- Merge with upstream

2010-08-27 08:58:04 -04:00 · 2010-08-27 08:58:04 -04:00 · 59475c2524
commit 59475c2524
parent ba77266a14
1 changed files with 69 additions and 55 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -7091,7 +7091,7 @@ index 3b2da10..7eed11d 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index cac0c64..9223f7d 100644
+index cac0c64..d0aaa1c 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
@ -7287,7 +7287,32 @@ index cac0c64..9223f7d 100644
 ##	Get the attributes of sysfs directories.
 ## </summary>
 ## <param name="domain">
-@@ -3851,6 +3995,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
+ 
+ ########################################
+ ## <summary>
+##	Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+ ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
+ ## </summary>
+ ## <desc>
+@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
 
 ########################################
 ## <summary>
@ -7312,7 +7337,7 @@ index cac0c64..9223f7d 100644
 ##	Mount a usbfs filesystem.
 ## </summary>
 ## <param name="domain">
-@@ -4161,11 +4323,10 @@ interface(`dev_write_video_dev',`
+@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
 #
 interface(`dev_rw_vhost',`
 	gen_require(`
@ -14184,7 +14209,7 @@ index 1cf6c4e..90c60df 100644
 -/var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
 -/var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if
-index 293e08d..a57fe37 100644
+index 293e08d..1bdfe84 100644
 --- a/policy/modules/services/cobbler.if
 +++ b/policy/modules/services/cobbler.if
@@ -26,6 +26,7 @@ interface(`cobblerd_domtrans',`
@ -14260,7 +14285,7 @@ index 293e08d..a57fe37 100644
 	files_search_var_lib($1)
 ')
 
-@@ -137,12 +140,51 @@ interface(`cobbler_manage_lib_files',`
+@@ -137,12 +140,33 @@ interface(`cobbler_manage_lib_files',`
 		type cobbler_var_lib_t;
 	')
 
@ -14272,24 +14297,6 @@ index 293e08d..a57fe37 100644
 
 ########################################
 ## <summary>
-+##	dontaudit read and write Cobbler log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`cobbler_dontaudit_rw_log',`
-+	gen_require(`
-+		type cobbler_var_log_t;
-+	')
-+
-+	dontaudit $1 cobbler_var_log_t:file rw_inherited_files_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Do not audit attempts to read and write
 +##	Cobbler log files (leaked fd).
 +## </summary>
@ -14312,7 +14319,7 @@ index 293e08d..a57fe37 100644
 ##	All of the rules required to administrate
 ##	an cobblerd environment
 ## </summary>
-@@ -162,6 +204,9 @@ interface(`cobblerd_admin',`
+@@ -162,6 +186,9 @@ interface(`cobblerd_admin',`
 	gen_require(`
 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
 		type cobbler_etc_t, cobblerd_initrc_exec_t;
@ -14322,7 +14329,7 @@ index 293e08d..a57fe37 100644
 	')
 
 	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-@@ -176,10 +221,18 @@ interface(`cobblerd_admin',`
+@@ -176,10 +203,18 @@ interface(`cobblerd_admin',`
 	logging_search_logs($1)
 	admin_pattern($1, cobbler_var_log_t)
 
@ -28994,7 +29001,7 @@ index f6aafe7..7da8294 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..cd266c0 100644
+index bd45076..a1b6d56 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -29108,7 +29115,7 @@ index bd45076..cd266c0 100644
 	corecmd_shell_domtrans(init_t, initrc_t)
 ',`
 	# Run the shell in the sysadm role for single-user mode.
-@@ -185,15 +216,73 @@ tunable_policy(`init_upstart',`
+@@ -185,15 +216,80 @@ tunable_policy(`init_upstart',`
 	sysadm_shell_domtrans(init_t)
 ')
 
@ -29116,7 +29123,7 @@ index bd45076..cd266c0 100644
 +modutils_domtrans_insmod(init_t)
 +
 +tunable_policy(`init_systemd',`
-+	allow init_t self:unix_dgram_socket create_socket_perms;
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 +	allow init_t self:process { setsockcreate setfscreate };
 +	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
@ -29135,6 +29142,7 @@ index bd45076..cd266c0 100644
 +	dev_read_generic_chr_files(init_t)
 +	dev_relabelfrom_generic_chr_files(init_t)
 +	dev_relabel_autofs_dev(init_t)
+	dev_manage_sysfs_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_manage_all_pids_dirs(init_t)
@ -29145,16 +29153,22 @@ index bd45076..cd266c0 100644
 +	fs_list_auto_mountpoints(init_t)
 +	fs_read_cgroup_files(init_t)
 +	fs_write_cgroup_files(init_t)
+	fs_search_cgroup_dirs(daemon)
 +
 +	selinux_compute_create_context(init_t)
 +	selinux_validate_context(init_t)
 +	selinux_unmount_fs(init_t)
 +
+	storage_getattr_removable_dev(init_t)
+
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
 +
-+	storage_getattr_removable_dev(init_t)
+	optional_policy(`
+		plymouthd_stream_connect(init_t)
+		plymouthd_exec_plymouth(init_t)
+	')
 +')
 +
 optional_policy(`
@ -29182,7 +29196,7 @@ index bd45076..cd266c0 100644
 	nscd_socket_use(init_t)
 ')
 
-@@ -202,6 +291,10 @@ optional_policy(`
+@@ -202,6 +298,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29193,7 +29207,7 @@ index bd45076..cd266c0 100644
 	unconfined_domain(init_t)
 ')
 
-@@ -211,7 +304,7 @@ optional_policy(`
+@@ -211,7 +311,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -29202,7 +29216,7 @@ index bd45076..cd266c0 100644
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
-@@ -240,6 +333,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -29210,7 +29224,7 @@ index bd45076..cd266c0 100644
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +351,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
 kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
@ -29233,7 +29247,7 @@ index bd45076..cd266c0 100644
 
 corecmd_exec_all_executables(initrc_t)
 
-@@ -297,11 +402,13 @@ dev_manage_generic_files(initrc_t)
+@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
@ -29247,7 +29261,7 @@ index bd45076..cd266c0 100644
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-@@ -320,8 +427,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
@ -29259,7 +29273,7 @@ index bd45076..cd266c0 100644
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
-@@ -337,8 +446,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
@ -29273,7 +29287,7 @@ index bd45076..cd266c0 100644
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
-@@ -348,6 +461,8 @@ fs_mount_all_fs(initrc_t)
+@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
@ -29282,7 +29296,7 @@ index bd45076..cd266c0 100644
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
-@@ -360,6 +475,7 @@ mls_process_read_up(initrc_t)
+@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
@ -29290,7 +29304,7 @@ index bd45076..cd266c0 100644
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -391,13 +507,14 @@ logging_read_audit_config(initrc_t)
+@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@ -29306,7 +29320,7 @@ index bd45076..cd266c0 100644
 userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -470,7 +587,7 @@ ifdef(`distro_redhat',`
+@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
@ -29315,7 +29329,7 @@ index bd45076..cd266c0 100644
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
-@@ -516,6 +633,19 @@ ifdef(`distro_redhat',`
+@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
@ -29335,7 +29349,7 @@ index bd45076..cd266c0 100644
 	')
 
 	optional_policy(`
-@@ -523,10 +653,17 @@ ifdef(`distro_redhat',`
+@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
@ -29353,7 +29367,7 @@ index bd45076..cd266c0 100644
 	')
 
 	optional_policy(`
-@@ -541,6 +678,35 @@ ifdef(`distro_suse',`
+@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
 	')
 ')
 
@ -29389,7 +29403,7 @@ index bd45076..cd266c0 100644
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -553,6 +719,8 @@ optional_policy(`
+@@ -553,6 +726,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
@ -29398,7 +29412,7 @@ index bd45076..cd266c0 100644
 ')
 
 optional_policy(`
-@@ -569,6 +737,7 @@ optional_policy(`
+@@ -569,6 +744,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
@ -29406,7 +29420,7 @@ index bd45076..cd266c0 100644
 ')
 
 optional_policy(`
-@@ -581,6 +750,11 @@ optional_policy(`
+@@ -581,6 +757,11 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29418,7 +29432,7 @@ index bd45076..cd266c0 100644
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
-@@ -597,6 +771,7 @@ optional_policy(`
+@@ -597,6 +778,7 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
@ -29426,7 +29440,7 @@ index bd45076..cd266c0 100644
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
-@@ -698,7 +873,12 @@ optional_policy(`
+@@ -698,7 +880,12 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29439,7 +29453,7 @@ index bd45076..cd266c0 100644
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
-@@ -721,6 +901,10 @@ optional_policy(`
+@@ -721,6 +908,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29450,7 +29464,7 @@ index bd45076..cd266c0 100644
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
-@@ -742,6 +926,10 @@ optional_policy(`
+@@ -742,6 +933,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29461,7 +29475,7 @@ index bd45076..cd266c0 100644
 	fs_write_ramfs_sockets(initrc_t)
 	fs_search_ramfs(initrc_t)
 
-@@ -763,8 +951,6 @@ optional_policy(`
+@@ -763,8 +958,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
@ -29470,7 +29484,7 @@ index bd45076..cd266c0 100644
 ')
 
 optional_policy(`
-@@ -773,14 +959,21 @@ optional_policy(`
+@@ -773,14 +966,21 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29492,7 +29506,7 @@ index bd45076..cd266c0 100644
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -802,11 +995,19 @@ optional_policy(`
+@@ -802,11 +1002,19 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29513,7 +29527,7 @@ index bd45076..cd266c0 100644
 
 	ifdef(`distro_redhat',`
 		# system-config-services causes avc messages that should be dontaudited
-@@ -816,6 +1017,25 @@ optional_policy(`
+@@ -816,6 +1024,25 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
@ -29539,7 +29553,7 @@ index bd45076..cd266c0 100644
 ')
 
 optional_policy(`
-@@ -841,3 +1061,55 @@ optional_policy(`
+@@ -841,3 +1068,55 @@ optional_policy(`
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')