Allow logrotate setuid and setgid since logrotate is supposed to do it

Fixes for thumb policy by grift Add new nfsd ports Added fix to allow confined apps to execmod on chrome Add labeling for additional vdsm directories Allow Exim and Dovecot SASL Add label for /var/run/nmbd Add fixes to make virsh and xen working together Colord executes ls /var/spool/cron is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00 · 2011-10-04 10:50:39 -04:00 · f1bc73d0ef
parent e15ae4fa84
commit f1bc73d0ef
6 changed files with 417 additions and 34 deletions
--- a/execmem.patch
+++ b/execmem.patch
@ -0,0 +1,379 @@
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 8d3c1d8..a7b1b65 100644
+--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
+@@ -416,14 +416,6 @@ optional_policy(`
+ 	unconfined_domain_noaudit(rpm_script_t)
+ 	unconfined_domtrans(rpm_script_t)
+ 	unconfined_execmem_domtrans(rpm_script_t)
+-
+-	optional_policy(`
+-		java_domtrans_unconfined(rpm_script_t)
+-	')
+-
+-	optional_policy(`
+-		mono_domtrans(rpm_script_t)
+-	')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
+index 6f3570a..70c661e 100644
+--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
+@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
+ /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/MATLAB.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /usr
+#
+/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/fastjar	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/frysk		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gappletviewer	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gij		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gjarsigner	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gkeytool	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmic		--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmiregistry	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/jv-convert	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/octave-[^/]*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm(/.*)?/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/bin/mono.*	--	gen_context(system_u:object_r:execmem_exec_t,s0)
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..a78bec0 100644
+--- a/policy/modules/apps/execmem.if
+++ b/policy/modules/apps/execmem.if
+@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
+ 
+ 	allow $1 execmem_exec_t:file execmod;
+ ')
+-
+diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
+index a7d37e2..fd8450f 100644
+--- a/policy/modules/apps/execmem.te
+++ b/policy/modules/apps/execmem.te
+@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
+ #
+ # Declarations
+ #
+attribute execmem_type;
+ 
+-type execmem_exec_t alias unconfined_execmem_exec_t;
+type execmem_exec_t;
+typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
+ application_executable_file(execmem_exec_t)
+ 
+allow execmem_type self:process { execmem execstack };
+files_execmod_tmp(execmem_type)
+execmem_execmod(execmem_type)
+
+optional_policy(`
+	gnome_read_usr_config(execmem_type)
+')
+	
+optional_policy(`
+	mozilla_execmod_user_home_files(execmem_type)
+')
+
+optional_policy(`
+	nsplugin_rw_shm(execmem_type)
+	nsplugin_rw_semaphores(execmem_type)
+')
+diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
+index d1b1280..f93103b 100644
+--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
+@@ -273,10 +273,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_domtrans(mozilla_t)
+-')
+-
+-optional_policy(`
+ 	lpd_domtrans_lpr(mozilla_t)
+ ')
+ 
+@@ -456,7 +452,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_exec(mozilla_plugin_t)
+	execmem_exec(mozilla_plugin_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9d0e298 100644
+--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
+@@ -85,5 +85,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_exec(podsleuth_t)
+	execmem_exec(podsleuth_t)
+ ')
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index bfabe3f..fbbce55 100644
+--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
+@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(staff_r, staff_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(staff_r, staff_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 7cd6d4f..e120bbc 100644
+--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
+@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(sysadm_r, sysadm_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(sysadm_r, sysadm_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index fcc8949..6f1425f 100644
+--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
+@@ -337,10 +337,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+ 	kerberos_filetrans_named_content(unconfined_t)
+ ')
+ 
+@@ -361,13 +357,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_role_template(unconfined, unconfined_r, unconfined_t)
+-	unconfined_domain_noaudit(unconfined_mono_t)
+-	role system_r types unconfined_mono_t;
+-')
+-
+-
+-optional_policy(`
+ 	mozilla_role_plugin(unconfined_r)
+ 
+ 	tunable_policy(`unconfined_mozilla_plugin_transition', `
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5a8559..68013b7 100644
+--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
+@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+ 		lockdev_role(user_r, user_t)
+ 	')
+ 
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index 1cd57fd..a1db79d 100644
+--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
+@@ -107,14 +107,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	java_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+-	mono_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+ 	mozilla_run_plugin(xguest_usertype, xguest_r)
+ ')
+ 
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+index 1442451..add9ada 100644
+--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
+@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
+ miscfiles_read_localization(boinc_project_t)
+ 
+ optional_policy(`
+-	java_exec(boinc_project_t)
+	execmem_exec(boinc_project_t)
+ ')
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index 86ea0ba..a2c41fd 100644
+--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
+@@ -299,10 +299,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(crond_t)
+-')
+-
+-optional_policy(`
+ 	amanda_search_var_lib(crond_t)
+ ')
+ 
+@@ -553,10 +549,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_domtrans(system_cronjob_t)
+-')
+-
+-optional_policy(`
+ 	mrtg_append_create_logs(system_cronjob_t)
+ ')
+ 
+@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
+ 	allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+ 
+-# need a per-role version of this:
+-#optional_policy(`
+-#	mono_domtrans(cronjob_t)
+-#')
+-
+ optional_policy(`
+ 	nis_use_ypbind(cronjob_t)
+ ')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 1e40c00..ae34382 100644
+--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
+@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
+ 
+ 	hadoop_exec_config(hadoop_$1_t)
+ 
+-	java_exec(hadoop_$1_t)
+	execmem_exec(hadoop_$1_t)
+ 
+ 	kerberos_use(hadoop_$1_t)
+ 
+diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
+index 3889dc9..32dc803 100644
+--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
+@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
+ 
+ userdom_use_inherited_user_terminals(hadoop_t)
+ 
+-java_exec(hadoop_t)
+execmem_exec(hadoop_t)
+ 
+ kerberos_use(hadoop_t)
+ 
+@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
+ userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+ 
+-java_exec(zookeeper_t)
+execmem_exec(zookeeper_t)
+ 
+ ########################################
+ #
+@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
+ 
+ sysnet_read_config(zookeeper_server_t)
+ 
+-java_exec(zookeeper_server_t)
+execmem_exec(zookeeper_server_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..d14f2d6 100644
+--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
+@@ -1247,10 +1247,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mono_rw_shm(xserver_t)
+-')
+-
+-optional_policy(`
+ 	rhgb_rw_shm(xserver_t)
+ 	rhgb_rw_tmpfs_files(xserver_t)
+ ')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 53f3bfe..20dd3a0 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -1190,10 +1190,6 @@ optional_policy(`
+ 		unconfined_dontaudit_rw_pipes(daemon)
+ 	')
+ 
+-	optional_policy(`
+-		mono_domtrans(initrc_t)
+-	')
+-
+ 	# Allow SELinux aware applications to request rpm_script_t execution
+ 	rpm_transition_script(initrc_t)
+ 	
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..a001ce9 100644
+--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
+@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
+ 	')
+ 
+ 	optional_policy(`
+-		java_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+-		mono_role_template($1, $1_r, $1_t)
+-	')
+-
+-	optional_policy(`
+ 		mount_run_fusermount($1_t, $1_r)
+ 		mount_read_pid_files($1_t)
+ 	')
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -733,13 +733,6 @@ i18n_input = off
 # 
 jabber = module

-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
 # Layer: admin
 # Module: kdump
 #
@ -925,13 +918,6 @@ modutils = module
 # 
 mojomojo = module

-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -843,13 +843,6 @@ i18n_input = off
 # 
 jabber = module

-# Layer: apps
-# Module: java
-#
-# java executable
-# 
-java = module
-
 # Layer: apps
 # Module: execmem
 #
@ -1071,13 +1064,6 @@ mojomojo = module
 # 
 modutils = module

-# Layer: apps
-# Module: mono
-#
-# mono executable
-# 
-mono = module
-
 # Layer: system
 # Module: mount
 #
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644
 
 ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..c76046b 100644
+index e5836d3..eae9427 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
@@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644
 ifdef(`hide_broken_symptoms',`
 	ifdef(`distro_gentoo',`
 		# leaked fds from portage
-@@ -131,6 +139,10 @@ optional_policy(`
+@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+ 		')
+ 	')
+ 
+	dev_dontaudit_rw_lvm_control(ldconfig_t)
+	term_dontaudit_use_unallocated_ttys(ldconfig_t)
+
+ 	optional_policy(`
+ 		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ 	')
+@@ -131,6 +142,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644
 	puppet_rw_tmp(ldconfig_t)
 ')
 
-@@ -141,6 +153,3 @@ optional_policy(`
+@@ -141,6 +156,3 @@ optional_policy(`
 	rpm_manage_script_tmp_files(ldconfig_t)
 ')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.6%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -214,7 +214,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
   rm /etc/selinux/%2/.rebuild; \
   if [ %1 -ne 1 ]; then \
-	/usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+	/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
   fi \
   /usr/sbin/semodule -B -s %2; \
 else \
@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %install
 mkdir selinux_config
@ -471,6 +472,27 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Mon Oct 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron  is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
 * Fri Sep 29 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
 - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
--- a/thumb.patch
+++ b/thumb.patch
@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644
 		rtkit_scheduled(unconfined_usertype)
 	')
 
-+	# Might remove later if this proves to be problematic, but would like to gather AVC's
+	# Might remove later if this proves to be problematic, but would like to gather AVCs
 +	optional_policy(`
 +		thumb_role(unconfined_r, unconfined_usertype)
 +	')