rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add labeling for /dev/tgt 

- Dontaudit leak fd from firewalld for modprobe
- Allow runuser running as rpm_script_t to
This commit is contained in:
Miroslav Grepl 2013-06-14 12:56:00 +02:00
parent 166a2805b7
commit 708bb6ef9d
3 changed files with 207 additions and 447 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

607
policy-rawhide-base.patch
View File

@ -5637,7 +5637,7 @@ index b31c054..17e11e0 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..e26dfc3 100644
index 76f285e..0fc6f53 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6384,7 +6384,32 @@ index 76f285e..e26dfc3 100644
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
@@ -3254,7 +3565,25 @@ interface(`dev_rw_printer',`
@@ -3163,6 +3474,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
########################################
## <summary>
+## Read BIOS non-volatile RAM.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_nvram',`
+ gen_require(`
+ type nvram_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, nvram_device_t)
+')
+
+########################################
+## <summary>
## Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
@@ -3254,7 +3583,25 @@ interface(`dev_rw_printer',`
########################################
## <summary>
@ -6411,7 +6436,7 @@ index 76f285e..e26dfc3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3262,12 +3591,13 @@ interface(`dev_rw_printer',`
@@ -3262,12 +3609,13 @@ interface(`dev_rw_printer',`
## </summary>
## </param>
#
@ -6428,269 +6453,117 @@ index 76f285e..e26dfc3 100644
')
########################################
@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',`
@@ -3855,6 +4203,96 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
-## Search the sysfs directories.
+## Set the attributes of sysfs directories.
## </summary>
## <param name="domain">
## <summary>
@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',`
## </summary>
## </param>
#
-interface(`dev_search_sysfs',`
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
- search_dirs_pattern($1, sysfs_t, sysfs_t)
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir setattr_dir_perms;
')
########################################
## <summary>
-## Do not audit attempts to search sysfs.
+')
+
+########################################
+## <summary>
+## Get attributes of sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`dev_dontaudit_search_sysfs',`
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
gen_require(`
type sysfs_t;
')
- dontaudit $1 sysfs_t:dir search_dir_perms;
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
')
########################################
## <summary>
-## List the contents of the sysfs directories.
+')
+
+########################################
+## <summary>
+## Mount a filesystem on /sys
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
## </summary>
## </param>
#
-interface(`dev_list_sysfs',`
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
gen_require(`
type sysfs_t;
')
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
')
########################################
## <summary>
-## Write in a sysfs directories.
+')
+
+########################################
+## <summary>
+## Mount sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',`
## </summary>
## </param>
#
-# cjp: added for cpuspeed
-interface(`dev_write_sysfs_dirs',`
+interface(`dev_mount_sysfs_fs',`
gen_require(`
type sysfs_t;
')
- allow $1 sysfs_t:dir write;
+ allow $1 sysfs_t:filesystem mount;
')
########################################
## <summary>
-## Do not audit attempts to write in a sysfs directory.
+## Unmount sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`dev_dontaudit_write_sysfs_dirs',`
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount sysfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs_fs',`
gen_require(`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
@@ -3904,6 +4342,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
- dontaudit $1 sysfs_t:dir write;
+ allow $1 sysfs_t:filesystem unmount;
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
@@ -3946,23 +4385,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
-## Create, read, write, and delete sysfs
-## directories.
+## Search the sysfs directories.
## </summary>
## <param name="domain">
## <summary>
@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
## </summary>
## </param>
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_search_sysfs',`
gen_require(`
type sysfs_t;
')
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
+ search_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
-## Read hardware state information.
+## Do not audit attempts to search sysfs.
## </summary>
-## <desc>
-## <p>
-## Allow the specified domain to read the contents of
-## the sysfs filesystem. This filesystem contains
-## information, parameters, and other settings on the
-## hardware installed on the system.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
-## <infoflow type="read" weight="10"/>
#
-interface(`dev_read_sysfs',`
+interface(`dev_dontaudit_search_sysfs',`
gen_require(`
type sysfs_t;
')
- read_files_pattern($1, sysfs_t, sysfs_t)
- read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-
- list_dirs_pattern($1, sysfs_t, sysfs_t)
+ dontaudit $1 sysfs_t:dir search_dir_perms;
')
########################################
## <summary>
-## Allow caller to modify hardware state information.
+## List the contents of the sysfs directories.
## </summary>
## <param name="domain">
## <summary>
@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',`
## </summary>
## </param>
#
-interface(`dev_rw_sysfs',`
+interface(`dev_list_sysfs',`
gen_require(`
type sysfs_t;
')
- rw_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
-
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
-## Read and write the TPM device.
+## Write in a sysfs directories.
## </summary>
## <param name="domain">
## <summary>
@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',`
## </summary>
## </param>
#
-interface(`dev_rw_tpm',`
+# cjp: added for cpuspeed
+interface(`dev_write_sysfs_dirs',`
gen_require(`
- type device_t, tpm_device_t;
+ type sysfs_t;
')
- rw_chr_files_pattern($1, device_t, tpm_device_t)
+ allow $1 sysfs_t:dir write;
')
########################################
## <summary>
-## Read from pseudo random number generator devices (e.g., /dev/urandom).
+## Do not audit attempts to write in a sysfs directory.
## </summary>
-## <desc>
-## <p>
-## Allow the specified domain to read from pseudo random number
-## generator devices (e.g., /dev/urandom). Typically this is
-## used in situations when a cryptographically secure random
-## number is not necessarily needed. One example is the Stack
-## Smashing Protector (SSP, formerly known as ProPolice) support
-## that may be compiled into programs.
-## </p>
-## <p>
-## Related interface:
-## </p>
-## <ul>
-## <li>dev_read_rand()</li>
-## </ul>
-## <p>
-## Related tunable:
-## </p>
-## <ul>
-## <li>global_ssp</li>
-## </ul>
-## </desc>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
-## <infoflow type="read" weight="10"/>
#
-interface(`dev_read_urand',`
+interface(`dev_dontaudit_write_sysfs_dirs',`
gen_require(`
- type device_t, urandom_device_t;
+ type sysfs_t;
')
- read_chr_files_pattern($1, device_t, urandom_device_t)
+ dontaudit $1 sysfs_t:dir write;
')
########################################
## <summary>
-## Do not audit attempts to read from pseudo
-## random devices (e.g., /dev/urandom)
+## Read cpu online hardware state information.
## </summary>
+## <desc>
@ -6700,44 +6573,37 @@ index 76f285e..e26dfc3 100644
+## </desc>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## Domain allowed access.
## </summary>
## </param>
#
-interface(`dev_dontaudit_read_urand',`
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
gen_require(`
- type urandom_device_t;
+ gen_require(`
+ type cpu_online_t;
')
- dontaudit $1 urandom_device_t:chr_file { getattr read };
+ ')
+
+ dev_search_sysfs($1)
+ read_files_pattern($1, cpu_online_t, cpu_online_t)
')
########################################
## <summary>
-## Write to the pseudo random device (e.g., /dev/urandom). This
-## sets the random number generator seed.
+')
+
+########################################
+## <summary>
+## Relabel cpu online hardware state information.
## </summary>
## <param name="domain">
## <summary>
@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',`
## </summary>
## </param>
#
-interface(`dev_write_urand',`
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
gen_require(`
- type device_t, urandom_device_t;
+ type cpu_online_t;
+ type sysfs_t;
type sysfs_t;
')
- write_chr_files_pattern($1, device_t, urandom_device_t)
- manage_dirs_pattern($1, sysfs_t, sysfs_t)
+ dev_search_sysfs($1)
+ allow $1 cpu_online_t:file relabel_file_perms;
')
@ -6745,69 +6611,24 @@ index 76f285e..e26dfc3 100644
+
########################################
## <summary>
-## Getattr generic the USB devices.
+## Read hardware state information.
## </summary>
-## <param name="domain">
+## <desc>
+## <p>
+## Allow the specified domain to read the contents of
+## the sysfs filesystem. This filesystem contains
+## information, parameters, and other settings on the
+## hardware installed on the system.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ read_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
+## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ rw_files_pattern($1, sysfs_t, sysfs_t)
+ read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
## Read hardware state information.
@@ -4016,7 +4481,7 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
-## Read and write the TPM device.
+## Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
## </summary>
## <param name="domain">
## <summary>
@@ -4024,9 +4489,65 @@ interface(`dev_rw_sysfs',`
## </summary>
## </param>
#
-interface(`dev_rw_tpm',`
+interface(`dev_relabel_sysfs_dirs',`
+ gen_require(`
gen_require(`
- type device_t, tpm_device_t;
+ type sysfs_t;
+ ')
+
@ -6865,92 +6686,13 @@ index 76f285e..e26dfc3 100644
+interface(`dev_rw_tpm',`
+ gen_require(`
+ type device_t, tpm_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, tpm_device_t)
+')
+
+########################################
+## <summary>
+## Read from pseudo random number generator devices (e.g., /dev/urandom).
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read from pseudo random number
+## generator devices (e.g., /dev/urandom). Typically this is
+## used in situations when a cryptographically secure random
+## number is not necessarily needed. One example is the Stack
+## Smashing Protector (SSP, formerly known as ProPolice) support
+## that may be compiled into programs.
+## </p>
+## <p>
+## Related interface:
+## </p>
+## <ul>
+## <li>dev_read_rand()</li>
+## </ul>
+## <p>
+## Related tunable:
+## </p>
+## <ul>
+## <li>global_ssp</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_read_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read from pseudo
+## random devices (e.g., /dev/urandom)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_urand',`
+ gen_require(`
+ type urandom_device_t;
+ ')
+
+ dontaudit $1 urandom_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
+## Write to the pseudo random device (e.g., /dev/urandom). This
+## sets the random number generator seed.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, urandom_device_t)
+')
+
+########################################
+## <summary>
')
rw_chr_files_pattern($1, device_t, tpm_device_t)
@@ -4113,6 +4634,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
+## Do not audit attempts to write to pseudo
+## random devices (e.g., /dev/urandom)
+## </summary>
@ -6970,13 +6712,10 @@ index 76f285e..e26dfc3 100644
+
+########################################
+## <summary>
+## Getattr generic the USB devices.
+## </summary>
+## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',`
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
@@ -4409,9 +4949,9 @@ interface(`dev_rw_usbfs',`
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
@ -6988,7 +6727,7 @@ index 76f285e..e26dfc3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',`
@@ -4419,17 +4959,17 @@ interface(`dev_rw_usbfs',`
## </summary>
## </param>
#
@ -7011,7 +6750,7 @@ index 76f285e..e26dfc3 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',`
@@ -4437,12 +4977,12 @@ interface(`dev_getattr_video_dev',`
## </summary>
## </param>
#
@ -7027,7 +6766,7 @@ index 76f285e..e26dfc3 100644
')
########################################
@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',`
@@ -4539,6 +5079,134 @@ interface(`dev_write_video_dev',`
########################################
## <summary>
@ -7162,7 +6901,7 @@ index 76f285e..e26dfc3 100644
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',`
@@ -4557,6 +5225,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@ -7187,7 +6926,7 @@ index 76f285e..e26dfc3 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',`
@@ -4762,6 +5448,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@ -7214,7 +6953,7 @@ index 76f285e..e26dfc3 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',`
@@ -4851,3 +5557,943 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@ -15146,7 +14885,7 @@ index 522ab32..cb9c3a2 100644
')
}
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f1827..409df4f 100644
index 54f1827..cc2de1a 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -23,12 +23,15 @@
@ -15166,16 +14905,17 @@ index 54f1827..409df4f 100644
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -51,7 +54,7 @@ ifdef(`distro_redhat', `
@@ -51,7 +54,8 @@ ifdef(`distro_redhat', `
/dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
-/dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+/dev/tw[a-z][^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -81,3 +84,6 @@ ifdef(`distro_redhat', `
@@ -81,3 +85,6 @@ ifdef(`distro_redhat', `
/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
@ -31487,7 +31227,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7a49e28..3e5393b 100644
index 7a49e28..1d374a0 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@ -31668,7 +31408,7 @@ index 7a49e28..3e5393b 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
@@ -184,28 +202,32 @@ optional_policy(`
@@ -184,28 +202,33 @@ optional_policy(`
')
optional_policy(`
@ -31685,6 +31425,7 @@ index 7a49e28..3e5393b 100644
optional_policy(`
- hotplug_search_config(insmod_t)
+ firewalld_dontaudit_write_tmp_files(insmod_t)
+ firewallgui_dontaudit_rw_pipes(insmod_t)
')
@ -31708,7 +31449,7 @@ index 7a49e28..3e5393b 100644
')
optional_policy(`
@@ -225,6 +247,7 @@ optional_policy(`
@@ -225,6 +248,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@ -31716,7 +31457,7 @@ index 7a49e28..3e5393b 100644
')
optional_policy(`
@@ -233,6 +256,10 @@ optional_policy(`
@@ -233,6 +257,10 @@ optional_policy(`
')
optional_policy(`
@ -31727,7 +31468,7 @@ index 7a49e28..3e5393b 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t)
@@ -291,11 +319,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)

39
policy-rawhide-contrib.patch
View File

@ -64407,7 +64407,7 @@ index 951db7f..6d6ec1d 100644
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
')
diff --git a/raid.te b/raid.te
index 2c1730b..259b790 100644
index 2c1730b..e67ea1b 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,9 @@ role mdadm_roles types mdadm_t;
@ -64453,10 +64453,11 @@ index 2c1730b..259b790 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
@@ -51,17 +59,19 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
@@ -51,17 +59,20 @@ dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
dev_read_raw_memory(mdadm_t)
+dev_read_nvram(mdadm_t)
+dev_read_generic_files(mdadm_t)
+domain_read_all_domains_state(mdadm_t)
@ -64475,7 +64476,7 @@ index 2c1730b..259b790 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
@@ -70,16 +80,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
@@ -70,16 +81,18 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@ -70529,7 +70530,7 @@ index 0628d50..84f2fd7 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
index 5cbe81c..f79d5f4 100644
index 5cbe81c..ff2b58e 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@ -70785,7 +70786,7 @@ index 5cbe81c..f79d5f4 100644
')
########################################
@@ -239,19 +252,20 @@ optional_policy(`
@@ -239,18 +252,20 @@ optional_policy(`
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
@ -70803,13 +70804,13 @@ index 5cbe81c..f79d5f4 100644
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
-
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
+allow rpm_script_t self:netlink_audit_socket create_socket_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
@@ -267,8 +281,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -70820,7 +70821,7 @@ index 5cbe81c..f79d5f4 100644
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
@@ -277,45 +292,27 @@ kernel_read_network_state(rpm_script_t)
@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
@ -70870,7 +70871,7 @@ index 5cbe81c..f79d5f4 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
@@ -331,30 +328,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@ -70928,7 +70929,7 @@ index 5cbe81c..f79d5f4 100644
ifdef(`distro_redhat',`
optional_policy(`
@@ -363,40 +378,54 @@ ifdef(`distro_redhat',`
@@ -363,40 +379,54 @@ ifdef(`distro_redhat',`
')
')
@ -70993,7 +70994,7 @@ index 5cbe81c..f79d5f4 100644
unconfined_domtrans(rpm_script_t)
optional_policy(`
@@ -409,6 +438,6 @@ optional_policy(`
@@ -409,6 +439,6 @@ optional_policy(`
')
optional_policy(`
@ -83440,6 +83441,18 @@ index 38389e6..4847b43 100644
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
diff --git a/tgtd.if b/tgtd.if
index 5406b6e..dc5b46e 100644
--- a/tgtd.if
+++ b/tgtd.if
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
files_search_tmp($1)
admin_pattern($1, tgtd_tmp_t)
- files_search_tmpfs($1)
+ fs_search_tmpfs($1)
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
index c93c973..08aef1e 100644
--- a/tgtd.te

8
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 51%{?dist}
Release: 52%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -530,6 +530,12 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Jun 14 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-52
- Add labeling for /dev/tgt
- Dontaudit leak fd from firewalld for modprobe
- Allow runuser running as rpm_script_t to create netlink_audit socket
- Allow mdadm to read BIOS non-volatile RAM
* Thu Jun 13 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-51
- accountservice watches when accounts come and go in wtmp
- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket