- Add policykit fixes from Tim Waugh

- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
This commit is contained in:
Miroslav Grepl 2011-03-10 12:46:20 +00:00
parent 9b89d85005
commit 8d54634624
2 changed files with 116 additions and 60 deletions

View File

@ -2354,7 +2354,7 @@ index d5aaf0e..689b2fd 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index 6a5004b..9b0f49e 100644
index 6a5004b..b6ede9a 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@ -2365,7 +2365,7 @@ index 6a5004b..9b0f49e 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
@@ -25,8 +26,11 @@ fs_getattr_xattr_fs(tmpreaper_t)
@@ -25,11 +26,16 @@ fs_getattr_xattr_fs(tmpreaper_t)
files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
@ -2377,7 +2377,12 @@ index 6a5004b..9b0f49e 100644
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
@@ -38,7 +42,9 @@ logging_send_syslog_msg(tmpreaper_t)
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@ -2388,7 +2393,7 @@ index 6a5004b..9b0f49e 100644
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
@@ -52,7 +58,9 @@ optional_policy(`
@@ -52,7 +60,9 @@ optional_policy(`
')
optional_policy(`
@ -2398,7 +2403,7 @@ index 6a5004b..9b0f49e 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
@@ -66,6 +74,14 @@ optional_policy(`
@@ -66,6 +76,14 @@ optional_policy(`
')
optional_policy(`
@ -7628,10 +7633,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
index 0000000..2280381
index 0000000..f2201d7
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
@@ -0,0 +1,474 @@
@@ -0,0 +1,476 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@ -7768,6 +7773,7 @@ index 0000000..2280381
+manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_domain sandbox_file_t:dir mounton;
+
+gen_require(`
+ type usr_t, lib_t, locale_t;
@ -7849,6 +7855,7 @@ index 0000000..2280381
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
@ -12702,7 +12709,7 @@ index a9b8982..57c4a6a 100644
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 3723150..bde6daa 100644
index 3723150..d6d1dbe 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@ -12714,20 +12721,30 @@ index 3723150..bde6daa 100644
typeattribute $1 fixed_disk_raw_read;
')
@@ -203,6 +205,8 @@ interface(`storage_create_fixed_disk_dev',`
@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
type fixed_disk_device_t;
')
+ allow $1 self:capability mknod;
+
allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
dev_add_entry_generic_dirs($1)
')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 3994e57..43aa641 100644
index 3994e57..a1923fe 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -18,6 +18,7 @@
@@ -6,6 +6,7 @@
/dev/console -c gen_context(system_u:object_r:console_device_t,s0)
/dev/cu.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/dcbri[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/hpilo/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvc.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/hvsi.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/i2c[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
@@ -18,6 +19,7 @@
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
@ -12735,7 +12752,7 @@ index 3994e57..43aa641 100644
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
@@ -40,3 +41,5 @@ ifdef(`distro_gentoo',`
@@ -40,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@ -20408,13 +20425,14 @@ index 0258b48..8fde016 100644
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --git a/policy/modules/services/colord.fc b/policy/modules/services/colord.fc
new file mode 100644
index 0000000..7a01ff6
index 0000000..0a83e88
--- /dev/null
+++ b/policy/modules/services/colord.fc
@@ -0,0 +1,4 @@
@@ -0,0 +1,5 @@
+
+/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
+
+/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
+/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
diff --git a/policy/modules/services/colord.if b/policy/modules/services/colord.if
new file mode 100644
@ -20466,10 +20484,10 @@ index 0000000..38cb883
+
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
index 0000000..0ecb72e
index 0000000..173e56f
--- /dev/null
+++ b/policy/modules/services/colord.te
@@ -0,0 +1,68 @@
@@ -0,0 +1,78 @@
+policy_module(colord,1.0.0)
+
+########################################
@ -20509,6 +20527,7 @@ index 0000000..0ecb72e
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
+corenet_tcp_connect_ipp_port(colord_t)
+
+dev_read_raw_memory(colord_t)
+dev_write_raw_memory(colord_t)
@ -20519,6 +20538,8 @@ index 0000000..0ecb72e
+dev_read_urand(colord_t)
+dev_list_sysfs(colord_t)
+dev_read_generic_usb_dev(colord_t)
+storage_read_scsi_generic(colord_t)
+storage_write_scsi_generic(colord_t)
+
+domain_use_interactive_fds(colord_t)
+
@ -20536,6 +20557,13 @@ index 0000000..0ecb72e
+')
+
+optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
+ policykit_read_reload(colord_t)
+')
+
+optional_policy(`
+ udev_read_db(colord_t)
+')
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
@ -22048,7 +22076,7 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 0d5711c..2f38c31 100644
index 0d5711c..cee56c8 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@ -22073,7 +22101,18 @@ index 0d5711c..2f38c31 100644
ubac_constrained($1_dbusd_t)
role $2 types $1_dbusd_t;
@@ -76,7 +75,7 @@ template(`dbus_role_template',`
@@ -62,8 +61,9 @@ template(`dbus_role_template',`
# Local policy
#
+ dontaudit $1_dbusd_t self:capability sys_resource;
allow $1_dbusd_t self:process { getattr sigkill signal };
- dontaudit $1_dbusd_t self:process ptrace;
+ dontaudit $1_dbusd_t self:process { ptrace setrlimit };
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
@@ -76,7 +76,7 @@ template(`dbus_role_template',`
allow $3 $1_dbusd_t:unix_stream_socket connectto;
# SE-DBus specific permissions
@ -22082,7 +22121,7 @@ index 0d5711c..2f38c31 100644
allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
@@ -88,14 +87,16 @@ template(`dbus_role_template',`
@@ -88,14 +88,16 @@ template(`dbus_role_template',`
files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
@ -22102,7 +22141,7 @@ index 0d5711c..2f38c31 100644
kernel_read_system_state($1_dbusd_t)
kernel_read_kernel_sysctls($1_dbusd_t)
@@ -116,7 +117,7 @@ template(`dbus_role_template',`
@@ -116,7 +118,7 @@ template(`dbus_role_template',`
dev_read_urand($1_dbusd_t)
@ -22111,7 +22150,7 @@ index 0d5711c..2f38c31 100644
domain_read_all_domains_state($1_dbusd_t)
files_read_etc_files($1_dbusd_t)
@@ -149,17 +150,25 @@ template(`dbus_role_template',`
@@ -149,17 +151,25 @@ template(`dbus_role_template',`
term_use_all_terms($1_dbusd_t)
@ -22139,7 +22178,7 @@ index 0d5711c..2f38c31 100644
xserver_use_xdm_fds($1_dbusd_t)
xserver_rw_xdm_pipes($1_dbusd_t)
')
@@ -181,10 +190,12 @@ interface(`dbus_system_bus_client',`
@@ -181,10 +191,12 @@ interface(`dbus_system_bus_client',`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@ -22152,7 +22191,7 @@ index 0d5711c..2f38c31 100644
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
@@ -197,6 +208,34 @@ interface(`dbus_system_bus_client',`
@@ -197,6 +209,34 @@ interface(`dbus_system_bus_client',`
#######################################
## <summary>
@ -22187,7 +22226,7 @@ index 0d5711c..2f38c31 100644
## Template for creating connections to
## a user DBUS.
## </summary>
@@ -217,6 +256,8 @@ interface(`dbus_session_bus_client',`
@@ -217,6 +257,8 @@ interface(`dbus_session_bus_client',`
# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
@ -22196,7 +22235,7 @@ index 0d5711c..2f38c31 100644
')
########################################
@@ -431,14 +472,28 @@ interface(`dbus_system_domain',`
@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@ -22226,7 +22265,7 @@ index 0d5711c..2f38c31 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
@@ -497,3 +552,23 @@ interface(`dbus_unconfined',`
@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@ -22251,17 +22290,17 @@ index 0d5711c..2f38c31 100644
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 86d09b4..1c0dd9b 100644
index 86d09b4..8e05351 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -33,6 +33,7 @@ files_tmp_file(system_dbusd_tmp_t)
type system_dbusd_var_lib_t;
files_type(system_dbusd_var_lib_t)
+init_sock_file(system_dbusd_var_lib_t)
@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
+init_sock_file(system_dbusd_var_run_t)
ifdef(`enable_mcs',`
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
@ -39577,7 +39616,7 @@ index 22adaca..d9913e0 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..f5c37de 100644
index 2dad3c8..d060ae4 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -39716,7 +39755,7 @@ index 2dad3c8..f5c37de 100644
seutil_read_config(ssh_t)
@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@ -39725,6 +39764,7 @@ index 2dad3c8..f5c37de 100644
userdom_read_user_tmp_files(ssh_t)
+userdom_write_user_tmp_files(ssh_t)
+userdom_read_user_home_content_symlinks(ssh_t)
+userdom_read_home_certs(ssh_t)
tunable_policy(`allow_ssh_keysign',`
- domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@ -39740,7 +39780,7 @@ index 2dad3c8..f5c37de 100644
')
tunable_policy(`use_nfs_home_dirs',`
@@ -196,10 +207,15 @@ tunable_policy(`user_tcp_server',`
@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',`
')
optional_policy(`
@ -39756,7 +39796,7 @@ index 2dad3c8..f5c37de 100644
##############################
#
# ssh_keysign_t local policy
@@ -209,7 +225,7 @@ tunable_policy(`allow_ssh_keysign',`
@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',`
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@ -39765,7 +39805,7 @@ index 2dad3c8..f5c37de 100644
dev_read_urand(ssh_keysign_t)
@@ -232,33 +248,43 @@ optional_policy(`
@@ -232,33 +249,43 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@ -39818,7 +39858,7 @@ index 2dad3c8..f5c37de 100644
')
optional_policy(`
@@ -266,11 +292,24 @@ optional_policy(`
@@ -266,11 +293,24 @@ optional_policy(`
')
optional_policy(`
@ -39844,7 +39884,7 @@ index 2dad3c8..f5c37de 100644
')
optional_policy(`
@@ -284,6 +323,11 @@ optional_policy(`
@@ -284,6 +324,11 @@ optional_policy(`
')
optional_policy(`
@ -39856,7 +39896,7 @@ index 2dad3c8..f5c37de 100644
unconfined_shell_domtrans(sshd_t)
')
@@ -292,26 +336,26 @@ optional_policy(`
@@ -292,26 +337,26 @@ optional_policy(`
')
ifdef(`TODO',`
@ -39902,7 +39942,7 @@ index 2dad3c8..f5c37de 100644
') dnl endif TODO
########################################
@@ -324,12 +368,15 @@ tunable_policy(`ssh_sysadm_login',`
@@ -324,12 +369,15 @@ tunable_policy(`ssh_sysadm_login',`
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@ -39919,7 +39959,7 @@ index 2dad3c8..f5c37de 100644
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
@@ -353,7 +400,7 @@ logging_send_syslog_msg(ssh_keygen_t)
@@ -353,7 +401,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@ -45028,7 +45068,7 @@ index 88df85d..2fa3974 100644
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 2952cef..4485fd5 100644
index 2952cef..d845132 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -10,6 +10,7 @@
@ -45051,12 +45091,12 @@ index 2952cef..4485fd5 100644
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
/var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 42b4f0f..e6b751b 100644
index 42b4f0f..75cee4d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -45124,15 +45164,16 @@ index 42b4f0f..e6b751b 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',`
@@ -141,6 +158,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
+ auth_manage_faillog($1)
+ auth_manage_pam_pid($1)
auth_use_pam($1)
init_rw_utmp($1)
@@ -151,8 +169,45 @@ interface(`auth_login_pgm_domain',`
@@ -151,8 +170,45 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@ -45180,7 +45221,7 @@ index 42b4f0f..e6b751b 100644
')
')
@@ -365,13 +420,15 @@ interface(`auth_domtrans_chk_passwd',`
@@ -365,13 +421,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@ -45197,7 +45238,7 @@ index 42b4f0f..e6b751b 100644
')
########################################
@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',`
@@ -418,6 +476,7 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@ -45205,7 +45246,7 @@ index 42b4f0f..e6b751b 100644
')
########################################
@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',`
@@ -694,7 +753,7 @@ interface(`auth_relabel_shadow',`
')
files_search_etc($1)
@ -45214,7 +45255,7 @@ index 42b4f0f..e6b751b 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -736,6 +794,43 @@ interface(`auth_rw_faillog',`
@@ -736,6 +795,45 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
@ -45252,13 +45293,15 @@ index 42b4f0f..e6b751b 100644
+ ')
+
+ logging_search_logs($1)
+ files_search_pids($1)
+ allow $1 faillog_t:dir manage_dir_perms;
+ allow $1 faillog_t:file manage_file_perms;
+')
+
#######################################
## <summary>
## Read the last logins log.
@@ -874,6 +969,46 @@ interface(`auth_exec_pam',`
@@ -874,6 +972,46 @@ interface(`auth_exec_pam',`
########################################
## <summary>
@ -45305,7 +45348,7 @@ index 42b4f0f..e6b751b 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
## </summary>
@@ -896,6 +1031,26 @@ interface(`auth_manage_var_auth',`
@@ -896,6 +1034,26 @@ interface(`auth_manage_var_auth',`
########################################
## <summary>
@ -45332,7 +45375,7 @@ index 42b4f0f..e6b751b 100644
## Read PAM PID files.
## </summary>
## <param name="domain">
@@ -1093,6 +1248,24 @@ interface(`auth_delete_pam_console_data',`
@@ -1093,6 +1251,24 @@ interface(`auth_delete_pam_console_data',`
########################################
## <summary>
@ -45357,7 +45400,7 @@ index 42b4f0f..e6b751b 100644
## Read all directories on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
@@ -1326,6 +1499,25 @@ interface(`auth_setattr_login_records',`
@@ -1326,6 +1502,25 @@ interface(`auth_setattr_login_records',`
########################################
## <summary>
@ -45383,7 +45426,7 @@ index 42b4f0f..e6b751b 100644
## Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
@@ -1500,28 +1695,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@ -45427,7 +45470,7 @@ index 42b4f0f..e6b751b 100644
optional_policy(`
kerberos_use($1)
')
@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
@@ -1531,7 +1734,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@ -51291,10 +51334,10 @@ index 0000000..1d17a7b
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..23d4b0c
index 0000000..17f7ea8
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,138 @@
@@ -0,0 +1,144 @@
+
+policy_module(systemd, 1.0.0)
+
@ -51397,6 +51440,11 @@ index 0000000..23d4b0c
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+mcs_file_read_all(systemd_tmpfiles_t)
+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
+logging_create_devlog_dev(systemd_tmpfiles_t)
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
@ -51409,6 +51457,7 @@ index 0000000..23d4b0c
+')
+
+optional_policy(`
+ rpm_read_db(systemd_tmpfiles_t)
+ rpm_delete_db(systemd_tmpfiles_t)
+')
+

View File

@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -472,6 +472,13 @@ exit 0
%endif
%changelog
* Thu Mar 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-2
- Add policykit fixes from Tim Waugh
- dontaudit sandbox domains sandbox_file_t:dir mounton
- Add new dontaudit rules for sysadm_dbusd_t
- Change label for /var/run/faillock
* other fixes which relate with this change
* Tue Mar 8 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-1
- Update to upstream
- Fixes for telepathy