rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Handle /var/db/sudo 

- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
This commit is contained in:
Dan Walsh 2010-09-08 21:24:49 -04:00
parent 64d84cf8ec
commit 6e2d7f3a82
2 changed files with 215 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

287
policy-F14.patch
View File

@ -1545,11 +1545,38 @@ index a0aa8c5..1b60ad8 100644
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02..2b59ed0 100644
--- a/policy/modules/admin/sudo.fc
+++ b/policy/modules/admin/sudo.fc
@@ -1,2 +1,4 @@
/usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 5f44f1b..e753ac9 100644
index 5f44f1b..464a11e 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -76,6 +76,8 @@ template(`sudo_role_template',`
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
gen_require(`
type sudo_exec_t;
+ type sudo_db_t;
attribute sudodomain;
')
@@ -47,6 +48,9 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
##############################
#
# Local Policy
@@ -76,6 +80,8 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@ -1558,7 +1585,15 @@ index 5f44f1b..e753ac9 100644
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_file_perms;
allow $3 $1_sudo_t:process signal_perms;
@@ -134,12 +136,16 @@ template(`sudo_role_template',`
@@ -111,6 +117,7 @@ template(`sudo_role_template',`
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t)
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
@@ -134,12 +141,16 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
@ -1576,6 +1611,18 @@ index 5f44f1b..e753ac9 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index c368bdc..c927b85 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 6a5004b..50cd538 100644
--- a/policy/modules/admin/tmpreaper.te
@ -4880,7 +4927,7 @@ index 2ba7787..3b0d3be 100644
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 5c2680c..88fc6f6 100644
index 5c2680c..db96581 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@ -4900,7 +4947,7 @@ index 5c2680c..88fc6f6 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -94,11 +95,6 @@ logging_send_syslog_msg(pulseaudio_t)
@@ -94,10 +95,9 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
@ -4908,11 +4955,13 @@ index 5c2680c..88fc6f6 100644
-userdom_manage_user_home_content_files(pulseaudio_t)
-userdom_manage_user_tmp_files(pulseaudio_t)
-userdom_manage_user_tmpfs_files(pulseaudio_t)
-
+optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
')
@@ -131,6 +127,10 @@ optional_policy(`
@@ -131,6 +131,10 @@ optional_policy(`
')
optional_policy(`
@ -4923,7 +4972,7 @@ index 5c2680c..88fc6f6 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
@@ -148,3 +148,7 @@ optional_policy(`
@@ -148,3 +152,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@ -4932,10 +4981,35 @@ index 5c2680c..88fc6f6 100644
+ sandbox_manage_tmpfs_files(pulseaudio_t)
+')
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index c1d5f50..95bb89d 100644
index c1d5f50..8d8d961 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -275,6 +275,67 @@ interface(`qemu_domtrans_unconfined',`
@@ -157,6 +157,24 @@ interface(`qemu_domtrans',`
########################################
## <summary>
+## Execute a qemu in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_exec',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ can_exec($1, qemu_exec_t)
+')
+
+########################################
+## <summary>
## Execute qemu in the qemu domain.
## </summary>
## <param name="domain">
@@ -275,6 +293,67 @@ interface(`qemu_domtrans_unconfined',`
########################################
## <summary>
@ -5003,7 +5077,7 @@ index c1d5f50..95bb89d 100644
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
@@ -308,3 +369,24 @@ interface(`qemu_manage_tmp_files',`
@@ -308,3 +387,24 @@ interface(`qemu_manage_tmp_files',`
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
@ -15274,7 +15348,7 @@ index 35241ed..cbd01be 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f35b243..38a83ea 100644
index f35b243..c72dd92 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
@ -15569,7 +15643,7 @@ index f35b243..38a83ea 100644
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
tunable_policy(`fcron_crond', `
allow crond_t user_cron_spool_t:file manage_file_perms;
@ -15786,7 +15860,7 @@ index 2a0f1c1..ab82c3c 100644
snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 39e901a..e385f2f 100644
index 39e901a..63c82b7 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -42,8 +42,10 @@ template(`dbus_role_template',`
@ -15880,6 +15954,29 @@ index 39e901a..e385f2f 100644
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
@@ -479,3 +503,22 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
+
+########################################
+## <summary>
+## Delete all dbus pid files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_delete_pid_files',`
+ gen_require(`
+ type dbus_var_run_t;
+ ')
+
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b738e94..4b3d9c4 100644
--- a/policy/modules/services/dbus.te
@ -26466,7 +26563,7 @@ index 7c5d8d8..1a0701b 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3cce663..8f0fac9 100644
index 3cce663..5a77c23 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@ -26477,7 +26574,21 @@ index 3cce663..8f0fac9 100644
## <desc>
## <p>
@@ -50,12 +51,12 @@ gen_tunable(virt_use_usb, true)
@@ -42,6 +43,13 @@ gen_tunable(virt_use_sysfs, false)
## <desc>
## <p>
+## Allow virtual machine to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
+## <p>
## Allow virt to use usb devices
## </p>
## </desc>
@@ -50,12 +58,12 @@ gen_tunable(virt_use_usb, true)
virt_domain_template(svirt)
role system_r types svirt_t;
@ -26493,7 +26604,7 @@ index 3cce663..8f0fac9 100644
type virt_etc_t;
files_config_file(virt_etc_t)
@@ -65,20 +66,25 @@ files_type(virt_etc_rw_t)
@@ -65,20 +73,25 @@ files_type(virt_etc_rw_t)
# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
@ -26520,7 +26631,7 @@ index 3cce663..8f0fac9 100644
type virtd_t;
type virtd_exec_t;
@@ -89,6 +95,11 @@ domain_subj_id_change_exemption(virtd_t)
@@ -89,6 +102,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@ -26532,7 +26643,7 @@ index 3cce663..8f0fac9 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -104,15 +115,12 @@ ifdef(`enable_mls',`
@@ -104,15 +122,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@ -26549,7 +26660,7 @@ index 3cce663..8f0fac9 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -147,11 +155,15 @@ tunable_policy(`virt_use_fusefs',`
@@ -147,11 +162,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@ -26565,7 +26676,7 @@ index 3cce663..8f0fac9 100644
')
tunable_policy(`virt_use_sysfs',`
@@ -160,6 +172,7 @@ tunable_policy(`virt_use_sysfs',`
@@ -160,11 +179,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@ -26573,17 +26684,22 @@ index 3cce663..8f0fac9 100644
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
@@ -168,28 +181,39 @@ optional_policy(`
xen_rw_image_files(svirt_t)
')
optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(svirt_t)
+ ')
+')
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
+')
+
########################################
#
# virtd local policy
+optional_policy(`
xen_rw_image_files(svirt_t)
')
@@ -174,22 +204,29 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@ -26616,7 +26732,7 @@ index 3cce663..8f0fac9 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -200,9 +224,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -200,9 +237,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -26632,7 +26748,7 @@ index 3cce663..8f0fac9 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
@@ -220,6 +250,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@ -26640,7 +26756,7 @@ index 3cce663..8f0fac9 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
@@ -243,18 +274,27 @@ dev_read_rand(virtd_t)
@@ -243,18 +287,27 @@ dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@ -26669,7 +26785,7 @@ index 3cce663..8f0fac9 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
@@ -262,6 +302,17 @@ fs_rw_anon_inodefs_files(virtd_t)
@@ -262,6 +315,17 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@ -26687,7 +26803,7 @@ index 3cce663..8f0fac9 100644
mcs_process_set_categories(virtd_t)
@@ -286,15 +337,24 @@ modutils_manage_module_config(virtd_t)
@@ -286,15 +350,24 @@ modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@ -26712,15 +26828,16 @@ index 3cce663..8f0fac9 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -365,6 +425,7 @@ optional_policy(`
@@ -365,6 +438,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
+ qemu_entry_type(virt_domain)
+ qemu_exec(virt_domain)
')
optional_policy(`
@@ -402,6 +463,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
@@ -402,6 +477,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@ -26740,7 +26857,7 @@ index 3cce663..8f0fac9 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
@@ -422,6 +496,7 @@ corenet_rw_tun_tap_dev(virt_domain)
@@ -422,6 +510,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@ -26748,7 +26865,7 @@ index 3cce663..8f0fac9 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
@@ -429,10 +504,12 @@ dev_write_sound(virt_domain)
@@ -429,10 +518,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@ -26761,7 +26878,7 @@ index 3cce663..8f0fac9 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
@@ -440,6 +517,11 @@ files_search_all(virt_domain)
@@ -440,6 +531,11 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@ -26773,7 +26890,7 @@ index 3cce663..8f0fac9 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
@@ -457,8 +539,121 @@ optional_policy(`
@@ -457,8 +553,121 @@ optional_policy(`
')
optional_policy(`
@ -29943,7 +30060,7 @@ index f6aafe7..f28524b 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index abab4cf..a80b4c7 100644
index abab4cf..d96bf27 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -30058,7 +30175,7 @@ index abab4cf..a80b4c7 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
@@ -186,23 +217,92 @@ tunable_policy(`init_upstart',`
@@ -186,12 +217,74 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@ -30091,6 +30208,7 @@ index abab4cf..a80b4c7 100644
+ files_manage_all_pids_dirs(init_t)
+
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
+ fs_mount_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
@ -30120,18 +30238,19 @@ index abab4cf..a80b4c7 100644
+optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
')
optional_policy(`
+ dbus_delete_pid_files(init_t)
+')
+
+optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
+')
+
+optional_policy(`
nscd_socket_use(init_t)
')
optional_policy(`
@@ -199,10 +292,19 @@ optional_policy(`
')
optional_policy(`
@ -30151,7 +30270,7 @@ index abab4cf..a80b4c7 100644
unconfined_domain(init_t)
')
@@ -212,7 +312,7 @@ optional_policy(`
@@ -212,7 +314,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30160,7 +30279,7 @@ index abab4cf..a80b4c7 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -241,6 +341,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -241,6 +343,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -30168,7 +30287,7 @@ index abab4cf..a80b4c7 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -258,11 +359,22 @@ kernel_change_ring_buffer_level(initrc_t)
@@ -258,11 +361,22 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -30191,7 +30310,7 @@ index abab4cf..a80b4c7 100644
corecmd_exec_all_executables(initrc_t)
@@ -291,6 +403,7 @@ dev_read_sound_mixer(initrc_t)
@@ -291,6 +405,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@ -30199,7 +30318,7 @@ index abab4cf..a80b4c7 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -298,13 +411,13 @@ dev_manage_generic_files(initrc_t)
@@ -298,13 +413,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -30215,7 +30334,7 @@ index abab4cf..a80b4c7 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -323,8 +436,10 @@ files_getattr_all_symlinks(initrc_t)
@@ -323,8 +438,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -30227,7 +30346,7 @@ index abab4cf..a80b4c7 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
@@ -340,8 +455,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -340,8 +457,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -30241,7 +30360,7 @@ index abab4cf..a80b4c7 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -351,6 +470,8 @@ fs_mount_all_fs(initrc_t)
@@ -351,6 +472,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -30250,7 +30369,7 @@ index abab4cf..a80b4c7 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
@@ -363,6 +484,7 @@ mls_process_read_up(initrc_t)
@@ -363,6 +486,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -30258,7 +30377,7 @@ index abab4cf..a80b4c7 100644
selinux_get_enforce_mode(initrc_t)
@@ -394,13 +516,14 @@ logging_read_audit_config(initrc_t)
@@ -394,13 +518,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@ -30274,7 +30393,7 @@ index abab4cf..a80b4c7 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -473,7 +596,7 @@ ifdef(`distro_redhat',`
@@ -473,7 +598,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -30283,7 +30402,7 @@ index abab4cf..a80b4c7 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -519,6 +642,19 @@ ifdef(`distro_redhat',`
@@ -519,6 +644,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@ -30303,7 +30422,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -526,10 +662,17 @@ ifdef(`distro_redhat',`
@@ -526,10 +664,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -30321,7 +30440,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -544,6 +687,35 @@ ifdef(`distro_suse',`
@@ -544,6 +689,35 @@ ifdef(`distro_suse',`
')
')
@ -30357,7 +30476,7 @@ index abab4cf..a80b4c7 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -556,6 +728,8 @@ optional_policy(`
@@ -556,6 +730,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -30366,7 +30485,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -572,6 +746,7 @@ optional_policy(`
@@ -572,6 +748,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -30374,7 +30493,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -584,6 +759,11 @@ optional_policy(`
@@ -584,6 +761,11 @@ optional_policy(`
')
optional_policy(`
@ -30386,15 +30505,17 @@ index abab4cf..a80b4c7 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -600,6 +780,7 @@ optional_policy(`
@@ -600,6 +782,9 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
+ dbus_manage_lib_files(initrc_t)
+
+ init_dbus_chat(initrc_t)
optional_policy(`
consolekit_dbus_chat(initrc_t)
@@ -701,7 +882,13 @@ optional_policy(`
@@ -701,7 +886,13 @@ optional_policy(`
')
optional_policy(`
@ -30408,7 +30529,7 @@ index abab4cf..a80b4c7 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -724,6 +911,10 @@ optional_policy(`
@@ -724,6 +915,10 @@ optional_policy(`
')
optional_policy(`
@ -30419,7 +30540,7 @@ index abab4cf..a80b4c7 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -745,6 +936,10 @@ optional_policy(`
@@ -745,6 +940,10 @@ optional_policy(`
')
optional_policy(`
@ -30430,7 +30551,7 @@ index abab4cf..a80b4c7 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -766,8 +961,6 @@ optional_policy(`
@@ -766,8 +965,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -30439,7 +30560,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -776,14 +969,21 @@ optional_policy(`
@@ -776,14 +973,21 @@ optional_policy(`
')
optional_policy(`
@ -30461,7 +30582,7 @@ index abab4cf..a80b4c7 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -805,11 +1005,19 @@ optional_policy(`
@@ -805,11 +1009,19 @@ optional_policy(`
')
optional_policy(`
@ -30482,7 +30603,7 @@ index abab4cf..a80b4c7 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -819,6 +1027,25 @@ optional_policy(`
@@ -819,6 +1031,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -30508,7 +30629,7 @@ index abab4cf..a80b4c7 100644
')
optional_policy(`
@@ -844,3 +1071,55 @@ optional_policy(`
@@ -844,3 +1075,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -34278,7 +34399,7 @@ index 025348a..59bc26b 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a054cf5..9f316ca 100644
index a054cf5..4867243 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@ -34320,7 +34441,15 @@ index a054cf5..9f316ca 100644
mcs_ptrace_all(udev_t)
@@ -216,11 +222,16 @@ optional_policy(`
@@ -186,6 +192,7 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
+ fs_manage_hugetlbfs_dirs(udev_t)
term_search_ptys(udev_t)
@@ -216,11 +223,16 @@ optional_policy(`
')
optional_policy(`
@ -34337,7 +34466,7 @@ index a054cf5..9f316ca 100644
')
optional_policy(`
@@ -233,6 +244,10 @@ optional_policy(`
@@ -233,6 +245,10 @@ optional_policy(`
')
optional_policy(`
@ -34348,7 +34477,7 @@ index a054cf5..9f316ca 100644
lvm_domtrans(udev_t)
')
@@ -259,6 +274,10 @@ optional_policy(`
@@ -259,6 +275,10 @@ optional_policy(`
')
optional_policy(`
@ -34359,7 +34488,7 @@ index a054cf5..9f316ca 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -273,6 +292,11 @@ optional_policy(`
@@ -273,6 +293,11 @@ optional_policy(`
')
optional_policy(`

9
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -469,7 +469,12 @@ exit 0
%endif
%changelog
* Thu Aug 31 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-1
* Wed Sep 8 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-2
- Handle /var/db/sudo
- Allow pulseaudio to read alsa config
- Allow init to send initrc_t dbus messages
* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 3.9.3-1
Allow iptables to read shorewall tmp files
Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr
intd