From 2a9ef9a51a6629b138f4f4e6590bd2af29adc060 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 11 2009 13:11:09 +0000 Subject: - Allow rpcd_t to send signals to kernel threads --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 80e0831..001a2d0 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -6015,7 +6015,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-08 11:48:52.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-11 08:03:38.000000000 -0400 +@@ -157,7 +157,7 @@ + type kernel_t; + ') + +- allow kernel_t $1:process signal; ++ allow $1 kernel_t:process signal; + ') + + ######################################## @@ -1197,6 +1197,26 @@ ') @@ -20679,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-04 12:28:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-11 09:09:05.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
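Review bot: Flipping the rule inside kernel_signal() to `allow $1 kernel_t:process signal;` changes what the interface grants for every existing caller, not only for rpcd_t: any domain that already called kernel_signal() silently loses the kernel_t→domain direction and gains domain→kernel_t. Those callers and the interface's `## <summary>` block both lie outside this hunk (the hunk starts at the `type kernel_t;` of the gen_require and ends at the `####` separator), so I cannot see them; the callers should be audited for one that actually relied on the old direction, and the summary should read `## Send general signals to kernel threads.` if it does not already, so the documentation matches the new direction. Note that `process signal` covers the generic signals only; sigkill, sigstop, sigchld and signull are separate permissions and are not granted by this interface.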
@@ -20689,7 +20698,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -74,21 +74,33 @@ +@@ -69,26 +69,37 @@ + kernel_read_sysctl(rpcd_t) + kernel_rw_fs_sysctls(rpcd_t) + kernel_dontaudit_getattr_core_if(rpcd_t) ++kernel_signal(rpcd_t) + + corecmd_exec_bin(rpcd_t) files_manage_mounttab(rpcd_t) @@ -20701,8 +20716,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +storage_getattr_fixed_disk_dev(rpcd_t) + -+kernel_signal(rpcd_t) -+ selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_certs(rpcd_t) @@ -20723,7 +20736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,8 +128,9 @@ +@@ -116,8 +127,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type @@ -20734,7 +20747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -125,6 +138,7 @@ +@@ -125,6 +137,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -20742,7 +20755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -141,6 +155,7 @@ +@@ -141,6 +154,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -20750,7 +20763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -175,6 +190,7 @@ +@@ -175,6 +189,7 @@ corecmd_exec_bin(gssd_t) 
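Review bot: The relocated `kernel_signal(rpcd_t)` call in the `@@ -69,26 +69,37 @@` hunk carries no comment saying which rpcd_t program needs to signal kernel threads or what denial motivated it; the commit message and changelog only restate the rule. Since rpcd_t presumably covers several RPC daemons (they are not visible here), a short why-comment above the call, such as `# <DAEMON> signals kernel threads during <OPERATION>; see <BUG-OR-AVC-REFERENCE>`, with the placeholders filled from the original report, would let a later reviewer decide whether the grant is still needed. Grouping the call with the other kernel_* rules is the right placement; this is a documentation point only.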
@@ -20758,7 +20771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -183,9 +199,12 @@ +@@ -183,9 +198,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 419c2eb..cc34eb9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,9 @@ exit 0 %endif %changelog +* Mon May 11 2009 Dan Walsh 3.6.12-34 +- Allow rpcd_t to send signals to kernel threads + * Fri May 7 2009 Dan Walsh 3.6.12-33 - Fix upgrade for F10 to F11