diff --git a/policy-20090105.patch b/policy-20090105.patch index 6041370..0f2e297 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4897,7 +4897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-05-05 14:05:47.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc @@ -4907,16 +4907,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/apcupsd/apccontrol -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/changeme -- gen_context(system_u:object_r:bin_t,s0) /etc/apcupsd/commfailure -- gen_context(system_u:object_r:bin_t,s0) -@@ -134,6 +136,8 @@ +@@ -134,6 +136,10 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # -@@ -210,6 +214,7 @@ +@@ -210,6 +216,7 @@ /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) 
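Review bot: The second added line in the corecommands.fc hunk, `++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)`, duplicates the context line two lines above it (`+/opt/gutenprint/cups/lib/filter(/.*)? …`), so after this change the policy patch adds the same file-context spec twice. Identical duplicate specs are at best a "multiple same specifications" warning from setfiles/libselinux (as I recall its behaviour) and at worst a maintenance trap when one copy is later edited and the other is not. Keep only the new `/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)?` entry and drop the repeated `/opt/gutenprint/...` line.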
@@ -4924,7 +4926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -299,3 +304,20 @@ +@@ -299,3 +306,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5157,7 +5159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-28 15:25:49.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-05-05 16:42:47.000000000 -0400 @@ -2268,6 +2268,25 @@ ######################################## @@ -11482,7 +11484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-05-05 14:06:36.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) 
@@ -11660,7 +11662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +240,16 @@ +@@ -195,19 +240,21 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -11681,7 +11683,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -217,17 +263,21 @@ + libs_read_lib_files(cupsd_t) ++libs_exec_lib_files(cupsd_t) + + logging_send_audit_msgs(cupsd_t) + logging_send_syslog_msg(cupsd_t) +@@ -217,17 +264,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -11706,7 +11713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -244,8 +294,16 @@ +@@ -244,8 +295,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -11723,7 +11730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -261,6 +319,10 @@ +@@ -261,6 +320,10 @@ ') optional_policy(` @@ -11734,7 +11741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -279,7 +341,7 @@ +@@ -279,7 +342,7 @@ # Cups configuration daemon local policy # @@ -11743,7 +11750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -302,8 +364,10 @@ +@@ -302,8 +365,10 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; 
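Review bot: `++libs_exec_lib_files(cupsd_t)` is added directly under `libs_read_lib_files(cupsd_t)` with no comment saying which library or helper cupsd actually executes; as I read the refpolicy interface, it lets cupsd_t execute every lib_t file on the system rather than one specific binary. The same patch takes the narrower route for the gutenprint CUPS filters by labeling them bin_t in corecommands.fc, so if the trigger here is another filter or backend shipped under /usr/lib, relabeling that path bin_t keeps the grant scoped to what cupsd needs. If the broad rule really is required, put a why-comment above it, e.g. `# cupsd executes <helper name here>, which is shipped labeled lib_t`, so the next reviewer can re-check whether it is still needed. The surrounding cupsd_t rules continue outside this hunk.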
@@ -11756,7 +11763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t cupsd_var_run_t:file read_file_perms; -@@ -311,7 +375,7 @@ +@@ -311,7 +376,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) @@ -11765,7 +11772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +388,7 @@ +@@ -324,6 +389,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -11773,7 +11780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +406,14 @@ +@@ -341,13 +407,14 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -11789,7 +11796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -359,14 +425,16 @@ +@@ -359,14 +426,16 @@ lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` @@ -11808,7 +11815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -382,6 +450,7 @@ +@@ -382,6 +451,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -11816,7 +11823,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -491,7 +560,10 @@ +@@ -491,7 +561,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; 
@@ -11828,7 +11835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -500,6 +572,13 @@ +@@ -500,6 +573,13 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -11842,7 +11849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -529,7 +608,8 @@ +@@ -529,7 +609,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -11852,7 +11859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +633,9 @@ +@@ -553,7 +634,9 @@ userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -11863,7 +11870,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(hplip_t) -@@ -635,3 +717,49 @@ +@@ -635,3 +718,49 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -13478,6 +13485,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # pid file manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.12/policy/modules/services/fetchmail.te +--- nsaserefpolicy/policy/modules/services/fetchmail.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/fetchmail.te 2009-05-04 15:58:59.000000000 -0400 +@@ -9,6 +9,7 @@ + type fetchmail_t; + type fetchmail_exec_t; + init_daemon_domain(fetchmail_t, fetchmail_exec_t) ++application_executable_file(fetchmail_exec_t) + + type fetchmail_var_run_t; + files_pid_file(fetchmail_var_run_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc --- nsaserefpolicy/policy/modules/services/fprintd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc 2009-04-28 15:26:41.000000000 -0400 @@ -24168,8 +24186,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400 -@@ -8,19 +8,24 @@ ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-05-05 16:45:39.000000000 -0400 +@@ -8,19 +8,31 @@ ## ##
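Review bot: `+application_executable_file(fetchmail_exec_t)` changes who may run the binary and in which domain, but the hunk gives no reason for it. As I read the interface, it adds fetchmail_exec_t to application_exec_type, so a user shell can execute fetchmail and stays in the caller's domain — only the init-started instance declared by `init_daemon_domain(fetchmail_t, fetchmail_exec_t)` runs confined as fetchmail_t. That split is worth recording above the line, e.g. `# users run fetchmail in their own domain; only the init-started daemon is fetchmail_t`, so nobody later assumes user-invoked fetchmail is confined by this module. The rest of fetchmail.te is outside the hunk.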

@@ -24190,14 +24208,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -attribute virt_image_type; +## +##

-+## Allow svirt to user serial/parallell communication ports ++## Allow svirt to manage device configuration, (pci) ++##

++##
++gen_tunable(virt_manage_sysfs, false) ++ ++## ++##

++## Allow svirt to use serial/parallell communication ports +##

+##
+gen_tunable(virt_use_comm, false) type virt_etc_t; files_config_file(virt_etc_t) -@@ -29,8 +34,13 @@ +@@ -29,8 +41,13 @@ files_type(virt_etc_rw_t) # virt Image files @@ -24213,7 +24238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,17 +58,39 @@ +@@ -48,17 +65,39 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -24255,7 +24280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +99,11 @@ +@@ -67,7 +106,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -24268,7 +24293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +122,7 @@ +@@ -86,6 +129,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -24276,7 +24301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,7 +133,7 @@ +@@ -96,7 +140,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -24285,7 +24310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +141,39 @@ +@@ -104,21 +148,39 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) 
@@ -24326,7 +24351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +184,13 @@ +@@ -129,6 +191,13 @@ logging_send_syslog_msg(virtd_t) @@ -24340,7 +24365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +229,34 @@ +@@ -167,22 +236,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -24363,15 +24388,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + lvm_domtrans(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -24380,7 +24405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -195,8 +269,84 @@ +@@ -195,8 +276,88 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -24444,6 +24469,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_rw_printer(svirt_t) +') + ++tunable_policy(`virt_manage_sysfs',` ++ dev_rw_sysfs(svirt_t) ++') ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_t) + fs_manage_nfs_files(svirt_t) 
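Review bot: `dev_rw_sysfs(svirt_t)` inside the new `tunable_policy(`virt_manage_sysfs', …)` block grants the guest's qemu domain read/write on every sysfs_t file, not just the PCI device entries the boolean description mentions, and because svirt_t is shared by all guests the boolean cannot be enabled for one VM only. Per-guest MCS categories do not separate guests on sysfs, so once the boolean is on a compromised guest process could write kernel and device knobs under /sys unrelated to its assigned device — a real weakening of the sVirt isolation this module is built around. If the need is PCI assignment, the narrower shape is a dedicated type for the relevant /sys/bus/pci entries (genfscon) with a rw interface for just that type; if that is not practical yet, at least keep the default off (as the hunk does) and add a comment above the block naming the exact sysfs paths qemu has to write (I'd expect the per-device config/resource files, but that should be confirmed from the denials that motivated this). The svirt_t declaration and the enclosing block begin outside this hunk.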
@@ -29613,7 +29642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:15:06.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:18:49.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -32373,7 +32402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-05-05 08:21:50.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -32433,7 +32462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -95,3 +91,23 @@ +@@ -95,3 +91,25 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) 
@@ -32457,6 +32486,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_read_cifs_named_sockets(userhomereader) + fs_read_cifs_named_pipes(userhomereader) +') ++ ++allow userdomain userdomain:process signull; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.12/policy/modules/system/virtual.fc --- nsaserefpolicy/policy/modules/system/virtual.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/virtual.fc 2009-04-23 09:44:57.000000000 -0400 @@ -32783,7 +32814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-05-05 14:42:25.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -32970,7 +33001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) -@@ -312,18 +358,21 @@ +@@ -312,24 +358,28 @@ manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t) @@ -32993,7 +33024,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_generic_if(xm_t) corenet_tcp_sendrecv_generic_node(xm_t) -@@ -339,15 +388,58 @@ + corenet_tcp_connect_soundd_port(xm_t) + + dev_read_urand(xm_t) ++dev_search_sysfs(xm_t) + + files_read_etc_runtime_files(xm_t) + files_read_usr_files(xm_t) +@@ -339,15 +389,58 @@ storage_raw_read_fixed_disk(xm_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 763223a..734ce81 100644 
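Review bot: `++allow userdomain userdomain:process signull;` is appended unconditionally at the bottom of userdomain.te, so every domain carrying the userdomain attribute may signull every other one, across users and privilege levels. signull delivers no signal, but it is a PID-existence probe (kill(pid, 0)) that, as far as this hunk shows, the separate user domains did not previously have toward each other, and nothing in the change says which program needs it. Add a why-comment naming the consumer, e.g. `# <program> uses kill(pid, 0) to check for a running instance`, and consider whether a same-user rule inside the user template would satisfy it instead of the all-to-all grant. Whether UBAC or MLS constraints narrow this in practice cannot be confirmed from the hunk.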
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 28%{?dist} +Release: 29%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -477,6 +477,9 @@ exit 0 %endif %changelog +* Tue May 5 2009 Dan Walsh 3.6.12-29 +- Allow svirt to manage pci and other sysfs device data + * Mon May 4 2009 Dan Walsh 3.6.12-28 - Fix package selection handling