- Fix lockdev_manage_files()

- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
This commit is contained in:
Miroslav Grepl 2013-04-23 12:44:02 +02:00
parent aae6505e89
commit d61e0b894f
3 changed files with 665 additions and 401 deletions

View File

@ -3021,7 +3021,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain) + fs_mounton_fusefs(seunshare_domain)
+') +')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 644d4d7..d2dbf35 100644 index 644d4d7..4debbf2 100644
--- a/policy/modules/kernel/corecommands.fc --- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@ @@ -1,9 +1,10 @@
@ -3179,7 +3179,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -215,18 +246,28 @@ ifdef(`distro_gentoo',` @@ -215,18 +246,30 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -3189,7 +3189,9 @@ index 644d4d7..d2dbf35 100644
-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) -/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
@ -3215,7 +3217,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
@@ -241,10 +282,15 @@ ifdef(`distro_gentoo',` @@ -241,10 +284,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@ -3231,7 +3233,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
@@ -257,10 +303,17 @@ ifdef(`distro_gentoo',` @@ -257,10 +305,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@ -3252,7 +3254,7 @@ index 644d4d7..d2dbf35 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -276,10 +329,15 @@ ifdef(`distro_gentoo',` @@ -276,10 +331,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@ -3268,7 +3270,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
@@ -294,16 +352,22 @@ ifdef(`distro_gentoo',` @@ -294,16 +354,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@ -3293,7 +3295,7 @@ index 644d4d7..d2dbf35 100644
ifdef(`distro_debian',` ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -321,20 +385,27 @@ ifdef(`distro_redhat', ` @@ -321,20 +387,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@ -3322,7 +3324,7 @@ index 644d4d7..d2dbf35 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -383,11 +454,15 @@ ifdef(`distro_suse', ` @@ -383,11 +456,15 @@ ifdef(`distro_suse', `
# #
# /var # /var
# #
@ -3339,7 +3341,7 @@ index 644d4d7..d2dbf35 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
@@ -397,3 +472,12 @@ ifdef(`distro_suse', ` @@ -397,3 +474,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',` ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
') ')
@ -7749,7 +7751,7 @@ index 6a1e4d1..adafd25 100644
+ dontaudit $1 domain:socket_class_set { read write }; + dontaudit $1 domain:socket_class_set { read write };
') ')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..dc4207f 100644 index cf04cb5..ff7b3f4 100644
--- a/policy/modules/kernel/domain.te --- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@ -7875,7 +7877,7 @@ index cf04cb5..dc4207f 100644
# Create/access any System V IPC objects. # Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *; allow unconfined_domain_type domain:{ sem msgq shm } *;
@@ -166,5 +227,266 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; @@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys # act on all domains keys
allow unconfined_domain_type domain:key *; allow unconfined_domain_type domain:key *;
@ -7904,6 +7906,7 @@ index cf04cb5..dc4207f 100644
+ init_reboot(unconfined_domain_type) + init_reboot(unconfined_domain_type)
+ init_halt(unconfined_domain_type) + init_halt(unconfined_domain_type)
+ init_undefined(unconfined_domain_type) + init_undefined(unconfined_domain_type)
+ init_filetrans_named_content(unconfined_domain_type)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -18526,10 +18529,10 @@ index ff92430..36740ea 100644
## <summary> ## <summary>
## Execute a generic bin program in the sysadm domain. ## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 88d0028..83e6404 100644 index 88d0028..4cc476f 100644
--- a/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1) @@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1)
# Declarations # Declarations
# #
@ -18583,6 +18586,7 @@ index 88d0028..83e6404 100644
+application_exec(sysadm_t) +application_exec(sysadm_t)
+ +
+init_filetrans_named_content(sysadm_t)
init_exec(sysadm_t) init_exec(sysadm_t)
+init_exec_script_files(sysadm_t) +init_exec_script_files(sysadm_t)
+init_dbus_chat(sysadm_t) +init_dbus_chat(sysadm_t)
@ -18619,7 +18623,7 @@ index 88d0028..83e6404 100644
ifdef(`direct_sysadm_daemon',` ifdef(`direct_sysadm_daemon',`
optional_policy(` optional_policy(`
@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',` @@ -55,13 +95,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t) init_exec_rc(sysadm_t)
') ')
@ -18634,7 +18638,7 @@ index 88d0028..83e6404 100644
domain_ptrace_all_domains(sysadm_t) domain_ptrace_all_domains(sysadm_t)
') ')
@@ -71,9 +104,9 @@ optional_policy(` @@ -71,9 +105,9 @@ optional_policy(`
optional_policy(` optional_policy(`
apache_run_helper(sysadm_t, sysadm_r) apache_run_helper(sysadm_t, sysadm_r)
@ -18645,7 +18649,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -87,6 +120,7 @@ optional_policy(` @@ -87,6 +121,7 @@ optional_policy(`
optional_policy(` optional_policy(`
asterisk_stream_connect(sysadm_t) asterisk_stream_connect(sysadm_t)
@ -18653,7 +18657,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -110,6 +144,10 @@ optional_policy(` @@ -110,6 +145,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18664,7 +18668,7 @@ index 88d0028..83e6404 100644
certwatch_run(sysadm_t, sysadm_r) certwatch_run(sysadm_t, sysadm_r)
') ')
@@ -122,11 +160,19 @@ optional_policy(` @@ -122,11 +161,19 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18686,7 +18690,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -140,6 +186,10 @@ optional_policy(` @@ -140,6 +187,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18697,7 +18701,7 @@ index 88d0028..83e6404 100644
dmesg_exec(sysadm_t) dmesg_exec(sysadm_t)
') ')
@@ -156,11 +206,11 @@ optional_policy(` @@ -156,11 +207,11 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18711,7 +18715,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -179,6 +229,13 @@ optional_policy(` @@ -179,6 +230,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t) ipsec_stream_connect(sysadm_t)
# for lsof # for lsof
ipsec_getattr_key_sockets(sysadm_t) ipsec_getattr_key_sockets(sysadm_t)
@ -18725,7 +18729,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -186,15 +243,20 @@ optional_policy(` @@ -186,15 +244,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18749,7 +18753,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -214,22 +276,20 @@ optional_policy(` @@ -214,22 +277,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r)
@ -18778,7 +18782,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -241,14 +301,27 @@ optional_policy(` @@ -241,14 +302,27 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18806,7 +18810,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -256,10 +329,20 @@ optional_policy(` @@ -256,10 +330,20 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18827,7 +18831,7 @@ index 88d0028..83e6404 100644
portage_run(sysadm_t, sysadm_r) portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r)
@@ -270,31 +353,36 @@ optional_policy(` @@ -270,31 +354,36 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18871,7 +18875,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -319,12 +407,18 @@ optional_policy(` @@ -319,12 +408,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18891,7 +18895,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -349,7 +443,18 @@ optional_policy(` @@ -349,7 +444,18 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18911,7 +18915,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -360,19 +465,15 @@ optional_policy(` @@ -360,19 +466,15 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18933,7 +18937,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -384,10 +485,6 @@ optional_policy(` @@ -384,10 +486,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18944,7 +18948,7 @@ index 88d0028..83e6404 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r)
@@ -395,6 +492,9 @@ optional_policy(` @@ -395,6 +493,9 @@ optional_policy(`
optional_policy(` optional_policy(`
virt_stream_connect(sysadm_t) virt_stream_connect(sysadm_t)
@ -18954,7 +18958,7 @@ index 88d0028..83e6404 100644
') ')
optional_policy(` optional_policy(`
@@ -402,31 +502,34 @@ optional_policy(` @@ -402,31 +503,34 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -18995,7 +18999,7 @@ index 88d0028..83e6404 100644
auth_role(sysadm_r, sysadm_t) auth_role(sysadm_r, sysadm_t)
') ')
@@ -439,10 +542,6 @@ ifndef(`distro_redhat',` @@ -439,10 +543,6 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -19006,7 +19010,7 @@ index 88d0028..83e6404 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t) dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(` optional_policy(`
@@ -463,15 +562,75 @@ ifndef(`distro_redhat',` @@ -463,15 +563,75 @@ ifndef(`distro_redhat',`
') ')
optional_policy(` optional_policy(`
@ -26810,7 +26814,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start; + allow $1 getty_unit_file_t:service start;
+') +')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index fc38c9c..dce2d4e 100644 index fc38c9c..61a1d24 100644
--- a/policy/modules/system/getty.te --- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te
@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t) @@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
@ -26852,17 +26856,20 @@ index fc38c9c..dce2d4e 100644
# Support logging in from /dev/console # Support logging in from /dev/console
term_use_console(getty_t) term_use_console(getty_t)
',` ',`
@@ -125,10 +130,6 @@ optional_policy(` @@ -121,11 +126,11 @@ tunable_policy(`console_login',`
')
optional_policy(`
- mta_send_mail(getty_t)
+ lockdev_manage_files(getty_t)
') ')
optional_policy(` optional_policy(`
- nscd_use(getty_t) - nscd_use(getty_t)
-') + mta_send_mail(getty_t)
-
-optional_policy(`
ppp_domtrans(getty_t)
') ')
optional_policy(`
diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
index 9dfecf7..6d00f5c 100644 index 9dfecf7..6d00f5c 100644
--- a/policy/modules/system/hostname.fc --- a/policy/modules/system/hostname.fc
@ -27074,7 +27081,7 @@ index 9a4d3a7..9d960bb 100644
') ')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 24e7804..1894886 100644 index 24e7804..d0780a9 100644
--- a/policy/modules/system/init.if --- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if +++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@ @@ -1,5 +1,21 @@
@ -27959,7 +27966,7 @@ index 24e7804..1894886 100644
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to connect to daemon with a tcp socket ## Allow the specified domain to connect to daemon with a tcp socket
@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',` @@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',`
') ')
corenet_udp_recvfrom_labeled($1, daemon) corenet_udp_recvfrom_labeled($1, daemon)
') ')
@ -28244,6 +28251,28 @@ index 24e7804..1894886 100644
+ +
+ allow $1 init_t:system undefined; + allow $1 init_t:system undefined;
+') +')
+
+########################################
+## <summary>
+## Transition to init named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_filetrans_named_content',`
+ gen_require(`
+ type init_var_run_t;
+ type initrc_var_run_t;
+ type machineid_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+ files_pid_filetrans($1, init_var_run_t, file, "random-seed")
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..969bda2 100644 index dd3be8d..969bda2 100644
--- a/policy/modules/system/init.te --- a/policy/modules/system/init.te
@ -30065,7 +30094,7 @@ index 5dfa44b..aa4d8fc 100644
optional_policy(` optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..aadfba0 100644 index 73bb3c0..46439b4 100644
--- a/policy/modules/system/libraries.fc --- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc
@@ -1,3 +1,4 @@ @@ -1,3 +1,4 @@
@ -30227,7 +30256,7 @@ index 73bb3c0..aadfba0 100644
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -299,17 +310,151 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te @@ -299,17 +310,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
# #
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@ -30383,6 +30412,7 @@ index 73bb3c0..aadfba0 100644
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/chrome/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ +
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
@ -32307,7 +32337,7 @@ index 9fe8e01..fa82aac 100644
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
') ')
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index fc28bc3..2f33076 100644 index fc28bc3..2960ed7 100644
--- a/policy/modules/system/miscfiles.if --- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if
@@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',` @@ -106,6 +106,24 @@ interface(`miscfiles_manage_generic_cert_dirs',`
@ -32445,7 +32475,7 @@ index fc28bc3..2f33076 100644
') ')
######################################## ########################################
@@ -809,3 +882,60 @@ interface(`miscfiles_manage_localization',` @@ -809,3 +882,61 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t) manage_lnk_files_pattern($1, locale_t, locale_t)
') ')
@ -32466,6 +32496,7 @@ index fc28bc3..2f33076 100644
+ +
+ files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") + files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "locale.conf") + files_etc_filetrans($1, locale_t, file, "locale.conf")
+ files_etc_filetrans($1, locale_t, file, "vconsole.conf")
+ files_etc_filetrans($1, locale_t, file, "locale.conf.new") + files_etc_filetrans($1, locale_t, file, "locale.conf.new")
+ files_etc_filetrans($1, locale_t, file, "timezone") + files_etc_filetrans($1, locale_t, file, "timezone")
+ files_etc_filetrans($1, locale_t, file, "clock") + files_etc_filetrans($1, locale_t, file, "clock")
@ -37060,10 +37091,10 @@ index 0000000..5894afb
+') +')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644 new file mode 100644
index 0000000..b3ea12d index 0000000..2c9ccbf
--- /dev/null --- /dev/null
+++ b/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te
@@ -0,0 +1,642 @@ @@ -0,0 +1,643 @@
+policy_module(systemd, 1.0.0) +policy_module(systemd, 1.0.0)
+ +
+####################################### +#######################################
@ -37308,6 +37339,7 @@ index 0000000..b3ea12d
+dev_create_generic_dirs(systemd_passwd_agent_t) +dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t) +dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t) +dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+ +
+term_read_console(systemd_passwd_agent_t) +term_read_console(systemd_passwd_agent_t)
+ +
@ -39078,7 +39110,7 @@ index db75976..65191bd 100644
+ +
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3c5dba7..9799799 100644 index 3c5dba7..b44b1c9 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@ -40360,7 +40392,7 @@ index 3c5dba7..9799799 100644
- corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t) - corenet_tcp_bind_generic_port($1_t)
+ +
+ tunable_policy(`selinuxuser_user_share_music',` + tunable_policy(`selinuxuser_share_music',`
+ corenet_tcp_bind_daap_port($1_usertype) + corenet_tcp_bind_daap_port($1_usertype)
+ ') + ')
+ +
@ -41745,7 +41777,7 @@ index 3c5dba7..9799799 100644
## Create keys for all user domains. ## Create keys for all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',` @@ -3438,4 +4197,1393 @@ interface(`userdom_dbus_send_all_users',`
') ')
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
@ -42306,6 +42338,42 @@ index 3c5dba7..9799799 100644
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Dontaudit Read files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_read_inherited_admin_home_files',`
+ gen_require(`
+ attribute admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Dontaudit append files inherited from the admin home dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_append_inherited_admin_home_file',`
+ gen_require(`
+ attribute admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read/Write files inherited +## Read/Write files inherited
+## in a user home subdirectory. +## in a user home subdirectory.
+## </summary> +## </summary>
@ -43104,7 +43172,7 @@ index 3c5dba7..9799799 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4) + filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
') ')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e2b538b..6371ed6 100644 index e2b538b..9e23738 100644
--- a/policy/modules/system/userdomain.te --- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@ -43143,7 +43211,7 @@ index e2b538b..6371ed6 100644
## </p> ## </p>
## </desc> ## </desc>
-gen_tunable(user_dmesg, false) -gen_tunable(user_dmesg, false)
+gen_tunable(selinuxuser_user_share_music, false) +gen_tunable(selinuxuser_share_music, false)
## <desc> ## <desc>
## <p> ## <p>

File diff suppressed because it is too large Load Diff

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.12.1 Version: 3.12.1
Release: 32%{?dist} Release: 35%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -229,8 +229,12 @@ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \ rm -f ${FILE_CONTEXT}.pre; \
fi; \ fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null; \ continue; \
fi; \
if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
continue; \
fi;
%define preInstall() \ %define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
@ -526,6 +530,41 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Apr 23 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-35
- Fix lockdev_manage_files()
- Allow setroubleshootd to read var_lib_t to make email_alert working
- Add lockdev_manage_files()
- Call proper interface in virt.te
- Allow gkeyring_domain to create /var/run/UID/config/dbus file
- system dbus seems to be blocking suspend
- Dontaudit attemps to sys_ptrace, which I believe gpsd does not need
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Allow mpd getattr on file system directories
- Make sure realmd creates content with the correct label
- Allow systemd-tty-ask to write kmsg
- Allow mgetty to use lockdev library for device locking
- Fix selinuxuser_user_share_music boolean name to selinuxuser_share_music
- When you enter a container from root, you generate avcs with a leaked file descriptor
- Make sure init.fc files are labeled correctly at creation
- File name trans vconsole.conf
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-34
- Allow certmonger to dbus communicate with realmd
- Make realmd working
* Thu Apr 18 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-33
- Fix mozilla specification of homedir content
- Allow certmonger to read network state
- Allow tmpwatch to read tmp in /var/spool/{cups,lpd}
- Label all nagios plugin as unconfined by default
- Add httpd_serve_cobbler_files()
- Allow mdadm to read /dev/sr0 and create tmp files
- Allow certwatch to send mails
- Fix labeling for nagios plugins
- label shared libraries in /opt/google/chrome as testrel_shlib_t
* Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32 * Wed Apr 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-32
- Allow realmd to run ipa, really needs to be an unconfined_domain - Allow realmd to run ipa, really needs to be an unconfined_domain
- Allow sandbox domains to use inherted terminals - Allow sandbox domains to use inherted terminals