-Update to upstream

2010-06-28 21:27:05 +00:00 · 2010-06-28 21:27:05 +00:00 · 74e6a69ce9
commit 74e6a69ce9
parent 6c42218d9d
3 changed files with 80 additions and 39 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -973,7 +973,7 @@ mls = base
 #
 # Policy for mock rpm builder
 # 
-mock = base
+mock = module

 # Layer: system
 # Module: modutils
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -973,7 +973,7 @@ mls = base
 #
 # Policy for mock rpm builder
 # 
-mock = base
+mock = module

 # Layer: system
 # Module: modutils
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -22073,7 +22073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.8.6/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/virt.if	2010-06-25 15:32:58.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/services/virt.if	2010-06-28 17:16:24.000000000 -0400
@@ -21,6 +21,7 @@
 	type $1_t, virt_domain;
 	domain_type($1_t)
@ -22220,8 +22220,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.6/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/services/virt.te	2010-06-25 15:28:29.000000000 -0400
-@@ -50,12 +50,12 @@
+++ serefpolicy-3.8.6/policy/modules/services/virt.te	2010-06-28 17:20:07.000000000 -0400
+@@ -4,6 +4,7 @@
+ #
+ # Declarations
+ #
+attribute virsh_transition_domain;
+ 
+ ## <desc>
+ ## <p>
+@@ -50,12 +51,12 @@
 virt_domain_template(svirt)
 role system_r types svirt_t;
 
@ -22237,7 +22245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 type virt_etc_t;
 files_config_file(virt_etc_t)
 
-@@ -71,8 +71,12 @@
+@@ -71,8 +72,12 @@
 virt_image(virt_content_t)
 userdom_user_home_content(virt_content_t)
 
@ -22250,7 +22258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 
 type virt_var_run_t;
 files_pid_file(virt_var_run_t)
-@@ -89,6 +93,11 @@
+@@ -89,6 +94,11 @@
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
 
@ -22262,7 +22270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
 ')
-@@ -104,15 +113,12 @@
+@@ -104,15 +114,12 @@
 
 allow svirt_t self:udp_socket create_socket_perms;
 
@ -22279,7 +22287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
 
 list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -160,6 +166,7 @@
+@@ -160,6 +167,7 @@
 
 tunable_policy(`virt_use_usb',`
 	dev_rw_usbfs(svirt_t)
@ -22287,7 +22295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 	fs_manage_dos_dirs(svirt_t)
 	fs_manage_dos_files(svirt_t)
 ')
-@@ -178,22 +185,29 @@
+@@ -178,22 +186,29 @@
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@ -22320,7 +22328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 
-@@ -204,9 +218,15 @@
+@@ -204,9 +219,15 @@
 
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -22336,7 +22344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -247,18 +267,25 @@
+@@ -247,18 +268,25 @@
 dev_rw_kvm(virtd_t)
 dev_getattr_all_chr_files(virtd_t)
 dev_rw_mtrr(virtd_t)
@ -22363,7 +22371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
-@@ -267,6 +294,15 @@
+@@ -267,6 +295,15 @@
 fs_manage_cgroup_dirs(virtd_t)
 fs_rw_cgroup_files(virtd_t)
 
@ -22379,7 +22387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 mcs_process_set_categories(virtd_t)
 
 storage_manage_fixed_disk(virtd_t)
-@@ -290,15 +326,22 @@
+@@ -290,15 +327,22 @@
 
 logging_send_syslog_msg(virtd_t)
 
@ -22402,7 +22410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -369,6 +412,7 @@
+@@ -369,6 +413,7 @@
 	qemu_signal(virtd_t)
 	qemu_kill(virtd_t)
 	qemu_setsched(virtd_t)
@ -22410,7 +22418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 ')
 
 optional_policy(`
-@@ -406,6 +450,19 @@
+@@ -406,6 +451,19 @@
 allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
 allow virt_domain self:tcp_socket create_stream_socket_perms;
 
@ -22430,7 +22438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 append_files_pattern(virt_domain, virt_log_t, virt_log_t)
 
 append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -426,6 +483,7 @@
+@@ -426,6 +484,7 @@
 corenet_tcp_bind_virt_migration_port(virt_domain)
 corenet_tcp_connect_virt_migration_port(virt_domain)
 
@ -22438,7 +22446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 dev_read_rand(virt_domain)
 dev_read_sound(virt_domain)
 dev_read_urand(virt_domain)
-@@ -433,6 +491,7 @@
+@@ -433,6 +492,7 @@
 dev_rw_ksm(virt_domain)
 dev_rw_kvm(virt_domain)
 dev_rw_qemu(virt_domain)
@ -22446,7 +22454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 
 domain_use_interactive_fds(virt_domain)
 
-@@ -444,6 +503,11 @@
+@@ -444,6 +504,11 @@
 fs_getattr_tmpfs(virt_domain)
 fs_rw_anon_inodefs_files(virt_domain)
 fs_rw_tmpfs_files(virt_domain)
@ -22458,7 +22466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 
 term_use_all_terms(virt_domain)
 term_getattr_pty_fs(virt_domain)
-@@ -461,8 +525,122 @@
+@@ -461,8 +526,120 @@
 ')
 
 optional_policy(`
@ -22491,14 +22499,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virsh_t self:tcp_socket create_stream_socket_perms;
 +
-+manage_files_pattern(virsh_t, xend_var_lib_t, xend_var_lib_t)
-+manage_fifo_files_pattern(virsh_t, xend_var_lib_t, xend_var_lib_t)
-+manage_sock_files_pattern(virsh_t, xend_var_lib_t, xend_var_lib_t)
-+files_search_var_lib(virsh_t)
-+
-+allow virsh_t xen_image_t:dir rw_dir_perms;
-+allow virsh_t xen_image_t:file read_file_perms;
-+allow virsh_t xen_image_t:blk_file read_blk_file_perms;
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
 +
@ -22541,9 +22544,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 +sysnet_dns_name_resolve(virsh_t)
 +
-+xen_append_log(virsh_t)
-+xen_stream_connect(virsh_t)
-+xen_stream_connect_xenstore(virsh_t)
+optional_policy(`
+	xen_manage_image_dirs(virsh_t)
+	xen_append_log(virsh_t)
+	xen_stream_connect(virsh_t)
+	xen_stream_connect_xenstore(virsh_t)
+')
 +
 +optional_policy(`
 +	dbus_system_bus_client(virsh_t)
@ -32105,21 +32111,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc
 ifdef(`distro_debian',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.8.6/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/system/xen.if	2010-06-21 10:53:58.000000000 -0400
-@@ -213,8 +213,9 @@
+++ serefpolicy-3.8.6/policy/modules/system/xen.if	2010-06-28 17:17:26.000000000 -0400
+@@ -87,6 +87,26 @@
+ ## 	</summary>
+ ## </param>
+ #
+interface(`xen_manage_image_dirs',`
+	gen_require(`
+		type xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write
+##	xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+ interface(`xen_rw_image_files',`
+ 	gen_require(`
+ 		type xen_image_t, xend_var_lib_t;
+@@ -213,8 +233,9 @@
 interface(`xen_domtrans_xm',`
 	gen_require(`
 		type xm_t, xm_exec_t;
-+		attribute xm_transition_domain;
+		attribute virsh_transition_domain;
 	')
 -
-+	typeattribute $1 xm_transition_domain;
+	typeattribute $1 virsh_transition_domain;
 	domtrans_pattern($1, xm_exec_t, xm_t)
 ')
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.6/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-06-18 13:07:19.000000000 -0400
-+++ serefpolicy-3.8.6/policy/modules/system/xen.te	2010-06-22 09:24:13.000000000 -0400
+++ serefpolicy-3.8.6/policy/modules/system/xen.te	2010-06-28 17:16:48.000000000 -0400
@@ -4,6 +4,7 @@
 #
 # Declarations
@ -32128,7 +32161,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 
 ## <desc>
 ## <p>
-@@ -89,11 +90,6 @@
+@@ -34,6 +35,7 @@
+ files_type(xen_image_t)
+ # xen_image_t can be assigned to blk devices
+ dev_node(xen_image_t)
+virt_image(xen_image_t)
+ 
+ type xenctl_t;
+ files_type(xenctl_t)
+@@ -89,11 +91,6 @@
 type xenconsoled_var_run_t;
 files_pid_file(xenconsoled_var_run_t)
 
@ -32140,7 +32181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 #######################################
 #
 # evtchnd local policy
-@@ -346,6 +342,7 @@
+@@ -346,6 +343,7 @@
 
 files_read_usr_files(xenstored_t)
 
@ -32148,7 +32189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 fs_manage_xenfs_files(xenstored_t)
 
 storage_raw_read_fixed_disk(xenstored_t)
-@@ -366,98 +363,9 @@
+@@ -366,98 +364,9 @@
 
 ########################################
 #