rpms/selinux-policy/devel xm.patch, NONE, 1.1 selinux-policy.spec, 1.180, 1.181

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Apr 25 15:19:53 UTC 2006 

Author: jantill

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6633

Modified Files:
	selinux-policy.spec 
Added Files:
	xm.patch 
Log Message:
* Tue Apr 25 2006 James Antill <jantill at redhat.com> 2.2.35-2
- Add xm policy
- Fix policygentool


xm.patch:
 policy/modules/system/xen.if                    |   63 ++++++++++++++++++++++++
 policy/modules/system/xen.te                    |   52 +++++++++++++++++++
 serefpolicy-2.2.35/policy/modules/system/xen.fc |    1 
 3 files changed, 116 insertions(+)

--- NEW FILE xm.patch ---
diff -ru serefpolicy-2.2.35-orig/policy/modules/system/xen.fc serefpolicy-2.2.35/policy/modules/system/xen.fc
--- serefpolicy-2.2.35-orig/policy/modules/system/xen.fc	2006-04-24 20:14:54.000000000 -0400
+++ serefpolicy-2.2.35/policy/modules/system/xen.fc	2006-04-25 11:01:03.000000000 -0400
@@ -14,3 +14,4 @@
 /var/run/xend\.pid	--      gen_context(system_u:object_r:xend_var_run_t,s0)
 /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
 /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
+/usr/sbin/xm		--	gen_context(system_u:object_r:xm_exec_t,s0)
--- serefpolicy-2.2.35-orig/policy/modules/system/xen.if	2006-04-25 10:27:36.000000000 -0400
+++ serefpolicy-2.2.35/policy/modules/system/xen.if	2006-04-25 11:03:07.000000000 -0400
@@ -83,3 +83,66 @@
 	allow $1 xenstored_var_run_t:sock_file { getattr write };
 	allow $1 xenstored_t:unix_stream_socket connectto;
 ')
+
+########################################
+## <summary>
+##	Connect to xend over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_connect',`
+	gen_require(`
+		type xend_t, xend_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 xend_var_run_t:dir search;
+	allow $1 xend_var_run_t:sock_file getattr;
+	allow $1 xend_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Write to xend over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_writeto',`
+	gen_require(`
+		type xend_var_run_t;
+	')
+
+	allow $1 xend_var_run_t:sock_file write;
+')
+
+
+########################################
+## <summary>
+##	Execute a domain transition to run xm.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`xm_domtrans',`
+	gen_requires(`
+		type xm_t, xm_exec_t;
+	')
+
+	domain_auto_trans($1,xm_exec_t,xm_t)
+
+	allow $1 xm_t:fd use;
+	allow xm_t $1:fd use;
+	allow xm_t:$1:fifo_file rw_file_perms;
+	allow xm_t $1:process sigchld;
+')
Only in serefpolicy-2.2.35/policy/modules/system: xen.if~
--- serefpolicy-2.2.35-orig/policy/modules/system/xen.te	2006-04-25 10:27:36.000000000 -0400
+++ serefpolicy-2.2.35/policy/modules/system/xen.te	2006-04-25 11:01:03.000000000 -0400
@@ -224,3 +224,55 @@
 miscfiles_read_localization(xenstored_t)
 
 xen_append_log(xenstored_t)
+
+########################################
+#
+# Declarations
+#
+
+type xm_t;
+type xm_exec_t;
+domain_type(xm_t)
+init_daemon_domain(xm_t, xm_exec_t)
+
+########################################
+#
+# xm local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(xm_t)
+libs_use_ld_so(xm_t)
+libs_use_shared_libs(xm_t)
+miscfiles_read_localization(xm_t)
+# internal communication is often done using fifo and unix sockets.
+allow xm_t self:fifo_file { read write };
+allow xm_t self:unix_stream_socket create_stream_socket_perms;
+
+
+# james -- aujdit2allow
+
+corecmd_exec_bin(xm_t)
+corecmd_exec_sbin(xm_t)
+
+kernel_read_system_state(xm_t)
+kernel_read_kernel_sysctls(xm_t)
+kernel_read_xen_state(xm_t)
+kernel_write_xen_state(xm_t)
+term_use_all_terms(xm_t)
+
+dev_read_urand(xm_t)
+
+xen_append_log(xm_t)
+xen_connect(xm_t)
+xen_writeto(xm_t)
+
+xen_stream_connect_xenstore(xm_t)
+allow xm_t self:capability dac_override;
+
+
+# allow xm_t root_t:dir search;
+# Need to relabel files for xen
+auth_read_all_files_except_shadow(xm_t)
+


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.180
retrieving revision 1.181
diff -u -r1.180 -r1.181
--- selinux-policy.spec	25 Apr 2006 10:57:57 -0000	1.180
+++ selinux-policy.spec	25 Apr 2006 15:19:51 -0000	1.181
@@ -16,11 +16,12 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.2.35
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-20060411.patch
+patch2: xm.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -150,6 +151,7 @@
 %prep 
 %setup -q -n serefpolicy-%{version}
 %patch -p1
+%patch2 -p1
 
 %install
 # Build targeted policy
@@ -332,6 +334,10 @@
 %endif
 
 %changelog
+* Tue Apr 25 2006 James Antill <jantill at redhat.com> 2.2.35-2
+- Add xm policy
+- Fix policygentool
+
 * Mon Apr 24 2006 Dan Walsh <dwalsh at redhat.com> 2.2.35-1
 - Update to upstream
 - Fix postun to only disable selinux on full removal of the packages

More information about the fedora-cvs-commits mailing list