rpms/selinux-policy/F-8 policy-20070703.patch,1.116,1.117

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Oct 31 00:13:00 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7329

Modified Files:
	policy-20070703.patch 
Log Message:
* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-42
- Make tcbdomain 
- Allow domain domain:fd use
- Dontaudit rpm_rw_pipes


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- policy-20070703.patch	31 Oct 2007 00:04:07 -0000	1.116
+++ policy-20070703.patch	31 Oct 2007 00:12:56 -0000	1.117
@@ -1481,16 +1481,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te	2007-10-30 16:10:13.000000000 -0400
-@@ -9,6 +9,7 @@
- type kudzu_t;
- type kudzu_exec_t;
- init_system_domain(kudzu_t,kudzu_exec_t)
-+domain_trusted_type(kudzu_t)
- 
- type kudzu_tmp_t;
- files_tmp_file(kudzu_tmp_t)
-@@ -21,8 +22,8 @@
++++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te	2007-10-30 19:54:56.000000000 -0400
+@@ -21,8 +21,8 @@
  # Local policy
  #
  
@@ -1501,7 +1493,7 @@
  allow kudzu_t self:process { signal_perms execmem };
  allow kudzu_t self:fifo_file rw_fifo_file_perms;
  allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -68,6 +69,7 @@
+@@ -68,6 +68,7 @@
  modutils_read_module_deps(kudzu_t)
  modutils_read_module_config(kudzu_t)
  modutils_rename_module_config(kudzu_t)
@@ -1509,7 +1501,7 @@
  
  storage_read_scsi_generic(kudzu_t)
  storage_read_tape(kudzu_t)
-@@ -103,6 +105,8 @@
+@@ -103,6 +104,8 @@
  init_use_fds(kudzu_t)
  init_use_script_ptys(kudzu_t)
  init_stream_connect_script(kudzu_t)
@@ -1518,7 +1510,7 @@
  # kudzu will telinit to make init re-read
  # the inittab after configuring serial consoles
  init_telinit(kudzu_t)
-@@ -134,20 +138,15 @@
+@@ -134,20 +137,15 @@
  ')
  
  optional_policy(`
@@ -1542,6 +1534,16 @@
  ')
  
  ifdef(`TODO',`
+@@ -162,6 +160,9 @@
+ 	allow kudzu_t rhgb_t:unix_stream_socket connectto;
+ ')
+ optional_policy(`
++	unconfined_domain(kudzu_t)
++')
++optional_policy(`
+ 	role system_r types sysadm_userhelper_t;
+ 	domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.8/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/logrotate.te	2007-10-29 23:59:29.000000000 -0400
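Review bot: The new `unconfined_domain(kudzu_t)` block is added at kudzu.te line 162, and the preceding inner hunk ends by opening an ifdef on TODO, so the block looks like it sits inside a section that is never compiled. The close of that ifdef is outside the visible lines, so this needs confirming against the full file. If it is inside, kudzu_t silently loses the unconfined access it had through `domain_trusted_type(kudzu_t)`, which this revision removes. I would move the block above the TODO ifdef, next to the live optional_policy blocks, and say in a comment why kudzu_t is unconfined.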
@@ -3708,45 +3710,8 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.8/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-10-30 19:46:37.000000000 -0400
-@@ -33,6 +33,36 @@
- 
- ########################################
- ## <summary>
-+##	Make the specified type usable as a trusted computer base domain.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type usable as a trusted computer base domain.
-+##	</p>
-+##	<p>
-+##	This is primarily used for system runtime processes
-+##	</p>
-+## </desc>
-+## <param name="type">
-+##	<summary>
-+##	Type to be used as a basic domain type.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_trusted_type',`
-+	gen_require(`
-+		attribute tcbdomain;
-+	')
-+
-+	domain_type($1)
-+
-+	optional_policy(`
-+		unconfined_domain($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
- ##	Make the specified type usable as a domain.
- ## </summary>
- ## <param name="type">
-@@ -45,6 +75,11 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.if	2007-10-30 19:48:13.000000000 -0400
+@@ -45,6 +45,11 @@
  	# start with basic domain
  	domain_base_type($1)
  
@@ -3758,7 +3723,7 @@
  	# send init a sigchld and signull
  	optional_policy(`
  		init_sigchld($1)
-@@ -59,6 +94,7 @@
+@@ -59,6 +64,7 @@
  	')
  
  	optional_policy(`
@@ -3766,7 +3731,7 @@
  		selinux_dontaudit_read_fs($1)
  	')
  
-@@ -1271,3 +1307,20 @@
+@@ -1271,3 +1277,20 @@
  	typeattribute $1 mmap_low_domain_type;
  ')
  
@@ -4587,16 +4552,8 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.0.8/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te	2007-10-30 16:05:02.000000000 -0400
-@@ -239,6 +239,7 @@
- 
- domain_signal_all_domains(kernel_t)
- domain_search_all_domains_state(kernel_t)
-+domain_trusted_type(kernel_t)
- 
- files_list_root(kernel_t)
- files_list_etc(kernel_t)
-@@ -278,6 +279,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.te	2007-10-30 19:49:01.000000000 -0400
+@@ -278,6 +278,7 @@
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -4604,17 +4561,6 @@
  ')
  
  optional_policy(`
-@@ -335,10 +337,6 @@
- 	seutil_read_bin_policy(kernel_t)
- ')
- 
--optional_policy(`
--	unconfined_domain(kernel_t)
--')
--
- ########################################
- #
- # Unlabeled process local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if	2007-10-29 23:59:29.000000000 -0400
@@ -7989,16 +7935,8 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-30 16:09:07.000000000 -0400
-@@ -9,6 +9,7 @@
- type hald_t;
- type hald_exec_t;
- init_daemon_domain(hald_t,hald_exec_t)
-+domain_trusted_type(hald_t)
- 
- type hald_acl_t;
- type hald_acl_exec_t;
-@@ -49,6 +50,9 @@
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-30 19:54:25.000000000 -0400
+@@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
  
@@ -8008,7 +7946,7 @@
  ########################################
  #
  # Local policy
-@@ -70,7 +74,7 @@
+@@ -70,7 +73,7 @@
  manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
  
  # log files for hald
@@ -8017,7 +7955,7 @@
  logging_log_filetrans(hald_t,hald_log_t,file)
  
  manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
-@@ -93,6 +97,7 @@
+@@ -93,6 +96,7 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
@@ -8025,7 +7963,7 @@
  
  auth_read_pam_console_data(hald_t)
  
-@@ -155,6 +160,8 @@
+@@ -155,6 +159,8 @@
  selinux_compute_relabel_context(hald_t)
  selinux_compute_user_contexts(hald_t)
  
@@ -8034,7 +7972,18 @@
  storage_raw_read_removable_device(hald_t)
  storage_raw_write_removable_device(hald_t)
  storage_raw_read_fixed_disk(hald_t)
-@@ -293,6 +300,7 @@
+@@ -280,6 +286,10 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(hald_t)
++')
++
++optional_policy(`
+ 	updfstab_domtrans(hald_t)
+ ')
+ 
+@@ -293,6 +303,7 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
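Review bot: The added `unconfined_domain(hald_t)` block in hal.te has no comment saying why hald_t must be unconfined. The same bare grant is added for kudzu_t, init_t and udev_t in their own hunks. When the unconfined module is present, the fine-grained hald_t rules in this file stop bounding the daemon, which the context lines show reading and writing removable devices. The removed `domain_trusted_type` interface at least gave these grants one documented place. I would put a comment above each block, for example `# hald_t runs unconfined because <reason>; drop once <condition>`, or replace the blanket grant with the specific interfaces that were being denied.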
@@ -8042,7 +7991,7 @@
  allow hald_acl_t self:fifo_file read_fifo_file_perms;
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -340,10 +348,14 @@
+@@ -340,10 +351,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -10400,7 +10349,7 @@
  manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-10-30 19:57:15.000000000 -0400
 @@ -89,8 +89,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -10414,31 +10363,6 @@
  
  	fs_rw_rpc_named_pipes($1_t) 
  	fs_search_auto_mountpoints($1_t)
-@@ -214,6 +217,24 @@
- 
- ########################################
- ## <summary>
-+##      Execute domain in nfsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##      The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpc_domtrans_rpcd',`
-+	gen_require(`
-+		type rpcd_t, rpcd_exec_t;
-+	')
-+
-+	domtrans_pattern($1,rpcd_exec_t,rpcd_t)
-+')
-+
-+########################################
-+## <summary>
- ##      Read NFS exported content.
- ## </summary>
- ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-10-29 23:59:29.000000000 -0400
@@ -12787,7 +12711,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-30 20:09:22.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -13723,7 +13647,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-10-30 16:06:31.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-10-30 19:53:21.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -13745,7 +13669,7 @@
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -19,12 +33,14 @@
+@@ -19,12 +33,13 @@
  # Mark process types as daemons
  attribute daemon;
  
@@ -13757,11 +13681,10 @@
  type init_t;
  type init_exec_t;
 -domain_type(init_t)
-+domain_trusted_type(init_t)
  domain_entry_file(init_t,init_exec_t)
  kernel_domtrans_to(init_t,init_exec_t)
  role system_r types init_t;
-@@ -45,7 +61,7 @@
+@@ -45,7 +60,7 @@
  mls_trusted_object(initctl_t)
  
  type initrc_t;
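Review bot: The init.te patch still carries the deletion `-domain_type(init_t)`, but this revision drops its only replacement, `+domain_trusted_type(init_t)`, which called `domain_type($1)`. Unless another part of the patch declares init_t as a domain, init_t loses the domain attribute and every rule keyed on it. The `unconfined_domain(init_t)` added in a later hunk does not obviously cover this, because it sits under optional_policy after a `',` separator, apparently the alternative branch of a conditional. I would remove the `-domain_type(init_t)` line from the patch so that upstream's declaration is kept.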
@@ -13770,7 +13693,7 @@
  domain_type(initrc_t)
  domain_entry_file(initrc_t,initrc_exec_t)
  role system_r types initrc_t;
-@@ -73,7 +89,7 @@
+@@ -73,7 +88,7 @@
  #
  
  # Use capabilities. old rule:
@@ -13779,7 +13702,7 @@
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -171,13 +187,13 @@
+@@ -171,13 +186,14 @@
  	nscd_socket_use(init_t)
  ')
  
@@ -13794,6 +13717,7 @@
  	userdom_shell_domtrans_sysadm(init_t)
 +',`
 +	optional_policy(`
++		unconfined_domain(init_t)
 +		unconfined_shell_domtrans(init_t)
 +	')
  ')
@@ -13808,7 +13732,12 @@
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -201,10 +217,9 @@
+@@ -196,15 +212,13 @@
+ allow initrc_t self:tcp_socket create_stream_socket_perms;
+ allow initrc_t self:udp_socket create_socket_perms;
+ allow initrc_t self:fifo_file rw_file_perms;
+-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+ 
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -13821,7 +13750,16 @@
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +298,6 @@
+@@ -233,6 +247,8 @@
+ # for lsof which is used by alsa shutdown:
+ kernel_dontaudit_getattr_message_if(initrc_t)
+ 
++auth_use_nsswitch(initrc_t)
++
+ files_read_kernel_symbol_table(initrc_t)
+ 
+ corenet_all_recvfrom_unlabeled(initrc_t)
+@@ -283,7 +299,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -13829,7 +13767,16 @@
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -497,6 +511,47 @@
+@@ -365,8 +380,6 @@
+ 
+ seutil_read_config(initrc_t)
+ 
+-sysnet_read_config(initrc_t)
+-
+ userdom_read_all_users_home_content_files(initrc_t)
+ # Allow access to the sysadm TTYs. Note that this will give access to the 
+ # TTYs to any process in the initrc_t domain. Therefore, daemons and such
+@@ -497,6 +510,47 @@
  ')
  
  optional_policy(`
@@ -13877,7 +13824,7 @@
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -632,12 +687,6 @@
+@@ -632,12 +686,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -13890,7 +13837,23 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -703,6 +752,9 @@
+@@ -649,15 +697,10 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(initrc_t)
+ 	nis_list_var_yp(initrc_t)
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(initrc_t)
+-')
+-
+-optional_policy(`
+ 	openvpn_read_config(initrc_t)
+ ')
+ 
+@@ -703,6 +746,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -13900,7 +13863,7 @@
  ')
  
  optional_policy(`
-@@ -750,6 +802,10 @@
+@@ -750,6 +796,10 @@
  ')
  
  optional_policy(`
@@ -16077,16 +16040,8 @@
  	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-10-30 16:53:56.000000000 -0400
-@@ -13,6 +13,7 @@
- domain_obj_id_change_exemption(udev_t)
- domain_entry_file(udev_t,udev_helper_exec_t)
- domain_interactive_fd(udev_t)
-+domain_trusted_type(udev_t)
- init_daemon_domain(udev_t,udev_exec_t)
- 
- type udev_etc_t alias etc_udev_t;
-@@ -132,6 +133,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/udev.te	2007-10-30 19:53:35.000000000 -0400
+@@ -132,6 +132,7 @@
  
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
@@ -16094,7 +16049,7 @@
  
  libs_use_ld_so(udev_t)
  libs_use_shared_libs(udev_t)
-@@ -184,6 +186,12 @@
+@@ -184,6 +185,12 @@
  ')
  
  optional_policy(`
@@ -16107,7 +16062,7 @@
  	brctl_domtrans(udev_t)
  ')
  
-@@ -220,6 +228,10 @@
+@@ -220,6 +227,10 @@
  ')
  
  optional_policy(`
@@ -16118,6 +16073,16 @@
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
+@@ -227,5 +238,9 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(udev_t)
++')
++
++optional_policy(`
+ 	xserver_read_xdm_pid(udev_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2007-10-29 23:59:29.000000000 -0400



