* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2

- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
Miroslav Grepl 2012-08-07 16:51:57 +02:00
parent e2915aed43
commit 711b0e2035
3 changed files with 541 additions and 197 deletions


@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7c6b791..aad6319 100644
index 7c6b791..b40a5a5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644
########################################
## <summary>
## Mount a FUSE filesystem.
@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
########################################
## <summary>
@ -71202,11 +71202,30 @@ index 7c6b791..aad6319 100644
+')
+
+########################################
+## <summary>
+## Get the attributes of a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Get the attributes of an hugetlbfs
## filesystem.
## </summary>
@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
## <summary>
@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644
## Read and write hugetlbfs files.
## </summary>
## <param name="domain">
@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
########################################
## <summary>
@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644
## Append files
## on a NFS filesystem.
## </summary>
@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
########################################
## <summary>
@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644
## on a NFS filesystem.
## </summary>
## <param name="domain">
@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
## <summary>
@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
## </summary>
@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644
')
########################################
@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
## </summary>
## <param name="domain">
## <summary>
@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644
## </summary>
## </param>
#
@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
## </summary>
## <param name="domain">
## <summary>
@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644
## </summary>
## </param>
#
@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644
########################################
## <summary>
## Read and write NFS server files.
@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
########################################
## <summary>
@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
## <summary>
@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
## <summary>
@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644
## Get the attributes of a tmpfs
## filesystem.
## </summary>
@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644
## Create, read, write, and delete
## tmpfs directories
## </summary>
@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644
')
########################################
@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644
## Read tmpfs link files.
## </summary>
## <param name="domain">
@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
## <summary>
@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644
## </summary>
## <param name="domain">
## <summary>
@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
## <summary>
@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
## </summary>
@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',`
@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
## <summary>
@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
## </summary>
@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',`
@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644
')
########################################
@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',`
@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',`
## <desc>
## <p>
## Allow the specified domain to
@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644
## Example attributes:
## </p>
## <ul>
@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index d43f3b1..5858c5f 100644
index d43f3b1..c4182e8 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,13 @@
@@ -6,13 +6,14 @@
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644
#
# /root
@@ -35,12 +35,14 @@
@@ -35,12 +36,14 @@
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644
#
# /var/lib
@@ -51,3 +53,7 @@
@@ -51,3 +54,7 @@
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..cac0b1e 100644
index 3822072..beae2dc 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644
## Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
@@ -680,6 +776,7 @@ interface(`seutil_manage_config',`
@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
')
files_search_etc($1)
@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644
manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
')
@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',`
+########################################
+## <summary>
+## Do not audit attempts to search the SELinux
+## login configuration directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_search_login_config',`
+ gen_require(`
+ type selinux_login_config_t;
+ ')
+
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read the SELinux
+## login configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_read_login_config',`
+ gen_require(`
+ type selinux_login_config_t;
+ ')
+ dontaudit $1 selinux_login_config_t:dir search_dir_perms;
+ dontaudit $1 selinux_login_config_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read the SELinux login configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_login_config',`
+ gen_require(`
+ type selinux_config_t;
+ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
+########################################
+## <summary>
+## Read and write the SELinux login configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_rw_login_config',`
+ gen_require(`
+ type selinux_config_t;
+ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir list_dir_perms;
+ rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
#######################################
## <summary>
## Create, read, write, and delete
@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`seutil_manage_config_dirs',`
+interface(`seutil_rw_login_config_dirs',`
gen_require(`
type selinux_config_t;
+ type selinux_login_config_t;
')
files_search_etc($1)
- allow $1 selinux_config_t:dir manage_dir_perms;
+ allow $1 selinux_config_t:dir search_dir_perms;
+ allow $1 selinux_login_config_t:dir rw_dir_perms;
+')
+
+######################################
+## <summary>
+## Create, read, write, and delete
+## the general selinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_login_config',`
+ gen_require(`
+ type selinux_config_t;
+ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+')
+
+######################################
+## <summary>
+## manage the login selinux configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_manage_login_config_files',`
+ gen_require(`
+ type selinux_config_t;
+ type selinux_login_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:dir search_dir_perms;
+ manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
')
########################################
@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
read_files_pattern($1, default_context_t, default_context_t)
')
@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644
########################################
## <summary>
## Create, read, write, and delete the default_contexts files.
@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',`
@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
########################################
## <summary>
@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',`
@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644
')
########################################
@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
')
#######################################
@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644
+ auth_relabelto_shadow($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ec01d0b..98094ae 100644
index ec01d0b..12ed3ea 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644
#
# selinux_config_t is the type applied to
@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles;
@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
type selinux_config_t;
files_type(selinux_config_t)
+type selinux_login_config_t;
+files_type(selinux_login_config_t)
+
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
type checkpolicy_t, can_write_binary_policy;
type checkpolicy_exec_t;
application_domain(checkpolicy_t, checkpolicy_exec_t)
@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t)
@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
domain_role_change_exemption(newrole_t)
domain_obj_id_change_exemption(newrole_t)
domain_interactive_fd(newrole_t)
@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
#neverallow ~can_write_binary_policy policy_config_t:file { write append };
@@ -83,7 +95,6 @@ type restorecond_t;
@@ -83,7 +98,6 @@ type restorecond_t;
type restorecond_exec_t;
init_daemon_domain(restorecond_t, restorecond_exec_t)
domain_obj_id_change_exemption(restorecond_t)
@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644
type restorecond_var_run_t;
files_pid_file(restorecond_var_run_t)
@@ -92,25 +103,33 @@ type run_init_t;
@@ -92,25 +106,32 @@ type run_init_t;
type run_init_exec_t;
application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644
type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
+dbus_system_domain(semanage_t, semanage_exec_t)
+init_daemon_domain(semanage_t, semanage_exec_t)
domain_interactive_fd(semanage_t)
-role semanage_roles types semanage_t;
@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644
type semanage_var_lib_t;
files_type(semanage_var_lib_t)
@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t;
@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
domain_obj_id_change_exemption(setfiles_t)
@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644
########################################
#
# Checkpolicy local policy
@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t)
@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
allow checkpolicy_t selinux_config_t:dir search_dir_perms;
+allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
domain_use_interactive_fds(checkpolicy_t)
@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
init_use_fds(checkpolicy_t)
init_use_script_ptys(checkpolicy_t)
@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644
userdom_use_all_users_fds(checkpolicy_t)
ifdef(`distro_ubuntu',`
@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t)
@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t)
init_use_script_fds(load_policy_t)
init_use_script_ptys(load_policy_t)
@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -220,7 +246,7 @@ optional_policy(`
@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',`
ifdef(`hide_broken_symptoms',`
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
+ dontaudit load_policy_t selinux_login_config_t:file write;
optional_policy(`
unconfined_dontaudit_read_pipes(load_policy_t)
@@ -220,7 +250,7 @@ optional_policy(`
# Newrole local policy
#
@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms;
@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t)
@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t)
# for when the user types "exec newrole" at the command line:
domain_sigchld_interactive_fds(newrole_t)
@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
files_read_var_symlinks(newrole_t)
@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t)
@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
@@ -309,7 +350,7 @@ if(secure_mode) {
@@ -309,7 +354,7 @@ if(secure_mode) {
userdom_spec_domtrans_all_users(newrole_t)
}
@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644
files_polyinstantiate_all(newrole_t)
')
@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t)
@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t)
@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644
auth_use_nsswitch(restorecond_t)
locallogin_dontaudit_use_fds(restorecond_t)
@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t)
@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
@@ -366,21 +414,24 @@ optional_policy(`
@@ -366,21 +418,24 @@ optional_policy(`
# Run_init local policy
#
@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t)
@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644
logging_send_syslog_msg(run_init_t)
@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t)
@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t)
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',`
@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
@@ -440,81 +513,83 @@ optional_policy(`
@@ -440,81 +517,87 @@ optional_policy(`
# semodule local policy
#
@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644
- unconfined_domain(semanage_t)
- ')
+optional_policy(`
+ dbus_system_domain(semanage_t, semanage_exec_t)
+')
+
+optional_policy(`
+ mock_manage_lib_files(semanage_t)
+ mock_manage_lib_dirs(semanage_t)
+')
@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644
')
########################################
@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',`
@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644
+ devicekit_dontaudit_read_pid_files(setfiles_t)
+ devicekit_dontaudit_rw_log(setfiles_t)
+')
-seutil_libselinux_linked(setfiles_t)
+
+optional_policy(`
+ xserver_append_xdm_tmp_files(setfiles_t)
+')
+
-seutil_libselinux_linked(setfiles_t)
+ifdef(`hide_broken_symptoms',`
+
-userdom_use_all_users_fds(setfiles_t)
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644
+ unconfined_domain(setfiles_t)
+ ')
+')
-userdom_use_all_users_fds(setfiles_t)
+
+########################################
+#
+# Setfiles common policy

File diff suppressed because it is too large Load Diff


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
- Additional fixes for seutil_manage_module_store()
- dbus_system_domain() should be used with optional_policy
- Fix svirt to be allowed to use fusefs file system
- Allow login programs to read /run/ data created by systemd_login
- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
- Fix svirt to be allowed to use fusefs file system
- Allow piranha domain to use nsswitch
- Sanlock needs to send Kill Signals to non root processes
- Pulseaudio wants to execute /run/user/PID/.orc
* Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
- Fix saslauthd when it tries to read /etc/shadow
- Label gnome-boxes as a virt homedir