rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow hal/pm-utils to look at /var/run/video.rom 

- Add ulogd policy
This commit is contained in:
Daniel J Walsh 2008-11-05 18:26:36 +00:00
parent 411a424e1c
commit 6a09cfb688
6 changed files with 400 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
booleans-minimum.conf
View File

@ -229,7 +229,7 @@ user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
allow_qemu_full_network=true
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#

2
booleans-targeted.conf
View File

@ -229,7 +229,7 @@ user_rw_noexattrfile=true
# Allow qemu to connect fully to the network
#
allow_qemu_full_network=true
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#

7
modules-minimum.conf
View File

@ -1293,6 +1293,13 @@ userdomain = base
#
unconfined = module
# Layer: services
# Module: ulogd
#
#
#
ulogd = module
# Layer: apps
# Module: wine
#

7
modules-targeted.conf
View File

@ -1293,6 +1293,13 @@ userdomain = base
#
unconfined = module
# Layer: services
# Module: ulogd
#
#
#
ulogd = module
# Layer: apps
# Module: wine
#

428
policy-20080710.patch
View File

@ -16212,7 +16212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-11-04 13:26:50.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -16244,13 +16244,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_search_nfs_state_data(hald_t)
')
@@ -300,12 +310,16 @@
@@ -300,12 +310,20 @@
vbetool_domtrans(hald_t)
')
+optional_policy(`
+ virt_manage_images(hald_t)
+')
+
+optional_policy(`
+ xserver_read_pid(hald_t)
+')
+
########################################
#
@ -16262,7 +16266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -344,13 +358,22 @@
@@ -344,13 +362,22 @@
libs_use_ld_so(hald_acl_t)
libs_use_shared_libs(hald_acl_t)
@ -16285,7 +16289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;
@@ -359,6 +382,8 @@
@@ -359,6 +386,8 @@
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@ -16294,7 +16298,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_system_state(hald_mac_t)
dev_read_raw_memory(hald_mac_t)
@@ -366,6 +391,9 @@
@@ -366,6 +395,9 @@
dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
@ -16304,7 +16308,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
@@ -388,6 +416,8 @@
@@ -388,6 +420,8 @@
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_sonypic_t)
@ -16313,7 +16317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_usr_files(hald_sonypic_t)
libs_use_ld_so(hald_sonypic_t)
@@ -408,6 +438,8 @@
@@ -408,6 +442,8 @@
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_keymap_t)
@ -16322,7 +16326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_input_dev(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
@@ -419,4 +451,4 @@
@@ -419,4 +455,4 @@
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
@ -18611,16 +18615,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
openct_signull(pcscd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.5.13/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te 2008-10-28 10:56:19.000000000 -0400
@@ -66,6 +66,7 @@
+++ serefpolicy-3.5.13/policy/modules/services/pegasus.te 2008-11-04 12:06:18.000000000 -0500
@@ -30,7 +30,7 @@
# Local policy
#
-allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service };
+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service };
dontaudit pegasus_t self:capability sys_tty_config;
allow pegasus_t self:process signal;
allow pegasus_t self:fifo_file rw_fifo_file_perms;
@@ -66,6 +66,8 @@
kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
+kernel_read_xen_state(pegasus_t)
+kernel_write_xen_state(pegasus_t)
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
@@ -96,13 +97,12 @@
@@ -96,13 +98,12 @@
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@ -18636,7 +18650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
@@ -118,7 +118,6 @@
@@ -118,7 +119,6 @@
miscfiles_read_localization(pegasus_t)
@ -18644,6 +18658,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_domtrans_ifconfig(pegasus_t)
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
@@ -130,6 +130,14 @@
')
optional_policy(`
+ samba_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ ssh_exec(pegasus_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
@@ -141,3 +149,13 @@
optional_policy(`
unconfined_signull(pegasus_t)
')
+
+optional_policy(`
+ virt_domtrans(pegasus_t)
+ virt_manage_config(pegasus_t)
+')
+
+optional_policy(`
+ xen_stream_connect(pegasus_t)
+ xen_stream_connect_xenstore(pegasus_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/polkit.fc 2008-10-28 10:56:19.000000000 -0400
@ -18896,8 +18939,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-04 09:58:08.000000000 -0500
@@ -0,0 +1,231 @@
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-05 11:49:03.000000000 -0500
@@ -0,0 +1,232 @@
+policy_module(polkit_auth, 1.0.0)
+
+########################################
@ -19062,6 +19105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+logging_send_syslog_msg(polkit_grant_t)
+
+polkit_domtrans_auth(polkit_grant_t)
+polkit_domtrans_resolve(polkit_grant_t)
+
+manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t)
+
@ -21627,7 +21671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 10:21:25.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 11:57:02.000000000 -0500
@@ -44,6 +44,44 @@
########################################
@ -22020,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-11-05 12:55:21.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@ -22203,7 +22247,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -452,6 +493,7 @@
@@ -379,8 +420,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_dirs_except_shadow(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_dirs_except_shadow(nmbd_t)
auth_read_all_files_except_shadow(nmbd_t)
')
@@ -452,6 +495,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@ -22211,7 +22266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
@@ -536,6 +578,7 @@
@@ -536,6 +580,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@ -22219,7 +22274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_list_bin(smbmount_t)
@@ -547,32 +590,46 @@
@@ -547,32 +592,46 @@
auth_use_nsswitch(smbmount_t)
@ -22272,7 +22327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -592,6 +649,9 @@
@@ -592,6 +651,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@ -22282,7 +22337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -616,10 +676,12 @@
@@ -616,10 +678,12 @@
dev_read_urand(swat_t)
@ -22295,7 +22350,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
@@ -628,6 +690,7 @@
@@ -628,6 +692,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@ -22303,7 +22358,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -645,6 +708,17 @@
@@ -645,6 +710,17 @@
kerberos_use(swat_t)
')
@ -22321,7 +22376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Winbind local policy
@@ -694,6 +768,8 @@
@@ -694,6 +770,8 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -22330,7 +22385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
@@ -780,8 +856,13 @@
@@ -780,8 +858,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@ -22344,7 +22399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -790,6 +871,16 @@
@@ -790,6 +873,16 @@
#
optional_policy(`
@ -22361,7 +22416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
@@ -800,9 +891,46 @@
@@ -800,9 +893,46 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -24432,6 +24487,209 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc
--- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc 2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,10 @@
+
+/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+
+/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+
+/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.if 2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,127 @@
+## <summary>policy for ulogd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+ gen_require(`
+ type ulogd_t, ulogd_exec_t;
+ ')
+
+ domtrans_pattern($1,ulogd_exec_t,ulogd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## ulogd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_read_config',`
+ gen_require(`
+ type ulogd_etc_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_read_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`ulogd_append_log',`
+ gen_require(`
+ type ulogd_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 ulogd_var_log_t:dir list_dir_perms;
+ allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ulogd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+ gen_require(`
+ type ulogd_t, ulogd_etc_t;
+ type ulogd_var_log_t, ulogd_initrc_exec_t;
+ type ulogd_modules_t;
+ ')
+
+ allow $1 ulogd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, ulogd_t)
+
+ init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 ulogd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, ulogd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, ulogd_var_log_t)
+
+ files_search_usr($1)
+ admin_pattern($1, ulogd_modules_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te
--- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/ulogd.te 2008-11-05 12:14:57.000000000 -0500
@@ -0,0 +1,54 @@
+policy_module(ulogd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )
+
+files_search_etc(ulogd_t)
+
+libs_use_ld_so(ulogd_t)
+libs_use_shared_libs(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
+
+permissive ulogd_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-28 10:56:19.000000000 -0400
@ -24445,8 +24703,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.5.13/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/virt.if 2008-10-28 10:56:19.000000000 -0400
@@ -78,6 +78,24 @@
+++ serefpolicy-3.5.13/policy/modules/services/virt.if 2008-11-04 11:58:23.000000000 -0500
@@ -41,6 +41,27 @@
########################################
## <summary>
+## manage virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
## Read virt PID files.
## </summary>
## <param name="domain">
@@ -78,6 +99,24 @@
########################################
## <summary>
@ -24471,7 +24757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search virt lib directories.
## </summary>
## <param name="domain">
@@ -196,6 +214,35 @@
@@ -196,6 +235,35 @@
########################################
## <summary>
@ -24507,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow domain to manage virt image files
## </summary>
## <param name="domain">
@@ -214,6 +261,7 @@
@@ -214,6 +282,7 @@
manage_dirs_pattern($1, virt_image_t, virt_image_t)
manage_files_pattern($1, virt_image_t, virt_image_t)
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
@ -24515,7 +24801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
@@ -243,11 +291,17 @@
@@ -243,11 +312,17 @@
interface(`virt_admin',`
gen_require(`
type virtd_t;
@ -24779,7 +25065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-04 13:27:32.000000000 -0500
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -24990,11 +25276,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-
- files_read_etc_files($1_xauth_t)
- files_search_pids($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
-
- fs_getattr_xattr_fs($1_xauth_t)
- fs_search_auto_mountpoints($1_xauth_t)
-
+ ps_process_pattern($2,xauth_t)
- # cjp: why?
- term_use_ptmx($1_xauth_t)
-
@ -25586,8 +25872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_t, xauth_exec_t;
+ ')
+
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
@ -25619,9 +25906,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+template(`xserver_read_user_xauth',`
+ gen_require(`
+ type xauth_home_t;
')
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ ')
+
+ allow $2 xauth_home_t:file read_file_perms;
+')
+
@ -25871,7 +26157,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
@@ -1710,8 +2020,157 @@
@@ -1710,8 +2020,176 @@
#
interface(`xserver_unconfined',`
gen_require(`
@ -25884,6 +26170,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Read xserver files created in /var/run
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_pid',`
+ gen_require(`
+ type xserver_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute xserver files created in /var/run
+## </summary>
+## <param name="domain">
@ -25995,8 +26300,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`xserver_dontaudit_rw_xdm_home_files',`
+ gen_require(`
+ type xdm_home_t;
+ ')
+
')
- typeattribute $1 xserver_unconfined_type;
+ dontaudit $1 xdm_home_t:file rw_file_perms;
+')
+
@ -26015,9 +26321,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`xserver_use_xdm',`
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
')
- typeattribute $1 xserver_unconfined_type;
+ ')
+
+ allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fifo_file rw_fifo_file_perms;
+ dontaudit $1 xdm_t:tcp_socket { read write };
@ -27665,6 +27970,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ xserver_rw_xdm_home_files(daemon)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2008-11-05 10:40:04.000000000 -0500
@@ -26,6 +26,7 @@
/usr/local/lib(64)?/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/local/lib(64)?/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2008-10-28 10:56:19.000000000 -0400
@ -27811,7 +28127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-05 11:29:07.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@ -27909,7 +28225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat
#
@@ -310,3 +329,15 @@
@@ -310,3 +329,18 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -27925,6 +28241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-10-28 10:56:19.000000000 -0400
@ -33597,7 +33916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.5.13/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/xen.if 2008-11-04 11:36:33.000000000 -0500
@@ -155,7 +155,7 @@
stream_connect_pattern($1,xenstored_var_run_t,xenstored_var_run_t,xenstored_t)
')
-########################################
+#######################################
## <summary>
## Connect to xend over an unix domain stream socket.
## </summary>
@@ -167,11 +167,14 @@
#
interface(`xen_stream_connect',`

7
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
Release: 14%{?dist}
Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -457,10 +457,15 @@ exit 0
%endif
%changelog
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
- Allow hal/pm-utils to look at /var/run/video.rom
- Add ulogd policy
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
- Additional fixes for cyphesis
- Fix certmaster file context
- Add policy for system-config-samba
- Allow hal to read /var/run/video.rom
* Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
- Allow dhcpc to restart ypbind