rpms/selinux-policy/devel booleans-mls.conf, 1.8, 1.9 policy-20071130.patch, 1.95, 1.96 selinux-policy.spec, 1.629, 1.630

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Mar 12 01:00:45 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31942

Modified Files:
	booleans-mls.conf policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Mar 11 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-15
- Allow init to transition to initrc_t on shell exec.
- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes 



Index: booleans-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-mls.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- booleans-mls.conf	19 Nov 2007 20:09:32 -0000	1.8
+++ booleans-mls.conf	12 Mar 2008 01:00:13 -0000	1.9
@@ -223,3 +223,7 @@
 # Allow samba to act as the domain controller
 # 
 samba_domain_controller = false
+
+# Run the xserver as an object manager
+# 
+xserver_object_manager = true

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.95
retrieving revision 1.96
diff -u -r1.95 -r1.96
--- policy-20071130.patch	11 Mar 2008 22:46:00 -0000	1.95
+++ policy-20071130.patch	12 Mar 2008 01:00:13 -0000	1.96
@@ -8483,7 +8483,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-29 13:36:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-03-11 19:28:21.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -8975,7 +8975,7 @@
  ')
  
  ########################################
-@@ -724,3 +859,46 @@
+@@ -724,3 +859,47 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -9013,6 +9013,7 @@
 +mta_send_mail(httpd_bugzilla_script_t)
 +
 +sysnet_read_config(httpd_bugzilla_script_t)
++sysnet_use_ldap(httpd_bugzilla_script_t)
 +
 +optional_policy(`
 +	mysql_search_db(httpd_bugzilla_script_t)
@@ -19545,6 +19546,17 @@
  userdom_use_unpriv_users_fds(remote_login_t)
  userdom_search_all_users_home_content(remote_login_t)
  # Only permit unprivileged user domains to be entered via rlogin,
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.3.1/policy/modules/services/rhgb.te
+--- nsaserefpolicy/policy/modules/services/rhgb.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rhgb.te	2008-03-11 20:07:53.000000000 -0400
+@@ -92,6 +92,7 @@
+ term_getattr_pty_fs(rhgb_t)
+ 
+ init_write_initctl(rhgb_t)
++init_chat(rhgb_t)
+ 
+ libs_use_ld_so(rhgb_t)
+ libs_use_shared_libs(rhgb_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.3.1/policy/modules/services/ricci.if
 --- nsaserefpolicy/policy/modules/services/ricci.if	2007-01-02 12:57:43.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/ricci.if	2008-02-26 08:29:22.000000000 -0500
@@ -20154,8 +20166,34 @@
 +/etc/rc.d/init.d/smb		--	gen_context(system_u:object_r:samba_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.3.1/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.if	2008-02-26 21:19:09.000000000 -0500
-@@ -63,6 +63,25 @@
++++ serefpolicy-3.3.1/policy/modules/services/samba.if	2008-03-11 17:56:00.000000000 -0400
+@@ -52,6 +52,25 @@
+ ##	</summary>
+ ## </param>
+ #
++interface(`samba_domtrans_smb',`
++	gen_require(`
++		type smbd_t, smbd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1,smbd_exec_t,smbd_t)
++')
++
++########################################
++## <summary>
++##	Execute samba net in the samba_net domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
+ interface(`samba_domtrans_net',`
+ 	gen_require(`
+ 		type samba_net_t, samba_net_exec_t;
+@@ -63,6 +82,25 @@
  
  ########################################
  ## <summary>
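Review bot: The doc block that now sits above `samba_domtrans_smb` is presumably the original header of `samba_domtrans_net` — the hunk inserts the new interface directly under that header's closing `## </param>` / `#` lines and then duplicates the "Execute samba net in the samba_net domain." summary in front of `samba_domtrans_net` — so the generated interface documentation for samba_domtrans_smb describes the wrong interface. The summary line above `interface(`samba_domtrans_smb',` (just outside the hunk) should read `##	Execute smbd in the smbd domain.`; the domain parameter description is the same for both and can stay. The enclosing interface body of samba_domtrans_net continues past the end of the hunk.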
@@ -20181,7 +20219,7 @@
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -95,6 +114,38 @@
+@@ -95,6 +133,38 @@
  
  ########################################
  ## <summary>
@@ -20220,7 +20258,7 @@
  ##	Execute smbmount in the smbmount domain.
  ## </summary>
  ## <param name="domain">
-@@ -331,6 +382,25 @@
+@@ -331,6 +401,25 @@
  
  ########################################
  ## <summary>
@@ -20246,7 +20284,7 @@
  ##	Allow the specified domain to
  ##	read and write samba /var files.
  ## </summary>
-@@ -348,6 +418,7 @@
+@@ -348,6 +437,7 @@
  	files_search_var($1)
  	files_search_var_lib($1)
  	manage_files_pattern($1,samba_var_t,samba_var_t)
@@ -20254,7 +20292,7 @@
  ')
  
  ########################################
-@@ -492,3 +563,221 @@
+@@ -492,3 +582,221 @@
  	allow $1 samba_var_t:dir search_dir_perms;
  	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
  ')
@@ -21371,7 +21409,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.3.1/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/smartmon.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/smartmon.te	2008-03-11 18:55:46.000000000 -0400
 @@ -16,6 +16,9 @@
  type fsdaemon_tmp_t;
  files_tmp_file(fsdaemon_tmp_t)
@@ -21382,6 +21420,14 @@
  ########################################
  #
  # Local policy
+@@ -62,6 +65,7 @@
+ fs_search_auto_mountpoints(fsdaemon_t)
+ 
+ mls_file_read_all_levels(fsdaemon_t)
++mls_file_write_all_levels(fsdaemon_t)
+ 
+ storage_raw_read_fixed_disk(fsdaemon_t)
+ storage_raw_write_fixed_disk(fsdaemon_t)
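Review bot: `mls_file_write_all_levels(fsdaemon_t)` grants smartd an MLS write override across every level with no comment on what it needs to write outside its own level; the read override above it is equally uncommented but pre-existing. A why-comment such as `# smartd writes files at arbitrary MLS levels — TODO confirm which files, and whether mls_file_write_to_clearance would suffice` would let a later reviewer judge whether the narrower to-clearance variant (which this same commit uses for `$1_xserver_t` in the xserver.if hunk further down) is enough here. The same request applies to that xserver.if hunk, where `mls_file_read_to_clearance`/`mls_file_write_to_clearance` are added without explanation.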
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.3.1/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2007-06-19 16:23:06.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/snmp.fc	2008-02-26 08:29:22.000000000 -0500
@@ -23383,7 +23429,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-10 16:54:19.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-03-11 19:56:07.000000000 -0400
 @@ -12,9 +12,15 @@
  ##	</summary>
  ## </param>
@@ -23468,7 +23514,7 @@
  
  	files_read_etc_files($1_xserver_t)
  	files_read_etc_runtime_files($1_xserver_t)
-@@ -140,12 +159,16 @@
+@@ -140,26 +159,37 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -23486,7 +23532,10 @@
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -153,13 +176,17 @@
++	mls_file_read_to_clearance($1_xserver_t)
++	mls_file_write_to_clearance($1_xserver_t)
++
+ 	libs_use_ld_so($1_xserver_t)
  	libs_use_shared_libs($1_xserver_t)
  
  	logging_send_syslog_msg($1_xserver_t)
@@ -23505,7 +23554,7 @@
  
  	ifndef(`distro_redhat',`
  		allow $1_xserver_t self:process { execmem execheap execstack };
-@@ -169,6 +196,46 @@
+@@ -169,6 +199,46 @@
  		allow $1_xserver_t self:process { execmem execheap execstack };
  	')
  
@@ -23552,7 +23601,7 @@
  	optional_policy(`
  		apm_stream_connect($1_xserver_t)
  	')
-@@ -223,8 +290,10 @@
+@@ -223,8 +293,10 @@
  template(`xserver_per_role_template',`
  
  	gen_require(`
@@ -23565,7 +23614,7 @@
  	')
  
  	##############################
-@@ -232,189 +301,119 @@
+@@ -232,189 +304,119 @@
  	# Declarations
  	#
  
@@ -23704,15 +23753,15 @@
  
 -	allow $1_xauth_t self:process signal;
 -	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
-+	domtrans_pattern($2, xauth_exec_t, xauth_t)
- 
+-
 -	allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file)
 -
 -	manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
 -	files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
--
++	domtrans_pattern($2, xauth_exec_t, xauth_t)
+ 
 -	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 -
 -	allow $2 $1_xauth_t:process signal;
@@ -23726,10 +23775,10 @@
 -
 -	allow xdm_t $1_xauth_home_t:file manage_file_perms;
 -	userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file)
--
--	domain_use_interactive_fds($1_xauth_t)
 +	ps_process_pattern($2,xauth_t)
  
+-	domain_use_interactive_fds($1_xauth_t)
+-
 -	files_read_etc_files($1_xauth_t)
 -	files_search_pids($1_xauth_t)
 -
@@ -23779,47 +23828,47 @@
  	# allow ps to show iceauth
 -	ps_process_pattern($2,$1_iceauth_t)
 +	ps_process_pattern($2,iceauth_t)
-+
-+	allow $2 user_iceauth_home_t:file manage_file_perms;
-+	allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
  
 -	allow $2 $1_iceauth_home_t:file manage_file_perms;
 -	allow $2 $1_iceauth_home_t:file { relabelfrom relabelto };
-+	userdom_use_user_terminals($1,iceauth_t)
++	allow $2 user_iceauth_home_t:file manage_file_perms;
++	allow $2 user_iceauth_home_t:file { relabelfrom relabelto };
  
 -	allow xdm_t $1_iceauth_home_t:file read_file_perms;
++	userdom_use_user_terminals($1,iceauth_t)
+ 
+-	fs_search_auto_mountpoints($1_iceauth_t)
 +	optional_policy(`
 +		xserver_read_user_iceauth($1, $2)
 +	')
  
--	fs_search_auto_mountpoints($1_iceauth_t)
+-	libs_use_ld_so($1_iceauth_t)
+-	libs_use_shared_libs($1_iceauth_t)
 +	##############################
 +	#
 +	# User X object manager local policy
 +	#
  
--	libs_use_ld_so($1_iceauth_t)
--	libs_use_shared_libs($1_iceauth_t)
+-	userdom_use_user_terminals($1,$1_iceauth_t)
 +	# Device rules
 +	allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
  
--	userdom_use_user_terminals($1,$1_iceauth_t)
-+	allow $2 { input_xevent_t }:x_event send;
-+	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
- 
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_iceauth_t)
 -	')
-+	mls_xwin_read_to_clearance($2)
++	allow $2 { input_xevent_t }:x_event send;
++	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_manage_cifs_files($1_iceauth_t)
 -	')
++	mls_xwin_read_to_clearance($2)
++
 +	xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
  ')
  
  #######################################
-@@ -521,19 +520,18 @@
+@@ -521,19 +523,18 @@
  ## </param>
  #
  template(`xserver_user_client_template',`
@@ -23847,7 +23896,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +540,542 @@
+@@ -542,25 +543,541 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -23974,7 +24023,6 @@
 +		type  screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
 +		type disallowed_xext_t;
 +		type output_xext_t;
-+		type accelgraphics_xext_t, xdm_xserver_t;
 +
 +		attribute x_server_domain, x_domain;
 +		attribute xproperty_type;
@@ -24009,7 +24057,6 @@
 +	allow $1 std_xext_t:x_extension query;
 +	allow $1 x_rootwindow_t:x_drawable { get_property getattr };
 +
-+
 +	# Hacks
 +	# everyone can get the input focus of everyone else
 +	# this is a fundamental brokenness in the X protocol
@@ -24083,10 +24130,11 @@
 +
 +	# X Input
 +	# can receive own events
-+	allow $1 input_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1 input_xevent_t:{ x_event x_synthetic_event } { send receive };
 +	allow $1 $1:{ x_event x_synthetic_event } { send receive };
 +	allow $1 default_xevent_t:x_event receive;
-+	allow $1 default_xevent_t:x_synthetic_event send;
++	allow $1 default_xevent_t:x_synthetic_event { receive send };
++
 +
 +	# can receive certain root window events
 +	allow $1 focus_xevent_t:x_event receive;
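Review bot: The comment `# can receive own events` two lines above the changed rule is now stale — the rule grants `{ send receive }` on input_xevent_t x_event/x_synthetic_event to every client domain $1, and the default_xevent_t line likewise gains both send and receive. Since send on input event types is what allows a client to synthesize input into the server's event stream, this widening deserves a comment, e.g. `# can send and receive own input events — TODO confirm every client domain needs send, not only specific ones`. The hunk also leaves two consecutive blank lines after the default_xevent_t rule; one can go. The template body this sits in starts and ends outside the hunk.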
@@ -24396,7 +24444,7 @@
  	')
  ')
  
-@@ -593,26 +1107,44 @@
+@@ -593,26 +1110,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -24448,14 +24496,15 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +1170,77 @@
+@@ -638,10 +1173,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
 -		type $1_xauth_t, xauth_exec_t;
 +		type xauth_exec_t, xauth_t;
-+	')
-+
+ 	')
+ 
+-	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
 +	domtrans_pattern($2, xauth_exec_t, xauth_t)
 +')
 +
@@ -24520,15 +24569,14 @@
 +template(`xserver_read_user_iceauth',`
 +	gen_require(`
 +		type user_iceauth_home_t;
- 	')
- 
--	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++	')
++
 +	# Read .Iceauthority file
 +	allow $2 user_iceauth_home_t:file { getattr read };
  ')
  
  ########################################
-@@ -671,10 +1270,10 @@
+@@ -671,10 +1273,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -24541,7 +24589,7 @@
  ')
  
  ########################################
-@@ -760,7 +1359,7 @@
+@@ -760,7 +1362,7 @@
  		type xconsole_device_t;
  	')
  
@@ -24550,7 +24598,7 @@
  ')
  
  ########################################
-@@ -860,6 +1459,25 @@
+@@ -860,6 +1462,25 @@
  
  ########################################
  ## <summary>
@@ -24576,7 +24624,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1532,7 @@
+@@ -914,6 +1535,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -24584,7 +24632,7 @@
  ')
  
  ########################################
-@@ -955,6 +1574,24 @@
+@@ -955,6 +1577,24 @@
  
  ########################################
  ## <summary>
@@ -24609,7 +24657,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1602,47 @@
+@@ -965,15 +1605,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -24658,7 +24706,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1792,7 @@
+@@ -1123,7 +1795,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -24667,7 +24715,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1981,83 @@
+@@ -1312,3 +1984,83 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -24753,7 +24801,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-10 14:23:28.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.te	2008-03-11 19:35:25.000000000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
@@ -24896,7 +24944,19 @@
  init_system_domain(xdm_xserver_t,xserver_exec_t)
  
  ifdef(`enable_mcs',`
-@@ -95,8 +191,9 @@
+@@ -86,6 +182,11 @@
+ 	init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mcs_systemhigh)
+ ')
+ 
++ifdef(`enable_mls',`
++	init_ranged_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
++	init_ranged_daemon_domain(xdm_t,xdm_exec_t,s0 - mls_systemhigh)
++')
++
+ optional_policy(`
+ 	prelink_object_file(xkb_var_lib_t)
+ ')
+@@ -95,8 +196,9 @@
  # XDM Local policy
  #
  
@@ -24908,7 +24968,7 @@
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -109,6 +206,8 @@
+@@ -109,6 +211,8 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -24917,7 +24977,7 @@
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -131,15 +230,22 @@
+@@ -131,15 +235,22 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -24941,7 +25001,7 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -153,6 +259,7 @@
+@@ -153,6 +264,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -24949,7 +25009,7 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -173,6 +280,8 @@
+@@ -173,6 +285,8 @@
  
  corecmd_exec_shell(xdm_t)
  corecmd_exec_bin(xdm_t)
@@ -24958,7 +25018,7 @@
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -184,6 +293,7 @@
+@@ -184,6 +298,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -24966,7 +25026,7 @@
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -196,6 +306,7 @@
+@@ -196,6 +311,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -24974,7 +25034,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -208,8 +319,8 @@
+@@ -208,8 +324,8 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -24985,7 +25045,7 @@
  dev_getattr_power_mgmt_dev(xdm_t)
  dev_setattr_power_mgmt_dev(xdm_t)
  
-@@ -226,6 +337,7 @@
+@@ -226,6 +342,7 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -24993,7 +25053,7 @@
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
-@@ -237,6 +349,7 @@
+@@ -237,6 +354,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25001,7 +25061,7 @@
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -245,6 +358,7 @@
+@@ -245,6 +363,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -25009,7 +25069,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -256,12 +370,11 @@
+@@ -256,12 +375,11 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -25023,7 +25083,7 @@
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -270,8 +383,13 @@
+@@ -270,8 +388,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -25037,7 +25097,7 @@
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -304,7 +422,11 @@
+@@ -304,7 +427,11 @@
  ')
  
  optional_policy(`
@@ -25050,7 +25110,7 @@
  ')
  
  optional_policy(`
-@@ -312,6 +434,23 @@
+@@ -312,6 +439,23 @@
  ')
  
  optional_policy(`
@@ -25074,7 +25134,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -322,6 +461,10 @@
+@@ -322,6 +466,10 @@
  ')
  
  optional_policy(`
@@ -25085,7 +25145,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -335,6 +478,11 @@
+@@ -335,6 +483,11 @@
  ')
  
  optional_policy(`
@@ -25097,7 +25157,7 @@
  	seutil_sigchld_newrole(xdm_t)
  ')
  
-@@ -343,8 +491,8 @@
+@@ -343,8 +496,8 @@
  ')
  
  optional_policy(`
@@ -25107,7 +25167,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -380,7 +528,7 @@
+@@ -380,7 +533,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -25116,7 +25176,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -392,6 +540,15 @@
+@@ -392,6 +545,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -25132,7 +25192,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -404,9 +561,17 @@
+@@ -404,9 +566,17 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@@ -25150,7 +25210,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -420,6 +585,22 @@
+@@ -420,6 +590,22 @@
  ')
  
  optional_policy(`
@@ -25173,7 +25233,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -429,47 +610,139 @@
+@@ -429,47 +615,139 @@
  ')
  
  optional_policy(`
@@ -25223,21 +25283,22 @@
 +
 +tunable_policy(`allow_xserver_execmem', `
 +	allow xdm_xserver_t self:process { execheap execmem execstack };
- ')
- 
++')
++
 +ifndef(`distro_redhat',`
 +	allow xdm_xserver_t self:process { execheap execmem };
 +')
 +
 +ifdef(`distro_rhel4',`
 +	allow xdm_xserver_t self:process { execheap execmem };
-+')
-+
+ ')
+ 
 +##############################
  #
 -# Wants to delete .xsession-errors file
 +# xauth_t Local policy
-+#
+ #
+-allow xdm_t user_home_type:file unlink;
 +domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
 +
 +userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@@ -25284,10 +25345,11 @@
 +
 +##############################
  #
--allow xdm_t user_home_type:file unlink;
+-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
 +# iceauth_t Local policy
  #
--# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+-allow pam_t xdm_t:fifo_file { getattr ioctl write };
+-') dnl end TODO
 +
 +allow iceauth_t user_iceauth_home_t:file manage_file_perms;
 +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@@ -25311,9 +25373,7 @@
 +userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
 +
 +########################################
- #
--allow pam_t xdm_t:fifo_file { getattr ioctl write };
--') dnl end TODO
++#
 +# Rules for unconfined access to this module
 +#
 +
@@ -25744,7 +25804,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-03-05 15:46:36.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-03-11 17:52:13.000000000 -0400
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -25944,7 +26004,7 @@
  	')
  ')
  
-@@ -463,11 +470,13 @@
+@@ -463,11 +470,12 @@
  interface(`init_telinit',`
  	gen_require(`
  		type initctl_t;
@@ -25955,7 +26015,6 @@
  	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 -
 +	allow $1 init_t:unix_dgram_socket sendto;
-+	allow init_t $1:unix_dgram_socket sendto;
  	init_exec($1)
  ')
  
@@ -26270,7 +26329,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-07 16:07:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-11 18:57:27.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -26333,6 +26392,15 @@
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
+@@ -86,7 +112,7 @@
+ # Re-exec itself
+ can_exec(init_t,init_exec_t)
+ 
+-allow init_t initrc_t:unix_stream_socket connectto;
++allow init_t initrc_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ 
+ # For /var/run/shutdown.pid.
+ allow init_t init_var_run_t:file manage_file_perms;
 @@ -102,8 +128,11 @@
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -26354,7 +26422,7 @@
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -163,22 +194,31 @@
+@@ -163,22 +194,25 @@
  	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
  ')
  
@@ -26382,18 +26450,12 @@
 -optional_policy(`
 -	unconfined_domain(init_t)
 +ifndef(`distro_ubuntu',`
-+# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.
-+ifdef(`enable_mls',`
-+	userdom_shell_domtrans_sysadm(init_t)
-+',`
-+	optional_policy(`
-+		unconfined_shell_domtrans(init_t)
-+	')
-+')
++	corecmd_shell_domtrans(init_t,initrc_t)
++	corecmd_shell_entry_type(initrc_t)
  ')
  
  ########################################
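Review bot: The replacement drops the explanatory comment `# Run the shell in the unconfined_t or sysadm_t domain for single-user mode.` without saying where the shell now lands, so the two new lines read as unmotivated, and the previous MLS-specific choice of sysadm_t is silently gone. Suggest `# Shells exec'd by init (e.g. single-user mode) run in initrc_t, which is made a shell entrypoint for that purpose.` above `corecmd_shell_domtrans(init_t,initrc_t)`. The `ifndef(`distro_ubuntu',` block this sits in opens at the top of the hunk and closes on its last `')`.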
-@@ -187,7 +227,7 @@
+@@ -187,7 +221,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -26402,7 +26464,7 @@
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -201,10 +241,9 @@
+@@ -201,10 +235,9 @@
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -26415,7 +26477,16 @@
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +322,6 @@
+@@ -257,7 +290,7 @@
+ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+-dev_read_lvm_control(initrc_t)
++dev_rw_lvm_control(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -283,7 +316,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -26423,7 +26494,7 @@
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -496,6 +534,31 @@
+@@ -496,6 +528,31 @@
  	')
  ')
  
@@ -26455,7 +26526,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +622,6 @@
+@@ -559,14 +616,6 @@
  ')
  
  optional_policy(`
@@ -26470,7 +26541,7 @@
  	ftp_read_config(initrc_t)
  ')
  
-@@ -639,12 +694,6 @@
+@@ -639,12 +688,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -26483,7 +26554,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +754,9 @@
+@@ -705,6 +748,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -26493,7 +26564,7 @@
  ')
  
  optional_policy(`
-@@ -717,9 +769,11 @@
+@@ -717,9 +763,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -26508,7 +26579,7 @@
  ')
  
  optional_policy(`
-@@ -738,6 +792,11 @@
+@@ -738,6 +786,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -26520,7 +26591,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +811,10 @@
+@@ -752,6 +805,10 @@
  ')
  
  optional_policy(`
@@ -26531,7 +26602,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +837,4 @@
+@@ -774,3 +831,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -26927,7 +26998,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-03-10 12:22:41.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-03-11 20:22:56.000000000 -0400
 @@ -61,10 +61,24 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
@@ -27007,15 +27078,22 @@
  # manage temporary files
  manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
-@@ -327,6 +349,7 @@
+@@ -327,6 +349,8 @@
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
  corenet_tcp_connect_syslogd_port(syslogd_t)
 +corenet_tcp_connect_postgresql_port(syslogd_t)
++corenet_tcp_connect_mysqld_port(syslogd_t)
  
  # syslog-ng can send or receive logs
  corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -344,14 +367,14 @@
+@@ -339,19 +363,20 @@
+ domain_use_interactive_fds(syslogd_t)
+ 
+ files_read_etc_files(syslogd_t)
++files_read_usr_files(syslogd_t)
+ files_read_var_files(syslogd_t)
+ files_read_etc_runtime_files(syslogd_t)
  # /initrd is not umounted before minilog starts
  files_dontaudit_search_isid_type_dirs(syslogd_t)
  
@@ -27032,7 +27110,7 @@
  miscfiles_read_localization(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-@@ -380,15 +403,11 @@
+@@ -380,15 +405,11 @@
  ')
  
  optional_policy(`
@@ -27050,7 +27128,7 @@
  ')
  
  optional_policy(`
-@@ -399,3 +418,37 @@
+@@ -399,3 +420,37 @@
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -27088,9 +27166,20 @@
 +logging_domtrans_audisp(auditd_t)
 +logging_audisp_signal(auditd_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc	2007-12-12 11:35:28.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-03-11 18:59:24.000000000 -0400
+@@ -55,6 +55,7 @@
+ /sbin/lvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/multipathd	--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/multipath\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/pvdata		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-02-27 23:23:39.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-03-11 19:04:42.000000000 -0400
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -27151,7 +27240,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
  userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-@@ -146,7 +159,8 @@
+@@ -146,17 +159,19 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
@@ -27161,7 +27250,10 @@
  dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
-@@ -156,7 +170,8 @@
+ allow lvm_t self:process setsched;
+ allow lvm_t self:file rw_file_perms;
+-allow lvm_t self:fifo_file rw_file_perms;
++allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
  allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -27634,8 +27726,8 @@
 +/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if
 --- nsaserefpolicy/policy/modules/system/qemu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-03-10 10:10:04.000000000 -0400
-@@ -0,0 +1,294 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.if	2008-03-11 17:53:51.000000000 -0400
+@@ -0,0 +1,303 @@
 +
 +## <summary>policy for qemu</summary>
 +
@@ -27885,6 +27977,10 @@
 +	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 +	allow $1_t self:shm create_shm_perms;
 +
++	allow $1_t $1_tmp_t:dir manage_dir_perms;
++	allow $1_t $1_tmp_t:file manage_file_perms;
++	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++
 +	corenet_all_recvfrom_unlabeled($1_t)
 +	corenet_all_recvfrom_netlabel($1_t)
 +	corenet_tcp_sendrecv_all_if($1_t)
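Review bot: The new rules reference `$1_tmp_t`, but nothing in this hunk declares it; the file header's line count grows from 294 to 303, which is exactly the nine added lines visible in this and the next two hunks, so this commit adds no `type $1_tmp_t;` / `files_tmp_file($1_tmp_t)` declaration. Unless that declaration already existed in the previous revision of qemu.if (outside this hunk), the generated module will fail to build. For consistency with the rest of the patch (e.g. the xdm_tmpfs_t and xauth_tmp_t rules) the two allow lines could also be written as `manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t)` and `manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t)`. The enclosing template body continues on both sides of the hunk.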
@@ -27903,6 +27999,7 @@
 +	files_read_var_files($1_t)
 +	files_search_all($1_t)
 +
++	fs_list_inotify($1_t)
 +	fs_rw_anon_inodefs_files($1_t)
 +	fs_rw_tmpfs_files($1_t)
 +
@@ -27924,6 +28021,10 @@
 +	virt_read_config($1_t)
 +
 +	optional_policy(`
++		samba_domtrans_smb($1_t)
++	')
++
++	optional_policy(`
 +		xserver_stream_connect_xdm_xserver($1_t)
 +		xserver_read_xdm_tmp_files($1_t)
 +		xserver_xdm_rw_shm($1_t)
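Review bot: `samba_domtrans_smb($1_t)` lets every domain generated by this template execute smbd and transition into smbd_t, a privileged daemon domain, and the hunk gives no reason for it. Presumably this supports qemu's built-in SMB share for guests, which should be stated, e.g. `# qemu spawns smbd for guest file sharing — TODO confirm`. Since not every qemu-derived domain will need it, consider gating the optional_policy block behind a tunable rather than granting the transition unconditionally. The enclosing template body continues past the end of the hunk.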
@@ -28585,7 +28686,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-16 14:09:49.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-03-06 11:55:26.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-03-11 19:26:26.000000000 -0400
 @@ -145,6 +145,25 @@
  
  ########################################


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.629
retrieving revision 1.630
diff -u -r1.629 -r1.630
--- selinux-policy.spec	11 Mar 2008 22:46:00 -0000	1.629
+++ selinux-policy.spec	12 Mar 2008 01:00:13 -0000	1.630
@@ -17,12 +17,11 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-20071130.patch
-Patch2: policy-init.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
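Review bot: `Patch2: policy-init.patch` and its `%patch2 -p1` in the next hunk are dropped, but the commit's Modified Files list names only the three files here, so policy-init.patch stays in the module as an orphaned source unless it is removed in a separate commit. Either remove it from CVS alongside this change or leave a comment in the spec saying why it is retained. The changelog entry also does not say that the init changes were folded into policy-20071130.patch, which is presumably where they now live; a line stating that would save the next reader a diff.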
@@ -180,7 +179,6 @@
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
-%patch2 -p1
 
 %install
 # Build targeted policy
@@ -390,6 +388,14 @@
 %endif
 
 %changelog
+* Tue Mar 11 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-15
+- Allow init to transition to initrc_t on shell exec.
+- Fix init to be able to sendto init_t.
+- Allow syslog to connect to mysql
+- Allow lvm to manage its own fifo_files
+- Allow bugzilla to use ldap
+- More mls fixes 
+
 * Tue Mar 11 2008 Bill Nottingham <notting at redhat.com> 3.3.1-14
 - fixes for init policy (#436988)
 - fix build



