diff --git a/.gitignore b/.gitignore
index 61e5f38..6574aaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -221,3 +221,4 @@ serefpolicy-3.8.8.tgz
*.rpm
serefpolicy*
/serefpolicy-3.9.0.tgz
+/serefpolicy-3.9.1.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index 9247ef9..3083567 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -188,7 +188,7 @@ index 3316f6e..cf3a77b 100644
+gen_tunable(mmap_low_allowed, false)
+
diff --git a/policy/mcs b/policy/mcs
-index af90ef2..ebe5833 100644
+index af90ef2..fbd2c40 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@@ -204,6 +204,15 @@ index af90ef2..ebe5833 100644
(( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain process { transition dyntransition }
+@@ -98,7 +98,7 @@ mlsconstrain process { transition dyntransition }
+ mlsconstrain process { ptrace }
+ (( h1 dom h2) or ( t1 == mcsptraceall ));
+
+-mlsconstrain process { sigkill sigstop }
++mlsconstrain process { signal sigkill sigstop }
+ (( h1 dom h2 ) or ( t1 == mcskillall ));
+
+ #
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 30a0ac7..f5fc753 100644
--- a/policy/modules/admin/alsa.fc
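Review bot: Adding `signal` to `mlsconstrain process { signal sigkill sigstop }` means a domain whose TE rules allow signalling is now denied whenever its high level does not dominate the target's, unless its type carries `mcskillall`, and nothing in the inner hunk records which senders were checked. `signull` and `sigchld` stay outside the constraint; `sigchld` presumably has to, but `signull` still works across category sets, so it is worth stating whether that is intended. I would add a comment above the rule such as `# generic signals are confined by MCS category; cross-category senders need the mcskillall attribute`. The `dontaudit sandbox_x_domain $1:process signal;` line added to sandbox.if in this same commit looks like a consequence of this constraint, which is a further reason to document the link.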
@@ -991,10 +1000,10 @@ index aa0dcc6..0154b77 100644
rpm_read_db(prelink_cron_system_t)
')
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index c5c7852..947df2b 100644
+index 2df2f1d..c1aaa79 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
-@@ -51,6 +51,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,6 +53,7 @@ domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
@@ -1002,7 +1011,7 @@ index c5c7852..947df2b 100644
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -64,6 +65,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,6 +67,7 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -5100,10 +5109,10 @@ index 0000000..15778fd
+# No types are sandbox_exec_t
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..d104714
+index 0000000..c20d303
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,334 @@
+@@ -0,0 +1,335 @@
+
+## policy for sandbox
+
@@ -5155,6 +5164,7 @@ index 0000000..d104714
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++ dontaudit sandbox_x_domain $1:process signal;
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
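Review bot: The added `dontaudit sandbox_x_domain $1:process signal;` silences a denial without any comment on why a sandboxed X client signals the domain that launched it. It also removes the audit record that would show a sandboxed application attempting exactly that. If this is expected noise (it appears to follow from `signal` joining the MCS constraint in policy/mcs in this commit), a one-line comment above the rule naming the source of the signal would let a later reviewer tell it apart from a masked policy gap. Responders who need these events back can rebuild with dontaudit rules disabled (`semodule -DB`). The enclosing interface starts and ends outside this hunk.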
@@ -7178,10 +7188,10 @@ index 3b2da10..7eed11d 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index cac0c64..d0aaa1c 100644
+index 8b09281..e896bf7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
-@@ -461,6 +461,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',`
########################################
##
@@ -7206,7 +7216,7 @@ index cac0c64..d0aaa1c 100644
## Dontaudit getattr for generic character device files.
##
##
-@@ -497,6 +515,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
##
@@ -7231,7 +7241,7 @@ index cac0c64..d0aaa1c 100644
## Read and write generic character device files.
##
##
-@@ -515,6 +551,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',`
########################################
##
@@ -7253,10 +7263,10 @@ index cac0c64..d0aaa1c 100644
+
+########################################
+##
- ## Create generic character device files.
+ ## Dontaudit attempts to read/write generic character device files.
##
##
-@@ -606,6 +660,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',`
########################################
##
@@ -7281,7 +7291,7 @@ index cac0c64..d0aaa1c 100644
## Create, delete, read, and write symbolic links in device directories.
##
##
-@@ -1015,6 +1087,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',`
########################################
##
@@ -7324,7 +7334,7 @@ index cac0c64..d0aaa1c 100644
## Delete all block device files.
##
##
-@@ -1277,6 +1385,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',`
########################################
##
@@ -7349,7 +7359,7 @@ index cac0c64..d0aaa1c 100644
## Do not audit attempts to get the attributes of
## the autofs device node.
##
-@@ -3540,6 +3666,24 @@ interface(`dev_manage_smartcard',`
+@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',`
########################################
##
@@ -7374,7 +7384,7 @@ index cac0c64..d0aaa1c 100644
## Get the attributes of sysfs directories.
##
##
-@@ -3682,6 +3826,24 @@ interface(`dev_rw_sysfs',`
+@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -7399,7 +7409,7 @@ index cac0c64..d0aaa1c 100644
## Read from pseudo random number generator devices (e.g., /dev/urandom).
##
##
-@@ -3851,6 +4013,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',`
########################################
##
@@ -7424,7 +7434,7 @@ index cac0c64..d0aaa1c 100644
## Mount a usbfs filesystem.
##
##
-@@ -4161,11 +4341,10 @@ interface(`dev_write_video_dev',`
+@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',`
#
interface(`dev_rw_vhost',`
gen_require(`
@@ -7439,10 +7449,10 @@ index cac0c64..d0aaa1c 100644
########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 102d130..ec8eb73 100644
+index eb9c360..20c2d34 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
-@@ -100,6 +100,7 @@ dev_node(ksm_device_t)
+@@ -102,6 +102,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
@@ -7450,7 +7460,7 @@ index 102d130..ec8eb73 100644
#
# Type for /dev/lirc
-@@ -300,5 +301,5 @@ files_associate_tmp(device_node)
+@@ -304,5 +305,5 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -8722,7 +8732,7 @@ index e3e17ba..3b34959 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index fb63c3a..3561f03 100644
+index 56c3408..30bc860 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8775,7 +8785,7 @@ index fb63c3a..3561f03 100644
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
-@@ -248,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -247,6 +264,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -8873,7 +8883,7 @@ index ed7667a..d676187 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fa55f2..90ee6db 100644
+index e4f98ce..806026c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -156,6 +156,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
@@ -8884,7 +8894,7 @@ index 6fa55f2..90ee6db 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -255,7 +256,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -254,7 +255,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -8894,7 +8904,7 @@ index 6fa55f2..90ee6db 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -269,19 +271,29 @@ files_list_root(kernel_t)
+@@ -268,19 +270,29 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -8924,7 +8934,7 @@ index 6fa55f2..90ee6db 100644
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -358,6 +370,10 @@ optional_policy(`
+@@ -357,6 +369,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -11693,7 +11703,7 @@ index 9e39aa5..b37de8e 100644
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..7260bf6 100644
+index c9e1a44..c96d035 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -11843,7 +11853,16 @@ index c9e1a44..7260bf6 100644
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -312,6 +307,25 @@ interface(`apache_domtrans',`
+@@ -243,6 +238,8 @@ interface(`apache_role',`
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+
++ apache_exec_modules($2)
++
+ tunable_policy(`httpd_enable_cgi',`
+ # If a user starts a script by hand it gets the proper context
+ domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
+@@ -312,6 +309,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
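Review bot: `apache_exec_modules($2)` is added to `apache_role` outside the `httpd_enable_cgi` tunable block that follows it, so every user domain passed as `$2` receives it unconditionally. The interface body is not visible here, but going by its name it lets the user domain execute files labelled as Apache modules, which is wider than the script relabel rules around it. If it is only needed when users run their own scripts, moving the call inside the tunable block would keep the default tighter. Either way, a comment giving the reason (`# needed for ...`) belongs on the line. `apache_role` begins and ends outside this hunk.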
@@ -11869,7 +11888,7 @@ index c9e1a44..7260bf6 100644
#######################################
##
## Send a generic signal to apache.
-@@ -400,7 +414,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -11878,7 +11897,7 @@ index c9e1a44..7260bf6 100644
')
########################################
-@@ -526,6 +540,25 @@ interface(`apache_rw_cache_files',`
+@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',`
########################################
##
## Allow the specified domain to delete
@@ -11904,7 +11923,7 @@ index c9e1a44..7260bf6 100644
## Apache cache.
##
##
-@@ -740,6 +773,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
##
@@ -11930,7 +11949,7 @@ index c9e1a44..7260bf6 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -756,6 +808,7 @@ interface(`apache_list_modules',`
+@@ -756,6 +810,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -11938,7 +11957,7 @@ index c9e1a44..7260bf6 100644
')
########################################
-@@ -814,6 +867,7 @@ interface(`apache_list_sys_content',`
+@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -11946,7 +11965,7 @@ index c9e1a44..7260bf6 100644
files_search_var($1)
')
-@@ -836,11 +890,80 @@ interface(`apache_manage_sys_content',`
+@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',`
')
files_search_var($1)
@@ -12027,7 +12046,7 @@ index c9e1a44..7260bf6 100644
########################################
##
## Execute all web scripts in the system
-@@ -858,6 +981,11 @@ interface(`apache_domtrans_sys_script',`
+@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -12039,7 +12058,7 @@ index c9e1a44..7260bf6 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1073,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -12048,7 +12067,7 @@ index c9e1a44..7260bf6 100644
')
########################################
-@@ -1086,6 +1214,25 @@ interface(`apache_read_tmp_files',`
+@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -12074,7 +12093,7 @@ index c9e1a44..7260bf6 100644
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1249,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -12083,7 +12102,7 @@ index c9e1a44..7260bf6 100644
')
########################################
-@@ -1172,7 +1319,7 @@ interface(`apache_admin',`
+@@ -1172,7 +1321,7 @@ interface(`apache_admin',`
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -12092,7 +12111,7 @@ index c9e1a44..7260bf6 100644
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1349,43 @@ interface(`apache_admin',`
+@@ -1202,12 +1351,43 @@ interface(`apache_admin',`
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -17340,7 +17359,7 @@ index 7cf6763..5b9771e 100644
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
-index 24c6253..0a54d67 100644
+index 24c6253..188cd75 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -17370,7 +17389,7 @@ index 24c6253..0a54d67 100644
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
-@@ -211,10 +215,13 @@ seutil_read_config(hald_t)
+@@ -211,14 +215,19 @@ seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
@@ -17385,7 +17404,13 @@ index 24c6253..0a54d67 100644
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -268,6 +275,10 @@ optional_policy(`
+
++netutils_domtrans(hald_t)
++
+ optional_policy(`
+ alsa_domtrans(hald_t)
+ alsa_read_rw_config(hald_t)
+@@ -268,6 +277,10 @@ optional_policy(`
')
optional_policy(`
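Review bot: `netutils_domtrans(hald_t)` is added at top level, while the neighbouring cross-module calls such as `alsa_domtrans(hald_t)` directly below sit inside `optional_policy` blocks, so the hal module now hard-depends on the netutils module being present. Wrapping the call in its own `optional_policy` block, in the same form as the alsa one, would keep hal loadable without it. The call also gives hald a transition into the netutils domain, which presumably carries raw-network privileges. A comment naming the tool hald has to run would let a later reviewer judge whether the transition is still needed.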
@@ -17396,7 +17421,7 @@ index 24c6253..0a54d67 100644
gpm_dontaudit_getattr_gpmctl(hald_t)
')
-@@ -318,6 +329,10 @@ optional_policy(`
+@@ -318,6 +331,10 @@ optional_policy(`
')
optional_policy(`
@@ -17407,7 +17432,7 @@ index 24c6253..0a54d67 100644
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
-@@ -338,6 +353,10 @@ optional_policy(`
+@@ -338,6 +355,10 @@ optional_policy(`
virt_manage_images(hald_t)
')
@@ -17418,7 +17443,7 @@ index 24c6253..0a54d67 100644
########################################
#
# Hal acl local policy
-@@ -358,6 +377,7 @@ files_search_var_lib(hald_acl_t)
+@@ -358,6 +379,7 @@ files_search_var_lib(hald_acl_t)
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -17426,7 +17451,7 @@ index 24c6253..0a54d67 100644
corecmd_exec_bin(hald_acl_t)
-@@ -470,6 +490,10 @@ files_read_usr_files(hald_keymap_t)
+@@ -470,6 +492,10 @@ files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@@ -28755,12 +28780,12 @@ index 408f4e6..55c2d03 100644
auth_rw_login_records(getty_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index b9efd1b..f1edb15 100644
+index 1fd31c1..683494c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
-@@ -26,15 +26,18 @@ kernel_read_proc_symlinks(hostname_t)
-
- dev_read_sysfs(hostname_t)
+@@ -28,15 +28,18 @@ dev_read_sysfs(hostname_t)
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(hostname_t)
+domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t)
@@ -28777,7 +28802,7 @@ index b9efd1b..f1edb15 100644
fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
term_dontaudit_use_console(hostname_t)
-@@ -53,6 +56,10 @@ sysnet_read_config(hostname_t)
+@@ -55,6 +58,10 @@ sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
optional_policy(`
@@ -29216,7 +29241,7 @@ index f6aafe7..7da8294 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index bd45076..a100eb6 100644
+index abab4cf..9f9b812 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -29292,14 +29317,15 @@ index bd45076..a100eb6 100644
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file manage_file_perms;
-@@ -120,15 +145,19 @@ corecmd_exec_chroot(init_t)
+@@ -119,6 +144,7 @@ corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)
dev_read_sysfs(init_t)
+dev_read_urand(init_t)
+ # Early devtmpfs
+ dev_rw_generic_chr_files(init_t)
- domain_getpgid_all_domains(init_t)
- domain_kill_all_domains(init_t)
+@@ -127,9 +153,12 @@ domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
@@ -29312,7 +29338,7 @@ index bd45076..a100eb6 100644
files_rw_generic_pids(init_t)
files_dontaudit_search_isid_type_dirs(init_t)
files_manage_etc_runtime_files(init_t)
-@@ -167,6 +196,8 @@ seutil_read_config(init_t)
+@@ -168,6 +197,8 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
@@ -29321,7 +29347,7 @@ index bd45076..a100eb6 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
')
-@@ -177,7 +208,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +209,7 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
@@ -29330,7 +29356,7 @@ index bd45076..a100eb6 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -185,23 +216,92 @@ tunable_policy(`init_upstart',`
+@@ -186,23 +217,92 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -29423,7 +29449,7 @@ index bd45076..a100eb6 100644
unconfined_domain(init_t)
')
-@@ -211,7 +311,7 @@ optional_policy(`
+@@ -212,7 +312,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29432,7 +29458,7 @@ index bd45076..a100eb6 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -240,6 +340,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +341,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29440,7 +29466,7 @@ index bd45076..a100eb6 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -257,11 +358,22 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +359,22 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29463,10 +29489,20 @@ index bd45076..a100eb6 100644
corecmd_exec_all_executables(initrc_t)
-@@ -297,11 +409,13 @@ dev_manage_generic_files(initrc_t)
+@@ -291,6 +403,7 @@ dev_read_sound_mixer(initrc_t)
+ dev_write_sound_mixer(initrc_t)
+ dev_setattr_all_chr_files(initrc_t)
+ dev_rw_lvm_control(initrc_t)
++dev_rw_generic_chr_files(initrc_t)
+ dev_delete_lvm_control_dev(initrc_t)
+ dev_manage_generic_symlinks(initrc_t)
+ dev_manage_generic_files(initrc_t)
+@@ -298,13 +411,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
+-# Early devtmpfs
+-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
domain_kill_all_domains(initrc_t)
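Review bot: The inner hunks at `@@ -291,6 +403,7 @@` and `@@ -298,13 +411,13 @@` add `dev_rw_generic_chr_files(initrc_t)` in one place and delete upstream's copy together with its `# Early devtmpfs` comment, so the net policy is unchanged but the only explanation for this broad grant on generic character devices is lost. Dropping both inner hunks would keep upstream's line and comment and shrink the downstream patch. If the move is deliberate, carry the comment with it by putting `# Early devtmpfs` above the added line. The `init_t` copy in the earlier hunk keeps its comment, so the two domains would then read the same way.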
@@ -29477,7 +29513,7 @@ index bd45076..a100eb6 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -320,8 +434,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +436,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29489,7 +29525,7 @@ index bd45076..a100eb6 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -337,8 +453,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +455,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29503,7 +29539,7 @@ index bd45076..a100eb6 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -348,6 +468,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +470,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29512,7 +29548,7 @@ index bd45076..a100eb6 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -360,6 +482,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +484,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29520,7 +29556,7 @@ index bd45076..a100eb6 100644
selinux_get_enforce_mode(initrc_t)
-@@ -391,13 +514,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +516,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -29536,7 +29572,7 @@ index bd45076..a100eb6 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -470,7 +594,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +596,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29545,7 +29581,7 @@ index bd45076..a100eb6 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -516,6 +640,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +642,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -29565,7 +29601,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -523,10 +660,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +662,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29583,7 +29619,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -541,6 +685,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +687,35 @@ ifdef(`distro_suse',`
')
')
@@ -29619,7 +29655,7 @@ index bd45076..a100eb6 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -553,6 +726,8 @@ optional_policy(`
+@@ -556,6 +728,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29628,7 +29664,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -569,6 +744,7 @@ optional_policy(`
+@@ -572,6 +746,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29636,7 +29672,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -581,6 +757,11 @@ optional_policy(`
+@@ -584,6 +759,11 @@ optional_policy(`
')
optional_policy(`
@@ -29648,7 +29684,7 @@ index bd45076..a100eb6 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -597,6 +778,7 @@ optional_policy(`
+@@ -600,6 +780,7 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29656,7 +29692,7 @@ index bd45076..a100eb6 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -698,7 +880,12 @@ optional_policy(`
+@@ -701,7 +882,12 @@ optional_policy(`
')
optional_policy(`
@@ -29669,7 +29705,7 @@ index bd45076..a100eb6 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -721,6 +908,10 @@ optional_policy(`
+@@ -724,6 +910,10 @@ optional_policy(`
')
optional_policy(`
@@ -29680,7 +29716,7 @@ index bd45076..a100eb6 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -742,6 +933,10 @@ optional_policy(`
+@@ -745,6 +935,10 @@ optional_policy(`
')
optional_policy(`
@@ -29691,7 +29727,7 @@ index bd45076..a100eb6 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -763,8 +958,6 @@ optional_policy(`
+@@ -766,8 +960,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29700,7 +29736,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -773,14 +966,21 @@ optional_policy(`
+@@ -776,14 +968,21 @@ optional_policy(`
')
optional_policy(`
@@ -29722,7 +29758,7 @@ index bd45076..a100eb6 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -802,11 +1002,19 @@ optional_policy(`
+@@ -805,11 +1004,19 @@ optional_policy(`
')
optional_policy(`
@@ -29743,7 +29779,7 @@ index bd45076..a100eb6 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -816,6 +1024,25 @@ optional_policy(`
+@@ -819,6 +1026,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29769,7 +29805,7 @@ index bd45076..a100eb6 100644
')
optional_policy(`
-@@ -841,3 +1068,55 @@ optional_policy(`
+@@ -844,3 +1070,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -31557,7 +31593,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index ee6520c..e36909c 100644
+index fca6947..24ffd8a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -31607,7 +31643,7 @@ index ee6520c..e36909c 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,30 +68,54 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,32 +68,56 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -31646,6 +31682,8 @@ index ee6520c..e36909c 100644
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
+')
+ # Early devtmpfs, before udev relabel
+ dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t)
+domain_dontaudit_search_all_domains_state(mount_t)
@@ -31664,7 +31702,7 @@ index ee6520c..e36909c 100644
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -79,25 +125,32 @@ files_read_isid_type_files(mount_t)
+@@ -81,25 +127,32 @@ files_read_isid_type_files(mount_t)
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -31700,7 +31738,7 @@ index ee6520c..e36909c 100644
term_use_all_terms(mount_t)
-@@ -106,6 +159,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +161,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -31709,7 +31747,7 @@ index ee6520c..e36909c 100644
logging_send_syslog_msg(mount_t)
-@@ -116,6 +171,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +173,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -31722,7 +31760,7 @@ index ee6520c..e36909c 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -131,10 +192,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +194,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -31740,7 +31778,7 @@ index ee6520c..e36909c 100644
')
optional_policy(`
-@@ -164,6 +232,8 @@ optional_policy(`
+@@ -166,6 +234,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -31749,7 +31787,7 @@ index ee6520c..e36909c 100644
')
optional_policy(`
-@@ -171,6 +241,25 @@ optional_policy(`
+@@ -173,6 +243,25 @@ optional_policy(`
')
optional_policy(`
@@ -31775,7 +31813,7 @@ index ee6520c..e36909c 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +267,11 @@ optional_policy(`
+@@ -180,6 +269,11 @@ optional_policy(`
')
')
@@ -31787,7 +31825,7 @@ index ee6520c..e36909c 100644
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -185,6 +279,19 @@ optional_policy(`
+@@ -187,6 +281,19 @@ optional_policy(`
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -31807,7 +31845,7 @@ index ee6520c..e36909c 100644
')
########################################
-@@ -193,6 +300,42 @@ optional_policy(`
+@@ -195,6 +302,42 @@ optional_policy(`
#
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a39aad9..0d858c7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.0
-Release: 2%{?dist}
+Version: 3.9.1
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Mon Aug 30 2010 Dan Walsh 3.9.1-1
+- Merge with upstream
+
* Thu Aug 26 2010 Dan Walsh 3.9.0-2
- More access needed for devicekit
- Add dbadm policy
diff --git a/sources b/sources
index cb5f564..4192ac7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9012ab09af5480459942d4a54de91db4 serefpolicy-3.9.0.tgz
+1351ca1eca73598202c01ea63efba6d1 serefpolicy-3.9.1.tgz