- Fixes for libvirt

Daniel J Walsh 2008-03-05 23:11:52 +00:00
parent 5947905ef9
commit dc57e68eff
2 changed files with 97 additions and 39 deletions


@ -6227,7 +6227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-03-04 15:06:28.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-03-04 16:33:16.000000000 -0500
@@ -82,6 +82,7 @@
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
@@ -148,7 +155,7 @@
@@ -148,11 +155,11 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@ -6283,6 +6283,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
-network_port(smbd, tcp,139,s0, tcp,445,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
@@ -170,7 +177,12 @@
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
@ -6878,7 +6883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 16:23:38.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 17:23:42.000000000 -0500
@@ -1266,6 +1266,24 @@
########################################
@ -7550,7 +7555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
/dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2008-02-26 08:17:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-03-04 17:41:15.000000000 -0500
@@ -81,6 +81,26 @@
########################################
@ -7783,7 +7788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-29 14:20:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-03-05 15:44:05.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@ -12788,8 +12793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+/etc/rc.d/init.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.3.1/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if 2008-02-26 08:29:22.000000000 -0500
@@ -1 +1,106 @@
+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if 2008-03-05 14:40:55.000000000 -0500
@@ -1 +1,125 @@
## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+
+########################################
@ -12853,6 +12858,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
+
+########################################
+## <summary>
+## Send dnsmasq a sigkill
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_sigkill',`
+ gen_require(`
+ type dnsmasq_t;
+ ')
+
+ allow $1 dnsmasq_t:process sigkill;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an dnsmasq environment
+## </summary>
@ -23011,7 +23035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-04 14:49:58.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-05 14:36:29.000000000 -0500
@@ -12,9 +12,15 @@
## </summary>
## </param>
@ -23745,7 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # X Protocol Extensions
+ allow $3 std_xext_t:x_extension { use };
+ allow $3 shmem_xext_t:x_extension { use };
+ dontaudit $3 xextension_type:x_extension query;
+ allow $3 xextension_type:x_extension query;
+
+ # X Properties
+ # can read and write client properties
@ -24303,7 +24327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-28 16:46:06.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-05 18:07:11.000000000 -0500
@@ -8,6 +8,14 @@
## <desc>
@ -24543,7 +24567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -245,6 +357,7 @@
@@ -237,6 +349,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
+storage_rw_fuse(xdm_t)
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -245,6 +358,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -24551,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +369,11 @@
@@ -256,12 +370,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -24565,7 +24597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -270,8 +382,13 @@
@@ -270,8 +383,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -24579,7 +24611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
@@ -304,7 +421,11 @@
@@ -304,7 +422,11 @@
')
optional_policy(`
@ -24592,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -312,6 +433,23 @@
@@ -312,6 +434,23 @@
')
optional_policy(`
@ -24616,7 +24648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -322,6 +460,10 @@
@@ -322,6 +461,10 @@
')
optional_policy(`
@ -24627,7 +24659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
@@ -335,6 +477,11 @@
@@ -335,6 +478,11 @@
')
optional_policy(`
@ -24639,7 +24671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t)
')
@@ -343,8 +490,8 @@
@@ -343,8 +491,8 @@
')
optional_policy(`
@ -24649,7 +24681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +527,7 @@
@@ -380,7 +528,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -24658,7 +24690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +539,15 @@
@@ -392,6 +540,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -24674,7 +24706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +560,17 @@
@@ -404,9 +561,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -24692,7 +24724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +584,22 @@
@@ -420,6 +585,22 @@
')
optional_policy(`
@ -24715,7 +24747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +609,138 @@
@@ -429,47 +610,138 @@
')
optional_policy(`
@ -25285,7 +25317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-05 15:46:36.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@ -25319,7 +25351,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(pam_t)
@@ -297,8 +309,10 @@
@@ -282,6 +294,11 @@
')
')
+optional_policy(`
+ # apache leaks file descriptors
+ apache_dontaudit_rw_tcp_sockets(system_chkpwd_t)
+')
+
########################################
#
# updpwd local policy
@@ -297,8 +314,10 @@
files_manage_etc_files(updpwd_t)
term_dontaudit_use_console(updpwd_t)
@ -25331,7 +25375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
auth_manage_shadow(updpwd_t)
auth_use_nsswitch(updpwd_t)
@@ -359,11 +373,6 @@
@@ -359,11 +378,6 @@
')
optional_policy(`
@ -28372,7 +28416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-04 17:26:54.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -28407,7 +28451,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1)
corenet_unconfined($1)
@@ -70,6 +70,7 @@
@@ -40,6 +40,7 @@
domain_unconfined($1)
domain_dontaudit_read_all_domains_state($1)
domain_dontaudit_ptrace_all_domains($1)
+ domain_mmap_low($1)
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
@@ -70,6 +71,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@ -28415,7 +28467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
@@ -95,6 +96,10 @@
@@ -95,6 +97,10 @@
optional_policy(`
storage_unconfined($1)
')
@ -28426,7 +28478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
@@ -581,7 +586,6 @@
@@ -581,7 +587,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
@ -28434,7 +28486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
allow $1 unconfined_t:dbus acquire_svc;
@@ -589,7 +593,139 @@
@@ -589,7 +594,139 @@
########################################
## <summary>
@ -28575,7 +28627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary>
## <param name="domain">
## <summary>
@@ -597,41 +733,43 @@
@@ -597,41 +734,43 @@
## </summary>
## </param>
#
@ -28633,7 +28685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary>
## <param name="domain">
## <summary>
@@ -639,10 +777,10 @@
@@ -639,10 +778,10 @@
## </summary>
## </param>
#
@ -28974,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-03 16:30:45.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-05 18:06:38.000000000 -0500
@@ -29,9 +29,14 @@
')
@ -32328,8 +32380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-02-26 08:29:22.000000000 -0500
@@ -0,0 +1,159 @@
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-05 18:05:21.000000000 -0500
@@ -0,0 +1,162 @@
+
+policy_module(virt,1.0.0)
+
@ -32385,8 +32437,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+#
+# virtd local policy
+#
+allow virtd_t self:capability { dac_override kill net_admin setgid };
+allow virtd_t self:process sigkill;
+allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };
+allow virtd_t self:process { sigkill signal };
+allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:tcp_socket create_stream_socket_perms;
@ -32412,6 +32464,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+corecmd_exec_bin(virtd_t)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_all_if(virtd_t)
@ -32467,6 +32521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_sigkill(virtd_t)
+')
+
+optional_policy(`
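Review bot: The new `allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };` line in the virt.te hunk hands libvirtd CAP_SYS_MODULE, which amounts to kernel-level privilege (arbitrary module loading) for a network-facing daemon that, in the same hunk, also gains `corecmd_exec_bin(virtd_t)`. If the denial being fixed was libvirtd invoking modprobe for kvm/tun/bridge, the reference-policy idiom is to transition that call into the module-loading domain rather than grant the capability to virtd_t itself, e.g. drop `sys_module` from that line and add `optional_policy(` / `modutils_domtrans_insmod(virtd_t)` / `')`; if some other operation needs it, a why-comment on the allow line naming that operation would let the next reviewer judge the grant. Whether libvirt loads modules directly or via modprobe is not visible from this hunk, so it is worth confirming against the original AVC denial. The virtd_t policy block starts and continues outside this hunk.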


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -388,6 +388,9 @@ exit 0
%endif
%changelog
* Mon Mar 3 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-11
- Fixes for libvirt
* Mon Mar 3 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-10
- Allow bitlebee to read locale_t