -21332,10 +21336,12 @@ index aa0ef6e..02bdb68 100644
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
+')
diff --git a/dnsmasq.fc b/dnsmasq.fc
index 23ab808..4a801b5 100644
index 23ab808..84735a8 100644
--- a/dnsmasq.fc
+++ b/dnsmasq.fc
@@ -2,6 +2,8 @@
@@ -1,13 +1,16 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)? gen_context(system_u:object_r:dnsmasq_etc_t,s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
@ -21344,8 +21350,16 @@ index 23ab808..4a801b5 100644
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
-/var/run/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
index 19aa0b8..1e8b244 100644
index 19aa0b8..e34a540 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@ -21489,7 +21503,7 @@ index 19aa0b8..1e8b244 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
## <summary>
@ -21545,16 +21559,19 @@ index 19aa0b8..1e8b244 100644
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_etc_t;
+ type dnsmasq_var_run_t;
+ ')
+
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
+ files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
+ files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")
')
########################################
@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@ -21575,7 +21592,7 @@ index 19aa0b8..1e8b244 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@ -37952,6 +37969,36 @@ index e6136fd..f5203f5 100644
ifdef(`distro_debian',`
optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index f89651e..ea89ab1 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')
+######################################
+## <summary>
+## Read mcelog logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mcelog_read_log',`
+ gen_require(`
+ type mcelog_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
+')
+
########################################
## <summary>
## All of the rules required to
diff --git a/mcelog.te b/mcelog.te
index 59b3b3d..064c4fd 100644
--- a/mcelog.te
@ -66426,10 +66473,10 @@ index 83eb09e..b48c931 100644
+')
+
diff --git a/quantum.fc b/quantum.fc
index 70ab68b..1de192b 100644
index 70ab68b..32dec67 100644
--- a/quantum.fc
+++ b/quantum.fc
@@ -1,10 +1,26 @@
@@ -1,10 +1,28 @@
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
@ -66440,6 +66487,8 @@ index 70ab68b..1de192b 100644
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-lbaas-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-rootwrap -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
@ -66779,7 +66828,7 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
index 8644d8b..d850703 100644
index 8644d8b..b744b5d 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
@ -66906,7 +66955,7 @@ index 8644d8b..d850703 100644
+logging_send_syslog_msg(neutron_t)
-miscfiles_read_localization(quantum_t)
+sysnet_domtrans_ifconfig(neutron_t)
+sysnet_exec_ifconfig(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
+optional_policy(`
@ -92905,7 +92954,7 @@ index facdee8..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
index f03dcf5..007e3ca 100644
index f03dcf5..d58e3de 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,176 @@
@ -94330,7 +94379,7 @@ index f03dcf5..007e3ca 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
@@ -974,194 +1094,239 @@ selinux_compute_create_context(virtd_lxc_t)
@@ -974,194 +1094,246 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@ -94655,6 +94704,13 @@ index f03dcf5..007e3ca 100644
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+
@ -94668,13 +94724,13 @@ index f03dcf5..007e3ca 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
+
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
@ -94706,7 +94762,7 @@ index f03dcf5..007e3ca 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
@@ -1174,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
@@ -1174,12 +1346,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@ -94721,7 +94777,7 @@ index f03dcf5..007e3ca 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
@@ -1192,9 +1357,8 @@ optional_policy(`
@@ -1192,9 +1364,8 @@ optional_policy(`
########################################
#
@ -94732,7 +94788,7 @@ index f03dcf5..007e3ca 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
@@ -1207,5 +1371,194 @@ kernel_read_network_state(virt_bridgehelper_t)
@@ -1207,5 +1378,193 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@ -94928,7 +94984,6 @@ index f03dcf5..007e3ca 100644
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
diff --git a/vlock.te b/vlock.te
index 6b72968..de409cc 100644
--- a/vlock.te
@ -98508,10 +98563,10 @@ index 3fded1c..5729b83 100644
-miscfiles_read_localization(zarafa_domain)
+dev_read_sysfs(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
index 28ee4ca..e1b30b2 100644
index 28ee4ca..bc37f76 100644
--- a/zebra.fc
+++ b/zebra.fc
@@ -1,21 +1,22 @@
@@ -1,21 +1,34 @@
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-
@ -98525,18 +98580,30 @@ index 28ee4ca..e1b30b2 100644
-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/babeld -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/isisd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
+
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/usr/lib/systemd/system/babeld.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/bgpd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/isisd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospf6d.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ospfd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/ripngd.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
+/usr/lib/systemd/system/zebra.* -- gen_context(system_u:object_r:zebra_unit_file_t,s0)
-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/babeld -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/isisd -- gen_context(system_u:object_r:zebra_exec_t,s0)
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
+
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
@ -98548,7 +98615,7 @@ index 28ee4ca..e1b30b2 100644
-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
diff --git a/zebra.if b/zebra.if
index 3416401..ef64e73 100644
index 3416401..676925c 100644
--- a/zebra.if
+++ b/zebra.if
@@ -1,8 +1,8 @@
@ -98580,8 +98647,33 @@ index 3416401..ef64e73 100644
## </summary>
## <param name="domain">
## <summary>
@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',`
@@ -42,10 +41,33 @@ interface(`zebra_stream_connect',`
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')
+#######################################
+## <summary>
+## Execute zebra services in the zebra domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zebra_systemctl',`
+ gen_require(`
+ type zebra_t;
+ type zebra_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ allow $1 zebra_unit_file_t:file read_file_perms;
+ allow $1 zebra_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, zebra_t)
+')
+
########################################
## <summary>
-## All of the rules required to
@ -98591,7 +98683,7 @@ index 3416401..ef64e73 100644
## </summary>
## <param name="domain">
## <summary>
@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',`
@@ -54,7 +76,7 @@ interface(`zebra_stream_connect',`
## </param>
## <param name="role">
## <summary>
@ -98600,7 +98692,7 @@ index 3416401..ef64e73 100644
## </summary>
## </param>
## <rolecap/>
@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
@@ -62,13 +84,16 @@ interface(`zebra_stream_connect',`
interface(`zebra_admin',`
gen_require(`
type zebra_t, zebra_tmp_t, zebra_log_t;
@ -98612,17 +98704,28 @@ index 3416401..ef64e73 100644
- allow $1 zebra_t:process { ptrace signal_perms };
+ allow $1 zebra_t:process signal_perms;
ps_process_pattern($1, zebra_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 zebra_t:process ptrace;
+ ')
+
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
@@ -85,4 +110,8 @@ interface(`zebra_admin',`
files_list_pids($1)
admin_pattern($1, zebra_var_run_t)
+
+ zebra_systemctl($1)
+ admin_pattern($1, zebra_unit_file_t)
+ allow $1 zebra_unit_file_t:service all_service_perms;
')
diff --git a/zebra.te b/zebra.te
index 2e80d04..dd1513f 100644
index 2e80d04..3a76167 100644
--- a/zebra.te
+++ b/zebra.te
@@ -6,19 +6,19 @@ policy_module(zebra, 1.13.0)
@@ -6,23 +6,26 @@ policy_module(zebra, 1.13.0)
#
## <desc>
@ -98648,7 +98751,14 @@ index 2e80d04..dd1513f 100644
type zebra_initrc_exec_t;
init_script_file(zebra_initrc_exec_t)
@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
+type zebra_unit_file_t;
+systemd_unit_file(zebra_unit_file_t)
+
type zebra_log_t;
logging_log_file(zebra_log_t)
@@ -40,26 +43,27 @@ files_pid_file(zebra_var_run_t)
allow zebra_t self:capability { setgid setuid net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
@ -98676,11 +98786,16 @@ index 2e80d04..dd1513f 100644
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
-allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
-files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+# /tmp/.bgpd is such a bad idea!
allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+manage_sock_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+manage_files_pattern(zebra_t, zebra_tmp_t, zebra_tmp_t)
+files_tmp_filetrans(zebra_t, zebra_tmp_t, { file sock_file })
@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
@@ -71,7 +75,6 @@ kernel_read_network_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
@ -98688,7 +98803,7 @@ index 2e80d04..dd1513f 100644
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
@@ -79,48 +82,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
corenet_tcp_sendrecv_generic_node(zebra_t)
corenet_udp_sendrecv_generic_node(zebra_t)
corenet_raw_sendrecv_generic_node(zebra_t)
@ -98751,7 +98866,7 @@ index 2e80d04..dd1513f 100644
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
@@ -139,3 +134,7 @@ optional_policy(`
@@ -139,3 +138,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
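Review bot: The new virt.te rules `manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)` through `filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })` are granted to the sandbox_net_domain attribute while every neighbouring rule in that hunk is scoped to the single type svirt_qemu_net_t, so every domain carrying the attribute gains create/write/unlink on svirt_home_t home content; the attribute's definition is outside the hunk, so how many domains that covers cannot be judged from here. If the attribute-wide grant is intended, a comment above the block such as `# attribute-wide on purpose: every network sandbox manages its own svirt_home_t content` would save the next reviewer the same question; if only the qemu sandbox needs it, scoping those six lines to svirt_qemu_net_t is the smaller change. Separately, the new `dnsmasq_filetrans_named_content` interface calls `virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")` directly; unless virt is a hard dependency of the dnsmasq module, wrapping that call in an optional_policy block keeps the interface usable when virt is not built. The enclosing virt.te and dnsmasq.if bodies both start outside their hunks.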


@ -19,12 +19,13 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
patch2: policy-rawhide-contrib-apache-content.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@ -315,6 +316,7 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
%patch2 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
@ -573,6 +575,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Thu Nov 14 2013 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-3
- Add policy-rawhide-contrib-apache-content.patch to re-write apache_content_template() by dwalsh
* Thu Nov 14 2013 Dan Walsh<dwalsh@redhat.com> 3.13.1-2
- Fix config.tgz to include lxc_contexts and systemd_contexts