rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fixes for svirt

Browse Source
This commit is contained in:
Daniel J Walsh 2009-03-27 18:37:18 +00:00
parent cb51c2687c
commit 9da6c9c025
1 changed files with 88 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
policy-20090105.patch
View File

@ -1536,6 +1536,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_write_pid(vbetool_t) + xserver_write_pid(vbetool_t)
+') +')
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.10/policy/modules/apps/awstats.te
--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/apps/awstats.te 2009-03-27 09:09:07.000000000 -0400
@@ -51,6 +51,8 @@
libs_read_lib_files(awstats_t)
+logging_read_generic_logs(awstats_t)
+
miscfiles_read_localization(awstats_t)
sysnet_dns_name_resolve(awstats_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.fc serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc
--- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/cdrecord.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/apps/cdrecord.fc 2009-03-24 09:03:48.000000000 -0400
@ -4771,7 +4783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>> /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.10/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-26 21:12:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/kernel/files.if 2009-03-27 09:36:29.000000000 -0400
@@ -110,6 +110,11 @@ @@ -110,6 +110,11 @@
## </param> ## </param>
# #
@ -5121,8 +5133,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.10/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/kernel/filesystem.if 2009-03-27 13:53:56.000000000 -0400
@@ -754,6 +754,7 @@ @@ -723,6 +723,24 @@
########################################
## <summary>
+## Dont audit attempts to write to all noxattrfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ dontaudit $1 noxattrfs:file write;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete all noxattrfs directories.
## </summary>
## <param name="domain">
@@ -754,6 +772,7 @@
attribute noxattrfs; attribute noxattrfs;
') ')
@ -5130,7 +5167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, noxattrfs, noxattrfs) read_files_pattern($1, noxattrfs, noxattrfs)
') ')
@@ -2173,6 +2174,7 @@ @@ -2173,6 +2192,7 @@
type removable_t; type removable_t;
') ')
@ -5138,7 +5175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_blk_files_pattern($1, removable_t, removable_t) rw_blk_files_pattern($1, removable_t, removable_t)
') ')
@@ -3322,6 +3324,7 @@ @@ -3322,6 +3342,7 @@
type tmpfs_t; type tmpfs_t;
') ')
@ -5146,7 +5183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit $1 tmpfs_t:file rw_file_perms; dontaudit $1 tmpfs_t:file rw_file_perms;
') ')
@@ -3643,6 +3646,7 @@ @@ -3643,6 +3664,7 @@
') ')
allow $1 filesystem_type:filesystem getattr; allow $1 filesystem_type:filesystem getattr;
@ -8278,6 +8315,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.6.10/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/bitlbee.te 2009-03-27 10:19:31.000000000 -0400
@@ -75,6 +75,8 @@
# grant read-only access to the user help files
files_read_usr_files(bitlbee_t)
+kernel_read_system_state(bitlbee_t)
+
libs_legacy_use_shared_libs(bitlbee_t)
miscfiles_read_localization(bitlbee_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.10/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/certmaster.fc 2009-03-24 09:03:48.000000000 -0400
@ -10570,6 +10619,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg; +allow session_bus_type dbusd_unconfined:dbus send_msg;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.fc serefpolicy-3.6.10/policy/modules/services/dcc.fc
--- nsaserefpolicy/policy/modules/services/dcc.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/dcc.fc 2009-03-27 08:55:46.000000000 -0400
@@ -11,6 +11,7 @@
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.10/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dcc.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/dcc.te 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/dcc.te 2009-03-24 09:03:48.000000000 -0400
@ -12833,8 +12893,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.10/policy/modules/services/lircd.te
--- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/lircd.te 2009-03-27 09:36:23.000000000 -0400
@@ -0,0 +1,51 @@ @@ -0,0 +1,55 @@
+policy_module(lircd,1.0.0) +policy_module(lircd,1.0.0)
+ +
+######################################## +########################################
@ -12883,8 +12943,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+logging_send_syslog_msg(lircd_t) +logging_send_syslog_msg(lircd_t)
+ +
+miscfiles_read_localization(lircd_t) +files_read_etc_files(lircd_t)
+files_list_var(lircd_t)
+files_manage_generic_locks(lircd_t)
+files_read_all_locks(lircd_t)
+ +
+miscfiles_read_localization(lircd_t)
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.10/policy/modules/services/mailman.fc
--- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400
@ -13062,7 +13126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#') -#')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-27 09:50:44.000000000 -0400
@@ -130,6 +130,15 @@ @@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t) sendmail_create_log($1_mail_t)
') ')
@ -13130,6 +13194,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
') ')
@@ -806,6 +818,7 @@
')
files_search_spool($1)
+ manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-24 09:03:48.000000000 -0400
@ -21169,7 +21241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.10/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/virt.if 2009-03-27 13:53:49.000000000 -0400
@@ -2,28 +2,6 @@ @@ -2,28 +2,6 @@
######################################## ########################################
@ -21264,7 +21336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate ## All of the rules required to administrate
## an virt environment ## an virt environment
## </summary> ## </summary>
@@ -327,3 +341,50 @@ @@ -327,3 +341,53 @@
virt_manage_log($1) virt_manage_log($1)
') ')
@ -21310,6 +21382,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+ fs_getattr_tmpfs($1_t) + fs_getattr_tmpfs($1_t)
+ +
+ fs_read_noxattr_fs_files($1_t)
+ fs_dontaudit_write_noxattr_fs_files($1_t)
+
+ optional_policy(` + optional_policy(`
+ xserver_common_app($1_t) + xserver_common_app($1_t)
+ ') + ')
@ -24700,7 +24775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.10/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/system/logging.if 2009-03-27 09:08:50.000000000 -0400
@@ -623,7 +623,7 @@ @@ -623,7 +623,7 @@
') ')