This commit is contained in:
Dan Walsh 2010-11-02 17:07:21 -04:00
parent 9754f472c7
commit 9896599663
2 changed files with 156 additions and 72 deletions


@ -34897,14 +34897,16 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 2124b6a..be4b00f 100644
index 2124b6a..6546d6e 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,3 +1,4 @@
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
@@ -1,4 +1,5 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@ -35196,10 +35198,10 @@ index 7c5d8d8..dbdc0e0 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..62e349a 100644
index 3eca020..500f8e9 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0)
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
# Declarations
#
@ -35287,7 +35289,12 @@ index 3eca020..62e349a 100644
type virt_etc_t;
files_config_file(virt_etc_t)
@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
+type virt_home_t;
+userdom_user_home_content(virt_home_t)
+
# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
@ -35314,7 +35321,7 @@ index 3eca020..62e349a 100644
type virtd_t;
type virtd_exec_t;
@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t)
@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@ -35326,7 +35333,7 @@ index 3eca020..62e349a 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
@@ -104,15 +123,12 @@ ifdef(`enable_mls',`
@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@ -35343,7 +35350,15 @@ index 3eca020..62e349a 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',`
@@ -133,6 +152,7 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
+append_files_pattern(svirt_t, virt_home_t, virt_home_t)
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
@@ -147,11 +167,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@ -35359,7 +35374,7 @@ index 3eca020..62e349a 100644
')
tunable_policy(`virt_use_sysfs',`
@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',`
@@ -160,11 +184,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@ -35382,7 +35397,7 @@ index 3eca020..62e349a 100644
xen_rw_image_files(svirt_t)
')
@@ -174,22 +205,28 @@ optional_policy(`
@@ -174,22 +209,28 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@ -35415,7 +35430,7 @@ index 3eca020..62e349a 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -35432,7 +35447,7 @@ index 3eca020..62e349a 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@ -35440,7 +35455,7 @@ index 3eca020..62e349a 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
@@ -243,18 +287,27 @@ dev_read_rand(virtd_t)
@@ -243,18 +291,27 @@ dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@ -35469,7 +35484,7 @@ index 3eca020..62e349a 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t)
@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@ -35488,14 +35503,14 @@ index 3eca020..62e349a 100644
mcs_process_set_categories(virtd_t)
@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t)
@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
+selinux_validate_context(virtd_t)
+
+selinux_validate_context(virtd_t)
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@ -35510,12 +35525,16 @@ index 3eca020..62e349a 100644
userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+
+consoletype_exec(virtd_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
@@ -365,6 +440,8 @@ optional_policy(`
@@ -365,6 +448,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@ -35524,7 +35543,7 @@ index 3eca020..62e349a 100644
')
optional_policy(`
@@ -396,12 +473,25 @@ optional_policy(`
@@ -396,12 +481,25 @@ optional_policy(`
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
@ -35551,7 +35570,7 @@ index 3eca020..62e349a 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain)
@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@ -35559,7 +35578,7 @@ index 3eca020..62e349a 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
@@ -429,10 +520,12 @@ dev_write_sound(virt_domain)
@@ -429,10 +528,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@ -35572,7 +35591,7 @@ index 3eca020..62e349a 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
@@ -440,6 +533,11 @@ files_search_all(virt_domain)
@@ -440,6 +541,11 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@ -35584,7 +35603,7 @@ index 3eca020..62e349a 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
@@ -457,8 +555,117 @@ optional_policy(`
@@ -457,8 +563,117 @@ optional_policy(`
')
optional_policy(`
@ -36110,7 +36129,7 @@ index 6f1e3c7..6a160b2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..0ad10f7 100644
index da2601a..19018ae 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -36584,7 +36603,7 @@ index da2601a..0ad10f7 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',`
@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
## <summary>
@ -36596,6 +36615,24 @@ index da2601a..0ad10f7 100644
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow initrc_t initrc_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete xdm temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_manage_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
@ -36609,7 +36646,7 @@ index da2601a..0ad10f7 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
## </summary>
@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@ -36618,7 +36655,7 @@ index da2601a..0ad10f7 100644
')
########################################
@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',`
@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@ -36630,7 +36667,7 @@ index da2601a..0ad10f7 100644
')
########################################
@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',`
@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@ -36638,7 +36675,7 @@ index da2601a..0ad10f7 100644
')
########################################
@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',`
@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',`
## <summary>
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@ -36647,7 +36684,7 @@ index da2601a..0ad10f7 100644
## </summary>
## <param name="domain">
## <summary>
@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',`
@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@ -36672,7 +36709,7 @@ index da2601a..0ad10f7 100644
')
########################################
@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',`
@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@ -39676,7 +39713,7 @@ index df3fa64..73dc579 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a105fd..fc65044 100644
index 8a105fd..08817a8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -39906,7 +39943,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -199,10 +321,23 @@ optional_policy(`
@@ -199,10 +321,25 @@ optional_policy(`
')
optional_policy(`
@ -39923,14 +39960,16 @@ index 8a105fd..fc65044 100644
+')
+
+optional_policy(`
+ xserver_relabel_xdm_tmp_dirs(init_t)
+ xserver_manage_xdm_tmp_dirs(init_t)
+ xserver_setattr_xdm_tmp_dirs(initrc_t)
+')
+
+optional_policy(`
unconfined_domain(init_t)
')
@@ -212,7 +347,7 @@ optional_policy(`
@@ -212,7 +349,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -39939,7 +39978,7 @@ index 8a105fd..fc65044 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
@@ -241,12 +378,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -39947,7 +39986,14 @@ index 8a105fd..fc65044 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
init_write_initctl(initrc_t)
@@ -258,11 +397,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -39971,7 +40017,7 @@ index 8a105fd..fc65044 100644
corecmd_exec_all_executables(initrc_t)
@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t)
@@ -291,6 +442,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@ -39979,7 +40025,7 @@ index 8a105fd..fc65044 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t)
@@ -298,13 +450,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -39995,7 +40041,7 @@ index 8a105fd..fc65044 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t)
@@ -323,8 +475,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -40007,7 +40053,7 @@ index 8a105fd..fc65044 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t)
@@ -340,8 +494,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -40021,7 +40067,7 @@ index 8a105fd..fc65044 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t)
@@ -351,6 +509,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -40030,7 +40076,7 @@ index 8a105fd..fc65044 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t)
@@ -363,6 +523,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -40038,7 +40084,7 @@ index 8a105fd..fc65044 100644
selinux_get_enforce_mode(initrc_t)
@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t)
@@ -380,6 +541,7 @@ auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
@ -40046,7 +40092,7 @@ index 8a105fd..fc65044 100644
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t)
@@ -394,13 +556,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@ -40062,7 +40108,7 @@ index 8a105fd..fc65044 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -473,7 +633,7 @@ ifdef(`distro_redhat',`
@@ -473,7 +636,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -40071,7 +40117,7 @@ index 8a105fd..fc65044 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -519,6 +679,19 @@ ifdef(`distro_redhat',`
@@ -519,6 +682,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@ -40091,7 +40137,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -526,10 +699,17 @@ ifdef(`distro_redhat',`
@@ -526,10 +702,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -40109,7 +40155,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -544,6 +724,35 @@ ifdef(`distro_suse',`
@@ -544,6 +727,35 @@ ifdef(`distro_suse',`
')
')
@ -40145,7 +40191,7 @@ index 8a105fd..fc65044 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -556,6 +765,8 @@ optional_policy(`
@@ -556,6 +768,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -40154,7 +40200,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -572,6 +783,7 @@ optional_policy(`
@@ -572,6 +786,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -40162,7 +40208,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -584,6 +796,11 @@ optional_policy(`
@@ -584,6 +799,11 @@ optional_policy(`
')
optional_policy(`
@ -40174,7 +40220,7 @@ index 8a105fd..fc65044 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -600,6 +817,9 @@ optional_policy(`
@@ -600,9 +820,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -40184,7 +40230,11 @@ index 8a105fd..fc65044 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
@@ -701,7 +921,13 @@ optional_policy(`
+ consolekit_manage_log(initrc_t)
')
optional_policy(`
@@ -701,7 +925,13 @@ optional_policy(`
')
optional_policy(`
@ -40198,7 +40248,7 @@ index 8a105fd..fc65044 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -724,6 +950,10 @@ optional_policy(`
@@ -724,6 +954,10 @@ optional_policy(`
')
optional_policy(`
@ -40209,7 +40259,7 @@ index 8a105fd..fc65044 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -745,6 +975,10 @@ optional_policy(`
@@ -745,6 +979,10 @@ optional_policy(`
')
optional_policy(`
@ -40220,7 +40270,7 @@ index 8a105fd..fc65044 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -766,8 +1000,6 @@ optional_policy(`
@@ -766,8 +1004,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -40229,7 +40279,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -776,14 +1008,21 @@ optional_policy(`
@@ -776,14 +1012,21 @@ optional_policy(`
')
optional_policy(`
@ -40251,7 +40301,7 @@ index 8a105fd..fc65044 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -805,11 +1044,19 @@ optional_policy(`
@@ -805,11 +1048,19 @@ optional_policy(`
')
optional_policy(`
@ -40272,7 +40322,7 @@ index 8a105fd..fc65044 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -819,6 +1066,25 @@ optional_policy(`
@@ -819,6 +1070,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -40298,7 +40348,7 @@ index 8a105fd..fc65044 100644
')
optional_policy(`
@@ -844,3 +1110,59 @@ optional_policy(`
@@ -844,3 +1114,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -44162,7 +44212,7 @@ index 0291685..44fe366 100644
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..65971f9 100644
index 025348a..cea695c 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@ -44183,7 +44233,22 @@ index 025348a..65971f9 100644
')
########################################
@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',`
@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
interface(`udev_read_db',`
gen_require(`
type udev_tbl_t;
+ type device_t;
')
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:dir list_dir_perms;
read_files_pattern($1, udev_tbl_t, udev_tbl_t)
read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ allow $1 device_t:file read_file_perms;
')
########################################
@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
@ -44221,7 +44286,7 @@ index 025348a..65971f9 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a054cf5..f24ab6b 100644
index a054cf5..4fc2837 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@ -44242,7 +44307,15 @@ index a054cf5..f24ab6b 100644
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -87,6 +89,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
+kernel_stream_connect(udev_t)
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
@@ -111,15 +114,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@ -44264,7 +44337,15 @@ index a054cf5..f24ab6b 100644
mcs_ptrace_all(udev_t)
@@ -186,6 +193,7 @@ ifdef(`distro_redhat',`
@@ -143,6 +151,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
+init_stream_connect(udev_t)
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
@@ -186,6 +195,7 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@ -44272,7 +44353,7 @@ index a054cf5..f24ab6b 100644
term_search_ptys(udev_t)
@@ -216,11 +224,16 @@ optional_policy(`
@@ -216,11 +226,16 @@ optional_policy(`
')
optional_policy(`
@ -44289,7 +44370,7 @@ index a054cf5..f24ab6b 100644
')
optional_policy(`
@@ -233,6 +246,10 @@ optional_policy(`
@@ -233,6 +248,10 @@ optional_policy(`
')
optional_policy(`
@ -44300,7 +44381,7 @@ index a054cf5..f24ab6b 100644
lvm_domtrans(udev_t)
')
@@ -259,6 +276,10 @@ optional_policy(`
@@ -259,6 +278,10 @@ optional_policy(`
')
optional_policy(`
@ -44311,7 +44392,7 @@ index a054cf5..f24ab6b 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -273,6 +294,11 @@ optional_policy(`
@@ -273,6 +296,11 @@ optional_policy(`
')
optional_policy(`
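Review bot: The new `xserver_relabel_xdm_tmp_dirs` interface added to xserver.if never uses its parameter: its `gen_require` declares only `xdm_tmp_t`, yet the sole rule is `allow initrc_t initrc_tmp_t:dir relabel_dir_perms;`, so the interface hard-codes a subject and object it does not require and grants nothing on `xdm_tmp_t` to the caller. In a modular build this presumably fails to link because `initrc_t`/`initrc_tmp_t` are not in scope for the xserver module, and in a monolithic build it silently grants initrc_t relabel rights on its own tmp dirs regardless of who calls the interface, while `xserver_relabel_xdm_tmp_dirs(init_t)` in init.te gets no access at all. The body should be `allow $1 xdm_tmp_t:dir relabel_dir_perms;`; the `allow initrc_t initrc_tmp_t:dir relabelfrom;` added directly in init.te looks like the intended other half of that relabel and belongs there. The same init.te hunk also calls `xserver_setattr_xdm_tmp_dirs(initrc_t)`, for which no definition appears in this diff — confirm it exists in xserver.if, otherwise the build breaks on this commit.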


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
Release: 8%{?dist}
Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -470,6 +470,9 @@ exit 0
%endif
%changelog
* Tue Nov 2 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-9
-
* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-8
- Allow NetworkManager to read openvpn_etc_t
- Dontaudit hplip to write of /usr dirs