- Fix dhcpc startup of service

This commit is contained in:
Daniel J Walsh 2007-08-10 20:04:48 +00:00
parent bf33202534
commit 60a9ef60f0
2 changed files with 136 additions and 26 deletions


@ -468,7 +468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloa
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.5/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/consoletype.te 2007-08-10 15:47:06.000000000 -0400
@@ -8,9 +8,11 @@
type consoletype_t;
@ -504,6 +504,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
logrotate_dontaudit_use_fds(consoletype_t)
')
@@ -114,3 +120,7 @@
xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
xen_dontaudit_use_fds(consoletype_t)
')
+
+optional_policy(`
+ unconfined_use_terminals(consoletype_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.5/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/kudzu.te 2007-08-07 09:39:49.000000000 -0400
@ -656,8 +664,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.5/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-07 09:39:49.000000000 -0400
@@ -113,6 +113,7 @@
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-10 15:49:00.000000000 -0400
@@ -94,9 +94,14 @@
')
optional_policy(`
+ unconfined_dontaudit_use_terminals(netutils_t)
+')
+
+optional_policy(`
xen_append_log(netutils_t)
')
+
########################################
#
# Ping local policy
@@ -113,6 +118,7 @@
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
@ -3145,7 +3168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/apache.if 2007-08-10 15:52:40.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@ -4997,7 +5020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/dbus.te 2007-08-10 15:24:38.000000000 -0400
@@ -23,6 +23,9 @@
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@ -5017,6 +5040,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
@@ -116,9 +121,18 @@
')
optional_policy(`
+ rhgb_use_ptys(system_dbusd_t)
+')
+
+optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
optional_policy(`
udev_read_db(system_dbusd_t)
')
+
+optional_policy(`
+ unconfined_use_terminals(system_dbusd_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.5/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/dhcp.te 2007-08-07 09:39:49.000000000 -0400
@ -5961,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 11:35:13.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 15:24:52.000000000 -0400
@@ -41,6 +41,8 @@
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
@ -5983,14 +6025,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
ppp_signal(NetworkManager_t)
@@ -166,6 +173,7 @@
@@ -166,8 +173,10 @@
')
optional_policy(`
+ unconfined_rw_pipes(NetworkManager_t)
# Read gnome-keyring
unconfined_read_home_content_files(NetworkManager_t)
+ unconfined_use_terminals(NetworkManager_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.0.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/nis.fc 2007-08-07 09:39:49.000000000 -0400
@ -6133,6 +6178,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ntp.if 2007-08-10 15:57:31.000000000 -0400
@@ -53,3 +53,41 @@
corecmd_search_bin($1)
domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## ntp pid file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_manage_pid',`
+ gen_require(`
+ type ntpd_var_run_t;
+ ')
+ manage_files_pattern($1,ntpd_var_run_t,ntpd_var_run_t)
+ files_pid_filetrans($1,ntpd_var_run_t,file)
+')
+
+########################################
+## <summary>
+## Send generic signals to the ntp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_signal',`
+ gen_require(`
+ type ntpd_t;
+ ')
+
+ allow $1 ntpd_t:process signal;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ntp.te 2007-08-07 09:39:49.000000000 -0400
@ -7373,6 +7463,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
+ allow $1 sendmail_t:process signal;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/sendmail.te 2007-08-10 13:14:09.000000000 -0400
@@ -130,6 +130,10 @@
')
optional_policy(`
+ rhgb_use_ptys(sendmail_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(sendmail_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/setroubleshoot.if 2007-08-07 09:39:49.000000000 -0400
@ -9912,7 +10016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/modutils.te 2007-08-10 14:08:13.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@ -9975,7 +10079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
hotplug_search_config(insmod_t)
')
@@ -149,6 +163,7 @@
@@ -149,10 +163,12 @@
optional_policy(`
rpm_rw_pipes(insmod_t)
@ -9983,7 +10087,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
')
optional_policy(`
@@ -179,6 +194,7 @@
unconfined_dontaudit_rw_pipes(insmod_t)
+ unconfined_dontaudit_use_terminals(insmod_t)
')
optional_policy(`
@@ -179,6 +195,7 @@
files_read_kernel_symbol_table(depmod_t)
files_read_kernel_modules(depmod_t)
@ -9991,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
fs_getattr_xattr_fs(depmod_t)
@@ -205,9 +221,12 @@
@@ -205,9 +222,12 @@
userdom_read_staff_home_content_files(depmod_t)
userdom_read_sysadm_home_content_files(depmod_t)
@ -10738,7 +10847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if 2007-08-10 15:24:16.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -11119,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 11:57:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 13:44:41.000000000 -0400
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -11679,14 +11788,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -985,15 +1051,53 @@
@@ -985,15 +1051,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
- userdom_poly_home_template($1)
- userdom_poly_tmp_template($1)
+ auth_exec_pam($1_t)
+
+ optional_policy(`
+ loadkeys_run($1_t,$1_r,$1_tty_device_t)
+ ')
@ -11737,7 +11844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
@@ -1024,20 +1128,12 @@
@@ -1024,20 +1126,12 @@
kernel_dontaudit_read_ring_buffer($1_t)
')
@ -11764,7 +11871,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
optional_policy(`
@@ -1054,17 +1150,6 @@
@@ -1054,17 +1148,6 @@
setroubleshoot_stream_connect($1_t)
')
@ -11782,7 +11889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
#######################################
@@ -1102,6 +1187,8 @@
@@ -1102,6 +1185,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@ -11791,7 +11898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
##############################
#
# Declarations
@@ -1127,7 +1214,7 @@
@@ -1127,7 +1212,7 @@
# $1_t local policy
#
@ -11800,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
@@ -1139,7 +1226,11 @@
@@ -1139,7 +1224,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@ -11813,7 +11920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1902,6 +1993,41 @@
@@ -1902,6 +1991,41 @@
########################################
## <summary>
@ -11855,7 +11962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
@@ -3078,7 +3204,7 @@
@@ -3078,7 +3202,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -11864,7 +11971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -5323,7 +5449,7 @@
@@ -5323,7 +5447,7 @@
attribute user_tmpfile;
')
@ -11873,7 +11980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5559,3 +5685,280 @@
@@ -5559,3 +5683,280 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
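Review bot: The new terminal rules are inconsistent across the modules touched here: consoletype_t, system_dbusd_t and NetworkManager_t receive the allow form `unconfined_use_terminals(...)`, while netutils_t and insmod_t receive `unconfined_dontaudit_use_terminals(...)`. If the intent is only to silence denials when these services are started from an unconfined shell, the dontaudit variant keeps the narrower policy; the allow form should be reserved for domains that actually need the terminal, and a one-line comment above each such allow naming the observed need would make that distinction reviewable. In ntp.if, `ntp_manage_pid` omits the blank line after `gen_require` that the sibling `ntp_signal` has, and its name may not match the `*_manage_pid_files` naming used by comparable interfaces elsewhere in refpolicy — worth confirming against the tree before it is used by callers. The commit message names only the dhcpc startup fix, yet the patch also changes ntp, sendmail, modutils, userdomain and unconfined; listing those in the changelog would help later bisection.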


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.5
Release: 4%{?dist}
Release: 5%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -360,6 +360,9 @@ exit 0
%endif
%changelog
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-5
- Fix dhcpc startup of service
* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-4
- Fix dbus chat to not happen for xguest and guest users