* Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13

- Remove file_t from the system and realias it with unlabeled_t
This commit is contained in:
Miroslav Grepl 2014-01-13 12:25:57 +01:00
parent 0a96c38442
commit 5bd1f1afd6
3 changed files with 377 additions and 111 deletions


@ -9408,7 +9408,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f962f76..5c44da2 100644
index f962f76..68d8f79 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -10418,10 +10418,19 @@ index f962f76..5c44da2 100644
')
########################################
@@ -3150,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
## <summary>
@@ -3142,10 +3678,29 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir getattr;
+')
+
+########################################
+## <summary>
+## Setattr of directories on new filesystems
+## that have not yet been labeled.
+## </summary>
@ -10433,21 +10442,63 @@ index f962f76..5c44da2 100644
+#
+interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
+ type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir getattr;
+ allow $1 unlabeled_t:dir setattr;
')
########################################
@@ -3161,10 +3716,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- dontaudit $1 file_t:dir search_dir_perms;
+ dontaudit $1 unlabeled_t:dir search_dir_perms;
')
########################################
@@ -3180,10 +3735,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir list_dir_perms;
+ allow $1 unlabeled_t:dir list_dir_perms;
')
########################################
@@ -3199,10 +3754,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir rw_dir_perms;
+ allow $1 unlabeled_t:dir rw_dir_perms;
')
########################################
@@ -3218,10 +3773,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
+ ')
+
+ allow $1 file_t:dir setattr;
+ delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
@@ -3223,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
+########################################
+## <summary>
+## Execute files on new filesystems
@ -10461,10 +10512,10 @@ index f962f76..5c44da2 100644
+#
+interface(`files_exec_isid_files',`
+ gen_require(`
+ type file_t;
+ type unlabeled_t;
+ ')
+
+ can_exec($1, file_t)
+ can_exec($1, unlabeled_t)
+')
+
+########################################
@ -10480,10 +10531,10 @@ index f962f76..5c44da2 100644
+#
+interface(`files_mounton_isid',`
+ gen_require(`
+ type file_t;
+ type unlabeled_t;
+ ')
+
+ allow $1 file_t:dir mounton;
+ allow $1 unlabeled_t:dir mounton;
+')
+
+########################################
@ -10499,18 +10550,183 @@ index f962f76..5c44da2 100644
+#
+interface(`files_relabelfrom_isid_type',`
+ gen_require(`
+ type file_t;
+ type unlabeled_t;
')
- delete_dirs_pattern($1, file_t, file_t)
+ dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
')
########################################
@@ -3237,10 +3848,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir manage_dir_perms;
+ allow $1 unlabeled_t:dir manage_dir_perms;
')
########################################
@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:dir { search_dir_perms mounton };
+ allow $1 unlabeled_t:dir { search_dir_perms mounton };
')
########################################
@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:file read_file_perms;
+ allow $1 unlabeled_t:file read_file_perms;
')
########################################
@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_files_pattern($1, file_t, file_t)
+ delete_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_lnk_files_pattern($1, file_t, file_t)
+ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3332,10 +3943,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_fifo_files_pattern($1, file_t, file_t)
+ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_sock_files_pattern($1, file_t, file_t)
+ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_blk_files_pattern($1, file_t, file_t)
+ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- dontaudit $1 file_t:chr_file write;
+ dontaudit $1 unlabeled_t:chr_file write;
')
########################################
@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- delete_chr_files_pattern($1, file_t, file_t)
+ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
')
########################################
@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:file manage_file_perms;
+ allow $1 unlabeled_t:file manage_file_perms;
')
########################################
@@ -3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:lnk_file manage_lnk_file_perms;
+ allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
')
########################################
@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 file_t:dir_file_class_set relabelfrom;
+ allow $1 unlabeled_t:blk_file rw_blk_file_perms;
+')
########################################
## <summary>
@@ -3473,6 +4084,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
## <summary>
+
+########################################
+## <summary>
+## rw any files inherited from another process
+## on new filesystems that have not yet been labeled.
+## </summary>
@ -10522,17 +10738,40 @@ index f962f76..5c44da2 100644
+#
+interface(`files_rw_inherited_isid_type_files',`
+ gen_require(`
+ type file_t;
+ ')
+
+ allow $1 file_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
## </summary>
+ type unlabeled_t;
')
- allow $1 file_t:blk_file rw_blk_file_perms;
+ allow $1 unlabeled_t:file rw_inherited_file_perms;
')
########################################
@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:blk_file manage_blk_file_perms;
+ allow $1 unlabeled_t:blk_file manage_blk_file_perms;
')
########################################
@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
- type file_t;
+ type unlabeled_t;
')
- allow $1 file_t:chr_file manage_chr_file_perms;
+ allow $1 unlabeled_t:chr_file manage_chr_file_perms;
')
########################################
@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
######################################
@ -10939,7 +11178,7 @@ index f962f76..5c44da2 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4482,44 +5384,134 @@ interface(`files_setattr_all_tmp_dirs',`
@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',`
## </summary>
## </param>
#
@ -10989,19 +11228,23 @@ index f962f76..5c44da2 100644
## <summary>
-## Domain not to audit.
+## Domain allowed access.
+## </summary>
+## </param>
+#
## </summary>
## </param>
#
-interface(`files_dontaudit_getattr_all_tmp_files',`
+interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
gen_require(`
attribute tmpfile;
')
- dontaudit $1 tmpfile:file getattr;
+ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
+########################################
+## <summary>
')
########################################
## <summary>
-## Allow attempts to get the attributes
-## of all tmp files.
+## Allow caller to append inherited tmp files.
+## </summary>
+## <param name="domain">
@ -11084,9 +11327,24 @@ index f962f76..5c44da2 100644
+## <param name="domain">
+## <summary>
+## Domain to not audit.
## </summary>
## </param>
#
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+## <summary>
+## Allow attempts to get the attributes
+## of all tmp files.
## </summary>
## <param name="domain">
## <summary>
@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
## </summary>
## <param name="domain">
@ -11491,7 +11749,7 @@ index f962f76..5c44da2 100644
########################################
## <summary>
## Do not audit attempts to search
@@ -6025,27 +7192,46 @@ interface(`files_dontaudit_search_pids',`
@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',`
########################################
## <summary>
@ -11515,13 +11773,11 @@ index f962f76..5c44da2 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_run_t)
+ dontaudit $1 pidfile:dir search_dir_perms;
')
########################################
## <summary>
-## Read generic process ID files.
+')
+
+########################################
+## <summary>
+## List the contents of the runtime process
+## ID directories (/var/run).
+## </summary>
@ -11537,15 +11793,9 @@ index f962f76..5c44da2 100644
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+## <summary>
+## Read generic process ID files.
## </summary>
## <param name="domain">
## <summary>
list_dirs_pattern($1, var_t, var_run_t)
')
@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@ -12829,7 +13079,7 @@ index f962f76..5c44da2 100644
+ allow $1 etc_t:service status;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..0335af9 100644
index 1a03abd..dfcd2ad 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
@ -12849,7 +13099,7 @@ index 1a03abd..0335af9 100644
# For labeling types that are to be polyinstantiated
attribute polydir;
@@ -48,28 +52,45 @@ attribute usercanread;
@@ -48,47 +52,55 @@ attribute usercanread;
#
type boot_t;
files_mountpoint(boot_t)
@ -12897,15 +13147,19 @@ index 1a03abd..0335af9 100644
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t;
#
type file_t;
files_mountpoint(file_t)
+files_base_file(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)
@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0)
#
-# file_t is the default type of a file that has not yet been
-# assigned an extended attribute (EA) value (when using a filesystem
-# that supports EAs).
-#
-type file_t;
-files_mountpoint(file_t)
-kernel_rootfs_mountpoint(file_t)
-sid file gen_context(system_u:object_r:file_t,s0)
-
-#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
@ -12913,7 +13167,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
@@ -96,12 +119,13 @@ files_poly_parent(home_root_t)
@@ -96,12 +108,13 @@ files_poly_parent(home_root_t)
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
@ -12928,7 +13182,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(mnt_t)
#
@@ -123,6 +147,7 @@ files_type(readable_t)
@@ -123,6 +136,7 @@ files_type(readable_t)
# root_t is the type for rootfs and the root directory.
#
type root_t;
@ -12936,7 +13190,7 @@ index 1a03abd..0335af9 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
@@ -133,45 +158,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
@@ -133,45 +147,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@ -12991,7 +13245,7 @@ index 1a03abd..0335af9 100644
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
@@ -180,6 +214,7 @@ files_mountpoint(var_lock_t)
@@ -180,6 +203,7 @@ files_mountpoint(var_lock_t)
# used for pid and other runtime files.
#
type var_run_t;
@ -12999,7 +13253,7 @@ index 1a03abd..0335af9 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
@@ -187,7 +222,9 @@ files_mountpoint(var_run_t)
@@ -187,7 +211,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@ -13009,7 +13263,7 @@ index 1a03abd..0335af9 100644
########################################
#
@@ -224,12 +261,13 @@ fs_associate_tmpfs(tmpfsfile)
@@ -224,12 +250,13 @@ fs_associate_tmpfs(tmpfsfile)
#
# Create/access any file in a labeled filesystem;
@ -15284,7 +15538,7 @@ index e100d88..2b0a5b3 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..88cbe95 100644
index 8dbab4c..b33d885 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@ -15335,15 +15589,22 @@ index 8dbab4c..88cbe95 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -165,6 +178,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -165,6 +178,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
type unlabeled_t;
fs_associate(unlabeled_t)
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+allow unlabeled_t self:filesystem associate;
+
+# Need the following because we are type alias of file_t.
+files_mountpoint(unlabeled_t)
+files_base_file(unlabeled_t)
+kernel_rootfs_mountpoint(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
+typealias unlabeled_t alias file_t;
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +203,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -189,6 +210,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
# kernel local policy
#
@ -15351,7 +15612,7 @@ index 8dbab4c..88cbe95 100644
allow kernel_t self:capability ~sys_module;
allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow kernel_t self:shm create_shm_perms;
@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
@@ -233,7 +255,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@ -15359,7 +15620,7 @@ index 8dbab4c..88cbe95 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
@@ -244,17 +265,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@ -15385,7 +15646,7 @@ index 8dbab4c..88cbe95 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
@@ -263,7 +288,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@ -15395,7 +15656,7 @@ index 8dbab4c..88cbe95 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
@@ -277,25 +296,49 @@ files_list_root(kernel_t)
@@ -277,25 +303,49 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@ -15445,7 +15706,7 @@ index 8dbab4c..88cbe95 100644
')
optional_policy(`
@@ -305,6 +348,19 @@ optional_policy(`
@@ -305,6 +355,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@ -15465,7 +15726,7 @@ index 8dbab4c..88cbe95 100644
')
optional_policy(`
@@ -312,6 +368,10 @@ optional_policy(`
@@ -312,6 +375,10 @@ optional_policy(`
')
optional_policy(`
@ -15476,7 +15737,7 @@ index 8dbab4c..88cbe95 100644
# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -332,9 +392,6 @@ optional_policy(`
@@ -332,9 +399,6 @@ optional_policy(`
sysnet_read_config(kernel_t)
@ -15486,7 +15747,7 @@ index 8dbab4c..88cbe95 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
@@ -343,9 +400,7 @@ optional_policy(`
@@ -343,9 +407,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -15497,7 +15758,7 @@ index 8dbab4c..88cbe95 100644
')
tunable_policy(`nfs_export_all_rw',`
@@ -354,7 +409,7 @@ optional_policy(`
@@ -354,7 +416,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@ -15506,7 +15767,7 @@ index 8dbab4c..88cbe95 100644
')
')
@@ -367,6 +422,15 @@ optional_policy(`
@@ -367,6 +429,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@ -15522,7 +15783,7 @@ index 8dbab4c..88cbe95 100644
########################################
#
# Unlabeled process local policy
@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
@@ -409,4 +480,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;


@ -71040,7 +71040,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
index c99753f..5e27523 100644
index c99753f..2eb5455 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@ -71059,7 +71059,7 @@ index c99753f..5e27523 100644
type mdadm_var_run_t alias mdadm_map_t;
files_pid_file(mdadm_var_run_t)
dev_associate(mdadm_var_run_t)
@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
@@ -25,44 +34,64 @@ dev_associate(mdadm_var_run_t)
#
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
@ -71098,10 +71098,12 @@ index c99753f..5e27523 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
-dev_dontaudit_getattr_all_blk_files(mdadm_t)
-dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_read_all_blk_files(mdadm_t)
+dev_dontaudit_read_all_chr_files(mdadm_t)
+dev_read_crash(mdadm_t)
+dev_read_framebuffer(mdadm_t)
dev_read_realtime_clock(mdadm_t)
@ -76722,7 +76724,7 @@ index 0bf13c2..d59aef7 100644
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
diff --git a/rpc.te b/rpc.te
index 2da9fca..11e7bfe 100644
index 2da9fca..2497a03 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
@ -77028,7 +77030,7 @@ index 2da9fca..11e7bfe 100644
miscfiles_read_generic_certs(gssd_t)
userdom_signal_all_users(gssd_t)
+userdom_read_all_users_keys(gssd_t)
+userdom_manage_all_users_keys(gssd_t)
-tunable_policy(`allow_gssd_read_tmp',`
+tunable_policy(`gssd_read_tmp',`

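Review bot: `dev_read_crash(mdadm_t)` and `dev_read_framebuffer(mdadm_t)` in the raid.te hunk are `allow` grants, not `dontaudit`, and nothing in the hunk says why an md array manager needs to read the crash-dump or framebuffer device nodes; the adjacent `dev_dontaudit_read_all_blk_files(mdadm_t)` / `dev_dontaudit_read_all_chr_files(mdadm_t)` lines already silence the denials that scanning /dev produces. If these two lines were added only to quiet AVCs, the dontaudit rules cover that and they should be dropped; if there is a real need, a one-line comment above them naming the operation (e.g. `# mdadm reads <device> when <operation> — TODO state the case`) keeps the grant reviewable. The mdadm_t local policy continues outside the visible hunk. In the rpc.te hunk, `userdom_manage_all_users_keys(gssd_t)` gives gssd write and search over every user's keyring where `userdom_read_all_users_keys(gssd_t)` grants read only; if both lines are on the new side the read line is subsumed and should go, and the manage grant deserves a comment stating which gssd operation requires it.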

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -576,7 +576,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Mon Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
* Mon Jan 13 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-13
- Remove file_t from the system and realias it with unlabeled_t
* Thu Jan 9 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-12
- Add gluster fixes
- Remove ability to transition to unconfined_t from confined domains
- Additional allow rules to get libvirt-lxc containers working with docker