From ad094338a54fd24bf72ea5106021b3c895c328c1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 8 Feb 2013 14:01:21 +0100 Subject: [PATCH] - Allow gpg to read fips_enabled - Add support for /var/cache/realmd - Add support for /usr/sbin/blazer_usb and systemd support for nut - Add labeling for fenced_sanlock and allow sanclok transition to fen - bitlbee wants to read own log file - Allow glance domain to send a signal itself - Allow xend_t to request that the kernel load a kernel module - Allow pacemaker to execute heartbeat lib files - cleanup new swift policy --- policy-rawhide-base.patch | 8 +- policy-rawhide-contrib.patch | 234 +++++++++++++++++++++++------------ selinux-policy.spec | 13 +- 3 files changed, 176 insertions(+), 79 deletions(-) diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index fe459955..b147456c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -235863,10 +235863,10 @@ index 0000000..a4b0917 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..9b74225 +index 0000000..1131866 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,612 @@ +@@ -0,0 +1,616 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -236474,10 +236474,14 @@ index 0000000..9b74225 + +files_read_system_conf_files(systemd_sysctl_t) + ++dev_write_kmsg(systemd_sysctl_t) ++ +domain_use_interactive_fds(systemd_sysctl_t) + +files_read_etc_files(systemd_sysctl_t) + ++init_stream_connect(systemd_sysctl_t) ++ +logging_stream_connect_syslog(systemd_sysctl_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index eadbfcc3..c640e4cb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch 
@@ -8023,7 +8023,7 @@ index e73fb79..2badfc0 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/bitlbee.te b/bitlbee.te -index ac8c91e..a63f4c2 100644 +index ac8c91e..80ecd7e 100644 --- a/bitlbee.te +++ b/bitlbee.te @@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t) @@ -8041,7 +8041,15 @@ index ac8c91e..a63f4c2 100644 allow bitlbee_t bitlbee_conf_t:dir list_dir_perms; allow bitlbee_t bitlbee_conf_t:file read_file_perms; -@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) +@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms; + manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) + + manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t) +@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) @@ -8051,7 +8059,7 @@ index ac8c91e..a63f4c2 100644 corenet_all_recvfrom_unlabeled(bitlbee_t) corenet_all_recvfrom_netlabel(bitlbee_t) -@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) +@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -23395,7 +23403,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..be03e22 100644 +index e0a4f46..70277e8 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) 
@@ -23421,7 +23429,15 @@ index e0a4f46..be03e22 100644 init_daemon_domain(glance_api_t, glance_api_exec_t) type glance_api_initrc_exec_t; -@@ -56,10 +57,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t) + # Common local policy + # + ++allow glance_domain self:process signal_perms; + allow glance_domain self:fifo_file rw_fifo_file_perms; + allow glance_domain self:unix_stream_socket create_stream_socket_perms; + allow glance_domain self:tcp_socket { accept listen }; +@@ -56,10 +58,6 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -23432,7 +23448,7 @@ index e0a4f46..be03e22 100644 corenet_tcp_sendrecv_generic_if(glance_domain) corenet_tcp_sendrecv_generic_node(glance_domain) corenet_tcp_sendrecv_all_ports(glance_domain) -@@ -70,13 +67,10 @@ corecmd_exec_shell(glance_domain) +@@ -70,13 +68,10 @@ corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) @@ -23447,7 +23463,7 @@ index e0a4f46..be03e22 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +82,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +83,15 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -23463,7 +23479,7 @@ index e0a4f46..be03e22 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +110,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) 
@@ -26764,7 +26780,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..c47fa5f 100644 +index 44cf341..8424d09 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ @@ -26836,7 +26852,7 @@ index 44cf341..c47fa5f 100644 type gpg_secret_t; typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t }; -@@ -52,112 +52,115 @@ type gpg_helper_t; +@@ -52,112 +52,116 @@ type gpg_helper_t; type gpg_helper_exec_t; typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t }; typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; @@ -26912,6 +26928,7 @@ index 44cf341..c47fa5f 100644 +userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg") kernel_read_sysctl(gpg_t) ++kernel_read_system_state(gpg_t) +kernel_getattr_core_if(gpg_t) corecmd_exec_shell(gpg_t) @@ -27000,7 +27017,7 @@ index 44cf341..c47fa5f 100644 ') optional_policy(` -@@ -165,37 +168,51 @@ optional_policy(` +@@ -165,37 +169,51 @@ optional_policy(` ') optional_policy(` @@ -27063,7 +27080,7 @@ index 44cf341..c47fa5f 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +224,35 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -27105,7 +27122,7 @@ index 44cf341..c47fa5f 100644 corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,31 +262,30 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,31 +263,30 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) @@ -27148,7 +27165,7 @@ index 44cf341..c47fa5f 100644 ') optional_policy(` -@@ -277,8 +299,17 @@ optional_policy(` +@@ -277,8 +300,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; 
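Review bot: The added `+kernel_read_system_state(gpg_t)` line in the gpg.te hunk is wider than the purpose the commit message gives for it, reading fips_enabled. That flag is /proc/sys/crypto/fips_enabled, which refpolicy labels sysctl_crypto_t rather than proc_t, so the targeted rule would be `kernel_read_crypto_sysctls(gpg_t)`, assuming the base module on this branch still carries that interface. kernel_read_system_state additionally lets gpg_t read the rest of proc_t, including other processes' /proc entries, which a user-run signing and encryption helper has no stated need for. If something else in gpg genuinely requires proc_t, a comment naming it above the rule would make the grant reviewable.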
@@ -27167,7 +27184,7 @@ index 44cf341..c47fa5f 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +318,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +319,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -45643,10 +45660,10 @@ index f5d145d..97e1148 100644 + virt_ptrace(numad_t) +') diff --git a/nut.fc b/nut.fc -index 379af96..371119d 100644 +index 379af96..41ff159 100644 --- a/nut.fc +++ b/nut.fc -@@ -1,23 +1,13 @@ +@@ -1,23 +1,16 @@ -/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) -/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) +/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0) 
@@ -45657,14 +45674,16 @@ index 379af96..371119d 100644 -/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) -- + -/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) -/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) ++/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0) /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0) /usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) -/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) ++/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0) +/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0) /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0) @@ -45676,29 +45695,35 @@ index 379af96..371119d 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..56660c5 100644 +index 57c0161..d5ad79d 100644 --- a/nut.if 
+++ b/nut.if -@@ -1,39 +1 @@ +@@ -1,39 +1,25 @@ -## Network UPS Tools -- ++## nut - Network UPS Tools + -######################################## --## ++####################################### + ## -## All of the rules required to -## administrate an nut environment. --## --## ++## Execute swift server in the swift domain. + ## + ## -## -## Domain allowed access. -## --## ++## ++## Domain allowed to transition. ++## + ## -## -## -## Role allowed access. -## -## -## --# + # -interface(`nut_admin',` - gen_require(` - attribute nut_domain; @@ -45712,19 +45737,28 @@ index 57c0161..56660c5 100644 - domain_system_change_exemption($1) - role_transition $2 nut_initrc_exec_t system_r; - allow $2 system_r; -- ++interface(`nut_systemctl',` ++ gen_require(` ++ type nut_t; ++ type nut_unit_file_t; ++ ') + - files_search_etc($1) - admin_pattern($1, nut_conf_t) -- ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 nut_unit_file_t:file read_file_perms; ++ allow $1 nut_unit_file_t:service manage_service_perms; + - files_search_pids($1) - admin_pattern($1, nut_var_run_t) --') -+## nut - Network UPS Tools ++ ps_process_pattern($1, swift_t) + ') diff --git a/nut.te b/nut.te -index 0c9deb7..87c7eb7 100644 +index 0c9deb7..dbc52a1 100644 --- a/nut.te +++ b/nut.te -@@ -1,121 +1,105 @@ +@@ -1,121 +1,108 @@ -policy_module(nut, 1.2.4) +policy_module(nut, 1.2.0) @@ -45759,6 +45793,9 @@ index 0c9deb7..87c7eb7 100644 type nut_var_run_t; files_pid_file(nut_var_run_t) -init_daemon_run_dir(nut_var_run_t, "nut") ++ ++type nut_unit_file_t; ++systemd_unit_file(nut_unit_file_t) ######################################## # 
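Review bot: The new `nut_systemctl` interface in nut.if (hunks @@ -45676 and @@ -45712) still carries its swift.if origins: the summary reads "Execute swift server in the swift domain." and the body ends with `ps_process_pattern($1, swift_t)`, a type from another module that is not in the gen_require, so any caller of the interface will presumably fail at policy build time. The gen_require also names `type nut_t;`, which none of the nut.te hunks on this page declare (the domains visible there are nut_upsd_t, nut_upsmon_t and nut_upsdrvctl_t), so that looks like a leftover as well. Replace the summary with something like "Execute nut server via systemctl." and point the ps rule at the nut domain the caller should see, e.g. `ps_process_pattern($1, nut_upsd_t)` with `type nut_upsd_t;` in the gen_require, dropping nut_t unless it really exists. The systemd_exec_systemctl, password fifo and manage_service_perms lines follow the usual *_systemctl shape and look fine.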
@@ -45774,20 +45811,20 @@ index 0c9deb7..87c7eb7 100644 -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; -- --manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) --manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) --files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) +allow nut_upsd_t self:capability { setgid setuid dac_override }; +allow nut_upsd_t self:process signal_perms; --kernel_read_kernel_sysctls(nut_domain) +-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) +-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) +allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; --logging_send_syslog_msg(nut_domain) +-kernel_read_kernel_sysctls(nut_domain) +allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; +-logging_send_syslog_msg(nut_domain) +- -miscfiles_read_localization(nut_domain) - -######################################## 
@@ -45803,18 +45840,18 @@ index 0c9deb7..87c7eb7 100644 +manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) -- --stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) +files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) +-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) ++kernel_read_kernel_sysctls(nut_upsd_t) + -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) -corenet_tcp_sendrecv_generic_if(nut_upsd_t) -corenet_tcp_sendrecv_generic_node(nut_upsd_t) -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) -+kernel_read_kernel_sysctls(nut_upsd_t) - +- -corenet_sendrecv_ups_server_packets(nut_upsd_t) corenet_tcp_bind_ups_port(nut_upsd_t) - @@ -45842,9 +45879,9 @@ index 0c9deb7..87c7eb7 100644 +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; +allow nut_upsmon_t self:tcp_socket create_socket_perms; - -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) + +# pid file +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) @@ -45889,7 +45926,7 @@ index 0c9deb7..87c7eb7 100644 mta_send_mail(nut_upsmon_t) optional_policy(` -@@ -124,14 +108,27 @@ optional_policy(` +@@ -124,14 +111,27 @@ optional_policy(` ######################################## # @@ -45919,7 +45956,7 @@ index 0c9deb7..87c7eb7 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) +@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) init_sigchld(nut_upsdrvctl_t) 
@@ -47570,7 +47607,7 @@ index 0000000..1a26cd5 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..4bc6574 +index 0000000..b89f7fc --- /dev/null +++ b/openshift.te @@ -0,0 +1,463 @@ @@ -47970,7 +48007,7 @@ index 0000000..4bc6574 +# +# openshift_cron local policy +# -+allow openshift_cron_t self:capability net_admin; ++allow openshift_cron_t self:capability { net_admin sys_admin }; +allow openshift_cron_t self:process signal_perms; +allow openshift_cron_t self:tcp_socket create_stream_socket_perms; +allow openshift_cron_t self:udp_socket create_socket_perms; @@ -48762,7 +48799,7 @@ index 9682d9a..d47f913 100644 + ') ') diff --git a/pacemaker.te b/pacemaker.te -index 3dd8ada..9683812 100644 +index 3dd8ada..993c92c 100644 --- a/pacemaker.te +++ b/pacemaker.te @@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2) @@ -48839,7 +48876,7 @@ index 3dd8ada..9683812 100644 files_read_kernel_symbol_table(pacemaker_t) fs_getattr_all_fs(pacemaker_t) -@@ -75,9 +87,16 @@ auth_use_nsswitch(pacemaker_t) +@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t) logging_send_syslog_msg(pacemaker_t) @@ -48855,8 +48892,12 @@ index 3dd8ada..9683812 100644 + corosync_setattr_log(pacemaker_t) corosync_stream_connect(pacemaker_t) + corosync_rw_tmpfs(pacemaker_t) - ') ++') + ++optional_policy(` ++ #executes heartbeat lib files ++ rgmanager_execute_lib(pacemaker_t) + ') diff --git a/pads.if b/pads.if index 6e097c9..503c97a 100644 --- a/pads.if @@ -62321,12 +62362,14 @@ index f1512d6..93f1ee6 100644 userdom_dontaudit_search_user_home_dirs(readahead_t) diff --git a/realmd.fc b/realmd.fc -index 04babe3..3c24ce4 100644 +index 04babe3..02a1f34 100644 --- a/realmd.fc +++ b/realmd.fc -@@ -1 +1 @@ +@@ -1 +1,3 @@ -/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) +/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) ++ ++/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0) 
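Review bot: `+allow openshift_cron_t self:capability { net_admin sys_admin };` in the openshift.te hunk adds CAP_SYS_ADMIN to the cron domain without a comment, and neither the commit message nor the spec changelog on this page mentions an openshift change. sys_admin is the catch-all capability (mount, namespace and many privileged ioctl paths), so a job running in this domain gains considerably more than the net_admin it already had. If the rule answers a specific denial, a comment naming the operation, `# sys_admin: <operation that needs it>`, should sit above it; if it only silences audit noise, `dontaudit openshift_cron_t self:capability sys_admin;` is the safer form. The openshift_cron_t block continues outside the hunk.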
diff --git a/realmd.if b/realmd.if index bff31df..e38693b 100644 --- a/realmd.if @@ -62344,7 +62387,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..5372646 100644 +index 9a8f052..ecd8eaf 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -62353,13 +62396,16 @@ index 9a8f052..5372646 100644 ######################################## # -@@ -7,11 +7,12 @@ policy_module(realmd, 1.0.2) +@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; -init_system_domain(realmd_t, realmd_exec_t) +application_domain(realmd_t, realmd_exec_t) +role system_r types realmd_t; ++ ++type realmd_var_cache_t; ++files_type(realmd_var_cache_t) ######################################## # @@ -62368,7 +62414,13 @@ index 9a8f052..5372646 100644 # allow realmd_t self:capability sys_nice; -@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t) + allow realmd_t self:process setsched; + ++manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) ++manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) ++ + kernel_read_system_state(realmd_t) + corecmd_exec_bin(realmd_t) corecmd_exec_shell(realmd_t) @@ -62408,7 +62460,7 @@ index 9a8f052..5372646 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +70,21 @@ optional_policy(` +@@ -67,17 +76,21 @@ optional_policy(` optional_policy(` nis_exec_ypbind(realmd_t) @@ -62433,7 +62485,7 @@ index 9a8f052..5372646 100644 ') optional_policy(` -@@ -86,5 +93,9 @@ optional_policy(` +@@ -86,5 +99,9 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) @@ -62698,7 +62750,7 @@ index 5421af0..91e69b8 100644 +/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0) +/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0) diff --git a/rgmanager.if b/rgmanager.if -index 1c2f9aa..5bd6fdb 100644 +index 1c2f9aa..7d70a46 100644 
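Review bot: The realmd.te hunk adds manage_dirs/manage_files rules for realmd_var_cache_t but no file transition, so the new label only holds for a /var/cache/realmd that already exists when the realmd.fc entry is applied. If realmd creates the directory itself at runtime, which is plausible for a cache, it inherits the parent's label and none of the new rules apply; adding `files_var_filetrans(realmd_t, realmd_var_cache_t, dir, "realmd")` next to the manage rules covers that case. That assumes /var/cache carries the generic var label as in refpolicy and that realmd_t can already search /var; confirm both against the base policy before relying on it.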
--- a/rgmanager.if +++ b/rgmanager.if @@ -1,13 +1,13 @@ @@ -62801,7 +62853,7 @@ index 1c2f9aa..5bd6fdb 100644 init_labeled_script_domtrans($1, rgmanager_initrc_exec_t) domain_system_change_exemption($1) -@@ -121,3 +139,27 @@ interface(`rgmanager_admin',` +@@ -121,3 +139,47 @@ interface(`rgmanager_admin',` files_list_pids($1) admin_pattern($1, rgmanager_var_run_t) ') @@ -62829,6 +62881,26 @@ index 1c2f9aa..5bd6fdb 100644 + files_list_pids($1) + admin_pattern($1, rgmanager_var_run_t) +') ++ ++###################################### ++## ++## Allow the specified domain to execute rgmanager's lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rgmanager_execute_lib',` ++ gen_require(` ++ type rgmanager_var_lib_t; ++ ') ++ ++ files_list_var_lib($1) ++ allow $1 rgmanager_var_lib_t:dir search_dir_perms; ++ can_exec($1, rgmanager_var_lib_t) ++') diff --git a/rgmanager.te b/rgmanager.te index b418d1c..1ad9c12 100644 --- a/rgmanager.te @@ -63054,15 +63126,16 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..977f2eb 100644 +index 47de2d6..d022603 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,30 @@ +@@ -1,31 +1,31 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) +/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0) 
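Review bot: `rgmanager_execute_lib` in the rgmanager.if hunk grants `can_exec($1, rgmanager_var_lib_t)`, i.e. execute on everything carrying the daemon's /var/lib state type. If the caller (pacemaker_t in this commit) or rgmanager_t can also write rgmanager_var_lib_t, that is a write-then-execute path inside a clustering daemon; if the heartbeat lib files are package-installed and never written at runtime, a dedicated exec type for them would keep writable state and executables apart. Neither condition is visible on this page, so confirm which applies before merging. A smaller point: `files_list_var_lib($1)` grants listing of /var/lib where `files_search_var_lib($1)` would suffice for traversal to the labeled files.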
@@ -71365,7 +71438,7 @@ index cd6c213..34b861a 100644 + allow $1 sanlock_unit_file_t:service all_service_perms; ') diff --git a/sanlock.te b/sanlock.te -index a34eac4..4f4eaf4 100644 +index a34eac4..114c9d2 100644 --- a/sanlock.te +++ b/sanlock.te @@ -1,4 +1,4 @@ @@ -71460,7 +71533,7 @@ index a34eac4..4f4eaf4 100644 auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +87,25 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -71492,10 +71565,14 @@ index a34eac4..4f4eaf4 100644 + fs_manage_cifs_files(sanlock_t) + fs_manage_cifs_named_sockets(sanlock_t) + fs_read_cifs_symlinks(sanlock_t) ++') ++ ++optional_policy(` ++ rhcs_domtrans_fenced(sanlock_t) ') optional_policy(` -@@ -100,7 +113,7 @@ optional_policy(` +@@ -100,7 +117,7 @@ optional_policy(` ') optional_policy(` @@ -87038,7 +87115,7 @@ index f93558c..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index ed40676..8042769 100644 +index ed40676..0706207 100644 --- a/xen.te +++ b/xen.te @@ -1,42 +1,34 @@ @@ -87360,7 +87437,12 @@ index ed40676..8042769 100644 kernel_read_kernel_sysctls(xend_t) kernel_read_system_state(xend_t) -@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t) +@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t) + kernel_read_xen_state(xend_t) + kernel_rw_net_sysctls(xend_t) + kernel_read_network_state(xend_t) ++kernel_request_load_module(xend_t) + corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) @@ -87424,7 +87506,7 @@ index ed40676..8042769 100644 storage_read_scsi_generic(xend_t) -@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) 
@@ -87434,7 +87516,7 @@ index ed40676..8042769 100644 miscfiles_read_hwdata(xend_t) sysnet_domtrans_dhcpc(xend_t) -@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t) +@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t) userdom_dontaudit_search_user_home_dirs(xend_t) @@ -87459,7 +87541,7 @@ index ed40676..8042769 100644 optional_policy(` brctl_domtrans(xend_t) -@@ -342,7 +356,7 @@ optional_policy(` +@@ -342,7 +357,7 @@ optional_policy(` mount_domtrans(xend_t) ') @@ -87468,7 +87550,7 @@ index ed40676..8042769 100644 netutils_domtrans(xend_t) ') -@@ -351,6 +365,7 @@ optional_policy(` +@@ -351,6 +366,7 @@ optional_policy(` ') optional_policy(` @@ -87476,7 +87558,7 @@ index ed40676..8042769 100644 virt_search_images(xend_t) virt_read_config(xend_t) ') -@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit; +@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit; allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; allow xenconsoled_t self:fifo_file rw_fifo_file_perms; @@ -87492,7 +87574,7 @@ index ed40676..8042769 100644 manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) -@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t) +@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -87503,7 +87585,7 @@ index ed40676..8042769 100644 fs_list_tmpfs(xenconsoled_t) fs_manage_xenfs_dirs(xenconsoled_t) -@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t) +@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t) term_create_pty(xenconsoled_t, xen_devpts_t) term_use_generic_ptys(xenconsoled_t) 
@@ -87521,7 +87603,7 @@ index ed40676..8042769 100644 xen_stream_connect_xenstore(xenconsoled_t) optional_policy(` -@@ -416,24 +421,26 @@ optional_policy(` +@@ -416,24 +422,26 @@ optional_policy(` # allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; @@ -87552,7 +87634,7 @@ index ed40676..8042769 100644 manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) -@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t) +@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3f2724c7..92da6803 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -521,6 +521,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Feb 8 2013 Miroslav Grepl 3.12.1-11 +- Allow gpg to read fips_enabled +- Add support for /var/cache/realmd +- Add support for /usr/sbin/blazer_usb and systemd support for nut +- Add labeling for fenced_sanlock and allow sanclok transition to fenced_t +- bitlbee wants to read own log file +- Allow glance domain to send a signal itself +- Allow xend_t to request that the kernel load a kernel module +- Allow pacemaker to execute heartbeat lib files +- cleanup new swift policy + * Tue Feb 5 2013 Miroslav Grepl 3.12.1-10 - Fix smartmontools - Fix userdom_restricted_xwindows_user_template() interface