From a0a2906d5f3c21a133ef6899d8505ddd8ef1bf47 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 22 2009 22:19:38 +0000
Subject: - Allow mysqld_safe to manage db files
- Allow udev_t to read/write anon_inodefs
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 670421b..20fb652 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -575,21 +575,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:47:44.000000000 -0400
-@@ -65,8 +65,8 @@
- ')
-
- optional_policy(`
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-22 17:32:05.000000000 -0400
+@@ -44,34 +44,6 @@
+ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+-
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+-
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+-
+- # these seem questionable:
+-
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+-
+- optional_policy(`
- selinux_dontaudit_getattr_fs($1)
- selinux_dontaudit_read_fs($1)
-+ selinux_getattr_fs($1)
-+ selinux_search_fs($1)
- ')
+- ')
+-
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
+ ')
- optional_policy(`
+ ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-12 13:29:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-22 17:34:22.000000000 -0400
@@ -91,6 +91,9 @@
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
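Review bot: domain_type() in domain.if now ends right after `domain_base_type($1)` with no pointer to where the removed init, selinux, seutil, rpm and unconfined rules went, so a reader of the interface can no longer tell that they still apply to every caller. A one-line comment in the interface, `# the common rules formerly here now live in domain.te on the domain attribute`, would document the relocation. The domain.te side of this move is the next hunk of this section.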
@@ -600,7 +624,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
-@@ -152,8 +155,7 @@
+@@ -108,6 +111,15 @@
+ # list the root directory
+ files_list_root(domain)
+
++selinux_getattr_fs(domain)
++selinux_search_fs(domain)
++selinux_dontaudit_read_fs(domain)
++
++init_sigchld(domain)
++init_signull(domain)
++
++seutil_dontaudit_read_config(domain)
++
+ tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+ # this should be enabled when all programs
+@@ -116,6 +128,12 @@
+ dev_read_urand(domain)
+ ')
+
++ifdef(`distro_redhat',`
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
+ optional_policy(`
+ afs_rw_cache(domain)
+ ')
+@@ -125,6 +143,12 @@
+ libs_use_shared_libs(domain)
+ ')
+
++# these seem questionable:
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++')
++
+ optional_policy(`
+ setrans_translate_context(domain)
+ ')
+@@ -152,8 +176,7 @@
allow unconfined_domain_type domain:fd use;
allow unconfined_domain_type domain:fifo_file rw_file_perms;
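Review bot: The rules relocated into domain.te at `+@@ -108,6 +111,15 @@` and the two following inner hunks now hang off the `domain` attribute instead of the domain_type() interface, which appears to widen their reach to any type declared only through domain_base_type(), yet the block still carries the inherited `# these seem questionable:` remark while being applied more broadly than before. `rpm_use_fds(domain)` and `rpm_read_pipes(domain)` in particular let every domain use rpm's file descriptors and read its pipes, as their names state. If the wider scope is intended, replace the placeholder remark with a why-comment naming the actual need, e.g. `# rpm scriptlets spawn arbitrary domains that inherit rpm's fds and pipes` (confirm against the denials that motivated it), and say in the commit message that domain_base_type() users now receive these rules. The enclosing domain.te section continues past this hunk.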
@@ -911,7 +977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-20 06:24:36.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-21 08:58:19.000000000 -0400
@@ -55,7 +55,7 @@
#
# DeviceKit-Power local policy
@@ -937,6 +1003,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
polkit_domtrans_auth(devicekit_power_t)
polkit_read_lib(devicekit_power_t)
polkit_read_reload(devicekit_power_t)
+@@ -147,6 +149,7 @@
+
+ allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
++allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+@@ -199,6 +202,7 @@
+ ')
+
+ optional_policy(`
++ polkit_dbus_chat(devicekit_disk_t)
+ polkit_domtrans_auth(devicekit_disk_t)
+ polkit_read_lib(devicekit_disk_t)
+ polkit_read_reload(devicekit_disk_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-06-19 07:12:28.000000000 -0400
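Review bot: The new `allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;` at `+@@ -147,6 +149,7 @@` has no comment saying why the disk daemon needs its own uevent socket, and it sits directly under a capability line that already grants sys_ptrace and sys_rawio, so the justification for each grant in this block is easy to lose. A short why-comment such as `# listen for kernel device add/remove uevents` (confirm against the denial that motivated it) would help. The same applies to `polkit_dbus_chat(devicekit_disk_t)` in the second inner hunk of this section.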
@@ -1083,6 +1165,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-06-22 17:04:03.000000000 -0400
+@@ -136,10 +136,12 @@
+ allow mysqld_safe_t self:capability { dac_override fowner chown };
+ allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
+
++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
++
+ allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+
+-mysql_append_db_files(mysqld_safe_t)
++mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 15:54:45.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-16 09:51:56.000000000 -0400
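Review bot: `mysql_manage_db_files(mysqld_safe_t)` replaces `mysql_append_db_files(mysqld_safe_t)` for a wrapper-script domain, so the script gains create, write, rename and unlink over the database files instead of append, and nothing in the hunk records which operation needed the wider permission. If mysqld_safe only needs to remove or recreate a specific file, a rule scoped to that file type would keep the wrapper from being able to rewrite any database file; otherwise a why-comment above the line, e.g. `# mysqld_safe rewrites db files during <operation> — see <bug/AVC reference>`, would record the justification. The added `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` likewise merits a one-liner such as `# remove a stale socket left by a crashed mysqld`, if that is the case.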
@@ -1296,7 +1395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(uucpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-19 12:42:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-22 18:00:37.000000000 -0400
@@ -22,6 +22,13 @@
##
@@ -1311,7 +1410,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow svirt to manage device configuration, (pci)
##
##
-@@ -183,6 +190,7 @@
+@@ -95,6 +102,7 @@
+
+ manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
+ manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
++read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t)
+ allow virtd_t virt_image_t:file { relabelfrom relabelto };
+ allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
+
+@@ -183,6 +191,7 @@
seutil_read_default_contexts(virtd_t)
term_getattr_pty_fs(virtd_t)
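Review bot: `read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t)` at `+@@ -95,6 +102,7 @@` lets virtd follow symlinks labelled virt_image_t but carries no comment on where such links come from, and the svirt_t counterpart in the `@@ -1332,7 +1439,15 @@` hunk is inserted between the svirt_var_run_t block and the svirt_image_t block rather than next to related virt_image_t rules. A why-comment on both, e.g. `# image paths may be symlinks inside the image directory` (confirm), and moving the svirt_t line beside its related rules would make the intent clear. The symlink target still needs its own label, so these lines do not by themselves grant access to the linked-to files; worth stating in the comment so nobody later widens the rule "to make symlinks work".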
@@ -1319,7 +1426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
-@@ -214,6 +222,12 @@
+@@ -214,6 +223,12 @@
fs_read_cifs_symlinks(virtd_t)
')
@@ -1332,7 +1439,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
brctl_domtrans(virtd_t)
')
-@@ -316,16 +330,17 @@
+@@ -307,6 +322,7 @@
+ manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t)
+ files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file })
+
++read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+ allow svirt_t svirt_image_t:dir search_dir_perms;
+ manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+ manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+@@ -316,16 +332,17 @@
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;
@@ -1353,7 +1468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
-@@ -353,10 +368,6 @@
+@@ -353,10 +370,6 @@
')
optional_policy(`
@@ -1641,8 +1756,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow dhcpc_t self:process { setfscreate ptrace signal_perms };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-12 07:55:17.000000000 -0400
-@@ -196,6 +196,10 @@
++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-22 13:06:14.000000000 -0400
+@@ -112,6 +112,7 @@
+
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
++fs_rw_anon_inodefs_files(udev_t)
+
+ mcs_ptrace_all(udev_t)
+
+@@ -196,6 +197,10 @@
')
optional_policy(`
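Review bot: `fs_rw_anon_inodefs_files(udev_t)` at `+@@ -112,6 +112,7 @@` is added without a comment, and anon_inodefs backs several different kernel objects (epoll, inotify, eventfd, signalfd, timerfd), so a reader cannot tell which one udev actually needed. A why-comment naming the feature, e.g. `# udev's event loop uses signalfd/inotify descriptors on anon_inodefs` (confirm against the denial), would document it. The trailing context from `+@@ -196,6 +197,10 @@` belongs to an optional_policy block that ends outside this hunk.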
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce77693..dacc158 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 56%{?dist}
+Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
%endif
%changelog
+* Sat Jun 20 2009 Dan Walsh 3.6.12-57
+- Allow mysqld_safe to manage db files
+- Allow udev_t to read/write anon_inodefs
+
* Sat Jun 20 2009 Dan Walsh 3.6.12-56
- Add gitosis policy