- Allow gpg to read fips_enabled

- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanlock transition to fenced_t
- bitlbee wants to read own log file
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
This commit is contained in:
Miroslav Grepl 2013-02-08 14:01:21 +01:00
parent d4e203ba2f
commit ad094338a5
3 changed files with 176 additions and 79 deletions


@ -235863,10 +235863,10 @@ index 0000000..a4b0917
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..9b74225
index 0000000..1131866
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,612 @@
@@ -0,0 +1,616 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -236474,10 +236474,14 @@ index 0000000..9b74225
+
+files_read_system_conf_files(systemd_sysctl_t)
+
+dev_write_kmsg(systemd_sysctl_t)
+
+domain_use_interactive_fds(systemd_sysctl_t)
+
+files_read_etc_files(systemd_sysctl_t)
+
+init_stream_connect(systemd_sysctl_t)
+
+logging_stream_connect_syslog(systemd_sysctl_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..49fd32e 100644


@ -8023,7 +8023,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
index ac8c91e..a63f4c2 100644
index ac8c91e..80ecd7e 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@ -8041,7 +8041,15 @@ index ac8c91e..a63f4c2 100644
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
@ -8051,7 +8059,7 @@ index ac8c91e..a63f4c2 100644
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
@ -23395,7 +23403,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
index e0a4f46..be03e22 100644
index e0a4f46..70277e8 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@ -23421,7 +23429,15 @@ index e0a4f46..be03e22 100644
init_daemon_domain(glance_api_t, glance_api_exec_t)
type glance_api_initrc_exec_t;
@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
# Common local policy
#
+allow glance_domain self:process signal_perms;
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@ -23432,7 +23448,7 @@ index e0a4f46..be03e22 100644
corenet_tcp_sendrecv_generic_if(glance_domain)
corenet_tcp_sendrecv_generic_node(glance_domain)
corenet_tcp_sendrecv_all_ports(glance_domain)
@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain)
@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
@ -23447,7 +23463,7 @@ index e0a4f46..be03e22 100644
sysnet_dns_name_resolve(glance_domain)
########################################
@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@ -23463,7 +23479,7 @@ index e0a4f46..be03e22 100644
logging_send_syslog_msg(glance_registry_t)
@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@ -26764,7 +26780,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
index 44cf341..c47fa5f 100644
index 44cf341..8424d09 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@ -26836,7 +26852,7 @@ index 44cf341..c47fa5f 100644
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
@@ -52,112 +52,115 @@ type gpg_helper_t;
@@ -52,112 +52,116 @@ type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
@ -26912,6 +26928,7 @@ index 44cf341..c47fa5f 100644
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
kernel_read_sysctl(gpg_t)
+kernel_read_system_state(gpg_t)
+kernel_getattr_core_if(gpg_t)
corecmd_exec_shell(gpg_t)
@ -27000,7 +27017,7 @@ index 44cf341..c47fa5f 100644
')
optional_policy(`
@@ -165,37 +168,51 @@ optional_policy(`
@@ -165,37 +169,51 @@ optional_policy(`
')
optional_policy(`
@ -27063,7 +27080,7 @@ index 44cf341..c47fa5f 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
@@ -207,29 +224,35 @@ tunable_policy(`use_samba_home_dirs',`
@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
@ -27105,7 +27122,7 @@ index 44cf341..c47fa5f 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
@@ -239,31 +262,30 @@ domain_use_interactive_fds(gpg_agent_t)
@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@ -27148,7 +27165,7 @@ index 44cf341..c47fa5f 100644
')
optional_policy(`
@@ -277,8 +299,17 @@ optional_policy(`
@@ -277,8 +300,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@ -27167,7 +27184,7 @@ index 44cf341..c47fa5f 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
@@ -287,53 +318,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@ -45643,10 +45660,10 @@ index f5d145d..97e1148 100644
+ virt_ptrace(numad_t)
+')
diff --git a/nut.fc b/nut.fc
index 379af96..371119d 100644
index 379af96..41ff159 100644
--- a/nut.fc
+++ b/nut.fc
@@ -1,23 +1,13 @@
@@ -1,23 +1,16 @@
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
@ -45657,14 +45674,16 @@ index 379af96..371119d 100644
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
-
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
@ -45676,29 +45695,35 @@ index 379af96..371119d 100644
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
diff --git a/nut.if b/nut.if
index 57c0161..56660c5 100644
index 57c0161..d5ad79d 100644
--- a/nut.if
+++ b/nut.if
@@ -1,39 +1 @@
@@ -1,39 +1,25 @@
-## <summary>Network UPS Tools </summary>
-
+## <summary>nut - Network UPS Tools </summary>
-########################################
-## <summary>
+#######################################
## <summary>
-## All of the rules required to
-## administrate an nut environment.
-## </summary>
-## <param name="domain">
+## Execute swift server in the swift domain.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
+## <summary>
+## Domain allowed to transition.
+## </summary>
## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
#
-interface(`nut_admin',`
- gen_require(`
- attribute nut_domain;
@ -45712,19 +45737,28 @@ index 57c0161..56660c5 100644
- domain_system_change_exemption($1)
- role_transition $2 nut_initrc_exec_t system_r;
- allow $2 system_r;
-
+interface(`nut_systemctl',`
+ gen_require(`
+ type nut_t;
+ type nut_unit_file_t;
+ ')
- files_search_etc($1)
- admin_pattern($1, nut_conf_t)
-
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 nut_unit_file_t:file read_file_perms;
+ allow $1 nut_unit_file_t:service manage_service_perms;
- files_search_pids($1)
- admin_pattern($1, nut_var_run_t)
-')
+## <summary>nut - Network UPS Tools </summary>
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
index 0c9deb7..87c7eb7 100644
index 0c9deb7..dbc52a1 100644
--- a/nut.te
+++ b/nut.te
@@ -1,121 +1,105 @@
@@ -1,121 +1,108 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
@ -45759,6 +45793,9 @@ index 0c9deb7..87c7eb7 100644
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
+
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
########################################
#
@ -45774,20 +45811,20 @@ index 0c9deb7..87c7eb7 100644
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+allow nut_upsd_t self:capability { setgid setuid dac_override };
+allow nut_upsd_t self:process signal_perms;
-kernel_read_kernel_sysctls(nut_domain)
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-logging_send_syslog_msg(nut_domain)
-kernel_read_kernel_sysctls(nut_domain)
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
-
-########################################
@ -45803,18 +45840,18 @@ index 0c9deb7..87c7eb7 100644
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
-
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
+kernel_read_kernel_sysctls(nut_upsd_t)
-
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
-
@ -45842,9 +45879,9 @@ index 0c9deb7..87c7eb7 100644
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
@ -45889,7 +45926,7 @@ index 0c9deb7..87c7eb7 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
@@ -124,14 +108,27 @@ optional_policy(`
@@ -124,14 +111,27 @@ optional_policy(`
########################################
#
@ -45919,7 +45956,7 @@ index 0c9deb7..87c7eb7 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
@ -47570,7 +47607,7 @@ index 0000000..1a26cd5
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
index 0000000..4bc6574
index 0000000..b89f7fc
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,463 @@
@ -47970,7 +48007,7 @@ index 0000000..4bc6574
+#
+# openshift_cron local policy
+#
+allow openshift_cron_t self:capability net_admin;
+allow openshift_cron_t self:capability { net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
@ -48762,7 +48799,7 @@ index 9682d9a..d47f913 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
index 3dd8ada..9683812 100644
index 3dd8ada..993c92c 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
@ -48839,7 +48876,7 @@ index 3dd8ada..9683812 100644
files_read_kernel_symbol_table(pacemaker_t)
fs_getattr_all_fs(pacemaker_t)
@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t)
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
logging_send_syslog_msg(pacemaker_t)
@ -48855,8 +48892,12 @@ index 3dd8ada..9683812 100644
+ corosync_setattr_log(pacemaker_t)
corosync_stream_connect(pacemaker_t)
+ corosync_rw_tmpfs(pacemaker_t)
')
+')
+
+optional_policy(`
+ #executes heartbeat lib files
+ rgmanager_execute_lib(pacemaker_t)
')
diff --git a/pads.if b/pads.if
index 6e097c9..503c97a 100644
--- a/pads.if
@ -62321,12 +62362,14 @@ index f1512d6..93f1ee6 100644
userdom_dontaudit_search_user_home_dirs(readahead_t)
diff --git a/realmd.fc b/realmd.fc
index 04babe3..3c24ce4 100644
index 04babe3..02a1f34 100644
--- a/realmd.fc
+++ b/realmd.fc
@@ -1 +1 @@
@@ -1 +1,3 @@
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
+
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
diff --git a/realmd.if b/realmd.if
index bff31df..e38693b 100644
--- a/realmd.if
@ -62344,7 +62387,7 @@ index bff31df..e38693b 100644
## <param name="domain">
## <summary>
diff --git a/realmd.te b/realmd.te
index 9a8f052..5372646 100644
index 9a8f052..ecd8eaf 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@ -62353,13 +62396,16 @@ index 9a8f052..5372646 100644
########################################
#
@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2)
@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
-init_system_domain(realmd_t, realmd_exec_t)
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
########################################
#
@ -62368,7 +62414,13 @@ index 9a8f052..5372646 100644
#
allow realmd_t self:capability sys_nice;
@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t)
allow realmd_t self:process setsched;
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
kernel_read_system_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
@ -62408,7 +62460,7 @@ index 9a8f052..5372646 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
@@ -67,17 +70,21 @@ optional_policy(`
@@ -67,17 +76,21 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@ -62433,7 +62485,7 @@ index 9a8f052..5372646 100644
')
optional_policy(`
@@ -86,5 +93,9 @@ optional_policy(`
@@ -86,5 +99,9 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@ -62698,7 +62750,7 @@ index 5421af0..91e69b8 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
index 1c2f9aa..5bd6fdb 100644
index 1c2f9aa..7d70a46 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
@ -62801,7 +62853,7 @@ index 1c2f9aa..5bd6fdb 100644
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
@@ -121,3 +139,27 @@ interface(`rgmanager_admin',`
@@ -121,3 +139,47 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
@ -62829,6 +62881,26 @@ index 1c2f9aa..5bd6fdb 100644
+ files_list_pids($1)
+ admin_pattern($1, rgmanager_var_run_t)
+')
+
+######################################
+## <summary>
+## Allow the specified domain to execute rgmanager's lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_execute_lib',`
+ gen_require(`
+ type rgmanager_var_lib_t;
+ ')
+
+ files_list_var_lib($1)
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
diff --git a/rgmanager.te b/rgmanager.te
index b418d1c..1ad9c12 100644
--- a/rgmanager.te
@ -63054,15 +63126,16 @@ index b418d1c..1ad9c12 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
index 47de2d6..977f2eb 100644
index 47de2d6..d022603 100644
--- a/rhcs.fc
+++ b/rhcs.fc
@@ -1,31 +1,30 @@
@@ -1,31 +1,31 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
@ -71365,7 +71438,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
index a34eac4..4f4eaf4 100644
index a34eac4..114c9d2 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@ -71460,7 +71533,7 @@ index a34eac4..4f4eaf4 100644
auth_use_nsswitch(sanlock_t)
init_read_utmp(sanlock_t)
@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t)
@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
logging_send_syslog_msg(sanlock_t)
@ -71492,10 +71565,14 @@ index a34eac4..4f4eaf4 100644
+ fs_manage_cifs_files(sanlock_t)
+ fs_manage_cifs_named_sockets(sanlock_t)
+ fs_read_cifs_symlinks(sanlock_t)
+')
+
+optional_policy(`
+ rhcs_domtrans_fenced(sanlock_t)
')
optional_policy(`
@@ -100,7 +113,7 @@ optional_policy(`
@@ -100,7 +117,7 @@ optional_policy(`
')
optional_policy(`
@ -87038,7 +87115,7 @@ index f93558c..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
index ed40676..8042769 100644
index ed40676..0706207 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@ -87360,7 +87437,12 @@ index ed40676..8042769 100644
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t)
@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_request_load_module(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@ -87424,7 +87506,7 @@ index ed40676..8042769 100644
storage_read_scsi_generic(xend_t)
@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t)
@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@ -87434,7 +87516,7 @@ index ed40676..8042769 100644
miscfiles_read_hwdata(xend_t)
sysnet_domtrans_dhcpc(xend_t)
@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t)
@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
userdom_dontaudit_search_user_home_dirs(xend_t)
@ -87459,7 +87541,7 @@ index ed40676..8042769 100644
optional_policy(`
brctl_domtrans(xend_t)
@@ -342,7 +356,7 @@ optional_policy(`
@@ -342,7 +357,7 @@ optional_policy(`
mount_domtrans(xend_t)
')
@ -87468,7 +87550,7 @@ index ed40676..8042769 100644
netutils_domtrans(xend_t)
')
@@ -351,6 +365,7 @@ optional_policy(`
@@ -351,6 +366,7 @@ optional_policy(`
')
optional_policy(`
@ -87476,7 +87558,7 @@ index ed40676..8042769 100644
virt_search_images(xend_t)
virt_read_config(xend_t)
')
@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit;
@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@ -87492,7 +87574,7 @@ index ed40676..8042769 100644
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t)
@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@ -87503,7 +87585,7 @@ index ed40676..8042769 100644
fs_list_tmpfs(xenconsoled_t)
fs_manage_xenfs_dirs(xenconsoled_t)
@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t)
@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
term_create_pty(xenconsoled_t, xen_devpts_t)
term_use_generic_ptys(xenconsoled_t)
@ -87521,7 +87603,7 @@ index ed40676..8042769 100644
xen_stream_connect_xenstore(xenconsoled_t)
optional_policy(`
@@ -416,24 +421,26 @@ optional_policy(`
@@ -416,24 +422,26 @@ optional_policy(`
#
allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
@ -87552,7 +87634,7 @@ index ed40676..8042769 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t)
@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
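Review bot: The new `nut_systemctl` interface in the nut.if hunk still carries text copied from the swift policy: its summary reads `## Execute swift server in the swift domain.` and its body ends with `ps_process_pattern($1, swift_t)`, while the gen_require block only declares `nut_t` and `nut_unit_file_t`, so expanding this interface in a module that does not itself require swift_t will fail to build and the rule does nothing for nut in any case. The summary should describe the nut access (`## Execute nut server in the nut domain.` or similar), the pattern should use the type the interface actually requires, `ps_process_pattern($1, nut_t)`, and the stray `## <summary>nut - Network UPS Tools </summary>` line inside the interface body belongs only at the top of the file. No `type nut_t;` declaration is visible in the nut.te hunks on this page (they declare nut_upsd_t, nut_upsmon_t and nut_upsdrvctl_t), so the gen_require may need one of those instead; worth confirming against the full nut.te. Because this page shows a patch-to-a-patch with the outer markers lost, which of these lines are new in this commit cannot be fully recovered here.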


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Feb 8 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-11
- Allow gpg to read fips_enabled
- Add support for /var/cache/realmd
- Add support for /usr/sbin/blazer_usb and systemd support for nut
- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t
- bitlbee wants to read own log file
- Allow glance domain to send a signal itself
- Allow xend_t to request that the kernel load a kernel module
- Allow pacemaker to execute heartbeat lib files
- cleanup new swift policy
* Tue Feb 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-10
- Fix smartmontools
- Fix userdom_restricted_xwindows_user_template() interface