rpms/selinux-policy/F-10 policy-20080710.patch, 1.152, 1.153 selinux-policy.spec, 1.784, 1.785
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Mar 25 13:43:13 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26612
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
- Add labeling for new devices
- Fix devices policy
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.152
retrieving revision 1.153
diff -u -r1.152 -r1.153
--- policy-20080710.patch 25 Mar 2009 08:14:09 -0000 1.152
+++ policy-20080710.patch 25 Mar 2009 13:43:12 -0000 1.153
@@ -7171,17 +7171,19 @@
network_port(xfs, tcp,7100,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-02-10 15:07:15.000000000 +0100
-@@ -1,7 +1,7 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2009-03-25 13:47:42.000000000 +0100
+@@ -1,8 +1,9 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)
-
-+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -12,42 +12,59 @@
+ /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
+@@ -12,44 +13,65 @@
/dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0)
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -7190,18 +7192,17 @@
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
-+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
-+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
@@ -7209,28 +7210,31 @@
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
-+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
++/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
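Review bot: The new `/dev/msr.*` entry puts the MSR device under cpu_device_t, the same type that covers the microcode and cpuid nodes, so every domain already allowed to write cpu_device_t gains direct model-specific-register access along with it. MSR writes have a far larger blast radius than a microcode or cpuid read, so if any existing caller only needs the latter a dedicated type would be safer; at minimum a comment on the new line, `# MSR node shares cpu_device_t with microcode/cpuid: rw on this type implies MSR write`, records the decision. The interfaces that grant cpu_device_t access are outside these hunks, so whether a write-capable caller exists cannot be confirmed here.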
@@ -7240,10 +7244,16 @@
+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
-@@ -69,14 +86,14 @@
+ /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
+@@ -68,18 +90,20 @@
+ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
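Review bot: The new `/dev/tpm[0-9]*` entry moves the TPM node from the generic `/dev/.*` device_t label to tpm_device_t, but no devices.if hunk in this diff adds an interface for tpm_device_t, so after relabeling only domains with unconfined device access can reach it and any domain that previously relied on generic chr_file access to device_t will start being denied. If a dev_*_tpm interface does not already exist in the unchanged part of devices.if it should be added alongside the type, following the autofs block in this same diff (getattr, dontaudit_getattr, setattr, rw). The matching `type tpm_device_t;` definition is in the devices.te hunk further down.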
@@ -7259,43 +7269,51 @@
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -91,6 +108,7 @@
++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
+@@ -91,14 +115,20 @@
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+-/dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
- /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0)
++/dev/cpu.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0)
-@@ -98,13 +116,25 @@
++/dev/biometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
++
+ /dev/dri/.+ -c gen_context(system_u:object_r:dri_device_t,s0)
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0)
-+/dev/input/.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
-+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
-+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0)
+@@ -106,10 +136,15 @@
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
-+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
++
/dev/pts(/.*)? <<none>>
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+
++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
++
+ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2009-03-25 14:08:22.000000000 +0100
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
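Review bot: Widening `/dev/cpu/.*` to `/dev/cpu.*` makes the cpu_device_t entry also match `/dev/cpu_dma_latency` (labeled netcontrol_device_t two lines above) and `/dev/cpu/mtrr` (mtrr_device_t on the next line). The result is still correct only because the file_contexts build sorts entries by specificity so the literal, longer-stem entries win over the catch-all; that dependency deserves a comment on the new line, `# catch-all for /dev/cpu*; the literal cpu_dma_latency and cpu/mtrr entries are more specific and take precedence`. The generic `/dev/input/.*` entry now placed ahead of `/dev/input/.*mouse.*` and `/dev/input/m.*` relies on the same sort to keep the mouse nodes out of event_device_t.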
@@ -7305,7 +7323,7 @@
relabelfrom_fifo_files_pattern($1, device_t, device_node)
relabelfrom_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
-@@ -167,6 +167,25 @@
+@@ -185,6 +185,24 @@
########################################
## <summary>
@@ -7325,59 +7343,40 @@
+ manage_dirs_pattern($1, device_t, device_t)
+')
+
-+
+########################################
+## <summary>
- ## Delete a directory in the device directory.
+ ## Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
-@@ -381,6 +400,24 @@
- getattr_chr_files_pattern($1, device_t, device_t)
- ')
-
-+#######################################
-+## <summary>
-+## Allow setattr for generic character device files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`dev_setattr_generic_chr_files',`
-+ gen_require(`
-+ type device_t;
-+ ')
-+
-+ setattr_chr_files_pattern($1, device_t, device_t)
-+')
-+
- ########################################
- ## <summary>
- ## Dontaudit getattr for generic character device files.
-@@ -667,6 +704,7 @@
+@@ -664,9 +682,10 @@
+ interface(`dev_dontaudit_getattr_all_blk_files',`
+ gen_require(`
+ attribute device_node;
++ type device_t;
')
- dontaudit $1 device_node:blk_file getattr;
-+ dev_dontaudit_getattr_generic_blk_files($1)
+- dontaudit $1 device_node:blk_file getattr;
++ dontaudit $1 { device_t device_node }:blk_file getattr;
')
########################################
-@@ -704,6 +742,7 @@
+@@ -701,9 +720,10 @@
+ interface(`dev_dontaudit_getattr_all_chr_files',`
+ gen_require(`
+ attribute device_node;
++ type device_t;
')
- dontaudit $1 device_node:chr_file getattr;
-+ dev_dontaudit_getattr_generic_chr_files($1)
+- dontaudit $1 device_node:chr_file getattr;
++ dontaudit $1 { device_t device_node }:chr_file getattr;
')
########################################
-@@ -1160,6 +1199,25 @@
+@@ -1062,6 +1082,98 @@
########################################
## <summary>
-+## Set the attributes of the CPU
-+## microcode and id interfaces.
++## Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
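Review bot: The `dev_setattr_generic_chr_files` interface that the previous revision of the patch inserted after `dev_getattr_generic_chr_files` is gone from the new side of this hunk and nothing replaces it. Any module elsewhere in this patch that calls it will fail to build unless upstream serefpolicy-3.5.13 already provides the interface, which cannot be confirmed from these hunks; a grep for the name before the package is built would settle it.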
@@ -7385,24 +7384,36 @@
+## </summary>
+## </param>
+#
-+interface(`dev_setattr_cpu_dev',`
++interface(`dev_getattr_autofs_dev',`
+ gen_require(`
-+ type device_t, cpu_device_t;
++ type device_t, autofs_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, cpu_device_t)
++ getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
- ## Read the CPU identity.
- ## </summary>
- ## <param name="domain">
-@@ -1958,6 +2016,42 @@
-
- ########################################
- ## <summary>
-+## Get the attributes of the null device nodes.
++## Do not audit attempts to get the attributes of
++## the autofs device node.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_autofs_dev',`
++ gen_require(`
++ type autofs_device_t;
++ ')
++
++ dontaudit $1 autofs_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
++## Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7410,17 +7421,36 @@
+## </summary>
+## </param>
+#
-+interface(`dev_getattr_null_dev',`
++interface(`dev_setattr_autofs_dev',`
+ gen_require(`
-+ type device_t, null_device_t;
++ type device_t, autofs_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, null_device_t)
++ setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
-+## Set the attributes of the null device nodes.
++## Do not audit attempts to set the attributes of
++## the autofs device node.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_setattr_autofs_dev',`
++ gen_require(`
++ type autofs_device_t;
++ ')
++
++ dontaudit $1 autofs_device_t:chr_file setattr;
++')
++
++########################################
++## <summary>
++## Read and write the autofs device.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7428,24 +7458,25 @@
+## </summary>
+## </param>
+#
-+interface(`dev_setattr_null_dev',`
++interface(`dev_rw_autofs',`
+ gen_require(`
-+ type device_t, null_device_t;
++ type device_t, autofs_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, null_device_t)
++ rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
- ## Read and write to the null device (/dev/null).
+ ## Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
-@@ -2769,6 +2863,24 @@
+@@ -1160,6 +1272,25 @@
########################################
## <summary>
-+## Read generic the USB devices.
++## Set the attributes of the CPU
++## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7453,24 +7484,33 @@
+## </summary>
+## </param>
+#
-+interface(`dev_read_generic_usb_dev',`
++interface(`dev_setattr_cpu_dev',`
+ gen_require(`
-+ type usb_device_t;
++ type device_t, cpu_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, usb_device_t)
++ setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
- ## Read and write generic the USB devices.
+ ## Read the CPU identity.
## </summary>
## <param name="domain">
-@@ -2787,6 +2899,97 @@
+@@ -1282,7 +1413,7 @@
+ type dri_device_t;
+ ')
+
+- dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
++ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
+ ')
+
+ ########################################
+@@ -1507,6 +1638,96 @@
########################################
## <summary>
-+## Read and write generic the USB fifo files.
++## Read the kernel messages
+## </summary>
+## <param name="domain">
+## <summary>
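Review bot: Replacing the explicit `{ getattr read write ioctl }` with `rw_chr_file_perms` in the dri_device_t dontaudit near the top of this hunk silences more than the old rule did; if rw_chr_file_perms is the usual `{ getattr open read write append ioctl lock }` set, denials for open, append and lock on dri_device_t also stop appearing in the audit log for every caller. That may well be the intent, but a dontaudit widening is an audit-visibility change and should be mentioned in the changelog entry. The name and summary of the interface containing this rule are outside the hunk.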
@@ -7478,13 +7518,12 @@
+## </summary>
+## </param>
+#
-+interface(`dev_rw_generic_usb_pipes',`
++interface(`dev_read_kmsg',`
+ gen_require(`
-+ type usb_device_t;
++ type device_t, kmsg_device_t;
+ ')
+
-+ allow $1 device_t:dir search_dir_perms;
-+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
++ read_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
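Review bot: `dev_read_kmsg` grants read on kmsg_device_t, but the devices.fc hunks above label both `/dev/kmsg` and `/dev/mcelog` with that type at mls_systemhigh, so on an MLS policy the allow rule alone does not let a caller below systemhigh read them. The summary should say so, e.g. `## Read the kernel message devices (/dev/kmsg, /dev/mcelog). On MLS these are labeled systemhigh, so callers also need an MLS read-up exemption such as mls_file_read_all_levels().`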
@@ -7561,17 +7600,14 @@
+
+########################################
+## <summary>
- ## Mount a usbfs filesystem.
+ ## Read the lvm comtrol device.
## </summary>
## <param name="domain">
-@@ -3322,3 +3525,242 @@
+@@ -1958,6 +2179,96 @@
- typeattribute $1 devices_unconfined_type;
- ')
-+
-+########################################
-+## <summary>
-+## Get the attributes of the autofs device node.
+ ########################################
+ ## <summary>
++## Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7579,36 +7615,35 @@
+## </summary>
+## </param>
+#
-+interface(`dev_getattr_autofs_dev',`
++interface(`dev_getattr_netcontrol_dev',`
+ gen_require(`
-+ type device_t, autofs_device_t;
++ type device_t, netcontrol_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, autofs_device_t)
++ getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to get the attributes of
-+## the autofs device node.
++## Read the network control identity.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`dev_dontaudit_getattr_autofs_dev',`
++interface(`dev_read_netcontrol',`
+ gen_require(`
-+ type autofs_device_t;
++ type device_t, netcontrol_device_t;
+ ')
+
-+ dontaudit $1 autofs_device_t:chr_file getattr;
++ read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
-+## Set the attributes of the autofs device node.
++## Read and write the the network control device.
+## </summary>
+## <param name="domain">
+## <summary>
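Review bot: `dev_getattr_netcontrol` is renamed to `dev_getattr_netcontrol_dev` in this hunk, and the QEMU hunks below do the same for `dev_getattr_qemu` and `dev_setattr_qemu` (now `_qemu_dev`); every caller of the old names elsewhere in the patch must be updated or the build fails, which cannot be checked from these hunks. The summaries also need attention: `## Read the network control identity.` is carried over from the CPU interface and should read `## Read the network control device.`, and `## Read and write the the network control device.` doubles "the".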
@@ -7616,36 +7651,35 @@
+## </summary>
+## </param>
+#
-+interface(`dev_setattr_autofs_dev',`
++interface(`dev_rw_netcontrol',`
+ gen_require(`
-+ type device_t, autofs_device_t;
++ type device_t, netcontrol_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, autofs_device_t)
++ rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
-+## Do not audit attempts to set the attributes of
-+## the autofs device node.
++## Get the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to not audit.
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`dev_dontaudit_setattr_autofs_dev',`
++interface(`dev_getattr_null_dev',`
+ gen_require(`
-+ type autofs_device_t;
++ type device_t, null_device_t;
+ ')
+
-+ dontaudit $1 autofs_device_t:chr_file setattr;
++ getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
-+## Read and write the autofs device.
++## Set the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7653,17 +7687,24 @@
+## </summary>
+## </param>
+#
-+interface(`dev_rw_autofs',`
++interface(`dev_setattr_null_dev',`
+ gen_require(`
-+ type device_t, autofs_device_t;
++ type device_t, null_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, autofs_device_t)
++ setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
-+## Get the attributes of the network control device
+ ## Read and write to the null device (/dev/null).
+ ## </summary>
+ ## <param name="domain">
+@@ -2104,6 +2415,98 @@
+
+ ########################################
+ ## <summary>
++## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7671,17 +7712,18 @@
+## </summary>
+## </param>
+#
-+interface(`dev_getattr_netcontrol',`
++interface(`dev_read_printk',`
+ gen_require(`
-+ type device_t, netcontrol_device_t;
++ type device_t, printk_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
++ read_chr_files_pattern($1, device_t, printk_device_t)
+')
+
+########################################
+## <summary>
-+## Read the network control identity.
++## Get the attributes of the QEMU
++## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
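Review bot: `dev_read_printk` requires and grants read on `printk_device_t`, but no hunk in this diff defines that type in devices.te or labels any node with it, and the devices named in its summary (`/dev/kmsg`, `/dev/mcelog`) are labeled kmsg_device_t in the devices.fc hunks above. Unless upstream serefpolicy-3.5.13 already declares and labels printk_device_t, the interface either fails to build or grants access to nothing; if kmsg_device_t is what was meant, `dev_read_kmsg` added earlier in this diff already covers it and this interface is redundant. The interface's summary sits in the previous hunk.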
@@ -7689,17 +7731,18 @@
+## </summary>
+## </param>
+#
-+interface(`dev_read_netcontrol',`
++interface(`dev_getattr_qemu_dev',`
+ gen_require(`
-+ type device_t, netcontrol_device_t;
++ type device_t, qemu_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, netcontrol_device_t)
++ getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
-+## Read and write the the network control device.
++## Set the attributes of the QEMU
++## microcode and id interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
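Review bot: The summaries of `dev_getattr_qemu_dev` (previous hunk) and `dev_setattr_qemu_dev` here read `## Get the attributes of the QEMU` / `## microcode and id interfaces.`, copied from the CPU interface and wrong for this type; devices.te describes qemu_device_t as the qemu control devices, so `## Get the attributes of the QEMU control device.` and `## Set the attributes of the QEMU control device.` fit. `## Read and write the the QEMU device.` in the dev_rw_qemu hunk below doubles "the".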
@@ -7707,18 +7750,17 @@
+## </summary>
+## </param>
+#
-+interface(`dev_rw_netcontrol',`
++interface(`dev_setattr_qemu_dev',`
+ gen_require(`
-+ type device_t, netcontrol_device_t;
++ type device_t, qemu_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, netcontrol_device_t)
++ setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
-+## Get the attributes of the QEMU
-+## microcode and id interfaces.
++## Read the QEMU device
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7726,18 +7768,17 @@
+## </summary>
+## </param>
+#
-+interface(`dev_getattr_qemu',`
++interface(`dev_read_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, qemu_device_t)
++ read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
-+## Set the attributes of the QEMU
-+## microcode and id interfaces.
++## Read and write the the QEMU device.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7745,17 +7786,25 @@
+## </summary>
+## </param>
+#
-+interface(`dev_setattr_qemu',`
++interface(`dev_rw_qemu',`
+ gen_require(`
+ type device_t, qemu_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, qemu_device_t)
++ rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
-+## Read the QEMU device
+ ## Read from random number generator
+ ## devices (e.g., /dev/random)
+ ## </summary>
+@@ -2142,6 +2545,25 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to append to random
++## number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7763,17 +7812,24 @@
+## </summary>
+## </param>
+#
-+interface(`dev_read_qemu',`
++interface(`dev_dontaudit_append_rand',`
+ gen_require(`
-+ type device_t, qemu_device_t;
++ type random_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, qemu_device_t)
++ dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+')
+
+########################################
+## <summary>
-+## Read and write the the QEMU device.
+ ## Write to the random device (e.g., /dev/random). This adds
+ ## entropy used to generate the random data read from the
+ ## random device.
+@@ -2769,6 +3191,24 @@
+
+ ########################################
+ ## <summary>
++## Read generic the USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -7781,14 +7837,50 @@
+## </summary>
+## </param>
+#
-+interface(`dev_rw_qemu',`
++interface(`dev_read_generic_usb_dev',`
+ gen_require(`
-+ type device_t, qemu_device_t;
++ type usb_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, qemu_device_t)
++ read_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
+ ## Read and write generic the USB devices.
+ ## </summary>
+ ## <param name="domain">
+@@ -2957,6 +3397,25 @@
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
++#######################################
++## <summary>
++## Read and write generic the USB fifo files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_generic_usb_pipes',`
++ gen_require(`
++ type usb_device_t;
++ ')
++
++ allow $1 device_t:dir search_dir_perms;
++ allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
+')
+
+ ########################################
+ ## <summary>
+ ## Get the attributes of video4linux devices.
+@@ -3322,3 +3781,22 @@
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
+#######################################
+## <summary>
+## Set the attributes of the tty device
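Review bot: `dev_read_generic_usb_dev` and `dev_rw_generic_usb_pipes` both use `device_t` (`read_chr_files_pattern($1, device_t, usb_device_t)` and `allow $1 device_t:dir search_dir_perms;`) while their gen_require blocks declare only `type usb_device_t;`. A module that calls either interface without itself requiring device_t fails to compile with the type out of scope; change both declarations to `type device_t, usb_device_t;`, matching the other interfaces in this file. Both bodies are entirely within this hunk.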
@@ -7800,16 +7892,23 @@
+## </param>
+#
+interface(`dev_setattr_tty',`
-+ gen_require(`
-+ type devtty_t;
-+ ')
++ gen_require(`
++ type devtty_t;
++ ')
+
-+ setattr_chr_files_pattern($1, devtty_t, devtty_t)
++ setattr_chr_files_pattern($1, devtty_t, devtty_t)
+')
-+
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2009-03-25 13:47:42.000000000 +0100
+@@ -1,5 +1,5 @@
+
+-policy_module(devices, 1.7.0)
++policy_module(devices, 1.7.1)
+
+ ########################################
+ #
@@ -32,6 +32,12 @@
type apm_bios_t;
dev_node(apm_bios_t)
@@ -7823,20 +7922,7 @@
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
-@@ -49,6 +55,12 @@
- type cpu_device_t;
- dev_node(cpu_device_t)
-
-+#
-+# network control devices
-+#
-+type netcontrol_device_t;
-+dev_node(netcontrol_device_t)
-+
- # for the IBM zSeries z90crypt hardware ssl accelorator
- type crypt_device_t;
- dev_node(crypt_device_t)
-@@ -66,12 +78,25 @@
+@@ -66,12 +72,25 @@
dev_node(framebuf_device_t)
#
@@ -7862,8 +7948,21 @@
# Type for /dev/mapper/control
#
type lvm_control_t;
-@@ -118,6 +143,12 @@
- dev_node(nvram_device_t)
+@@ -104,6 +123,12 @@
+ genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
+
+ #
++# network control devices
++#
++type netcontrol_device_t;
++dev_node(netcontrol_device_t)
++
++#
+ # null_device_t is the type of /dev/null.
+ #
+ type null_device_t;
+@@ -128,6 +153,12 @@
+ mls_file_write_within_range(printer_device_t)
#
+# qemu control devices
@@ -7872,9 +7971,22 @@
+dev_node(qemu_device_t)
+
+#
- # Type for /dev/pmu
+ # random_device_t is the type of /dev/random
+ #
+ type random_device_t;
+@@ -157,6 +188,12 @@
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+
+ #
++# Type for /dev/tpm
++#
++type tpm_device_t;
++dev_node(tpm_device_t)
++
++#
+ # urandom_device_t is the type of /dev/urandom
#
- type power_device_t;
+ type urandom_device_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2009-02-10 15:07:15.000000000 +0100
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.784
retrieving revision 1.785
diff -u -r1.784 -r1.785
--- selinux-policy.spec 25 Mar 2009 09:27:49 -0000 1.784
+++ selinux-policy.spec 25 Mar 2009 13:43:12 -0000 1.785
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 52%{?dist}
+Release: 53%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,10 @@
%endif
%changelog
+* Wed Mar 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-53
+- Add labeling for new devices
+- Fix devices policy
+
* Wed Mar 25 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-52
- Allow hald_t to read ppp config