- Allow confined users to manage virt_content_t, since this is home dir
content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
This commit is contained in:
parent
b0991a2dfd
commit
b11dbbb323
@ -782,7 +782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
|
||||
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 13:45:16.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-27 11:01:26.000000000 -0400
|
||||
@@ -11,8 +11,8 @@
|
||||
init_daemon_domain(readahead_t, readahead_exec_t)
|
||||
application_domain(readahead_t, readahead_exec_t)
|
||||
@ -808,7 +808,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
||||
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
|
||||
@@ -58,6 +60,7 @@
|
||||
@@ -46,6 +48,7 @@
|
||||
storage_raw_read_fixed_disk(readahead_t)
|
||||
|
||||
domain_use_interactive_fds(readahead_t)
|
||||
+domain_read_all_domains_state(readahead_t)
|
||||
|
||||
files_dontaudit_getattr_all_sockets(readahead_t)
|
||||
files_list_non_security(readahead_t)
|
||||
@@ -58,6 +61,7 @@
|
||||
fs_dontaudit_search_ramfs(readahead_t)
|
||||
fs_dontaudit_read_ramfs_pipes(readahead_t)
|
||||
fs_dontaudit_read_ramfs_files(readahead_t)
|
||||
@ -816,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_read_tmpfs_symlinks(readahead_t)
|
||||
fs_list_inotifyfs(readahead_t)
|
||||
|
||||
@@ -72,6 +75,7 @@
|
||||
@@ -72,6 +76,7 @@
|
||||
init_getattr_initctl(readahead_t)
|
||||
|
||||
logging_send_syslog_msg(readahead_t)
|
||||
@ -5184,7 +5192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400
|
||||
@@ -5,6 +5,13 @@
|
||||
#
|
||||
# Declarations
|
||||
@ -5255,7 +5263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
|
||||
|
||||
# act on all domains keys
|
||||
@@ -153,3 +172,45 @@
|
||||
@@ -153,3 +172,46 @@
|
||||
|
||||
# receive from all domains over labeled networking
|
||||
domain_all_recvfrom_all_domains(unconfined_domain_type)
|
||||
@ -5280,6 +5288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ rpm_rw_pipes(domain)
|
||||
+ rpm_dontaudit_use_script_fds(domain)
|
||||
+ rpm_dontaudit_write_pid_files(domain)
|
||||
+ rpm_read_script_tmp_files(domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -14839,8 +14848,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
|
||||
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400
|
||||
@@ -1,6 +1,8 @@
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400
|
||||
@@ -1,6 +1,9 @@
|
||||
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
||||
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||
|
||||
@ -14849,6 +14858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
||||
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
||||
+
|
||||
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
|
||||
@ -21885,7 +21895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
|
||||
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 08:31:39.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400
|
||||
@@ -20,6 +20,35 @@
|
||||
## </desc>
|
||||
gen_tunable(spamd_enable_home_dirs, true)
|
||||
@ -21982,7 +21992,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled(spamc_t)
|
||||
corenet_all_recvfrom_netlabel(spamc_t)
|
||||
@@ -255,9 +308,15 @@
|
||||
@@ -239,6 +292,7 @@
|
||||
corenet_sendrecv_all_client_packets(spamc_t)
|
||||
|
||||
fs_search_auto_mountpoints(spamc_t)
|
||||
+fs_list_inotifyfs(spamc_t)
|
||||
|
||||
# cjp: these should probably be removed:
|
||||
corecmd_list_bin(spamc_t)
|
||||
@@ -255,9 +309,15 @@
|
||||
files_dontaudit_search_var(spamc_t)
|
||||
# cjp: this may be removable:
|
||||
files_list_home(spamc_t)
|
||||
@ -21998,7 +22016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
miscfiles_read_localization(spamc_t)
|
||||
|
||||
# cjp: this should probably be removed:
|
||||
@@ -265,13 +324,16 @@
|
||||
@@ -265,13 +325,16 @@
|
||||
|
||||
sysnet_read_config(spamc_t)
|
||||
|
||||
@ -22022,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -280,16 +342,21 @@
|
||||
@@ -280,16 +343,21 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22046,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -301,7 +368,7 @@
|
||||
@@ -301,7 +369,7 @@
|
||||
# setuids to the user running spamc. Comment this if you are not
|
||||
# using this ability.
|
||||
|
||||
@ -22055,7 +22073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit spamd_t self:capability sys_tty_config;
|
||||
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow spamd_t self:fd use;
|
||||
@@ -317,10 +384,13 @@
|
||||
@@ -317,10 +385,13 @@
|
||||
allow spamd_t self:unix_stream_socket connectto;
|
||||
allow spamd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow spamd_t self:udp_socket create_socket_perms;
|
||||
@ -22070,7 +22088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
||||
@@ -329,10 +399,11 @@
|
||||
@@ -329,10 +400,11 @@
|
||||
|
||||
# var/lib files for spamd
|
||||
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
||||
@ -22083,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
|
||||
|
||||
kernel_read_all_sysctls(spamd_t)
|
||||
@@ -382,22 +453,27 @@
|
||||
@@ -382,22 +454,27 @@
|
||||
|
||||
init_dontaudit_rw_utmp(spamd_t)
|
||||
|
||||
@ -22115,7 +22133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_manage_cifs_files(spamd_t)
|
||||
')
|
||||
|
||||
@@ -415,6 +491,7 @@
|
||||
@@ -415,6 +492,7 @@
|
||||
|
||||
optional_policy(`
|
||||
dcc_domtrans_client(spamd_t)
|
||||
@ -22123,7 +22141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dcc_stream_connect_dccifd(spamd_t)
|
||||
')
|
||||
|
||||
@@ -424,10 +501,6 @@
|
||||
@@ -424,10 +502,6 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22134,7 +22152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
postfix_read_config(spamd_t)
|
||||
')
|
||||
|
||||
@@ -442,6 +515,10 @@
|
||||
@@ -442,6 +516,10 @@
|
||||
|
||||
optional_policy(`
|
||||
razor_domtrans(spamd_t)
|
||||
@ -22145,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,5 +531,9 @@
|
||||
@@ -454,5 +532,9 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -23420,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
|
||||
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-23 09:44:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400
|
||||
@@ -8,19 +8,24 @@
|
||||
|
||||
## <desc>
|
||||
@ -23449,7 +23467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
type virt_etc_t;
|
||||
files_config_file(virt_etc_t)
|
||||
@@ -29,8 +34,12 @@
|
||||
@@ -29,8 +34,13 @@
|
||||
files_type(virt_etc_rw_t)
|
||||
|
||||
# virt Image files
|
||||
@ -23461,10 +23479,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+# virt Image files
|
||||
+type virt_content_t;
|
||||
+virtual_image(virt_content_t)
|
||||
+userdom_user_home_content(virt_content_t)
|
||||
|
||||
type virt_log_t;
|
||||
logging_log_file(virt_log_t)
|
||||
@@ -48,17 +57,39 @@
|
||||
@@ -48,17 +58,39 @@
|
||||
type virtd_initrc_exec_t;
|
||||
init_script_file(virtd_initrc_exec_t)
|
||||
|
||||
@ -23506,7 +23525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
|
||||
@@ -67,7 +98,11 @@
|
||||
@@ -67,7 +99,11 @@
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -23519,7 +23538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
||||
@@ -86,6 +121,7 @@
|
||||
@@ -86,6 +122,7 @@
|
||||
kernel_read_network_state(virtd_t)
|
||||
kernel_rw_net_sysctls(virtd_t)
|
||||
kernel_load_module(virtd_t)
|
||||
@ -23527,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -96,7 +132,7 @@
|
||||
@@ -96,7 +133,7 @@
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
corenet_tcp_sendrecv_all_ports(virtd_t)
|
||||
corenet_tcp_bind_generic_node(virtd_t)
|
||||
@ -23536,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_vnc_port(virtd_t)
|
||||
corenet_tcp_connect_soundd_port(virtd_t)
|
||||
@@ -104,21 +140,39 @@
|
||||
@@ -104,21 +141,39 @@
|
||||
|
||||
dev_read_sysfs(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@ -23577,7 +23596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
term_getattr_pty_fs(virtd_t)
|
||||
term_use_ptmx(virtd_t)
|
||||
|
||||
@@ -129,6 +183,13 @@
|
||||
@@ -129,6 +184,13 @@
|
||||
|
||||
logging_send_syslog_msg(virtd_t)
|
||||
|
||||
@ -23591,7 +23610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
@@ -167,22 +228,34 @@
|
||||
@@ -167,22 +229,34 @@
|
||||
dnsmasq_domtrans(virtd_t)
|
||||
dnsmasq_signal(virtd_t)
|
||||
dnsmasq_kill(virtd_t)
|
||||
@ -23631,7 +23650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -198,5 +271,80 @@
|
||||
@@ -198,5 +272,80 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
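Review bot: `rpm_read_script_tmp_files(domain)` in the domain.te hunk (next to `rpm_rw_pipes(domain)`) grants every domain on the system read access to rpm_script_tmp_t, which is much broader than the stated problem of shell redirections inside scriptlets leaving files of that type behind; scriptlet output landing there can carry package-private data, so the narrower fix is a file transition or relabel on the redirection target so that only the domains that actually consume those files get the read. If the blanket grant has to stay, record the reason next to it, e.g. `# rpm scriptlet shell redirections leave rpm_script_tmp_t files that unrelated domains then open; revisit with a filetrans`. The enclosing optional_policy block opens above the hunk, so its guard is not visible here. Separately, the milter.fc entry `/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)` looks like it may have lost a `/` or `-` between the two `milter` tokens; confirm the intended path, because as written it would not match a directory like /var/lib/milter/ and the state files would keep the default var_lib_t label.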
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.12
|
||||
Release: 20%{?dist}
|
||||
Release: 21%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -446,6 +446,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-21
|
||||
- Allow confined users to manace virt_content_t, since this is home dir content
|
||||
- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection
|
||||
|
||||
* Mon Apr 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-20
|
||||
- Fix labeling on /var/lib/misc/prelink*
|
||||
- Allow xserver to rw_shm_perms with all x_clients
|
||||
|