* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26

- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock working together with confined users
  * Allow mock_t to manage rpm files
  * Allow mock_t to read rpm log files
  * Allow mock to setattr on tmpfs, devpts
  * Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmount tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registered to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
Miroslav Grepl 2013-04-05 17:34:40 +02:00
parent d9444b18fb
commit f4f51d7574
3 changed files with 579 additions and 225 deletions


@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..f7e9534 100644
index 76f285e..059e984 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644
')
########################################
@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
@ -6345,11 +6345,47 @@ index 76f285e..f7e9534 100644
+')
+
+########################################
+## <summary>
+## Mount sysfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount sysfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_unmount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
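Review bot: The new `dev_mount_sysfs_fs` and `dev_unmount_sysfs_fs` interfaces hand out `sysfs_t:filesystem mount` and `unmount`, yet their summaries carry only the generic `Domain allowed access.` text. The commit message says these exist because mount runs in mock_t; state that intended use in the summary or in a comment, so the interfaces are not picked up by domains that should transition to mount_t instead.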
@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
+ gen_require(`
gen_require(`
+ type cpu_online_t;
+ ')
+
@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
gen_require(`
+ gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644
########################################
## <summary>
## Read hardware state information.
@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
########################################
## <summary>
@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
########################################
## <summary>
@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
########################################
## <summary>
@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
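Review bot: The added `controlC10` through `controlC29` lines extend a hand-written list of named transitions, so the covered range is easy to get wrong: the commit message says "up to 30", while the last name added here is `controlC29`. Add a comment above the block stating the highest index covered, or generate the entries from one macro so the bound lives in a single place.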
@ -15293,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 649e458..31a14c8 100644
index 649e458..cc924ae 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@ -15305,7 +15361,32 @@ index 649e458..31a14c8 100644
')
########################################
@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## Mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
########################################
## <summary>
@ -15330,7 +15411,7 @@ index 649e458..31a14c8 100644
## Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@ -15346,7 +15427,7 @@ index 649e458..31a14c8 100644
')
########################################
@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
## <summary>
@ -15371,7 +15452,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@ -15380,7 +15461,7 @@ index 649e458..31a14c8 100644
')
########################################
@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
########################################
## <summary>
@ -15406,7 +15487,7 @@ index 649e458..31a14c8 100644
## Read the process state (/proc/pid) of all unlabeled_t.
## </summary>
## <param name="domain">
@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
## </summary>
## <param name="domain">
## <summary>
@ -15415,7 +15496,7 @@ index 649e458..31a14c8 100644
## </summary>
## </param>
#
@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
## <summary>
@ -15440,7 +15521,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
## <summary>
@ -15465,7 +15546,7 @@ index 649e458..31a14c8 100644
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@ -15474,7 +15555,7 @@ index 649e458..31a14c8 100644
')
########################################
@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
@ -15499,7 +15580,7 @@ index 649e458..31a14c8 100644
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
@ -15525,7 +15606,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@ -15559,7 +15640,7 @@ index 649e458..31a14c8 100644
########################################
## <summary>
@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@ -15584,7 +15665,7 @@ index 649e458..31a14c8 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@ -17164,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 771bce1..8b0e5e6 100644
index 771bce1..55ebf4b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@ -17226,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
########################################
## <summary>
+## Mount a pty filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_mount_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## Unmount a pty filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_unmount_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem unmount;
+')
+
+########################################
+## <summary>
## Relabel from and to pty filesystem.
## </summary>
## <param name="domain">
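Review bot: Style, in the two new summaries: `Mount a pty filesystem` and `Unmount a pty filesystem` lack the trailing period that the neighbouring summary `Relabel from and to pty filesystem.` has. Add it so the generated interface documentation stays consistent.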
@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
########################################
## <summary>
@ -17251,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read the
## /dev/pts directory.
## </summary>
@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
########################################
## <summary>
@ -17260,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
## </summary>
@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@ -17268,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
########################################
## <summary>
@ -17295,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@ -17304,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@ -17313,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
## </summary>
## <param name="domain">
## <summary>
@ -17322,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
## </summary>
## </param>
#
@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@ -17371,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@ -17385,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@ -17398,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@ -17427,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@ -17436,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
@ -17445,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
## </summary>
## </param>
#
@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@ -26328,7 +26452,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 6c4b6ee..4ea7640 100644
index 6c4b6ee..f512b72 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@ -26357,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
# log files
allow fsadm_t fsadm_log_t:dir setattr;
@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+kernel_get_sysvipc_info(fsadm_t)
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
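Review bot: `kernel_get_sysvipc_info(fsadm_t)` is added without a comment, next to the rule headed `# Enable swapping to files`, so a reader of fstools.te cannot tell why fsadm_t needs SysV IPC information. The commit message ties it to livecd-iso-to-disk; put that in a one-line comment above the call.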
@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
@ -26366,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@ -26376,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@ -26394,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
+init_stream_connect(fsadm_t)
logging_send_syslog_msg(fsadm_t)
+logging_send_audit_msgs(fsadm_t)
+logging_stream_connect_syslog(fsadm_t)
-miscfiles_read_localization(fsadm_t)
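Review bot: `logging_stream_connect_syslog(fsadm_t)` is not covered by the commit message, which for fsadm_t lists only audit messages and kernel IPC info. Record in the changelog which denial it resolves, and confirm it is still needed alongside `logging_send_syslog_msg(fsadm_t)` two lines above.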
@ -26405,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
ifdef(`distro_redhat',`
optional_policy(`
@@ -166,6 +185,11 @@ optional_policy(`
@@ -166,6 +187,11 @@ optional_policy(`
')
optional_policy(`
@ -26417,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
hal_dontaudit_write_log(fsadm_t)
')
@@ -179,6 +203,10 @@ optional_policy(`
@@ -179,6 +205,10 @@ optional_policy(`
')
optional_policy(`
@ -26428,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
nis_use_ypbind(fsadm_t)
')
@@ -192,6 +220,10 @@ optional_policy(`
@@ -192,6 +222,10 @@ optional_policy(`
')
optional_policy(`
@ -27940,7 +28073,7 @@ index 24e7804..1894886 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dd3be8d..99c538c 100644
index dd3be8d..61531ce 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@ -28206,15 +28339,14 @@ index dd3be8d..99c538c 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
')
optional_policy(`
- auth_rw_login_records(init_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
')
optional_policy(`
+')
+
+optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@ -28338,28 +28470,29 @@ index dd3be8d..99c538c 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
+')
+
+optional_policy(`
')
optional_policy(`
- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
')
optional_policy(`
- nscd_use(init_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@ -29002,7 +29135,7 @@ index dd3be8d..99c538c 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
@@ -896,3 +1353,187 @@ optional_policy(`
@@ -896,3 +1353,191 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -29184,6 +29317,10 @@ index dd3be8d..99c538c 100644
+allow initrc_domain systemprocess_entry:file { getattr open read execute };
+allow initrc_domain systemprocess:process transition;
+
+optional_policy(`
+ rgmanager_search_lib(initrc_domain)
+')
+
+ifdef(`direct_sysadm_daemon',`
+ allow daemon direct_run_init:fd use;
+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
@ -32614,7 +32751,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..0755e25 100644
index 4584457..e432df3 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@ -32631,7 +32768,7 @@ index 4584457..0755e25 100644
')
########################################
@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
@ -32719,6 +32856,25 @@ index 4584457..0755e25 100644
+
+########################################
+## <summary>
+## Read/write mount PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_pid_files',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Manage mount PID files.
+## </summary>
+## <param name="domain">
@ -32737,7 +32893,7 @@ index 4584457..0755e25 100644
')
########################################
@@ -91,7 +190,7 @@ interface(`mount_signal',`
@@ -91,7 +209,7 @@ interface(`mount_signal',`
## </summary>
## <param name="domain">
## <summary>
@ -32746,7 +32902,7 @@ index 4584457..0755e25 100644
## </summary>
## </param>
#
@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
########################################
## <summary>
@ -32806,14 +32962,19 @@ index 4584457..0755e25 100644
## <summary>
-## Role allowed access.
+## Domain allowed access.
+## </summary>
+## </param>
+#
## </summary>
## </param>
-## <rolecap/>
#
-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
+ gen_require(`
gen_require(`
- type unconfined_mount_t;
+ type fusermount_exec_t;
+ ')
+
')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ can_exec($1, fusermount_exec_t)
+')
+
@ -32824,19 +32985,14 @@ index 4584457..0755e25 100644
+## <param name="domain">
+## <summary>
+## Domain to not audit.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`mount_run_unconfined',`
+## </summary>
+## </param>
+#
+interface(`mount_dontaudit_exec_fusermount',`
gen_require(`
- type unconfined_mount_t;
+ gen_require(`
+ type fusermount_exec_t;
')
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ ')
+
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
@ -32902,7 +33058,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..2fc14cd 100644
index 6a50270..b34911e 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -33003,7 +33159,7 @@ index 6a50270..2fc14cd 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@ -33019,6 +33175,7 @@ index 6a50270..2fc14cd 100644
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
+dev_rw_loop_control(mount_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
@ -33053,7 +33210,7 @@ index 6a50270..2fc14cd 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@ -33099,7 +33256,7 @@ index 6a50270..2fc14cd 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@ -33123,7 +33280,7 @@ index 6a50270..2fc14cd 100644
ifdef(`distro_redhat',`
optional_policy(`
@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
')
')
@ -33163,7 +33320,7 @@ index 6a50270..2fc14cd 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
@@ -179,6 +251,8 @@ optional_policy(`
@@ -179,6 +252,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@ -33172,7 +33329,7 @@ index 6a50270..2fc14cd 100644
')
optional_policy(`
@@ -186,6 +260,36 @@ optional_policy(`
@@ -186,6 +261,36 @@ optional_policy(`
')
optional_policy(`
@ -33209,7 +33366,7 @@ index 6a50270..2fc14cd 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -194,24 +298,128 @@ optional_policy(`
@@ -194,24 +299,128 @@ optional_policy(`
')
optional_policy(`

File diff suppressed because it is too large


@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 25%{?dist}
Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Apr 5 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-26
- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock working together with confined users
* Allow mock_t to manage rpm files
* Allow mock_t to read rpm log files
* Allow mock to setattr on tmpfs, devpts
* Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmont tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
* Tue Apr 2 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-25
- Allow realmd to create tmp files
- FIx ircssi_home_t type to irssi_home_t
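Review bot: In the new `%changelog` entry, the line `- Allow colord to read /run/initial-setup-` ends in a hyphen and looks truncated; complete the path before release. The same entry also carries the typos `unmont` and `registred`, which will ship in the RPM changelog as written.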