rpms
/
selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Fix label for /var/run/udev to udev_var_run_t 

- Mock needs to be able to read network state
This commit is contained in:
Miroslav Grepl 2011-04-04 17:35:35 +00:00
parent 462b89a9a5
commit fb7e97f251
2 changed files with 219 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

321
policy-F16.patch
View File

@ -32212,7 +32212,7 @@ index 8581040..2367841 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index bf64a4c..f1eff62 100644
index bf64a4c..8a9789c 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@ -32284,7 +32284,15 @@ index bf64a4c..f1eff62 100644
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
files_read_etc_files(nrpe_t)
+files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -32297,7 +32305,7 @@ index bf64a4c..f1eff62 100644
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
@@ -299,7 +300,7 @@ optional_policy(`
@@ -299,7 +301,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
@ -32306,7 +32314,7 @@ index bf64a4c..f1eff62 100644
')
######################################
@@ -310,6 +311,9 @@ optional_policy(`
@@ -310,6 +312,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@ -32316,7 +32324,7 @@ index bf64a4c..f1eff62 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
@ -32324,7 +32332,7 @@ index bf64a4c..f1eff62 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@ -32333,7 +32341,7 @@ index bf64a4c..f1eff62 100644
')
optional_policy(`
@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@ -40048,7 +40056,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index e30bb63..2c24007 100644
index e30bb63..941f823 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@ -40082,7 +40090,7 @@ index e30bb63..2c24007 100644
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
+allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
@ -41756,7 +41764,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 22adaca..80b2f2e 100644
index 22adaca..68ad7a7 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@ -41958,7 +41966,7 @@ index 22adaca..80b2f2e 100644
libs_read_lib_files($1_ssh_agent_t)
@@ -393,14 +408,11 @@ template(`ssh_role_template',`
@@ -393,14 +408,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@ -41971,10 +41979,12 @@ index 22adaca..80b2f2e 100644
- allow $3 $1_ssh_agent_t:fd use;
- allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
- allow $3 $1_ssh_agent_t:process sigchld;
+
+ ssh_run_keygen($3,$2)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',`
@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@ -41985,7 +41995,7 @@ index 22adaca..80b2f2e 100644
########################################
## <summary>
## Read and write a ssh server unnamed pipe.
@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',`
@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@ -41994,7 +42004,7 @@ index 22adaca..80b2f2e 100644
')
########################################
@@ -586,6 +599,24 @@ interface(`ssh_domtrans',`
@@ -586,6 +601,24 @@ interface(`ssh_domtrans',`
########################################
## <summary>
@ -42019,7 +42029,7 @@ index 22adaca..80b2f2e 100644
## Execute the ssh client in the caller domain.
## </summary>
## <param name="domain">
@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',`
@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@ -42028,7 +42038,7 @@ index 22adaca..80b2f2e 100644
files_search_pids($1)
')
@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@ -42061,7 +42071,7 @@ index 22adaca..80b2f2e 100644
########################################
## <summary>
## Read ssh server keys
@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@ -42070,7 +42080,7 @@ index 22adaca..80b2f2e 100644
')
######################################
@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@ -42093,7 +42103,7 @@ index 22adaca..80b2f2e 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..7f14c83 100644
index 2dad3c8..594aa01 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@ -42422,7 +42432,7 @@ index 2dad3c8..7f14c83 100644
') dnl endif TODO
########################################
@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',`
@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@ -42438,11 +42448,12 @@ index 2dad3c8..7f14c83 100644
+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
+userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
+
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t)
@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@ -49359,7 +49370,7 @@ index cc83689..3388f34 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ea29513..55561ae 100644
index ea29513..819a8d5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@ -50078,7 +50089,15 @@ index ea29513..55561ae 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -810,11 +1103,19 @@ optional_policy(`
@@ -800,7 +1093,6 @@ optional_policy(`
')
optional_policy(`
- udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
@@ -810,11 +1102,19 @@ optional_policy(`
')
optional_policy(`
@ -50099,7 +50118,7 @@ index ea29513..55561ae 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -824,6 +1125,25 @@ optional_policy(`
@@ -824,6 +1124,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -50125,7 +50144,7 @@ index ea29513..55561ae 100644
')
optional_policy(`
@@ -849,3 +1169,42 @@ optional_policy(`
@@ -849,3 +1168,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@ -53434,7 +53453,7 @@ index 170e2c7..0aa893a 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 7ed9819..1d43b4b 100644
index 7ed9819..5ae4038 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@ -53617,7 +53636,7 @@ index 7ed9819..1d43b4b 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
@@ -353,7 +382,7 @@ optional_policy(`
@@ -353,16 +382,19 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@ -53626,7 +53645,11 @@ index 7ed9819..1d43b4b 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
+kernel_dontaudit_getattr_core_if(run_init_t)
+
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
@ -53634,7 +53657,7 @@ index 7ed9819..1d43b4b 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@ -53643,7 +53666,15 @@ index 7ed9819..1d43b4b 100644
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
@@ -396,7 +428,7 @@ miscfiles_read_localization(run_init_t)
@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t)
init_spec_domtrans_script(run_init_t)
# for utmp
init_rw_utmp(run_init_t)
+init_dontaudit_getattr_initctl(run_init_t)
logging_send_syslog_msg(run_init_t)
@@ -396,7 +431,7 @@ miscfiles_read_localization(run_init_t)
seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
@ -53652,7 +53683,7 @@ index 7ed9819..1d43b4b 100644
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@ -53662,13 +53693,17 @@ index 7ed9819..1d43b4b 100644
+')
+
+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(run_init_t)
+')
+
+optional_policy(`
+ rpm_domtrans(run_init_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
@@ -420,61 +461,22 @@ optional_policy(`
@@ -420,61 +468,22 @@ optional_policy(`
# semodule local policy
#
@ -53678,22 +53713,22 @@ index 7ed9819..1d43b4b 100644
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file rw_file_perms;
-
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
-dev_read_urand(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t)
@ -53715,13 +53750,13 @@ index 7ed9819..1d43b4b 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@ -53738,7 +53773,7 @@ index 7ed9819..1d43b4b 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@ -53787,19 +53822,13 @@ index 7ed9819..1d43b4b 100644
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
-
-files_read_etc_runtime_files(setfiles_t)
-files_read_etc_files(setfiles_t)
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
@ -53827,9 +53856,15 @@ index 7ed9819..1d43b4b 100644
-init_use_script_fds(setfiles_t)
-init_use_script_ptys(setfiles_t)
-init_exec_script_files(setfiles_t)
-
+init_dontaudit_use_fds(setsebool_t)
-logging_send_syslog_msg(setfiles_t)
-
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-miscfiles_read_localization(setfiles_t)
+########################################
+#
@ -54753,26 +54788,29 @@ index 0000000..1e5b954
+ readahead_manage_pid_files(systemd_notify_t)
+')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 0291685..ff75c28 100644
index 0291685..7e94f4b 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -11,6 +11,9 @@
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -21,4 +21,6 @@
+/run/udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/run/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+
/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,3 +25,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..8b50d5f 100644
index 025348a..4e2ca03 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@ -54793,26 +54831,29 @@ index 025348a..8b50d5f 100644
')
########################################
@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
interface(`udev_read_db',`
@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
#
interface(`udev_dontaudit_search_db',`
gen_require(`
type udev_tbl_t;
+ type device_t;
- type udev_tbl_t;
+ type udev_var_run_t;
')
dev_list_all_dev_nodes($1)
allow $1 udev_tbl_t:dir list_dir_perms;
read_files_pattern($1, udev_tbl_t, udev_tbl_t)
read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ allow $1 device_t:file read_file_perms;
- dontaudit $1 udev_tbl_t:dir search_dir_perms;
+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
')
########################################
@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
########################################
## <summary>
+## Allow process to modify relabelto udev database
@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
## <infoflow type="read" weight="10"/>
#
interface(`udev_read_db',`
+ udev_read_pid_files($1)
+')
+
+########################################
+## <summary>
+## Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
@ -54820,21 +54861,73 @@ index 025348a..8b50d5f 100644
+## </summary>
+## </param>
+#
+interface(`udev_rw_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
+ files_search_pids($1)
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:dir list_dir_perms;
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
## <summary>
-## Allow process to modify list of devices.
+## Allow process to modify relabelto udev database
## </summary>
## <param name="domain">
## <summary>
@@ -203,13 +216,36 @@ interface(`udev_read_db',`
## </summary>
## </param>
#
-interface(`udev_rw_db',`
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_tbl_t;
+ type udev_var_run_t;
+ ')
+
+ allow $1 udev_tbl_t:file relabelto_file_perms;
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## udev pid files.
## </summary>
@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
+## Create, read, write, and delete
+## udev pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_pid_files',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',`
type udev_var_run_t;
')
- files_search_var_lib($1)
+ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
@ -54897,10 +54990,10 @@ index 025348a..8b50d5f 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d88f7c3..1cadaa2 100644
index d88f7c3..b18dc17 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,6 +14,8 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
@ -54909,7 +55002,19 @@ index d88f7c3..1cadaa2 100644
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -38,6 +40,12 @@ ifdef(`enable_mcs',`
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
type udev_rules_t;
files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+typealias udev_var_run_t alias udev_tbl_t;
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
@ -54922,7 +55027,7 @@ index d88f7c3..1cadaa2 100644
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@ -54930,27 +55035,29 @@ index d88f7c3..1cadaa2 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
@@ -64,7 +73,8 @@ allow udev_t udev_etc_t:file read_file_perms;
@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file manage_file_perms;
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
+dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } )
-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
@@ -72,7 +82,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
@@ -87,6 +98,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
@ -54958,7 +55065,7 @@ index d88f7c3..1cadaa2 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
@@ -111,15 +123,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@ -54980,7 +55087,7 @@ index d88f7c3..1cadaa2 100644
mcs_ptrace_all(udev_t)
@@ -143,6 +160,7 @@ auth_use_nsswitch(udev_t)
@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@ -54988,7 +55095,7 @@ index d88f7c3..1cadaa2 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
@@ -186,15 +204,16 @@ ifdef(`distro_redhat',`
@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@ -55008,7 +55115,7 @@ index d88f7c3..1cadaa2 100644
')
optional_policy(`
@@ -216,11 +235,16 @@ optional_policy(`
@@ -216,11 +230,16 @@ optional_policy(`
')
optional_policy(`
@ -55025,7 +55132,7 @@ index d88f7c3..1cadaa2 100644
')
optional_policy(`
@@ -233,6 +257,10 @@ optional_policy(`
@@ -233,6 +252,10 @@ optional_policy(`
')
optional_policy(`
@ -55036,7 +55143,7 @@ index d88f7c3..1cadaa2 100644
lvm_domtrans(udev_t)
')
@@ -259,6 +287,10 @@ optional_policy(`
@@ -259,6 +282,10 @@ optional_policy(`
')
optional_policy(`
@ -55047,7 +55154,7 @@ index d88f7c3..1cadaa2 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
@@ -273,6 +305,11 @@ optional_policy(`
@@ -273,6 +300,11 @@ optional_policy(`
')
optional_policy(`

6
selinux-policy.spec
View File

@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -475,6 +475,10 @@ exit 0
%endif
%changelog
* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
- Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state
* Fri Apr 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-10
- Add file_contexts.subs to handle /run and /run/lock
- Add other fixes relating to /run changes from F15 policy