- Allow avahi to access inotify

- Remove a lot of bogus security_t:filesystem avcs
2007-06-27 18:12:03 +00:00 · 2007-06-27 18:12:03 +00:00 · 7f44213c00
parent 1afb424363
commit 7f44213c00
2 changed files with 100 additions and 26 deletions
--- a/policy-20070525.patch
+++ b/policy-20070525.patch
@ -6602,7 +6602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/samba.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/samba.te	2007-06-27 11:39:37.000000000 -0400
@@ -189,6 +189,8 @@
 
 miscfiles_read_localization(samba_net_t) 
@ -6678,6 +6678,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 domain_use_interactive_fds(winbind_t)
 
+@@ -767,6 +782,7 @@
+ #
+ # Winbind helper local policy
+ #
+corecmd_exec_bin(winbind_t)
+ 
+ allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+ allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/sasl.te	2007-06-19 17:06:27.000000000 -0400
@ -7442,7 +7450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if	2007-06-21 10:33:53.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if	2007-06-27 10:19:29.000000000 -0400
@@ -27,7 +27,8 @@
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@ -8318,7 +8326,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
 # Sulogin local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.fc	2007-06-20 07:06:30.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.fc	2007-06-27 10:17:24.000000000 -0400
+@@ -1,6 +1,6 @@
+-
+ /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+ 
+/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ 
+ /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -43,3 +43,5 @@
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
 
@ -8327,7 +8343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/log/syslog-ng(/.*)?	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.if	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.if	2007-06-27 10:20:58.000000000 -0400
@@ -33,8 +33,13 @@
 ## </param>
 #
@ -8343,10 +8359,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ')
 
 ########################################
-@@ -238,6 +243,25 @@
+@@ -238,6 +243,63 @@
 
 ########################################
 ## <summary>
+##	Manage the syslogd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_syslog_config',`
+	gen_require(`
+		type syslogd_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1,syslog_conf_t,syslog_conf_t)
+')
+
+#######################################
+## <summary>
+##	Automatic transition from etc to syslog_conf_t.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_etc_filetrans_syslog_conf',`
+	gen_require(`
+		type syslog_conf_t;
+	')
+
+	files_etc_filetrans($1,syslog_conf_t,file)
+')
+
+########################################
+## <summary>
 +##	Execute klogd in the klog domain.
 +## </summary>
 +## <param name="domain">
@ -8369,7 +8423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ##	Create an object in the log directory, with a private
 ##	type using a type transition.
 ## </summary>
-@@ -317,6 +341,25 @@
+@@ -317,6 +379,25 @@
 
 ########################################
 ## <summary>
@ -8395,7 +8449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ##	Allows the domain to open a file in the
 ##	log directory, but does not allow the listing
 ##	of the contents of the log directory.
-@@ -451,7 +494,7 @@
+@@ -451,7 +532,7 @@
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
@ -8404,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ')
 
 ########################################
-@@ -495,6 +538,8 @@
+@@ -495,6 +576,8 @@
 	files_search_var($1)
 	manage_files_pattern($1,logfile,logfile)
 	read_lnk_files_pattern($1,logfile,logfile)
@ -8413,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ')
 
 ########################################
-@@ -578,3 +623,101 @@
+@@ -578,3 +661,101 @@
 	files_search_var($1)
 	manage_files_pattern($1,var_log_t,var_log_t)
 ')
@ -8517,7 +8571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.te	2007-06-20 07:06:09.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.te	2007-06-27 10:16:37.000000000 -0400
@@ -7,10 +7,15 @@
 #
 
@ -8534,7 +8588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 role system_r types auditctl_t;
 
 type auditd_etc_t;
-@@ -48,6 +53,9 @@
+@@ -45,9 +50,15 @@
+ type syslogd_exec_t;
+ init_daemon_domain(syslogd_t,syslogd_exec_t)
+ 
+type syslog_conf_t;
+files_type(syslog_conf_t)
+
 type syslogd_tmp_t;
 files_tmp_file(syslogd_tmp_t)
 
@ -8544,7 +8604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 type syslogd_var_run_t;
 files_pid_file(syslogd_var_run_t)
 
-@@ -59,14 +67,17 @@
+@@ -59,14 +70,17 @@
 	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
 ')
 
@ -8565,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
-@@ -91,6 +102,7 @@
+@@ -91,6 +105,7 @@
 
 locallogin_dontaudit_use_fds(auditctl_t)
 
@ -8573,7 +8633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 logging_send_syslog_msg(auditctl_t)
 
 ########################################
-@@ -98,12 +110,11 @@
+@@ -98,12 +113,11 @@
 # Auditd local policy
 #
 
@ -8587,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 allow auditd_t self:fifo_file rw_file_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -141,6 +152,7 @@
+@@ -141,6 +155,7 @@
 
 init_telinit(auditd_t)
 
@ -8595,7 +8655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 logging_send_syslog_msg(auditd_t)
 
 libs_use_ld_so(auditd_t)
-@@ -157,6 +169,8 @@
+@@ -157,6 +172,8 @@
 
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
@ -8604,7 +8664,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 
 optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
-@@ -249,6 +263,10 @@
+@@ -243,12 +260,18 @@
+ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
+allow syslogd_t syslog_conf_t:file read;
+
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 
 # create/append log files.
 manage_files_pattern(syslogd_t,var_log_t,var_log_t)
@ -8615,7 +8683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
-@@ -257,6 +275,9 @@
+@@ -257,6 +280,9 @@
 manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
 
@ -8625,7 +8693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 allow syslogd_t syslogd_var_run_t:file manage_file_perms;
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 
-@@ -313,6 +334,7 @@
+@@ -313,6 +339,7 @@
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
@ -10902,9 +10970,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc	2007-06-27 10:17:08.000000000 -0400
@@ -0,0 +1 @@
-+/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+# No logadm file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if
 --- nsaserefpolicy/policy/modules/users/logadm.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.1/policy/modules/users/logadm.if	2007-06-19 17:06:27.000000000 -0400
@ -10912,8 +10980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
 +## <summary>Policy for logadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te
 --- nsaserefpolicy/policy/modules/users/logadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.1/policy/modules/users/logadm.te	2007-06-19 17:06:27.000000000 -0400
-@@ -0,0 +1,35 @@
+++ serefpolicy-3.0.1/policy/modules/users/logadm.te	2007-06-27 10:21:24.000000000 -0400
+@@ -0,0 +1,37 @@
 +policy_module(logadm,1.0.0)
 +
 +########################################
@ -10925,13 +10993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
 +files_type(syslog_conf_t)
 +
 +userdom_base_user_template(logadm)
-+allow logadm_t syslog_conf_t:file manage_file_perms;
-+files_etc_filetrans(logadm_t, syslog_conf_t, file)
 +
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +
+logging_etc_filetrans_syslog_conf(logadm_t)
+logging_manage_syslog_config(logadm_t)
 +logging_manage_all_logs(logadm_t)
+
 +seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
+
 +domain_kill_all_domains(logadm_t)
 +seutil_read_bin_policy(logadm_t)
 +corecmd_exec_shell(logadm_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -355,6 +355,10 @@ exit 0
 %endif

 %changelog
+* Wed Jun 26 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-2
+- Allow avahi to access inotify
+- Remove a lot of bogus security_t:filesystem avcs
+
 * Fri May 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-1
 - Remove ifdef strict policy from upstream