rpms/selinux-policy/devel modules-minimum.conf, 1.13, 1.14 modules-mls.conf, 1.47, 1.48 modules-targeted.conf, 1.115, 1.116 policy-20090105.patch, 1.48, 1.49 selinux-policy.spec, 1.797, 1.798

Daniel J Walsh dwalsh at fedoraproject.org
Fri Feb 27 21:23:18 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9155

Modified Files:
	modules-minimum.conf modules-mls.conf modules-targeted.conf 
	policy-20090105.patch selinux-policy.spec 
Log Message:
* Fri Feb 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.6-8
- Further confinement of qemu images via svirt



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- modules-minimum.conf	10 Feb 2009 16:08:36 -0000	1.13
+++ modules-minimum.conf	27 Feb 2009 21:22:47 -0000	1.14
@@ -1413,6 +1413,13 @@
 # 
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+# 
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #
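Review bot: The header comment `# Virtualization libraries` on the new `virtual` entry does not say why this module is `base` while `virt` just above it stays `module`; from the rest of this commit the reason appears to be that the MCS constraints added to policy/mcs reference the `virtualdomain` and `virtual_image_type` attributes, and base constraints can only resolve against attributes declared in base. Suggest replacing the description with `# Attributes (virtualdomain, virtual_image_type) referenced by the policy/mcs constraints; must stay in base` so the next person does not flip it back to `module`. The same applies to the identical hunks in modules-mls.conf and modules-targeted.conf.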


Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.47
retrieving revision 1.48
diff -u -r1.47 -r1.48
--- modules-mls.conf	28 Jan 2009 22:23:18 -0000	1.47
+++ modules-mls.conf	27 Feb 2009 21:22:47 -0000	1.48
@@ -1399,6 +1399,13 @@
 # 
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+# 
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -r1.115 -r1.116
--- modules-targeted.conf	10 Feb 2009 16:08:36 -0000	1.115
+++ modules-targeted.conf	27 Feb 2009 21:22:47 -0000	1.116
@@ -1413,6 +1413,13 @@
 # 
 virt = module
 
+# Layer: system
+# Module: virtual
+#
+# Virtualization libraries
+# 
+virtual = base
+
 # Layer: apps
 # Module: qemu
 #

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- policy-20090105.patch	26 Feb 2009 14:28:27 -0000	1.48
+++ policy-20090105.patch	27 Feb 2009 21:22:47 -0000	1.49
@@ -420,17 +420,18 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.6/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-02-03 22:50:50.000000000 -0500
-+++ serefpolicy-3.6.6/policy/mcs	2009-02-16 13:18:06.000000000 -0500
-@@ -67,7 +67,7 @@
++++ serefpolicy-3.6.6/policy/mcs	2009-02-27 15:49:53.000000000 -0500
+@@ -67,7 +67,8 @@
  # Note that getattr on files is always permitted.
  #
  mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
 -	( h1 dom h2 );
-+	(( h1 dom h2 ) or ( t1 == mlsfilewrite ));
++	((( h1 dom h2 ) or ( t1 == mlsfilewrite )) 
++	   and ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2)));
  
  mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
  	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-@@ -75,7 +75,7 @@
+@@ -75,19 +76,20 @@
  # New filesystem object labels must be dominated by the relabeling subject
  # clearance, also the objects are single-level.
  mlsconstrain file { create relabelto }
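Review bot: The new same-category requirement for virtual domains is attached only to `mlsconstrain file { write ... }` here and to `mlsconstrain file { read }` in the following hunk, yet `virtual_image()` in this same patch also calls `dev_node($1)` with the comment that images can be assigned to block devices, so a `virtualdomain` process opening an image that is a blk_file is never subject to the `(h1 == h2)` term. Unless a blk_file constraint elsewhere in policy/mcs already covers this, a parallel constraint such as `mlsconstrain blk_file { read write } ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2));` would close the gap, and a one-line comment above the new term stating the intent (a guest may only touch images carrying exactly its own categories) would help readers who do not know svirt. Minor: the line `((( h1 dom h2 ) or ( t1 == mlsfilewrite )) ` carries trailing whitespace.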
@@ -439,7 +440,10 @@
  
  # At this time we do not restrict "ps" type operations via MCS.  This
  # will probably change in future.
-@@ -84,10 +84,10 @@
+ mlsconstrain file { read }
+-	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
++	     ((( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ))
++	     and ((t1 != virtualdomain) or (t2 != virtual_image_type) or (h1 == h2)));
  
  # new file labels must be dominated by the relabeling subject clearance
  mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
@@ -3637,7 +3641,7 @@
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.6/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/apps/qemu.if	2009-02-20 11:37:20.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/apps/qemu.if	2009-02-26 17:53:22.000000000 -0500
 @@ -40,6 +40,93 @@
  
  	qemu_domtrans($1)
@@ -3824,7 +3828,7 @@
  ## </summary>
  ## <param name="domain">
  ## <summary>
-@@ -127,84 +290,84 @@
+@@ -127,84 +290,81 @@
  #
  template(`qemu_domain_template',`
  
@@ -3832,13 +3836,10 @@
 -	#
 -	# Local Policy
 -	#
-+	gen_require(`
-+		attribute qemutype;
-+	')
- 
--	type $1_t;
+-
+ 	type $1_t;
 -	domain_type($1_t)
-+	type $1_t, qemutype;
++	virtual_domain($1_t)
  
  	type $1_tmp_t;
  	files_tmp_file($1_tmp_t)
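Review bot: `virtual_domain($1_t)` replaces the former `type $1_t, qemutype;`, but the new interface as added in virtual.if by this patch only does `typeattribute $1 virtualdomain;`, and the refpolicy `domain_type($1_t)` call remains removed in this template. Unless virtual.te, which is outside this chunk, applies domain_type (or an equivalent) to the `virtualdomain` attribute, `$1_t` would no longer be declared as a domain; worth confirming, and a comment such as `# virtual_domain() is expected to make $1_t a domain` next to the call would record that dependency. The template body continues beyond this hunk.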
@@ -3851,10 +3852,7 @@
 +	files_tmpfs_file($1_tmpfs_t)
 +
 +	type $1_image_t;
-+	virt_image($1_image_t)
-+
-+	allow $1_t self:capability kill;
-+	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
++	virtual_image($1_image_t)
  
 -	allow $1_t self:capability { dac_read_search dac_override };
 -	allow $1_t self:process { execstack execmem signal getsched };
@@ -3862,6 +3860,9 @@
 -	allow $1_t self:shm create_shm_perms;
 -	allow $1_t self:unix_stream_socket create_stream_socket_perms;
 -	allow $1_t self:tcp_socket create_stream_socket_perms;
++	allow $1_t self:capability kill;
++	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
++
 +	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
 +	manage_files_pattern($1_t, $1_image_t, $1_image_t)
 +	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
@@ -3891,21 +3892,21 @@
 -	files_read_usr_files($1_t)
 -	files_read_var_files($1_t)
 -	files_search_all($1_t)
+-
+-	fs_list_inotifyfs($1_t)
+-	fs_rw_anon_inodefs_files($1_t)
+-	fs_rw_tmpfs_files($1_t)
 +	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
 +	fs_getattr_tmpfs($1_t)
  
--	fs_list_inotifyfs($1_t)
--	fs_rw_anon_inodefs_files($1_t)
--	fs_rw_tmpfs_files($1_t)
+-	storage_raw_write_removable_device($1_t)
+-	storage_raw_read_removable_device($1_t)
 +	userdom_read_user_tmpfs_files($1_t)
 +	userdom_signull_unpriv_users($1_t)
  
--	storage_raw_write_removable_device($1_t)
--	storage_raw_read_removable_device($1_t)
--
 -	term_use_ptmx($1_t)
 -	term_getattr_pty_fs($1_t)
 -	term_use_generic_ptys($1_t)
@@ -3972,17 +3973,8 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.6/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/apps/qemu.te	2009-02-23 16:13:38.000000000 -0500
-@@ -6,6 +6,8 @@
- # Declarations
- #
- 
-+attribute qemutype;
-+
- ## <desc>
- ## <p>
- ## Allow qemu to connect fully to the network
-@@ -13,28 +15,162 @@
++++ serefpolicy-3.6.6/policy/modules/apps/qemu.te	2009-02-26 17:38:52.000000000 -0500
+@@ -13,28 +13,101 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
  
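Review bot: Removing `attribute qemutype;` here, the `qemutype` self rules in the next hunk, and the kernel_/corenet_/dev_/term_/auth_/xserver_ rules for `qemutype` in the hunk at 4039 drops every rule in this chunk that the per-guest `$1_t` types received through the attribute, while the `virtualdomain` side that is meant to replace it (virtual.te) is not in view. Please confirm those rules were moved rather than lost, in particular `dev_rw_kvm`, `corenet_rw_tun_tap_dev` and the `virt_*`/`xserver_*` optional blocks, since otherwise qemu guests would be denied kvm, tap and X access after this update. The `qemu_t`-specific rules that stay below are unaffected.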
@@ -4018,18 +4010,11 @@
 +type qemu_var_run_t;
 +files_pid_file(qemu_var_run_t)
 +
-+########################################
-+#
-+# qemu common policy
-+#
-+allow qemutype self:capability { dac_read_search dac_override };
-+allow qemutype self:process { execstack execmem signal getsched signull };
-+
-+allow qemutype self:fifo_file rw_file_perms;
-+allow qemutype self:shm create_shm_perms;
-+allow qemutype self:unix_stream_socket create_stream_socket_perms;
-+allow qemutype self:tcp_socket create_stream_socket_perms;
-+
+ ########################################
+ #
+ # qemu local policy
+ #
+ 
 +manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
 +manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t)
 +files_var_filetrans(qemu_t, qemu_cache_t, { file dir })
@@ -4039,60 +4024,6 @@
 +manage_lnk_files_pattern(qemu_t, qemu_var_run_t, qemu_var_run_t)
 +files_pid_filetrans(qemu_t, qemu_var_run_t, { dir file })
 +
-+kernel_read_system_state(qemutype)
-+
-+corenet_all_recvfrom_unlabeled(qemutype)
-+corenet_all_recvfrom_netlabel(qemutype)
-+corenet_tcp_sendrecv_generic_if(qemutype)
-+corenet_tcp_sendrecv_generic_node(qemutype)
-+corenet_tcp_sendrecv_all_ports(qemutype)
-+corenet_tcp_bind_generic_node(qemutype)
-+corenet_tcp_bind_vnc_port(qemutype)
-+corenet_rw_tun_tap_dev(qemutype)
-+
-+dev_read_sound(qemutype)
-+dev_write_sound(qemutype)
-+dev_rw_kvm(qemutype)
-+dev_rw_qemu(qemutype)
-+
-+domain_use_interactive_fds(qemutype)
-+
-+files_read_etc_files(qemutype)
-+files_read_usr_files(qemutype)
-+files_read_var_files(qemutype)
-+files_search_all(qemutype)
-+
-+fs_list_inotifyfs(qemutype)
-+fs_rw_anon_inodefs_files(qemutype)
-+fs_rw_tmpfs_files(qemutype)
-+
-+term_use_all_terms(qemutype)
-+term_getattr_pty_fs(qemutype)
-+term_use_generic_ptys(qemutype)
-+term_use_ptmx(qemutype)
-+
-+auth_use_nsswitch(qemutype)
-+
-+miscfiles_read_localization(qemutype)
-+
-+optional_policy(`
-+	virt_read_config(qemutype)
-+	virt_read_lib_files(qemutype)
-+	virt_read_content(qemutype)
-+')
-+
-+optional_policy(`
-+	xserver_stream_connect(qemutype)
-+	xserver_read_xdm_tmp_files(qemutype)
-+	xserver_read_xdm_pid(qemutype)
-+	xserver_rw_shm(qemutype)
-+')
-+
- ########################################
- #
- # qemu local policy
- #
- 
 +storage_raw_write_removable_device(qemu_t)
 +storage_raw_read_removable_device(qemu_t)
 +
@@ -5482,7 +5413,7 @@
  type power_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.6/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/kernel/domain.if	2009-02-16 17:42:39.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/kernel/domain.if	2009-02-26 17:54:41.000000000 -0500
 @@ -629,6 +629,7 @@
  
  	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
@@ -12169,7 +12100,7 @@
  /var/run/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.6/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/dbus.if	2009-02-17 16:08:31.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/dbus.if	2009-02-26 10:05:58.000000000 -0500
 @@ -44,6 +44,7 @@
  
  		attribute session_bus_type;
@@ -12195,7 +12126,16 @@
  
  	files_read_etc_files($1_dbusd_t)
  	files_list_home($1_dbusd_t)
-@@ -160,6 +162,10 @@
+@@ -145,6 +147,8 @@
+ 	seutil_read_config($1_dbusd_t)
+ 	seutil_read_default_contexts($1_dbusd_t)
+ 
++	term_use_all_terms($1_dbusd_t)
++
+ 	userdom_read_user_home_content_files($1_dbusd_t)
+ 
+ 	ifdef(`hide_broken_symptoms', `
+@@ -160,6 +164,10 @@
  	')
  
  	optional_policy(`
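Review bot: `term_use_all_terms($1_dbusd_t)` grants the per-user session bus daemon read/write access to every terminal type, which is broader than a session daemon that merely inherits the user's tty normally needs, and the line carries no comment saying which denial it addresses. If the need is only the terminal the user launched it from, a user-terminal interface or the `hide_broken_symptoms` guard already used a few lines below would be a tighter fit; at minimum add `# needed for <AVC observed>, see <bug id>` above the call with the actual denial filled in.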
@@ -12206,7 +12146,7 @@
  		hal_dbus_chat($1_dbusd_t)
  	')
  
-@@ -185,10 +191,12 @@
+@@ -185,10 +193,12 @@
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -12220,7 +12160,7 @@
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -197,6 +205,10 @@
+@@ -197,6 +207,10 @@
  	files_search_pids($1)
  	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
  	dbus_read_config($1)
@@ -12231,7 +12171,7 @@
  ')
  
  #######################################
-@@ -244,6 +256,35 @@
+@@ -244,6 +258,35 @@
  
  ########################################
  ## <summary>
@@ -12267,7 +12207,7 @@
  ##	Read dbus configuration.
  ## </summary>
  ## <param name="domain">
-@@ -318,3 +359,77 @@
+@@ -318,3 +361,77 @@
  
  	allow $1 system_dbusd_t:dbus *;
  ')
@@ -12347,7 +12287,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.6/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/dbus.te	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/dbus.te	2009-02-26 10:07:02.000000000 -0500
 @@ -9,14 +9,15 @@
  #
  # Delcarations
@@ -22735,7 +22675,7 @@
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.6/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/ssh.if	2009-02-16 13:18:06.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/services/ssh.if	2009-02-26 11:26:28.000000000 -0500
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -22860,9 +22800,9 @@
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
 +	corenet_tcp_bind_all_unreserved_ports($1_t)
- 	corenet_sendrecv_ssh_server_packets($1_t)
-+	# -R qualifier
 +	corenet_sendrecv_ssh_server_packets($1_t)
++	# -R qualifier
+ 	corenet_sendrecv_ssh_server_packets($1_t)
 +	# tunnel feature and -w (net_admin capability also)
 +	corenet_rw_tun_tap_dev($1_t)
  
@@ -22896,7 +22836,32 @@
  	')
  
  	optional_policy(`
-@@ -611,3 +611,42 @@
+@@ -454,6 +454,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send a generic signal to the ssh server.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ssh_signal',`
++	gen_require(`
++		type sshd_t;
++	')
++
++	allow $1 sshd_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Read a ssh server unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+@@ -611,3 +629,42 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
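Review bot: `ssh_signal` is introduced here and then granted to every unprivileged user domain through `ssh_signal($1_t)` in the userdomain.if hunk at 29673, so all user types may send a generic signal to any `sshd_t` process; DAC still limits this to same-uid processes, but neither the interface summary nor the call site says what users need it for. Suggest a why-comment at the call site such as `# users need to signal sshd_t for <reason/denial>` (placeholder to fill in) so the grant is not widened further later. The interface itself follows the file's conventions.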
@@ -23402,8 +23367,37 @@
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.6/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/virt.if	2009-02-16 13:18:06.000000000 -0500
-@@ -117,12 +117,12 @@
++++ serefpolicy-3.6.6/policy/modules/services/virt.if	2009-02-26 17:54:39.000000000 -0500
+@@ -2,28 +2,6 @@
+ 
+ ########################################
+ ## <summary>
+-##	Make the specified type usable as a virt image
+-## </summary>
+-## <param name="type">
+-##	<summary>
+-##	Type to be used as a virtual image
+-##	</summary>
+-## </param>
+-#
+-interface(`virt_image',`
+-	gen_require(`
+-		attribute virt_image_type;
+-	')
+-
+-	typeattribute $1 virt_image_type;
+-	files_type($1)
+-
+-	# virt images can be assigned to blk devices
+-	dev_node($1)
+-')
+-
+-########################################
+-## <summary>
+ ##	Execute a domain transition to run virt.
+ ## </summary>
+ ## <param name="domain">
+@@ -117,12 +95,12 @@
  	')
  
  	files_search_pids($1)
@@ -23418,7 +23412,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,6 +135,7 @@
+@@ -135,6 +113,7 @@
  		type virt_var_run_t;
  	')
  
@@ -23426,7 +23420,7 @@
           manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
  ')
  
-@@ -293,6 +294,41 @@
+@@ -293,6 +272,41 @@
  
  ########################################
  ## <summary>
@@ -23470,19 +23464,32 @@
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.6/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/services/virt.te	2009-02-17 15:29:03.000000000 -0500
-@@ -32,6 +32,10 @@
- type virt_image_t, virt_image_type; # customizable
- virt_image(virt_image_t)
++++ serefpolicy-3.6.6/policy/modules/services/virt.te	2009-02-27 15:56:41.000000000 -0500
+@@ -20,8 +20,6 @@
+ ## </desc>
+ gen_tunable(virt_use_samba, false)
+ 
+-attribute virt_image_type;
+-
+ type virt_etc_t;
+ files_config_file(virt_etc_t)
+ 
+@@ -29,8 +27,12 @@
+ files_type(virt_etc_rw_t)
  
+ # virt Image files
+-type virt_image_t, virt_image_type; # customizable
+-virt_image(virt_image_t)
++type virt_image_t; # customizable
++virtual_image(virt_image_t)
++
 +# virt Image files
 +type virt_content_t;
-+virt_image(virt_content_t)
-+
++virtual_image(virt_content_t)
+ 
  type virt_log_t;
  logging_log_file(virt_log_t)
- 
-@@ -48,12 +52,20 @@
+@@ -48,12 +50,20 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
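Review bot: The comment `# virt Image files` is copied verbatim above the new `type virt_content_t;` declaration, so two consecutive blocks carry the same heading; the file-context hunk earlier in this patch labels `HOME_DIR/VirtualMachines/isos` as `virt_content_t`, so `# virt content files (installation media / isos)` would describe it. Also, this hunk removes `attribute virt_image_type;` from virt.te while `virtual_image()` still requires that attribute, so its declaration must now come from virtual.te, which is outside this chunk; worth confirming it is declared there.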
@@ -23504,17 +23511,19 @@
  allow virtd_t self:process { getsched sigkill signal execmem };
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,6 +81,9 @@
- 
- manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+@@ -67,7 +77,10 @@
+ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
+-manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++virtual_manage_image(virtd_t)
++
 +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 +manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-+
+ 
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
- logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -96,7 +111,7 @@
+@@ -96,7 +109,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -23523,7 +23532,7 @@
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -110,11 +125,13 @@
+@@ -110,11 +123,13 @@
  
  files_read_usr_files(virtd_t)
  files_read_etc_files(virtd_t)
@@ -23537,7 +23546,7 @@
  
  storage_raw_write_removable_device(virtd_t)
  storage_raw_read_removable_device(virtd_t)
-@@ -129,7 +146,11 @@
+@@ -129,7 +144,11 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -23549,7 +23558,7 @@
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -173,16 +194,17 @@
+@@ -173,16 +192,17 @@
  	iptables_domtrans(virtd_t)
  ')
  
@@ -29516,7 +29525,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.6/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.6/policy/modules/system/userdomain.if	2009-02-17 17:06:13.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/userdomain.if	2009-02-26 11:25:59.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -29665,7 +29674,7 @@
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +131,11 @@
+@@ -116,6 +131,12 @@
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -29673,11 +29682,12 @@
 +	optional_policy(`
 +		ssh_rw_stream_sockets($1_usertype)
 +		ssh_delete_tmp($1_t)
++		ssh_signal($1_t)
 +	')
  ')
  
  #######################################
-@@ -147,6 +167,7 @@
+@@ -147,6 +168,7 @@
  interface(`userdom_ro_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -29685,7 +29695,7 @@
  	')
  
  	role $1 types { user_home_t user_home_dir_t };
-@@ -157,6 +178,7 @@
+@@ -157,6 +179,7 @@
  	#
  
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
@@ -29693,7 +29703,7 @@
  
  	# read-only home directory
  	allow $2 user_home_dir_t:dir list_dir_perms;
-@@ -168,27 +190,6 @@
+@@ -168,27 +191,6 @@
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -29721,7 +29731,7 @@
  ')
  
  #######################################
-@@ -220,9 +221,10 @@
+@@ -220,9 +222,10 @@
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -29733,7 +29743,7 @@
  
  	##############################
  	#
-@@ -232,17 +234,20 @@
+@@ -232,17 +235,20 @@
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -29764,7 +29774,7 @@
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -250,25 +255,23 @@
+@@ -250,25 +256,23 @@
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -29794,7 +29804,7 @@
  	')
  ')
  
-@@ -303,6 +306,7 @@
+@@ -303,6 +307,7 @@
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -29802,7 +29812,7 @@
  ')
  
  #######################################
-@@ -368,46 +372,41 @@
+@@ -368,46 +373,41 @@
  
  #######################################
  ## <summary>
@@ -29869,7 +29879,7 @@
  ')
  
  #######################################
-@@ -420,34 +419,43 @@
+@@ -420,34 +420,43 @@
  ##	is the prefix for user_t).
  ##	</summary>
  ## </param>
@@ -29931,7 +29941,7 @@
  ')
  
  #######################################
-@@ -497,11 +505,7 @@
+@@ -497,11 +506,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -29944,7 +29954,7 @@
  
  	##############################
  	#
-@@ -512,189 +516,198 @@
+@@ -512,189 +517,198 @@
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
  
@@ -30224,7 +30234,7 @@
  ')
  
  #######################################
-@@ -722,15 +735,29 @@
+@@ -722,15 +736,29 @@
  
  	userdom_base_user_template($1)
  
@@ -30260,7 +30270,7 @@
  
  	##############################
  	#
-@@ -746,70 +773,72 @@
+@@ -746,70 +774,72 @@
  
  	allow $1_t self:context contains;
  
@@ -30366,7 +30376,7 @@
  	')
  ')
  
-@@ -846,6 +875,28 @@
+@@ -846,6 +876,28 @@
  	# Local policy
  	#
  
@@ -30395,7 +30405,7 @@
  	optional_policy(`
  		loadkeys_run($1_t,$1_r)
  	')
-@@ -876,7 +927,7 @@
+@@ -876,7 +928,7 @@
  
  	userdom_restricted_user_template($1)
  
@@ -30404,7 +30414,7 @@
  
  	##############################
  	#
-@@ -884,14 +935,19 @@
+@@ -884,14 +936,19 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -30429,7 +30439,7 @@
  	logging_dontaudit_send_audit_msgs($1_t)
  
  	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +955,29 @@
+@@ -899,28 +956,29 @@
  	selinux_get_enforce_mode($1_t)
  
  	optional_policy(`
@@ -30467,7 +30477,7 @@
  	')
  ')
  
-@@ -931,8 +988,7 @@
+@@ -931,8 +989,7 @@
  ## </summary>
  ## <desc>
  ##	<p>
@@ -30477,7 +30487,7 @@
  ##	</p>
  ##	<p>
  ##	This template creates a user domain, types, and
-@@ -954,8 +1010,8 @@
+@@ -954,8 +1011,8 @@
  	# Declarations
  	#
  
@@ -30487,7 +30497,7 @@
  	userdom_common_user_template($1)
  
  	##############################
-@@ -964,11 +1020,12 @@
+@@ -964,11 +1021,12 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -30502,7 +30512,7 @@
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -986,37 +1043,47 @@
+@@ -986,37 +1044,47 @@
  		')
  	')
  
@@ -30564,7 +30574,7 @@
  ')
  
  #######################################
-@@ -1050,7 +1117,7 @@
+@@ -1050,7 +1118,7 @@
  #
  template(`userdom_admin_user_template',`
  	gen_require(`
@@ -30573,7 +30583,7 @@
  	')
  
  	##############################
-@@ -1059,8 +1126,7 @@
+@@ -1059,8 +1127,7 @@
  	#
  
  	# Inherit rules for ordinary users.
@@ -30583,7 +30593,7 @@
  
  	domain_obj_id_change_exemption($1_t)
  	role system_r types $1_t;
-@@ -1083,7 +1149,8 @@
+@@ -1083,7 +1150,8 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -30593,7 +30603,7 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1166,7 @@
+@@ -1099,6 +1167,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -30601,7 +30611,7 @@
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,8 +1174,6 @@
+@@ -1106,8 +1175,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -30610,7 +30620,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1228,6 @@
+@@ -1162,20 +1229,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -30631,7 +30641,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1273,7 @@
+@@ -1221,6 +1274,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -30639,7 +30649,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1339,15 @@
+@@ -1286,11 +1340,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -30655,7 +30665,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1444,7 @@
+@@ -1387,7 +1445,7 @@
  
  ########################################
  ## <summary>
@@ -30664,7 +30674,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1477,14 @@
+@@ -1420,6 +1478,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -30679,7 +30689,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1500,11 @@
+@@ -1435,9 +1501,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -30691,7 +30701,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1561,25 @@
+@@ -1494,6 +1562,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -30717,7 +30727,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1633,9 @@
+@@ -1547,9 +1634,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -30729,7 +30739,7 @@
  ')
  
  ########################################
-@@ -1568,6 +1654,8 @@
+@@ -1568,6 +1655,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30738,7 +30748,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1731,7 @@
+@@ -1643,6 +1732,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -30746,7 +30756,7 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1830,62 @@
+@@ -1741,6 +1831,62 @@
  
  ########################################
  ## <summary>
@@ -30809,7 +30819,7 @@
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1902,6 @@
+@@ -1757,14 +1903,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -30824,7 +30834,7 @@
  ')
  
  ########################################
-@@ -1787,6 +1924,46 @@
+@@ -1787,6 +1925,46 @@
  
  ########################################
  ## <summary>
@@ -30871,7 +30881,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -1799,6 +1976,7 @@
+@@ -1799,6 +1977,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -30879,7 +30889,7 @@
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -1921,7 +2099,7 @@
+@@ -1921,7 +2100,7 @@
  
  ########################################
  ## <summary>
@@ -30888,7 +30898,7 @@
  ##	with an automatic type transition to
  ##	a specified private type.
  ## </summary>
-@@ -1941,28 +2119,58 @@
+@@ -1941,28 +2120,58 @@
  ##	</summary>
  ## </param>
  #
@@ -30954,7 +30964,7 @@
  ##	<summary>
  ##	The class of the object to be created.
  ##	</summary>
-@@ -2336,6 +2544,27 @@
+@@ -2336,6 +2545,27 @@
  ##	</summary>
  ## </param>
  #
@@ -30982,7 +30992,7 @@
  interface(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type user_tmpfs_t;
-@@ -2709,6 +2938,24 @@
+@@ -2709,6 +2939,24 @@
  
  ########################################
  ## <summary>
@@ -31007,7 +31017,7 @@
  ##	Inherit the file descriptors from unprivileged user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2814,7 +3061,43 @@
+@@ -2814,7 +3062,43 @@
  		type user_tmp_t;
  	')
  
@@ -31052,7 +31062,7 @@
  ')
  
  ########################################
-@@ -2851,6 +3134,7 @@
+@@ -2851,6 +3135,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -31060,7 +31070,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3249,24 @@
+@@ -2965,6 +3250,24 @@
  
  ########################################
  ## <summary>
@@ -31085,7 +31095,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3283,313 @@
+@@ -2981,3 +3284,313 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -31485,6 +31495,161 @@
 +	fs_read_cifs_named_sockets(userhomereader)
 +	fs_read_cifs_named_pipes(userhomereader)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.6/policy/modules/system/virtual.fc
+--- nsaserefpolicy/policy/modules/system/virtual.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/virtual.fc	2009-02-26 17:48:30.000000000 -0500
+@@ -0,0 +1 @@
++# No application file contexts.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.6/policy/modules/system/virtual.if
+--- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/virtual.if	2009-02-26 17:56:43.000000000 -0500
+@@ -0,0 +1,70 @@
++## <summary>Virtual machine emulator and virtualizer</summary>
++
++########################################
++## <summary>
++##	Make the specified type a virtual domain
++## </summary>
++## <desc>
++##	<p>
++##	Make the specified type a virtual domain
++##	</p>
++##	<p>
++##	Gives the basic access required for a virtual operatins system
++##	</p>
++## </desc>
++## <param name="type">
++##	<summary>
++##	Type granted access
++##	</summary>
++## </param>
++#
++interface(`virtual_domain',`
++	gen_require(`
++		attribute virtualdomain;
++	')
++
++	typeattribute $1 virtualdomain;
++')
++
++########################################
++## <summary>
++##	Make the specified type usable as a virtual os image
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used as a virtual image
++##	</summary>
++## </param>
++#
++interface(`virtual_image',`
++	gen_require(`
++		attribute virtual_image_type;
++	')
++
++	typeattribute $1 virtual_image_type;
++	files_type($1)
++
++	# virt images can be assigned to blk devices
++	dev_node($1)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virtual_manage_image',`
++	gen_require(`
++		type virtual_image_type;
++	')
++
++	manage_dirs_pattern($1, virtual_image_type, virtual_image_type)
++	manage_files_pattern($1, virtual_image_type, virtual_image_type)
++	manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type)
++	rw_blk_files_pattern($1, virtual_image_type, virtual_image_type)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.6/policy/modules/system/virtual.te
+--- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.6/policy/modules/system/virtual.te	2009-02-26 17:57:06.000000000 -0500
+@@ -0,0 +1,72 @@
++
++policy_module(virtualization, 1.1.2)
++
++########################################
++#
++# Declarations
++#
++
++attribute virtualdomain;
++attribute virtual_image_type;
++
++########################################
++#
++# qemu common policy
++#
++allow virtualdomain self:capability { dac_read_search dac_override };
++allow virtualdomain self:process { execstack execmem signal getsched signull };
++
++allow virtualdomain self:fifo_file rw_file_perms;
++allow virtualdomain self:shm create_shm_perms;
++allow virtualdomain self:unix_stream_socket create_stream_socket_perms;
++allow virtualdomain self:tcp_socket create_stream_socket_perms;
++
++kernel_read_system_state(virtualdomain)
++
++corenet_all_recvfrom_unlabeled(virtualdomain)
++corenet_all_recvfrom_netlabel(virtualdomain)
++corenet_tcp_sendrecv_generic_if(virtualdomain)
++corenet_tcp_sendrecv_generic_node(virtualdomain)
++corenet_tcp_sendrecv_all_ports(virtualdomain)
++corenet_tcp_bind_generic_node(virtualdomain)
++corenet_tcp_bind_vnc_port(virtualdomain)
++corenet_rw_tun_tap_dev(virtualdomain)
++
++dev_read_sound(virtualdomain)
++dev_write_sound(virtualdomain)
++dev_rw_kvm(virtualdomain)
++dev_rw_qemu(virtualdomain)
++
++domain_use_interactive_fds(virtualdomain)
++
++files_read_etc_files(virtualdomain)
++files_read_usr_files(virtualdomain)
++files_read_var_files(virtualdomain)
++files_search_all(virtualdomain)
++
++fs_list_inotifyfs(virtualdomain)
++fs_rw_anon_inodefs_files(virtualdomain)
++fs_rw_tmpfs_files(virtualdomain)
++
++term_use_all_terms(virtualdomain)
++term_getattr_pty_fs(virtualdomain)
++term_use_generic_ptys(virtualdomain)
++term_use_ptmx(virtualdomain)
++
++auth_use_nsswitch(virtualdomain)
++
++miscfiles_read_localization(virtualdomain)
++
++optional_policy(`
++	virt_read_config(virtualdomain)
++	virt_read_lib_files(virtualdomain)
++	virt_read_content(virtualdomain)
++')
++
++optional_policy(`
++	xserver_stream_connect(virtualdomain)
++	xserver_read_xdm_tmp_files(virtualdomain)
++	xserver_read_xdm_pid(virtualdomain)
++	xserver_rw_shm(virtualdomain)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.6/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.6/policy/modules/system/xen.fc	2009-02-16 13:18:06.000000000 -0500
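Review bot: In virtual_manage_image the gen_require block declares `type virtual_image_type;`, but virtual.te declares `attribute virtual_image_type;` in the same commit, so the require should not resolve when the module is linked; it should read `attribute virtual_image_type;` as the require in virtual_image already does. The parameter doc of that interface says "Domain to not audit." although it grants manage and rw access, so it should say `Domain allowed access.`, and the virtual_domain description has the typo "operatins". In virtual.te, `execstack execmem` on virtualdomain together with `files_search_all`, `term_use_all_terms` and `corenet_tcp_sendrecv_all_ports` widen the guest domain considerably for a change described as further confinement; a one-line comment per rule naming the qemu feature that needs it (or a boolean gating the execmem/execstack pair) would let later reviewers tighten them. The module name `virtualization` in policy_module() also differs from the file name virtual.te and from the `virtual = base` entries added to the modules-*.conf files; if the build keys the module on the file name this is harmless, but the names should agree.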


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.797
retrieving revision 1.798
diff -u -r1.797 -r1.798
--- selinux-policy.spec	26 Feb 2009 00:27:53 -0000	1.797
+++ selinux-policy.spec	27 Feb 2009 21:22:47 -0000	1.798
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.6
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@
 %endif
 
 %changelog
+* Fri Feb 27 2009 Dan Walsh <dwalsh at redhat.com> 3.6.6-8
+- Further confinement of qemu images via svirt
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.6.6-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 



