diff --git a/policy-F14.patch b/policy-F14.patch index 6454d83..dc286a9 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -34897,14 +34897,16 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..be4b00f 100644 +index 2124b6a..6546d6e 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc -@@ -1,3 +1,4 @@ -+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_content_t,s0) - HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +@@ -1,4 +1,5 @@ +-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) ++HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) + @@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) @@ -35196,10 +35198,10 @@ index 7c5d8d8..dbdc0e0 100644 + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..62e349a 100644 +index 3eca020..500f8e9 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -5,57 +5,66 @@ policy_module(virt, 1.4.0) +@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) # Declarations # @@ -35287,7 +35289,12 @@ index 3eca020..62e349a 100644 type virt_etc_t; files_config_file(virt_etc_t) -@@ -65,20 +74,25 @@ files_type(virt_etc_rw_t) + type virt_etc_rw_t; + files_type(virt_etc_rw_t) + ++type virt_home_t; ++userdom_user_home_content(virt_home_t) ++ # virt Image files type virt_image_t; # customizable virt_image(virt_image_t) 
@@ -35314,7 +35321,7 @@ index 3eca020..62e349a 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +103,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -35326,7 +35333,7 @@ index 3eca020..62e349a 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +123,12 @@ ifdef(`enable_mls',` +@@ -104,15 +126,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -35343,7 +35350,15 @@ index 3eca020..62e349a 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -147,11 +163,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -133,6 +152,7 @@ dev_list_sysfs(svirt_t) + userdom_search_user_home_content(svirt_t) + userdom_read_user_home_content_symlinks(svirt_t) + userdom_read_all_users_state(svirt_t) ++append_files_pattern(svirt_t, virt_home_t, virt_home_t) + + tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(svirt_t) +@@ -147,11 +167,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -35359,7 +35374,7 @@ index 3eca020..62e349a 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +180,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +184,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -35382,7 +35397,7 @@ index 3eca020..62e349a 100644 xen_rw_image_files(svirt_t) ') -@@ -174,22 +205,28 @@ optional_policy(` +@@ -174,22 +209,28 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
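Review bot: The added `append_files_pattern(svirt_t, virt_home_t, virt_home_t)` in the svirt_t section of virt.te sits outside every tunable, so each confined guest domain may append to any regular file labelled virt_home_t. The virt.fc hunk of this same patch places both ~/.libvirt and ~/.virtinst under that single type. If the guest only needs to write its own log (an inference, since the hunk gives no reason for the rule), a dedicated type for the log directory would keep guest-written data apart from the libvirt configuration in the same tree. At minimum the rule needs a comment above it such as `# svirt_t appends to <file under ~/.libvirt>; see <bug reference>`, with the placeholders filled in.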
@@ -35415,7 +35430,7 @@ index 3eca020..62e349a 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +237,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +241,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -35432,7 +35447,7 @@ index 3eca020..62e349a 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +263,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +267,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -35440,7 +35455,7 @@ index 3eca020..62e349a 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -243,18 +287,27 @@ dev_read_rand(virtd_t) +@@ -243,18 +291,27 @@ dev_read_rand(virtd_t) dev_rw_kvm(virtd_t) dev_getattr_all_chr_files(virtd_t) dev_rw_mtrr(virtd_t) @@ -35469,7 +35484,7 @@ index 3eca020..62e349a 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +315,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -35488,14 +35503,14 @@ index 3eca020..62e349a 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +350,26 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) 
@@ -35510,12 +35525,16 @@ index 3eca020..62e349a 100644 userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) ++manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) ++manage_files_pattern(virtd_t, virt_home_t, virt_home_t) ++manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) ++userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) + +consoletype_exec(virtd_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +440,8 @@ optional_policy(` +@@ -365,6 +448,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -35524,7 +35543,7 @@ index 3eca020..62e349a 100644 ') optional_policy(` -@@ -396,12 +473,25 @@ optional_policy(` +@@ -396,12 +481,25 @@ optional_policy(` allow virt_domain self:capability { dac_read_search dac_override kill }; allow virt_domain self:process { execmem execstack signal getsched signull }; @@ -35551,7 +35570,7 @@ index 3eca020..62e349a 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +512,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -35559,7 +35578,7 @@ index 3eca020..62e349a 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +520,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +528,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -35572,7 +35591,7 @@ index 3eca020..62e349a 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +533,11 @@ files_search_all(virt_domain) +@@ -440,6 +541,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -35584,7 +35603,7 @@ index 3eca020..62e349a 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +555,117 @@ optional_policy(` +@@ -457,8 +563,117 @@ optional_policy(` ') optional_policy(` @@ -36110,7 +36129,7 @@ index 6f1e3c7..6a160b2 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..0ad10f7 100644 +index da2601a..19018ae 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -36584,7 +36603,7 @@ index da2601a..0ad10f7 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1141,24 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -36596,6 +36615,24 @@ index da2601a..0ad10f7 100644 +## +## +# ++interface(`xserver_relabel_xdm_tmp_dirs',` ++ gen_require(` ++ type xdm_tmp_t; ++ ') ++ ++ allow initrc_t initrc_tmp_t:dir relabel_dir_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete xdm temporary dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`xserver_manage_xdm_tmp_dirs',` + gen_require(` + type xdm_tmp_t; 
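Review bot: The body of the new `xserver_relabel_xdm_tmp_dirs` interface never uses `$1` or the `xdm_tmp_t` type it requires; its only rule is `allow initrc_t initrc_tmp_t:dir relabel_dir_perms;`, which names two types that are not in its `gen_require` block. As written, the caller gains nothing on xdm temporary directories, and initrc_t instead gets relabel rights on its own tmp directories wherever the interface is expanded. The rule should read `allow $1 xdm_tmp_t:dir relabel_dir_perms;`. The call `xserver_relabel_xdm_tmp_dirs(init_t)` added in the init.te part of this patch inherits the same defect. The summary comment that now precedes the relabel interface lies outside the visible lines; if it is the former "manage" text it should be reworded to say "Relabel".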
@@ -36609,7 +36646,7 @@ index da2601a..0ad10f7 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1173,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -36618,7 +36655,7 @@ index da2601a..0ad10f7 100644 ') ######################################## -@@ -1070,8 +1191,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -36630,7 +36667,7 @@ index da2601a..0ad10f7 100644 ') ######################################## -@@ -1185,6 +1308,7 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -36638,7 +36675,7 @@ index da2601a..0ad10f7 100644 ') ######################################## -@@ -1210,7 +1334,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -36647,7 +36684,7 @@ index da2601a..0ad10f7 100644 ## ## ## -@@ -1220,13 +1344,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -36672,7 +36709,7 @@ index da2601a..0ad10f7 100644 ') ######################################## -@@ -1243,10 +1377,355 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1395,355 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -39676,7 +39713,7 @@ index df3fa64..73dc579 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..fc65044 100644 +index 8a105fd..08817a8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -39906,7 +39943,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -199,10 +321,23 @@ optional_policy(` +@@ -199,10 +321,25 @@ optional_policy(` ') optional_policy(` @@ -39923,14 +39960,16 @@ index 8a105fd..fc65044 100644 +') + +optional_policy(` ++ xserver_relabel_xdm_tmp_dirs(init_t) + xserver_manage_xdm_tmp_dirs(init_t) ++ xserver_setattr_xdm_tmp_dirs(initrc_t) +') + +optional_policy(` unconfined_domain(init_t) ') -@@ -212,7 +347,7 @@ optional_policy(` +@@ -212,7 +349,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -39939,7 +39978,7 @@ index 8a105fd..fc65044 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,6 +376,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +378,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -39947,7 +39986,14 @@ index 8a105fd..fc65044 100644 can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t) + manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) + manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) + files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir }) ++allow initrc_t initrc_tmp_t:dir relabelfrom; + + init_write_initctl(initrc_t) + +@@ -258,11 +397,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
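Review bot: Inside the xserver `optional_policy` block added to init.te, `xserver_setattr_xdm_tmp_dirs(initrc_t)` is applied to initrc_t while the two calls above it are applied to init_t, and nothing in the hunk says whether the mix is intended. If init_t was meant, the line should be `xserver_setattr_xdm_tmp_dirs(init_t)`. If initrc_t is correct, the call reads more clearly in the initrc_t section of the file, with a comment naming the script that needs it. The other rule added in this file, `allow initrc_t initrc_tmp_t:dir relabelfrom;`, grants only the source half of a relabel, so a comment stating the intended target type would let a reader confirm that a matching relabelto exists.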
@@ -39971,7 +40017,7 @@ index 8a105fd..fc65044 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +439,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +442,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -39979,7 +40025,7 @@ index 8a105fd..fc65044 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +447,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +450,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -39995,7 +40041,7 @@ index 8a105fd..fc65044 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +472,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +475,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -40007,7 +40053,7 @@ index 8a105fd..fc65044 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +491,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +494,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -40021,7 +40067,7 @@ index 8a105fd..fc65044 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +506,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +509,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -40030,7 +40076,7 @@ index 8a105fd..fc65044 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +520,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +523,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -40038,7 +40084,7 @@ index 8a105fd..fc65044 100644 selinux_get_enforce_mode(initrc_t) -@@ -380,6 +538,7 @@ auth_read_pam_pid(initrc_t) +@@ -380,6 +541,7 @@ auth_read_pam_pid(initrc_t) auth_delete_pam_pid(initrc_t) auth_delete_pam_console_data(initrc_t) auth_use_nsswitch(initrc_t) @@ -40046,7 +40092,7 @@ index 8a105fd..fc65044 100644 libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) -@@ -394,13 +553,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +556,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -40062,7 +40108,7 @@ index 8a105fd..fc65044 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +633,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +636,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -40071,7 +40117,7 @@ index 8a105fd..fc65044 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +679,19 @@ ifdef(`distro_redhat',` +@@ -519,6 +682,19 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -40091,7 +40137,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -526,10 +699,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +702,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -40109,7 +40155,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -544,6 +724,35 @@ ifdef(`distro_suse',` +@@ -544,6 +727,35 @@ ifdef(`distro_suse',` ') ') @@ -40145,7 +40191,7 @@ index 8a105fd..fc65044 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +765,8 @@ optional_policy(` +@@ -556,6 +768,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -40154,7 +40200,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -572,6 +783,7 @@ optional_policy(` +@@ -572,6 +786,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -40162,7 +40208,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -584,6 +796,11 @@ optional_policy(` +@@ -584,6 +799,11 @@ optional_policy(` ') optional_policy(` @@ -40174,7 +40220,7 @@ index 8a105fd..fc65044 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,6 +817,9 @@ optional_policy(` +@@ -600,9 +820,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -40184,7 +40230,11 @@ index 8a105fd..fc65044 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +921,13 @@ optional_policy(` ++ consolekit_manage_log(initrc_t) + ') + + optional_policy(` +@@ -701,7 +925,13 @@ optional_policy(` ') optional_policy(` @@ -40198,7 +40248,7 @@ index 8a105fd..fc65044 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +950,10 @@ optional_policy(` +@@ -724,6 +954,10 @@ optional_policy(` ') optional_policy(` @@ -40209,7 +40259,7 @@ index 8a105fd..fc65044 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +975,10 @@ optional_policy(` +@@ -745,6 +979,10 @@ optional_policy(` ') optional_policy(` 
@@ -40220,7 +40270,7 @@ index 8a105fd..fc65044 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1000,6 @@ optional_policy(` +@@ -766,8 +1004,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -40229,7 +40279,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -776,14 +1008,21 @@ optional_policy(` +@@ -776,14 +1012,21 @@ optional_policy(` ') optional_policy(` @@ -40251,7 +40301,7 @@ index 8a105fd..fc65044 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1044,19 @@ optional_policy(` +@@ -805,11 +1048,19 @@ optional_policy(` ') optional_policy(` @@ -40272,7 +40322,7 @@ index 8a105fd..fc65044 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1066,25 @@ optional_policy(` +@@ -819,6 +1070,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -40298,7 +40348,7 @@ index 8a105fd..fc65044 100644 ') optional_policy(` -@@ -844,3 +1110,59 @@ optional_policy(` +@@ -844,3 +1114,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -44162,7 +44212,7 @@ index 0291685..44fe366 100644 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 025348a..65971f9 100644 +index 025348a..cea695c 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` 
@@ -44183,7 +44233,22 @@ index 025348a..65971f9 100644 ') ######################################## -@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',` +@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',` + interface(`udev_read_db',` + gen_require(` + type udev_tbl_t; ++ type device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 udev_tbl_t:dir list_dir_perms; + read_files_pattern($1, udev_tbl_t, udev_tbl_t) + read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t) ++ allow $1 device_t:file read_file_perms; + ') + + ######################################## +@@ -231,3 +233,36 @@ interface(`udev_manage_pid_files',` files_search_var_lib($1) manage_files_pattern($1, udev_var_run_t, udev_var_run_t) ') @@ -44221,7 +44286,7 @@ index 025348a..65971f9 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a054cf5..f24ab6b 100644 +index a054cf5..4fc2837 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; @@ -44242,7 +44307,15 @@ index a054cf5..f24ab6b 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -111,15 +113,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -87,6 +89,7 @@ kernel_rw_unix_dgram_sockets(udev_t) + kernel_dgram_send(udev_t) + kernel_signal(udev_t) + kernel_search_debugfs(udev_t) ++kernel_stream_connect(udev_t) + + #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 + kernel_rw_net_sysctls(udev_t) +@@ -111,15 +114,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) 
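Review bot: The two lines added to `udev_read_db`, `type device_t;` and `allow $1 device_t:file read_file_perms;`, widen an interface whose name promises access to the udev database only: every domain that calls it can now read any regular file labelled device_t. device_t belongs to the devices module, so requiring it from udev.if bypasses that module's interfaces; if this tree provides `dev_read_generic_files($1)`, calling it keeps the dependency explicit. If the rule exists because the udev database files carry the generic device_t label (an inference, as the hunk gives no reason), a file-context entry assigning them udev_tbl_t would avoid the broader grant. Either way the interface summary should state the extra access.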
@@ -44264,7 +44337,15 @@ index a054cf5..f24ab6b 100644 mcs_ptrace_all(udev_t) -@@ -186,6 +193,7 @@ ifdef(`distro_redhat',` +@@ -143,6 +151,7 @@ auth_use_nsswitch(udev_t) + init_read_utmp(udev_t) + init_dontaudit_write_utmp(udev_t) + init_getattr_initctl(udev_t) ++init_stream_connect(udev_t) + + logging_search_logs(udev_t) + logging_send_syslog_msg(udev_t) +@@ -186,6 +195,7 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -44272,7 +44353,7 @@ index a054cf5..f24ab6b 100644 term_search_ptys(udev_t) -@@ -216,11 +224,16 @@ optional_policy(` +@@ -216,11 +226,16 @@ optional_policy(` ') optional_policy(` @@ -44289,7 +44370,7 @@ index a054cf5..f24ab6b 100644 ') optional_policy(` -@@ -233,6 +246,10 @@ optional_policy(` +@@ -233,6 +248,10 @@ optional_policy(` ') optional_policy(` @@ -44300,7 +44381,7 @@ index a054cf5..f24ab6b 100644 lvm_domtrans(udev_t) ') -@@ -259,6 +276,10 @@ optional_policy(` +@@ -259,6 +278,10 @@ optional_policy(` ') optional_policy(` @@ -44311,7 +44392,7 @@ index a054cf5..f24ab6b 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +294,11 @@ optional_policy(` +@@ -273,6 +296,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 161036b..e88472d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,9 @@ exit 0 %endif %changelog +* Tue Nov 2 2010 Dan Walsh 3.9.7-9 +- + * Mon Nov 1 2010 Dan Walsh 3.9.7-8 - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs