- Fixes for svirt

2009-03-27 00:01:52 +00:00 · 2009-03-27 00:01:52 +00:00 · 6130d52b7c
parent 9ca87fc9d8
commit 6130d52b7c
2 changed files with 52 additions and 52 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -4524,8 +4524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-03-05 14:09:51.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc	2009-03-24 15:09:41.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc	2009-03-25 08:24:42.000000000 -0400
-@@ -91,6 +91,7 @@
+@@ -91,6 +90,7 @@
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -12127,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/hal.te	2009-03-24 10:36:54.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/hal.te	2009-03-26 08:23:58.000000000 -0400
@@ -49,6 +49,15 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -12251,7 +12251,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(hald_mac_t)
 ########################################
-@@ -418,3 +459,49 @@
+@@ -415,6 +456,53 @@
 dev_rw_input_dev(hald_keymap_t)
 +files_read_etc_files(hald_keymap_t)
 files_read_usr_files(hald_keymap_t)
 miscfiles_read_localization(hald_keymap_t)
@ -21299,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-03-24 15:41:15.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-03-26 14:25:09.000000000 -0400
@@ -8,20 +8,18 @@
 ## <desc>
@ -21338,7 +21342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type virt_log_t;
 logging_log_file(virt_log_t)
-@@ -48,17 +50,40 @@
+@@ -48,17 +50,39 @@
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
@ -21351,7 +21355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +virt_domain_template(svirt)
 +virtual_separated_domain(svirt_t)
 +role system_r types svirt_t;
 +
 +type svirt_cache_t;
@ -21381,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -67,7 +92,11 @@
+@@ -67,7 +91,11 @@
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -21394,7 +21397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +115,7 @@
+@@ -86,6 +114,7 @@
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_load_module(virtd_t)
@ -21402,7 +21405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -96,7 +126,7 @@
+@@ -96,7 +125,7 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -21411,11 +21414,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +134,38 @@
+@@ -104,21 +133,39 @@
 dev_read_sysfs(virtd_t)
 dev_read_rand(virtd_t)
-+dev_read_kvm(virtd_t)
+dev_rw_kvm(virtd_t)
 +dev_getattr_all_chr_files(virtd_t)
 # Init script handling
@ -21440,6 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_list_auto_mountpoints(virtd_t)
 +fs_getattr_xattr_fs(virtd_t)
 +fs_rw_anon_inodefs_files(virtd_t)
 +storage_manage_fixed_disk(virtd_t)
 +storage_relabel_fixed_disk(virtd_t)
@ -21451,19 +21455,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_getattr_pty_fs(virtd_t)
 term_use_ptmx(virtd_t)
-@@ -129,6 +176,11 @@
+@@ -129,6 +176,13 @@
 logging_send_syslog_msg(virtd_t)
 +sysnet_domtrans_ifconfig(virtd_t)
 +
 +virtual_transition(virtd_t)
 +
 +userdom_dontaudit_list_admin_dir(virtd_t)
 +userdom_getattr_all_users(virtd_t)
 +userdom_search_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
 tunable_policy(`virt_use_nfs',`
-@@ -167,22 +219,34 @@
+@@ -167,22 +221,34 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -21481,14 +21487,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#')
 +optional_policy(`
 +	kerberos_keytab_template(virtd, virtd_t)
 +')
 +
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
 optional_policy(`
 -	qemu_domtrans(virtd_t)
 +	lvm_domtrans(virtd_t)
 +')
 +
 +optional_policy(`
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +	polkit_read_lib(virtd_t)
@ -21503,7 +21509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -198,5 +262,76 @@
+@@ -198,5 +264,74 @@
 ')
 optional_policy(`
@ -21524,8 +21530,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +# svirt local policy
 +#
 +domain_user_exemption_target(svirt_t)
 +allow virtd_t svirt_t:process { setsched transition signal signull sigkill };
 +
 +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
 +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
@ -29350,8 +29354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# No application file contexts.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-24 09:03:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-26 14:24:01.000000000 -0400
-@@ -0,0 +1,118 @@
+@@ -0,0 +1,110 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
 +########################################
@ -29385,32 +29389,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
 +##	Make the specified type a virtual domain
 +## </summary>
 +## <desc>
 +##	<p>
 +##	Make the specified type a virtual domain
 +##	</p>
 +##	<p>
 +##	Gives the basic access required for a virtual operatins system
 +##	</p>
 +## </desc>
 +## <param name="type">
 +##	<summary>
 +##	Type granted access
 +##	</summary>
 +## </param>
 +#
 +interface(`virtual_separated_domain',`
 +	gen_require(`
 +		attribute virtualseparateddomain;
 +	')
 +
 +	typeattribute $1 virtualseparateddomain;
 +')
 +
 +########################################
 +## <summary>
 +##	Make the specified type usable as a virtual os image
 +## </summary>
 +## <param name="type">
@ -29470,10 +29448,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 virtual_image_type:file { relabelfrom relabelto };
 +')
 +
 +########################################
 +## <summary>
 +##	Allow domain to transition and control virtualdomain
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`virtual_transition',`
 +	gen_require(`
 +		attribute virtualdomain;
 +	')
 +
 +	allow $1 virtualdomain:process { setsched transition signal signull sigkill };
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-24 09:03:48.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-26 14:21:16.000000000 -0400
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,81 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@ -29517,6 +29513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_rw_qemu(virtualdomain)
 +
 +domain_use_interactive_fds(virtualdomain)
 +domain_user_exemption_target(virtualdomain)
 +
 +files_read_etc_files(virtualdomain)
 +files_read_usr_files(virtualdomain)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
 %endif
 %changelog
 * Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
 - Fixes for svirt
 * Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
 - Fixes to allow svirt read iso files in homedir