From 5d168a352bfd7804b39320f1b00bd7f9928a6ef0 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Wed, 10 Nov 2010 11:04:39 +0100
Subject: [PATCH] - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy - Allow mpd to be able to read samba/nfs files
---
policy-F15.patch | 42 ++++++++++++++++++++++++++++++------------
selinux-policy.spec | 7 ++++++-
2 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/policy-F15.patch b/policy-F15.patch
index 9afa3e26..f8f4f667 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -24082,10 +24082,10 @@ index 0000000..311aaed
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..68af4e8
+index 0000000..5391d10
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,121 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -24184,6 +24184,16 @@ index 0000000..68af4e8
+userdom_read_home_audio_files(mpd_t)
+userdom_read_user_tmpfs_files(mpd_t)
+
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(mpd_t)
++ fs_read_cifs_symlinks(mpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(mpd_t)
++ fs_read_nfs_symlinks(mpd_t)
++')
++
+optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
@@ -30843,7 +30853,7 @@ index de37806..229a3c7 100644
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..8d40ec9 100644
+index 93c896a..b6f0f45 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0)
@@ -30876,7 +30886,7 @@ index 93c896a..8d40ec9 100644
#####################################
#
# dlm_controld local policy
-@@ -55,17 +61,13 @@ fs_manage_configfs_dirs(dlm_controld_t)
+@@ -55,20 +61,17 @@ fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
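Review bot: The two new tunable_policy blocks for mpd_t carry no comment saying how far the grant reaches: fs_read_cifs_files and fs_read_nfs_files operate on the cifs_t and nfs_t labels, which cover whole mounts, so once use_samba_home_dirs or use_nfs_home_dirs is on, mpd_t can read any file on any CIFS or NFS mount, not only audio under home directories as the boolean names suggest. A one-line comment above the first block, `# cifs_t/nfs_t label whole mounts: read access to every file on them, not only home audio`, would keep a later reader from assuming the tunables scope it to home. Read-only interfaces (no write or manage) are the right shape for a playback daemon and match the neighbouring `+userdom_read_home_audio_files(mpd_t)`. The rest of the mpd_t policy in mpd.te lies outside this hunk.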
@@ -30895,7 +30905,11 @@ index 93c896a..8d40ec9 100644
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
-@@ -82,7 +84,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
++allow fenced_t self:unix_stream_socket connectto;
+
+ can_exec(fenced_t, fenced_exec_t)
+
+@@ -82,7 +85,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
@@ -30906,7 +30920,7 @@ index 93c896a..8d40ec9 100644
corenet_tcp_connect_http_port(fenced_t)
-@@ -104,9 +109,13 @@ tunable_policy(`fenced_can_network_connect',`
+@@ -104,9 +110,13 @@ tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
@@ -30921,7 +30935,7 @@ index 93c896a..8d40ec9 100644
')
optional_policy(`
-@@ -120,7 +129,6 @@ optional_policy(`
+@@ -120,7 +130,6 @@ optional_policy(`
#
allow gfs_controld_t self:capability { net_admin sys_resource };
@@ -30929,7 +30943,7 @@ index 93c896a..8d40ec9 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +147,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +148,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -30940,15 +30954,19 @@ index 93c896a..8d40ec9 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,7 +158,6 @@ optional_policy(`
+@@ -154,9 +159,10 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
- allow groupd_t self:shm create_shm_perms;
++domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
++
dev_list_sysfs(groupd_t)
+
+ files_read_etc_files(groupd_t)
+@@ -168,8 +174,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
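Review bot: The new `allow fenced_t self:unix_stream_socket connectto;` has no comment saying why a daemon needs to connect to a socket of its own domain; presumably it is because fence_node now runs as fenced_t (the domtrans_pattern from groupd_t added further down in this file section) and then connects to the fenced daemon's unix socket, so client and server end up in one domain. A one-line comment next to the rule, `# fence_node runs as fenced_t and connects to the fenced daemon's unix socket`, would record that dependency where the rule lives rather than in the commit subject. As far as the counts here show, the rewritten inner header `+@@ -55,20 +61,17 @@` agrees with the one new rule and three context lines pulled into that inner hunk, and the later inner offsets shift by one accordingly.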
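Review bot: `domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)` puts fence_node, when groupd runs it, into the full fenced_t daemon domain, so the helper inherits everything fenced_t holds, including the `corenet_tcp_connect_all_ports(fenced_t)` that the fenced_can_network_connect tunable grants in the hunk at @@ -30906; a comment above the rule, `# fence_node is fenced_exec_t: run it as the fenced daemon rather than in groupd_t`, would make that trust decision explicit and point a reader at the tunable that widens it. That is a least-privilege observation, not a defect: a separate helper domain would be tighter, but nothing in the hunk suggests it was intended. As rendered here the hunk shows `+@@ -168,8 +174,7 @@` without the matching removed header line, which looks like a gap in this view rather than in the patch; the counts in `+@@ -154,9 +159,10 @@` do match the two new lines and two added context lines.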
@@ -30958,7 +30976,7 @@ index 93c896a..8d40ec9 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -207,10 +209,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -30969,7 +30987,7 @@ index 93c896a..8d40ec9 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +221,24 @@ optional_policy(`
+@@ -223,18 +224,24 @@ optional_policy(`
# rhcs domains common policy
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 37811006..6253bd83 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
%endif
%changelog
+* Wed Nov 10 2010 Miroslav Grepl 3.9.8-4
+- Allow groupd transition to fenced domain when executes fence_node
+- Fixes for rchs policy
+- Allow mpd to be able to read samba/nfs files
+
* Tue Nov 9 2010 Dan Walsh 3.9.8-3
- Fix up corecommands.fc to match upstream
- Make sure /lib/systemd/* is labeled init_exec_t