From a0a2906d5f3c21a133ef6899d8505ddd8ef1bf47 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 22 2009 22:19:38 +0000
Subject: - Allow mysqld_safe to manage db files - Allow udev_t to read/write anon_inodefs
---
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 670421b..20fb652 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -575,21 +575,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type lvm_control_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:47:44.000000000 -0400 -@@ -65,8 +65,8 @@ - ') - - optional_policy(` ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-22 17:32:05.000000000 -0400 +@@ -44,34 +44,6 @@ + interface(`domain_type',` + # start with basic domain + domain_base_type($1) +- +- ifdef(`distro_redhat',` +- optional_policy(` +- unconfined_use_fds($1) +- ') +- ') +- +- # send init a sigchld and signull +- optional_policy(` +- init_sigchld($1) +- init_signull($1) +- ') +- +- # these seem questionable: +- +- optional_policy(` +- rpm_use_fds($1) +- rpm_read_pipes($1) +- ') +- +- optional_policy(` - selinux_dontaudit_getattr_fs($1) - selinux_dontaudit_read_fs($1) -+ selinux_getattr_fs($1) -+ selinux_search_fs($1) - ') +- ') +- +- optional_policy(` +- seutil_dontaudit_read_config($1) +- ') + ') - optional_policy(` + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-12 13:29:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-22 17:34:22.000000000 -0400 @@ -91,6 +91,9 @@ kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) 
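Review bot: After the inner `@@ -44,34 +44,6 @@` hunk, `domain_type()` is reduced to a bare `domain_base_type($1)` call, so the interface no longer adds anything of its own; its `## <summary>`/description block sits above the hunk, outside this view, and presumably still describes the init/selinux/rpm rules that were just removed. It should be updated to say where those rules now live, e.g. `## Common rules for all domains are applied in domain.te via the domain attribute.` If `domain_base_type()` always adds the `domain` attribute this relocation is behaviour-neutral for callers; if any caller of `domain_type()` can end up without that attribute it silently loses the init sigchld/signull and selinuxfs rules, which is worth a sentence in the commit message.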
@@ -600,7 +624,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Every domain gets the key ring, so we should default # to no one allowed to look at it; afs kernel support creates # a keyring -@@ -152,8 +155,7 @@ +@@ -108,6 +111,15 @@ + # list the root directory + files_list_root(domain) + ++selinux_getattr_fs(domain) ++selinux_search_fs(domain) ++selinux_dontaudit_read_fs(domain) ++ ++init_sigchld(domain) ++init_signull(domain) ++ ++seutil_dontaudit_read_config(domain) ++ + tunable_policy(`global_ssp',` + # enable reading of urandom for all domains: + # this should be enabled when all programs +@@ -116,6 +128,12 @@ + dev_read_urand(domain) + ') + ++ifdef(`distro_redhat',` ++ optional_policy(` ++ unconfined_use_fds(domain) ++ ') ++') ++ + optional_policy(` + afs_rw_cache(domain) + ') +@@ -125,6 +143,12 @@ + libs_use_shared_libs(domain) + ') + ++# these seem questionable: ++optional_policy(` ++ rpm_use_fds(domain) ++ rpm_read_pipes(domain) ++') ++ + optional_policy(` + setrans_translate_context(domain) + ') +@@ -152,8 +176,7 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -911,7 +977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-20 06:24:36.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-06-21 08:58:19.000000000 -0400 @@ -55,7 +55,7 @@ # # DeviceKit-Power local policy 
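Review bot: The inner `@@ -108,6 +111,15 @@` hunk makes `selinux_getattr_fs`/`selinux_search_fs` policy-wide allows and makes `selinux_dontaudit_read_fs(domain)` and `seutil_dontaudit_read_config(domain)` silence, for every domain, attempts to read selinuxfs and the selinux configuration, but the new block carries no comment saying why these became unconditional rules on the `domain` attribute. A short header above the three `selinux_*` lines would help, e.g. `# every domain may stat/search selinuxfs; reads are dontaudited policy-wide, so AVC logs will not show a confined domain probing it`. The `# these seem questionable:` comment carried over with `rpm_use_fds`/`rpm_read_pipes` in the `@@ -125,6 +143,12 @@` hunk should either name the concern or be dropped now that the rules are being made permanent for all domains.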
@@ -937,6 +1003,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol polkit_domtrans_auth(devicekit_power_t) polkit_read_lib(devicekit_power_t) polkit_read_reload(devicekit_power_t) +@@ -147,6 +149,7 @@ + + allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; + allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; ++allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) + manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) +@@ -199,6 +202,7 @@ + ') + + optional_policy(` ++ polkit_dbus_chat(devicekit_disk_t) + polkit_domtrans_auth(devicekit_disk_t) + polkit_read_lib(devicekit_disk_t) + polkit_read_reload(devicekit_disk_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.12/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-05-21 08:27:59.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/dnsmasq.te 2009-06-19 07:12:28.000000000 -0400 
@@ -1083,6 +1165,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.12/policy/modules/services/mysql.te +--- nsaserefpolicy/policy/modules/services/mysql.te 2009-05-21 08:27:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mysql.te 2009-06-22 17:04:03.000000000 -0400 +@@ -136,10 +136,12 @@ + allow mysqld_safe_t self:capability { dac_override fowner chown }; + allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + ++allow mysqld_safe_t mysqld_var_run_t:sock_file unlink; ++ + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) + +-mysql_append_db_files(mysqld_safe_t) ++mysql_manage_db_files(mysqld_safe_t) + mysql_read_config(mysqld_safe_t) + mysql_search_pid_files(mysqld_safe_t) + mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 15:54:45.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-16 09:51:56.000000000 -0400 @@ -1296,7 +1395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(uucpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-05-21 08:27:59.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-19 12:42:59.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-06-22 18:00:37.000000000 -0400 @@ -22,6 +22,13 @@ ## 
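Review bot: `mysql_manage_db_files(mysqld_safe_t)` replaces an append-only grant with create/write/unlink/rename over the whole database file type for a root-run shell wrapper, and nothing in the hunk records which operation needed that width. A comment on the line naming the triggering access, e.g. `# mysqld_safe touches datadir files on start/restart (see <BZ or AVC placeholder>)`, would let a later reader check whether a narrower interface (write rather than manage) suffices. The new `allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;` presumably covers removal of a stale socket; it sits between the `self:` rules and the log rules with no explanation, and a one-liner such as `# remove a stale mysqld socket before starting the server` would make the intent explicit.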
@@ -1311,7 +1410,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow svirt to manage device configuration, (pci) ##

##
-@@ -183,6 +190,7 @@ +@@ -95,6 +102,7 @@ + + manage_files_pattern(virtd_t, virt_image_t, virt_image_t) + manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t) ++read_lnk_files_pattern(virtd_t, virt_image_t, virt_image_t) + allow virtd_t virt_image_t:file { relabelfrom relabelto }; + allow virtd_t virt_image_t:blk_file { relabelfrom relabelto }; + +@@ -183,6 +191,7 @@ seutil_read_default_contexts(virtd_t) term_getattr_pty_fs(virtd_t) @@ -1319,7 +1426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -214,6 +222,12 @@ +@@ -214,6 +223,12 @@ fs_read_cifs_symlinks(virtd_t) ') @@ -1332,7 +1439,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` brctl_domtrans(virtd_t) ') -@@ -316,16 +330,17 @@ +@@ -307,6 +322,7 @@ + manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) + files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) + ++read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + allow svirt_t svirt_image_t:dir search_dir_perms; + manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t) + manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t) +@@ -316,16 +332,17 @@ dontaudit svirt_t virt_content_t:file write_file_perms; dontaudit svirt_t virt_content_t:dir write; @@ -1353,7 +1468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) -@@ -353,10 +368,6 @@ +@@ -353,10 +370,6 @@ ') optional_policy(` 
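Review bot: `read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)` in the inner `@@ -307,6 +322,7 @@` hunk appears to let every guest process resolve symlinks carrying the shared `virt_image_t` type rather than its own `svirt_image_t`, so one guest can read the link targets (image paths) found in other guests' image directories; following a link is still mediated by the target's label, so the exposure is the link contents, but it is worth confirming this is intended rather than granting the read on `svirt_image_t`. The matching `virtd_t` grant in the inner `@@ -95,6 +102,7 @@` hunk earlier in this file section is what one expects for the management daemon. Style: the svirt_t line is inserted directly before the `allow svirt_t svirt_image_t:dir search_dir_perms;` group without a separating blank line or comment; `# image files may be reached through symlinks in the image directory` would document both additions.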
@@ -1641,8 +1756,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow dhcpc_t self:process { setfscreate ptrace signal_perms };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-12 07:55:17.000000000 -0400
-@@ -196,6 +196,10 @@
++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-06-22 13:06:14.000000000 -0400
+@@ -112,6 +112,7 @@
+ 
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
++fs_rw_anon_inodefs_files(udev_t)
+ 
+ mcs_ptrace_all(udev_t)
+ 
+@@ -196,6 +197,10 @@
 ')
 
 optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ce77693..dacc158 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
 %endif
 %changelog
+* Sat Jun 20 2009 Dan Walsh 3.6.12-57
+- Allow mysqld_safe to manage db files
+- Allow udev_t to read/write anon_inodefs
+
 * Sat Jun 20 2009 Dan Walsh 3.6.12-56
 - Add gitosis policy
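Review bot: `fs_rw_anon_inodefs_files(udev_t)` in the inner `@@ -112,6 +112,7 @@` hunk grants read/write on every anon_inodefs inode (the backing store for epoll, eventfd, signalfd, inotify and similar descriptors) without a comment recording which of these udevd now uses, so the grant cannot later be checked against its cause. A one-liner such as `# udevd uses anon_inodefs-backed descriptors (signalfd/epoll presumably) — TODO cite the AVC` would anchor it. Placing the line next to `fs_list_inotifyfs(udev_t)` keeps the file's per-subsystem grouping.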