- Fixes for clamscan and boinc policy

- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
Miroslav Grepl 2010-12-10 13:55:11 +00:00
parent c2ad3681fa
commit b04a855a22
2 changed files with 102 additions and 19 deletions


@ -220,18 +220,35 @@ index 90d5203..1392679 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 453834c..5ff732d 100644 index 453834c..9d83d66 100644
--- a/policy/modules/admin/alsa.te --- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te
@@ -11,7 +11,7 @@ init_system_domain(alsa_t, alsa_exec_t) @@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t)
role system_r types alsa_t; role system_r types alsa_t;
type alsa_etc_rw_t; type alsa_etc_rw_t;
-files_type(alsa_etc_rw_t) -files_type(alsa_etc_rw_t)
+files_config_file(alsa_etc_rw_t) +files_config_file(alsa_etc_rw_t)
+
+type alsa_tmp_t;
+files_tmp_file(alsa_tmp_t)
type alsa_var_lib_t; type alsa_var_lib_t;
files_type(alsa_var_lib_t) files_type(alsa_var_lib_t)
@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
+manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
+files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+userdom_dontaudit_setattr_user_tmp(alsa_t)
+
+
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
files_search_var_lib(alsa_t)
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
index f76ed8a..9a9526a 100644 index f76ed8a..9a9526a 100644
--- a/policy/modules/admin/anaconda.te --- a/policy/modules/admin/anaconda.te
@ -347,7 +364,7 @@ index a2e9cb5..b2de42c 100644
optional_policy(` optional_policy(`
apache_exec_modules(certwatch_t) apache_exec_modules(certwatch_t)
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index 66fee7d..9191e32 100644 index 66fee7d..1d231b8 100644
--- a/policy/modules/admin/consoletype.te --- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te
@@ -79,16 +79,18 @@ optional_policy(` @@ -79,16 +79,18 @@ optional_policy(`
@ -355,7 +372,7 @@ index 66fee7d..9191e32 100644
optional_policy(` optional_policy(`
+ devicekit_dontaudit_read_pid_files(consoletype_t) + devicekit_dontaudit_read_pid_files(consoletype_t)
+ devicekit_dontaudit_write_log(consoletype_t) + devicekit_dontaudit_rw_log(consoletype_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -4165,7 +4182,7 @@ index 9a6d67d..b0c1197 100644
## mozilla over dbus. ## mozilla over dbus.
## </summary> ## </summary>
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index cbf4bec..9826f66 100644 index cbf4bec..1aa992d 100644
--- a/policy/modules/apps/mozilla.te --- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2) @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2)
@ -4247,7 +4264,7 @@ index cbf4bec..9826f66 100644
pulseaudio_exec(mozilla_t) pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t) pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t) pulseaudio_manage_home_files(mozilla_t)
@@ -266,3 +291,144 @@ optional_policy(` @@ -266,3 +291,145 @@ optional_policy(`
optional_policy(` optional_policy(`
thunderbird_domtrans(mozilla_t) thunderbird_domtrans(mozilla_t)
') ')
@ -4375,6 +4392,7 @@ index cbf4bec..9826f66 100644
+ nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_dirs(mozilla_plugin_t)
+ nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
+ nsplugin_user_home_filetrans(mozilla_plugin_t, file)
+ nsplugin_signal(mozilla_plugin_t) + nsplugin_signal(mozilla_plugin_t)
+') +')
+ +
@ -4495,10 +4513,10 @@ index 0000000..717eb3f
+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
new file mode 100644 new file mode 100644
index 0000000..c06e99e index 0000000..4f9cb05
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/nsplugin.if +++ b/policy/modules/apps/nsplugin.if
@@ -0,0 +1,455 @@ @@ -0,0 +1,480 @@
+ +
+## <summary>policy for nsplugin</summary> +## <summary>policy for nsplugin</summary>
+ +
@ -4933,7 +4951,32 @@ index 0000000..c06e99e
+ type nsplugin_home_t; + type nsplugin_home_t;
+ ') + ')
+ +
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) + userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
+')
+
+#######################################
+## <summary>
+## Create objects in a user home directory
+## with an automatic type transition to
+## the nsplugin home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+#
+interface(`nsplugin_user_home_filetrans',`
+ gen_require(`
+ type nsplugin_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
+') +')
+ +
+######################################## +########################################
@ -15986,10 +16029,10 @@ index 0000000..fa9b95a
+') +')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644 new file mode 100644
index 0000000..4bc3f06 index 0000000..3b58d07
--- /dev/null --- /dev/null
+++ b/policy/modules/services/boinc.te +++ b/policy/modules/services/boinc.te
@@ -0,0 +1,167 @@ @@ -0,0 +1,169 @@
+policy_module(boinc, 1.0.0) +policy_module(boinc, 1.0.0)
+ +
+######################################## +########################################
@ -16110,7 +16153,7 @@ index 0000000..4bc3f06
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
+allow boinc_t boinc_project_t:process sigkill; +allow boinc_t boinc_project_t:process sigkill;
+ +
+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop };
+allow boinc_project_t self:process { execmem execstack }; +allow boinc_project_t self:process { execmem execstack };
+ +
+allow boinc_project_t self:fifo_file rw_fifo_file_perms; +allow boinc_project_t self:fifo_file rw_fifo_file_perms;
@ -16150,6 +16193,8 @@ index 0000000..4bc3f06
+dev_rw_xserver_misc(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t)
+ +
+files_read_etc_files(boinc_project_t) +files_read_etc_files(boinc_project_t)
+files_read_etc_runtime_files(boinc_project_t)
+files_read_usr_files(boinc_project_t)
+ +
+miscfiles_read_fonts(boinc_project_t) +miscfiles_read_fonts(boinc_project_t)
+miscfiles_read_localization(boinc_project_t) +miscfiles_read_localization(boinc_project_t)
@ -17119,7 +17164,7 @@ index 1f11572..7f6a7ab 100644
') ')
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 8c36027..532fa91 100644 index 8c36027..28863a5 100644
--- a/policy/modules/services/clamav.te --- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te
@@ -1,9 +1,9 @@ @@ -1,9 +1,9 @@
@ -17226,7 +17271,11 @@ index 8c36027..532fa91 100644
######################################## ########################################
# #
# clamscam local policy # clamscam local policy
@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) @@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
corenet_tcp_sendrecv_all_ports(clamscan_t)
corenet_tcp_sendrecv_clamd_port(clamscan_t)
+corenet_tcp_bind_generic_node(clamscan_t)
corenet_tcp_connect_clamd_port(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t) kernel_read_kernel_sysctls(clamscan_t)
@ -17234,6 +17283,16 @@ index 8c36027..532fa91 100644
files_read_etc_files(clamscan_t) files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t) files_read_etc_runtime_files(clamscan_t)
@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
mta_send_mail(clamscan_t)
+mta_read_queue(clamscan_t)
+
+sysnet_read_config(clamscan_t)
optional_policy(`
amavis_read_spool_files(clamscan_t)
diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if
index c0a66a4..e438c5f 100644 index c0a66a4..e438c5f 100644
--- a/policy/modules/services/clogd.if --- a/policy/modules/services/clogd.if
@ -19737,7 +19796,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
index f706b99..4b3d7f7 100644 index f706b99..6149a45 100644
--- a/policy/modules/services/devicekit.if --- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@ @@ -5,9 +5,9 @@
@ -19752,7 +19811,7 @@ index f706b99..4b3d7f7 100644
## </param> ## </param>
# #
interface(`devicekit_domtrans',` interface(`devicekit_domtrans',`
@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',` @@ -118,6 +118,82 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg; allow devicekit_power_t $1:dbus send_msg;
') ')
@ -19794,6 +19853,25 @@ index f706b99..4b3d7f7 100644
+ dontaudit $1 devicekit_var_log_t:file { write }; + dontaudit $1 devicekit_var_log_t:file { write };
+') +')
+ +
+######################################
+## <summary>
+## Do not audit attempts to read and write the devicekit
+## log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`devicekit_dontaudit_rw_log',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms;
+')
+
+######################################## +########################################
+## <summary> +## <summary>
+## Allow the domain to read devicekit_power state files in /proc. +## Allow the domain to read devicekit_power state files in /proc.
@ -19816,7 +19894,7 @@ index f706b99..4b3d7f7 100644
######################################## ########################################
## <summary> ## <summary>
## Read devicekit PID files. ## Read devicekit PID files.
@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',` @@ -139,22 +215,52 @@ interface(`devicekit_read_pid_files',`
######################################## ########################################
## <summary> ## <summary>
@ -19876,7 +19954,7 @@ index f706b99..4b3d7f7 100644
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -165,21 +252,22 @@ interface(`devicekit_admin',` @@ -165,21 +271,22 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
') ')
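Review bot: The two clamav.te hunks in this section (`@@ -248,9 +263,11 @@` and `@@ -265,6 +282,9 @@`) give `clamscan_t` a TCP node bind and read access to the MTA queue, with no comment recording which denial each rule answers. `clamscan_t` parses untrusted content, so every added grant widens what a compromised scanner process can reach. `corenet_tcp_bind_generic_node(clamscan_t)` stands out, because the neighbouring visible rules only show the domain connecting to the clamd port. I would put a why-comment above each added rule, for example `# clamscan binds a local TCP socket before talking to clamd (AVC: <bug reference>)` and `# scan messages in place in the MTA queue (AVC: <bug reference>)`, and check the wording against the actual AVC records, since these reasons are inferred rather than shown on the page. The clamscan local policy block starts and ends outside these hunks, so rules that already justify or bound these grants may exist but are not visible here.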


@ -21,7 +21,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.9.10 Version: 3.9.10
Release: 9%{?dist} Release: 10%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -471,6 +471,11 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Dec 10 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-10
- Fixes for clamscan and boinc policy
- Add boinc_project_t setpgid
- Allow alsa to create tmp files in /tmp
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-9 * Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-9
- Push fixes to allow disabling of unlabeled_t packet access - Push fixes to allow disabling of unlabeled_t packet access
- Enable unlabelednet policy - Enable unlabelednet policy