- Fixes for svirt
This commit is contained in:
parent
9ca87fc9d8
commit
6130d52b7c
@ -4524,8 +4524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500
|
||||
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400
|
||||
@@ -91,6 +91,7 @@
|
||||
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-25 08:24:42.000000000 -0400
|
||||
@@ -91,6 +90,7 @@
|
||||
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
@ -12127,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-26 08:23:58.000000000 -0400
|
||||
@@ -49,6 +49,15 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -12251,7 +12251,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(hald_mac_t)
|
||||
|
||||
########################################
|
||||
@@ -418,3 +459,49 @@
|
||||
@@ -415,6 +456,53 @@
|
||||
|
||||
dev_rw_input_dev(hald_keymap_t)
|
||||
|
||||
+files_read_etc_files(hald_keymap_t)
|
||||
files_read_usr_files(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
@ -21299,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400
|
||||
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-26 14:25:09.000000000 -0400
|
||||
@@ -8,20 +8,18 @@
|
||||
|
||||
## <desc>
|
||||
@ -21338,7 +21342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
@@ -48,17 +50,40 @@
|
||||
@@ -48,17 +50,39 @@
|
||||
type virtd_initrc_exec_t;
|
||||
init_script_file(virtd_initrc_exec_t)
|
||||
|
||||
@ -21351,7 +21355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
+
|
||||
+virt_domain_template(svirt)
|
||||
+virtual_separated_domain(svirt_t)
|
||||
+role system_r types svirt_t;
|
||||
+
|
||||
+type svirt_cache_t;
|
||||
@ -21381,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
|
||||
@@ -67,7 +92,11 @@
|
||||
@@ -67,7 +91,11 @@
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -21394,7 +21397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -86,6 +115,7 @@
|
||||
@@ -86,6 +114,7 @@
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
kernel_load_module(virtd_t)
|
||||
@ -21402,7 +21405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -96,7 +126,7 @@
|
||||
@@ -96,7 +125,7 @@
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_generic_node(virtd_t)
|
||||
@ -21411,11 +21414,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -104,21 +134,38 @@
|
||||
@@ -104,21 +133,39 @@
|
||||
|
||||
dev_read_sysfs(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
+dev_read_kvm(virtd_t)
|
||||
+dev_rw_kvm(virtd_t)
|
||||
+dev_getattr_all_chr_files(virtd_t)
|
||||
|
||||
# Init script handling
|
||||
@ -21440,6 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
+fs_getattr_xattr_fs(virtd_t)
|
||||
+fs_rw_anon_inodefs_files(virtd_t)
|
||||
|
||||
+storage_manage_fixed_disk(virtd_t)
|
||||
+storage_relabel_fixed_disk(virtd_t)
|
||||
@ -21451,19 +21455,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_getattr_pty_fs(virtd_t)
|
||||
term_use_ptmx(virtd_t)
|
||||
|
||||
@@ -129,6 +176,11 @@
|
||||
@@ -129,6 +176,13 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
+sysnet_domtrans_ifconfig(virtd_t)
|
||||
+
|
||||
+virtual_transition(virtd_t)
|
||||
+
|
||||
+userdom_dontaudit_list_admin_dir(virtd_t)
|
||||
+userdom_getattr_all_users(virtd_t)
|
||||
+userdom_search_user_home_content(virtd_t)
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
@@ -167,22 +219,34 @@
|
||||
@@ -167,22 +221,34 @@
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
@ -21481,14 +21487,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-#')
|
||||
+optional_policy(`
|
||||
+ kerberos_keytab_template(virtd, virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_domtrans(virtd_t)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- qemu_domtrans(virtd_t)
|
||||
+ lvm_domtrans(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(virtd_t)
|
||||
+ polkit_domtrans_resolve(virtd_t)
|
||||
+ polkit_read_lib(virtd_t)
|
||||
@ -21503,7 +21509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,5 +262,76 @@
|
||||
@@ -198,5 +264,74 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -21524,8 +21530,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#
|
||||
+# svirt local policy
|
||||
+#
|
||||
+domain_user_exemption_target(svirt_t)
|
||||
+allow virtd_t svirt_t:process { setsched transition signal signull sigkill };
|
||||
+
|
||||
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
|
||||
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
|
||||
@ -29350,8 +29354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# No application file contexts.
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
|
||||
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-24 09:03:48.000000000 -0400
|
||||
@@ -0,0 +1,118 @@
|
||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400
|
||||
@@ -0,0 +1,110 @@
|
||||
+## <summary>Virtual machine emulator and virtualizer</summary>
|
||||
+
|
||||
+########################################
|
||||
@ -29385,32 +29389,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Make the specified type a virtual domain
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Make the specified type a virtual domain
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## Gives the basic access required for a virtual operatins system
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+## <param name="type">
|
||||
+## <summary>
|
||||
+## Type granted access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virtual_separated_domain',`
|
||||
+ gen_require(`
|
||||
+ attribute virtualseparateddomain;
|
||||
+ ')
|
||||
+
|
||||
+ typeattribute $1 virtualseparateddomain;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Make the specified type usable as a virtual os image
|
||||
+## </summary>
|
||||
+## <param name="type">
|
||||
@ -29470,10 +29448,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $1 virtual_image_type:file { relabelfrom relabelto };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow domain to transition and control virtualdomain
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`virtual_transition',`
|
||||
+ gen_require(`
|
||||
+ attribute virtualdomain;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
|
||||
+')
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
|
||||
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-24 09:03:48.000000000 -0400
|
||||
@@ -0,0 +1,80 @@
|
||||
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400
|
||||
@@ -0,0 +1,81 @@
|
||||
+
|
||||
+policy_module(virtualization, 1.1.2)
|
||||
+
|
||||
@ -29517,6 +29513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+dev_rw_qemu(virtualdomain)
|
||||
+
|
||||
+domain_use_interactive_fds(virtualdomain)
|
||||
+domain_user_exemption_target(virtualdomain)
|
||||
+
|
||||
+files_read_etc_files(virtualdomain)
|
||||
+files_read_usr_files(virtualdomain)
|
||||
|
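Review bot: The `virtual_transition` interface added to virtual.if documents its parameter as `Domain to not audit.` under `<param name="domain">`, which reads like a copy-paste from a dontaudit interface and contradicts the summary (the interface grants `setsched transition signal signull sigkill` on virtualdomain); it should read `Domain allowed access.`. The `virtual_separated_domain` description in the same file also has the typo `operatins` for `operating`. Separately, virt.te gains both `virtual_transition(virtd_t)` and an explicit `allow virtd_t svirt_t:process { setsched transition signal signull sigkill };`; if `virt_domain_template` assigns the virtualdomain attribute to svirt_t (the template body is outside this page), the explicit rule duplicates what the interface already grants and could be dropped so the svirt permissions live in one place. The `storage_manage_fixed_disk(virtd_t)` and `storage_relabel_fixed_disk(virtd_t)` grants are broad raw-disk write and relabel rights; a one-line why-comment such as `# presumably needed to hand raw block devices to guests and relabel them for svirt -- confirm` would help later reviewers judge whether the scope is still justified.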
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.10
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -444,6 +444,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
|
||||
- Fixes for svirt
|
||||
|
||||
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
|
||||
- Fixes to allow svirt read iso files in homedir
|
||||
|
||||
|