- Add labeling for /usr/sbin/amavi

- Colin asked for this program to be treated as cloud-init - Allow ftp services to manage xferlog_t - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow certmonger to search home content - Allow pkcsslotd to read users state - Allow exim to use pam stack to check passwords - Add labeling for /usr/sbin/amavi - Colin asked for this program to be treated as cloud-init - Allow ftp services to manage xferlog_t - Fix vmtools policy to allow user roles to access vmtools_helper_t - Allow block_suspend cap2 for ipa-otpd - Allow certmonger to search home content - Allow pkcsslotd to read users state - Allow exim to use pam stack to check passwor
2014-02-21 17:01:54 +01:00 · 2014-02-21 17:01:54 +01:00 · 74ec503d1c
parent 450ad890ec
commit 74ec503d1c
3 changed files with 66 additions and 32 deletions
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@ -22555,7 +22555,7 @@ index cc877c7..07f129b 100644
 +	xserver_rw_xdm_pipes(ssh_agent_type)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..abeb351 100644
+index 8274418..0069d82 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@ -22617,7 +22617,7 @@ index 8274418..abeb351 100644
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +76,33 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 # /tmp
 #
@ -22643,6 +22643,7 @@ index 8274418..abeb351 100644
 -/usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +/usr/s?bin/[mxgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 +
 +/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 +/usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
@ -22656,7 +22657,7 @@ index 8274418..abeb351 100644
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,18 +128,31 @@ ifndef(`distro_debian',`
+@@ -92,18 +129,31 @@ ifndef(`distro_debian',`
 /var/lib/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
 /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@ -22692,7 +22693,7 @@ index 8274418..abeb351 100644
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -112,6 +161,16 @@ ifndef(`distro_debian',`
+@@ -112,6 +162,16 @@ ifndef(`distro_debian',`
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -40629,7 +40630,7 @@ index 0abaf84..8b34dbc 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a9..7bbabfc 100644
+index 5ca20a9..e749152 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@ -41133,14 +41134,14 @@ index 5ca20a9..7bbabfc 100644
 	gen_require(`
 -		type unconfined_t;
 -		class dbus send_msg;
-+		type unconfined_server_t;
+		type unconfined_service_t;
 	')
 -	allow $1 unconfined_t:dbus send_msg;
 -	allow unconfined_t $1:dbus send_msg;
 +	files_search_pids($1)
 +	files_write_generic_pid_pipes($1)
-+	allow $1 unconfined_server_t:unix_stream_socket { getattr connectto };
+	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
 ')
 ########################################
@ -41160,11 +41161,11 @@ index 5ca20a9..7bbabfc 100644
 	gen_require(`
 -		type unconfined_t;
 -		class dbus acquire_svc;
-+		type unconfined_server_t;
+		type unconfined_service_t;
 	')
 -	allow $1 unconfined_t:dbus acquire_svc;
-+	corecmd_bin_domtrans($1, unconfined_server_t)
+	corecmd_bin_domtrans($1, unconfined_service_t)
 ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
 index 5fe902d..fe042f9 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -10747,7 +10747,7 @@ index 008f8ef..144c074 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287..8dd67f1 100644
+index 550b287..6f366b4 100644
 --- a/certmonger.te
 +++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@ -10809,16 +10809,16 @@ index 550b287..8dd67f1 100644
 files_list_tmp(certmonger_t)
 fs_search_cgroup_dirs(certmonger_t)
-@@ -70,16 +83,17 @@ init_getattr_all_script_files(certmonger_t)
+@@ -70,16 +83,18 @@ init_getattr_all_script_files(certmonger_t)
 logging_send_syslog_msg(certmonger_t)
 -miscfiles_read_localization(certmonger_t)
 miscfiles_manage_generic_cert_files(certmonger_t)
 -userdom_search_user_home_content(certmonger_t)
 +systemd_exec_systemctl(certmonger_t)
 +
 userdom_search_user_home_content(certmonger_t)
 +userdom_manage_home_certs(certmonger_t)
 optional_policy(`
@ -10830,7 +10830,7 @@ index 550b287..8dd67f1 100644
 ')
 optional_policy(`
-@@ -92,11 +106,47 @@ optional_policy(`
+@@ -92,11 +107,47 @@ optional_policy(`
 ')
 optional_policy(`
@ -12310,14 +12310,15 @@ index 4a5b3d1..cd146bd 100644
 ')
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..51990d0
+index 0000000..6cc6774
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,28 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
 +/usr/bin/cloud-init     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/libexec/min-metadata-service     --      gen_context(system_u:object_r:cloud_init_exec_t,s0)
 +/usr/bin/deltacloudd    --	gen_context(system_u:object_r:deltacloudd_exec_t,s0)
 +/usr/bin/iwhd           --      gen_context(system_u:object_r:iwhd_exec_t,s0)
 +/usr/bin/mongod		    --	gen_context(system_u:object_r:mongod_exec_t,s0)
@ -26847,7 +26848,7 @@ index 4498143..77bbcef 100644
 	ftp_run_ftpdctl($1, $2)
 ')
 diff --git a/ftp.te b/ftp.te
-index 36838c2..34b08ac 100644
+index 36838c2..a09e8b2 100644
 --- a/ftp.te
 +++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@ -26913,7 +26914,18 @@ index 36838c2..34b08ac 100644
 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
 manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -206,14 +219,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir })
 allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms;
 -allow ftpd_t xferlog_t:dir setattr_dir_perms;
 -append_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 -create_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 -setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 -logging_log_filetrans(ftpd_t, xferlog_t, file)
 +manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t)
 +manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
 +logging_log_filetrans(ftpd_t, xferlog_t, { dir file })
 kernel_read_kernel_sysctls(ftpd_t)
 kernel_read_system_state(ftpd_t)
@ -26929,7 +26941,7 @@ index 36838c2..34b08ac 100644
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_generic_if(ftpd_t)
 corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -229,9 +241,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
 corenet_sendrecv_ftp_data_server_packets(ftpd_t)
 corenet_tcp_bind_ftp_data_port(ftpd_t)
@ -26943,7 +26955,7 @@ index 36838c2..34b08ac 100644
 files_read_etc_runtime_files(ftpd_t)
 files_search_var_lib(ftpd_t)
-@@ -250,7 +265,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t)
 logging_send_syslog_msg(ftpd_t)
 logging_set_loginuid(ftpd_t)
@ -26951,7 +26963,7 @@ index 36838c2..34b08ac 100644
 miscfiles_read_public_files(ftpd_t)
 seutil_dontaudit_search_config(ftpd_t)
-@@ -259,32 +273,50 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
 userdom_dontaudit_search_user_home_dirs(ftpd_t)
@ -27009,7 +27021,7 @@ index 36838c2..34b08ac 100644
 ')
 tunable_policy(`ftpd_use_passive_mode',`
-@@ -304,22 +336,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',`
 	corenet_sendrecv_mssql_client_packets(ftpd_t)
 	corenet_tcp_connect_mssql_port(ftpd_t)
 	corenet_tcp_sendrecv_mssql_port(ftpd_t)
@ -27037,7 +27049,7 @@ index 36838c2..34b08ac 100644
 	userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
 ')
-@@ -363,9 +392,8 @@ optional_policy(`
+@@ -363,9 +390,8 @@ optional_policy(`
 optional_policy(`
 	selinux_validate_context(ftpd_t)
@ -27048,7 +27060,7 @@ index 36838c2..34b08ac 100644
 	kerberos_use(ftpd_t)
 ')
-@@ -416,21 +444,20 @@ optional_policy(`
+@@ -416,21 +442,20 @@ optional_policy(`
 #
 stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@ -27072,7 +27084,7 @@ index 36838c2..34b08ac 100644
 miscfiles_read_public_files(anon_sftpd_t)
-@@ -443,23 +470,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',`
 # Sftpd local policy
 #
@ -27113,7 +27125,7 @@ index 36838c2..34b08ac 100644
 ')
 tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -481,21 +519,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',`
 tunable_policy(`sftpd_full_access',`
 	allow sftpd_t self:capability { dac_override dac_read_search };
 	fs_read_noxattr_fs_files(sftpd_t)
@ -33114,10 +33126,10 @@ index 0000000..deb738f
 +
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..589066e
+index 0000000..0fd2678
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,40 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@ -33139,6 +33151,8 @@ index 0000000..589066e
 +# ipa_otpd local policy
 +#
 +
 +allow ipa_otpd_t self:capability2 block_suspend;
 +
 +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
 +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
 +
@ -60638,7 +60652,7 @@ index 0000000..a989aea
 +
 +sysnet_read_config(piranha_domain)
 diff --git a/pkcs.te b/pkcs.te
-index 8eb3f7b..7c08f64 100644
+index 8eb3f7b..1ff0fe3 100644
 --- a/pkcs.te
 +++ b/pkcs.te
@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
@ -60669,7 +60683,7 @@ index 8eb3f7b..7c08f64 100644
 files_tmpfs_file(pkcs_slotd_tmpfs_t)
 ########################################
-@@ -53,8 +59,5 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+@@ -53,8 +59,6 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
 manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
 fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
@ -60678,6 +60692,7 @@ index 8eb3f7b..7c08f64 100644
 logging_send_syslog_msg(pkcs_slotd_t)
 -miscfiles_read_localization(pkcs_slotd_t)
 +userdom_read_all_users_state(pkcs_slotd_t)
 diff --git a/pki.fc b/pki.fc
 new file mode 100644
 index 0000000..726d992
@ -101457,7 +101472,7 @@ index 0000000..7933d80
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..b881c53
+index 0000000..c47cb0e
 --- /dev/null
 +++ b/vmtools.te
@@ -0,0 +1,82 @@
@ -101480,7 +101495,7 @@ index 0000000..b881c53
 +type vmtools_helper_t;
 +type vmtools_helper_exec_t;
 +application_domain(vmtools_helper_t, vmtools_helper_exec_t)
-+role vmtools_helper_roles types vmtools_t;
+role vmtools_helper_roles types vmtools_helper_t;
 +
 +type vmtools_unit_file_t;
 +systemd_unit_file(vmtools_unit_file_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -580,6 +580,24 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
 * Fri Feb 21 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-26
 - Add labeling for /usr/sbin/amavi
 - Colin asked for this program to be treated as cloud-init
 - Allow ftp services to manage xferlog_t
 - Fix vmtools policy to allow user roles to access vmtools_helper_t
 - Allow block_suspend cap2 for ipa-otpd
 - Allow certmonger to search home content
 - Allow pkcsslotd to read users state
 - Allow exim to use pam stack to check passwords
 - Add labeling for /usr/sbin/amavi
 - Colin asked for this program to be treated as cloud-init
 - Allow ftp services to manage xferlog_t
 - Fix vmtools policy to allow user roles to access vmtools_helper_t
 - Allow block_suspend cap2 for ipa-otpd
 - Allow certmonger to search home content
 - Allow pkcsslotd to read users state
 - Allow exim to use pam stack to check passwords
 * Tue Feb 18 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-25
 - Add lvm_read_metadata()
 - Allow auditadm to search /var/log/audit dir