From 5bd1f1afd6b4e0c8c81b42f47c51ad65693fd417 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 13 Jan 2014 12:25:57 +0100 Subject: [PATCH] * Mon Jan 13 2014 Miroslav Grepl 3.13.1-13 - Remove file_t from the system and realias it with unlabeled_ --- policy-rawhide-base.patch | 465 +++++++++++++++++++++++++++-------- policy-rawhide-contrib.patch | 16 +- selinux-policy.spec | 7 +- 3 files changed, 377 insertions(+), 111 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 5f3e71b6..5a49e8ce 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9408,7 +9408,7 @@ index b876c48..27f60c6 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..5c44da2 100644 +index f962f76..68d8f79 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10418,10 +10418,19 @@ index f962f76..5c44da2 100644 ') ######################################## -@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',` - - ######################################## - ## +@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',` + # + interface(`files_getattr_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir getattr; ++') ++ ++######################################## ++## +## Setattr of directories on new filesystems +## that have not yet been labeled. +## 
@@ -10433,21 +10442,63 @@ index f962f76..5c44da2 100644 +# +interface(`files_setattr_isid_type_dirs',` + gen_require(` -+ type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:dir getattr; ++ allow $1 unlabeled_t:dir setattr; + ') + + ######################################## +@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',` + # + interface(`files_dontaudit_search_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- dontaudit $1 file_t:dir search_dir_perms; ++ dontaudit $1 unlabeled_t:dir search_dir_perms; + ') + + ######################################## +@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` + # + interface(`files_list_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:dir list_dir_perms; ++ allow $1 unlabeled_t:dir list_dir_perms; + ') + + ######################################## +@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',` + # + interface(`files_rw_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:dir rw_dir_perms; ++ allow $1 unlabeled_t:dir rw_dir_perms; + ') + + ######################################## +@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',` + # + interface(`files_delete_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + -+ allow $1 file_t:dir setattr; ++ delete_dirs_pattern($1, unlabeled_t, unlabeled_t) +') -+ -+######################################## -+## - ## Do not audit attempts to search directories on new filesystems - ## that have not yet been labeled. - ## -@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',` - - delete_dirs_pattern($1, file_t, file_t) - ') +######################################## +## +## Execute files on new filesystems 
@@ -10461,10 +10512,10 @@ index f962f76..5c44da2 100644 +# +interface(`files_exec_isid_files',` + gen_require(` -+ type file_t; ++ type unlabeled_t; + ') + -+ can_exec($1, file_t) ++ can_exec($1, unlabeled_t) +') + +######################################## @@ -10480,10 +10531,10 @@ index f962f76..5c44da2 100644 +# +interface(`files_mounton_isid',` + gen_require(` -+ type file_t; ++ type unlabeled_t; + ') + -+ allow $1 file_t:dir mounton; ++ allow $1 unlabeled_t:dir mounton; +') + +######################################## 
@@ -10499,18 +10550,183 @@ index f962f76..5c44da2 100644 +# +interface(`files_relabelfrom_isid_type',` + gen_require(` -+ type file_t; ++ type unlabeled_t; + ') + +- delete_dirs_pattern($1, file_t, file_t) ++ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; + ') + + ######################################## +@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',` + # + interface(`files_manage_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:dir manage_dir_perms; ++ allow $1 unlabeled_t:dir manage_dir_perms; + ') + + ######################################## +@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',` + # + interface(`files_mounton_isid_type_dirs',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:dir { search_dir_perms mounton }; ++ allow $1 unlabeled_t:dir { search_dir_perms mounton }; + ') + + ######################################## +@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',` + # + interface(`files_read_isid_type_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:file read_file_perms; ++ allow $1 unlabeled_t:file read_file_perms; + ') + + ######################################## +@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',` + # + interface(`files_delete_isid_type_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_files_pattern($1, file_t, file_t) ++ delete_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',` + # + interface(`files_delete_isid_type_symlinks',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_lnk_files_pattern($1, file_t, file_t) ++ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3332,10 +3943,10 @@ 
interface(`files_delete_isid_type_symlinks',` + # + interface(`files_delete_isid_type_fifo_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_fifo_files_pattern($1, file_t, file_t) ++ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',` + # + interface(`files_delete_isid_type_sock_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_sock_files_pattern($1, file_t, file_t) ++ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',` + # + interface(`files_delete_isid_type_blk_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_blk_files_pattern($1, file_t, file_t) ++ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',` + # + interface(`files_dontaudit_write_isid_chr_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- dontaudit $1 file_t:chr_file write; ++ dontaudit $1 unlabeled_t:chr_file write; + ') + + ######################################## +@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',` + # + interface(`files_delete_isid_type_chr_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- delete_chr_files_pattern($1, file_t, file_t) ++ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t) + ') + + ######################################## +@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',` + # + interface(`files_manage_isid_type_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:file manage_file_perms; ++ allow $1 unlabeled_t:file manage_file_perms; + ') + + ######################################## +@@ 
-3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',` + # + interface(`files_manage_isid_type_symlinks',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:lnk_file manage_lnk_file_perms; ++ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms; + ') + + ######################################## +@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',` + # + interface(`files_rw_isid_type_blk_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + -+ dontaudit $1 file_t:dir_file_class_set relabelfrom; ++ allow $1 unlabeled_t:blk_file rw_blk_file_perms; +') - - ######################################## - ## -@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',` - - ######################################## - ## ++ ++######################################## ++## +## rw any files inherited from another process +## on new filesystems that have not yet been labeled. +## 
@@ -10522,17 +10738,40 @@ index f962f76..5c44da2 100644 +# +interface(`files_rw_inherited_isid_type_files',` + gen_require(` -+ type file_t; -+ ') -+ -+ allow $1 file_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete block device nodes - ## on new filesystems that have not yet been labeled. - ## ++ type unlabeled_t; + ') + +- allow $1 file_t:blk_file rw_blk_file_perms; ++ allow $1 unlabeled_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',` + # + interface(`files_manage_isid_type_blk_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:blk_file manage_blk_file_perms; ++ allow $1 unlabeled_t:blk_file manage_blk_file_perms; + ') + + ######################################## +@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',` + # + interface(`files_manage_isid_type_chr_files',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:chr_file manage_chr_file_perms; ++ allow $1 unlabeled_t:chr_file manage_chr_file_perms; + ') + + ######################################## @@ -3814,20 +4444,38 @@ interface(`files_list_mnt',` ###################################### @@ -10939,7 +11178,7 @@ index f962f76..5c44da2 100644 ## ## ## -@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',` ## ## # 
@@ -10989,19 +11228,23 @@ index f962f76..5c44da2 100644 ## -## Domain not to audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` +interface(`files_read_inherited_tmp_files',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; + allow $1 tmpfile:file { append read_inherited_file_perms }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. +## Allow caller to append inherited tmp files. +## +## @@ -11084,9 +11327,24 @@ index f962f76..5c44da2 100644 +## +## +## Domain to not audit. - ## - ## - # ++## ++## ++# ++interface(`files_dontaudit_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:file getattr; ++') ++ ++######################################## ++## ++## Allow attempts to get the attributes ++## of all tmp files. + ## + ## + ## @@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',` ## ## @@ -11491,7 +11749,7 @@ index f962f76..5c44da2 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11515,13 +11773,11 @@ index f962f76..5c44da2 100644 ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) + dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. ++') ++ ++######################################## ++## +## List the contents of the runtime process +## ID directories (/var/run). +## 
@@ -11537,15 +11793,9 @@ index f962f76..5c44da2 100644 + ') + + files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. - ## - ## - ## + list_dirs_pattern($1, var_t, var_run_t) + ') + @@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -12829,7 +13079,7 @@ index f962f76..5c44da2 100644 + allow $1 etc_t:service status; ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1a03abd..0335af9 100644 +index 1a03abd..dfcd2ad 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.18.1) @@ -12849,7 +13099,7 @@ index 1a03abd..0335af9 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -48,28 +52,45 @@ attribute usercanread; +@@ -48,47 +52,55 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) @@ -12897,15 +13147,19 @@ index 1a03abd..0335af9 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t; - # - type file_t; - files_mountpoint(file_t) -+files_base_file(file_t) - kernel_rootfs_mountpoint(file_t) - sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0) + # +-# file_t is the default type of a file that has not yet been +-# assigned an extended attribute (EA) value (when using a filesystem +-# that supports EAs). +-# +-type file_t; +-files_mountpoint(file_t) +-kernel_rootfs_mountpoint(file_t) +-sid file gen_context(system_u:object_r:file_t,s0) +- +-# + # home_root_t is the type for the directory where user home directories # are created # type home_root_t; 
@@ -12913,7 +13167,7 @@ index 1a03abd..0335af9 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +119,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +108,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -12928,7 +13182,7 @@ index 1a03abd..0335af9 100644 files_mountpoint(mnt_t) # -@@ -123,6 +147,7 @@ files_type(readable_t) +@@ -123,6 +136,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -12936,7 +13190,7 @@ index 1a03abd..0335af9 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,45 +158,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) @@ -12991,7 +13245,7 @@ index 1a03abd..0335af9 100644 files_lock_file(var_lock_t) files_mountpoint(var_lock_t) -@@ -180,6 +214,7 @@ files_mountpoint(var_lock_t) +@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t) # used for pid and other runtime files. # type var_run_t; @@ -12999,7 +13253,7 @@ index 1a03abd..0335af9 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -187,7 +222,9 @@ files_mountpoint(var_run_t) +@@ -187,7 +211,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; @@ -13009,7 +13263,7 @@ index 1a03abd..0335af9 100644 ######################################## # -@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile) +@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; @@ -15284,7 +15538,7 @@ index e100d88..2b0a5b3 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..88cbe95 100644 +index 8dbab4c..b33d885 100644 --- a/policy/modules/kernel/kernel.te 
+++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -15335,15 +15589,22 @@ index 8dbab4c..88cbe95 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +allow unlabeled_t self:filesystem associate; ++ ++# Need the following because we are type alias of file_t. ++files_mountpoint(unlabeled_t) ++files_base_file(unlabeled_t) ++kernel_rootfs_mountpoint(unlabeled_t) ++sid file gen_context(system_u:object_r:unlabeled_t,s0) ++typealias unlabeled_t alias file_t; # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +210,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -15351,7 +15612,7 @@ index 8dbab4c..88cbe95 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) 
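Review bot: The comment `# Need the following because we are type alias of file_t.` in the `@@ -165,6 +178,14 @@` hunk does not state what `typealias unlabeled_t alias file_t;` actually does to the trust boundary: files that merely lack an xattr label (`sid file`, level `s0`) now share one type with objects whose context is missing or invalid (`sid unlabeled`, level `mls_systemhigh`), so every rule written for either type reaches both, including the `allow kern_unconfined unlabeled_t:dir_file_class_set *;` visible in the later hunk of this file. I would replace the comment with `# file_t is now an alias of unlabeled_t: unlabeled files on xattr filesystems (sid file, s0) share a type with objects whose context is invalid or missing (sid unlabeled, mls_systemhigh), so every rule on either type reaches both.` The same widening applies to the mechanical `file_t` → `unlabeled_t` renames in the files.if hunks (`@@ -10418`, `@@ -10433`, `@@ -10461`, `@@ -10499`, `@@ -10522`), whose interface summaries still read "on new filesystems that have not yet been labeled" and should be reworded to say they also cover objects with invalid contexts. The unlabeled_t block continues outside this hunk.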
@@ -15359,7 +15620,7 @@ index 8dbab4c..88cbe95 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) @@ -15385,7 +15646,7 @@ index 8dbab4c..88cbe95 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -15395,7 +15656,7 @@ index 8dbab4c..88cbe95 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +296,49 @@ files_list_root(kernel_t) +@@ -277,25 +303,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -15445,7 +15706,7 @@ index 8dbab4c..88cbe95 100644 ') optional_policy(` -@@ -305,6 +348,19 @@ optional_policy(` +@@ -305,6 +355,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -15465,7 +15726,7 @@ index 8dbab4c..88cbe95 100644 ') optional_policy(` -@@ -312,6 +368,10 @@ optional_policy(` +@@ -312,6 +375,10 @@ optional_policy(` ') optional_policy(` @@ -15476,7 +15737,7 @@ index 8dbab4c..88cbe95 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +392,6 @@ optional_policy(` +@@ -332,9 +399,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -15486,7 +15747,7 @@ index 8dbab4c..88cbe95 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +400,7 @@ optional_policy(` +@@ -343,9 +407,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -15497,7 +15758,7 @@ index 8dbab4c..88cbe95 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +409,7 @@ optional_policy(` +@@ -354,7 +416,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -15506,7 +15767,7 @@ index 8dbab4c..88cbe95 100644 ') ') -@@ -367,6 +422,15 @@ optional_policy(` +@@ -367,6 +429,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -15522,7 +15783,7 @@ index 8dbab4c..88cbe95 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index cf9c3c25..107f50a6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -71040,7 +71040,7 @@ index 951db7f..c0cabe8 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index c99753f..5e27523 100644 +index c99753f..2eb5455 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; @@ -71059,7 +71059,7 @@ index c99753f..5e27523 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t) +@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; 
@@ -71098,10 +71098,12 @@ index c99753f..5e27523 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t) + dev_rw_sysfs(mdadm_t) - dev_dontaudit_getattr_all_blk_files(mdadm_t) - dev_dontaudit_getattr_all_chr_files(mdadm_t) +-dev_dontaudit_getattr_all_blk_files(mdadm_t) +-dev_dontaudit_getattr_all_chr_files(mdadm_t) ++dev_dontaudit_read_all_blk_files(mdadm_t) ++dev_dontaudit_read_all_chr_files(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -76722,7 +76724,7 @@ index 0bf13c2..d59aef7 100644 type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t; type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t; diff --git a/rpc.te b/rpc.te -index 2da9fca..11e7bfe 100644 +index 2da9fca..2497a03 100644 --- a/rpc.te +++ b/rpc.te @@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1) @@ -77028,7 +77030,7 @@ index 2da9fca..11e7bfe 100644 miscfiles_read_generic_certs(gssd_t) userdom_signal_all_users(gssd_t) -+userdom_read_all_users_keys(gssd_t) ++userdom_manage_all_users_keys(gssd_t) -tunable_policy(`allow_gssd_read_tmp',` +tunable_policy(`gssd_read_tmp',` diff --git a/selinux-policy.spec b/selinux-policy.spec index bc8d8e5a..bc5e1462 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -576,7 +576,10 @@ SELinux Reference policy mls base module. %endif %changelog -* Mon Jan 9 2014 Miroslav Grepl 3.13.1-12 +* Mon Jan 13 2014 Miroslav Grepl 3.13.1-13 +- Remove file_t from the system and realias it with unlabeled_t + +* Thu Jan 9 2014 Miroslav Grepl 3.13.1-12 - Add gluster fixes - Remove ability to transition to unconfined_t from confined domains - Additional allow rules to get libvirt-lxc containers working with docker
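Review bot: Swapping `dev_dontaudit_getattr_all_blk_files(mdadm_t)` and `dev_dontaudit_getattr_all_chr_files(mdadm_t)` for the `dev_dontaudit_read_all_*` variants in the raid.te hunk hides denials for actual read attempts by mdadm_t on every block and character device, a noticeably larger audit blind spot than the getattr-only rules it replaces (the read permission set ordinarily subsumes getattr, so the old dontaudit is fully covered). The hunk gives no hint which mdadm operation provokes these reads, so a reviewer cannot tell whether a narrower allow on the specific device type would serve instead; a comment above the two lines such as `# TODO(review): record which mdadm operation reads arbitrary device nodes; narrow to that device type if possible` would keep the question visible. The mdadm_t policy section continues outside the hunk.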
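Review bot: `userdom_manage_all_users_keys(gssd_t)` in the rpc.te hunk (`@@ -77028,7 +77030,7 @@`) widens gssd_t from reading to what is ordinarily create/write/link/setattr on every user's kernel keyring, yet the selinux-policy.spec changelog entry in this commit only records the file_t realiasing. A justification comment above the rule naming the gssd operation that needs write access to other users' keyrings, or a changelog line recording the widening, would keep the privilege grant auditable; as written it is invisible to anyone reading the release notes. The gssd_t section continues outside the hunk.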