From 20afc9e7b2b1cd79ec5ac26a144f913f33035a4e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 16 2009 13:30:14 +0000
Subject: - Dontaudit udp_socket leaks for xauth_t
- Dontaudit rules for iceauth_t
- Let locate read symlinks on noxattr file systems
- Remove wine from unconfined domain if unconfined pp removed
- Add labels for vhostmd
- Add port 546 as a dhcpc port
- Add labeled for /dev/dahdi
- Add certmonger policy
- Allow sysadm to communicate with racoon and zebra
- Allow dbus service dbus_chat with unconfined_t
- Fixes for xguest
- Add dontaudits for abrt
- file contexts for mythtv
- Lots of fixes for asterisk
- Fix file context for certmaster
- Add log dir for dovecot
- Policy for ksmtuned
- File labeling and fixes for mysql and mysql_safe
- New plugin infrstructure for nagios
- Allow nut_upsd_t dac_override
- File context fixes for nx
- Allow oddjob_mkhomedir to create homedir
- Add pcscd_pub interfaces to be used by xdm
- Add stream connect from fenced to corosync
- Fixes for swat
- Allow fsdaemon to manage scsi devices
- Policy for tgtd
- Policy for vhostmd
- Allow ipsec to create tmp files
- Change label on fusermount
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index fe466ef..94c79ba 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -233,6 +233,13 @@ certwatch = module
 certmaster = module
 
 # Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+#
+certmonger = module
+
+# Layer: services
 # Module: cipe
 #
 # Encrypted tunnel daemon
diff --git a/policy-F12.patch b/policy-F12.patch
index 9d7cb43..2031eb5 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -18065,7 +18065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-15 10:06:29.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-12-16 08:29:46.000000000 -0500 @@ -6,17 +6,23 @@ # Declarations # @@ -18104,7 +18104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -33,6 +42,31 @@ +@@ -33,6 +42,34 @@ type nrpe_etc_t; files_config_file(nrpe_etc_t) @@ -18127,7 +18127,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_tmp_file(nagios_system_plugin_tmp_t) + +nagios_plugin_template(unconfined) -+unconfined_domain(nagios_unconfined_plugin_t) ++ ++optional_policy(` ++ unconfined_domain(nagios_unconfined_plugin_t) ++') + +permissive nagios_checkdisk_plugin_t; +permissive nagios_services_plugin_t; @@ -18136,7 +18139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Nagios local policy -@@ -45,6 +79,9 @@ +@@ -45,6 +82,9 @@ allow nagios_t self:tcp_socket create_stream_socket_perms; allow nagios_t self:udp_socket create_socket_perms; @@ -18146,7 +18149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t) allow nagios_t nagios_etc_t:dir list_dir_perms; -@@ -60,6 +97,8 @@ +@@ -60,6 +100,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) 
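Review bot: The two `permissive` declarations kept on the new side of the hunk at 18127 (`permissive nagios_checkdisk_plugin_t;` and `permissive nagios_services_plugin_t;`) mean those plugin domains are audited but not enforced, so the `domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)` that appears later in this patch confines nothing yet. Moving `unconfined_domain(nagios_unconfined_plugin_t)` inside `optional_policy(...)` is the right fix for builds without the unconfined module, but nothing in the file records why the permissive lines exist or when they are meant to go. A comment above them such as `# TODO: drop permissive once the plugin domains have run cleanly in enforcing mode` would make that explicit. The plugin template and the unconfined plugin type are declared outside this hunk, so what nagios_unconfined_plugin_t is allowed when the unconfined module is absent cannot be checked from here.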
@@ -18155,7 +18158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -86,6 +125,7 @@ +@@ -86,6 +128,7 @@ files_read_etc_files(nagios_t) files_read_etc_runtime_files(nagios_t) files_read_kernel_symbol_table(nagios_t) @@ -18163,7 +18166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(nagios_t) fs_search_auto_mountpoints(nagios_t) -@@ -127,52 +167,59 @@ +@@ -127,52 +170,59 @@ # # Nagios CGI local policy # 
@@ -18173,46 +18176,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -- ++allow httpd_nagios_script_t self:process signal_perms; + -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+allow httpd_nagios_script_t self:process signal_perms; ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) - --kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --corecmd_exec_bin(nagios_cgi_t) +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --domain_dontaudit_read_all_domains_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +kernel_read_system_state(httpd_nagios_script_t) 
+-domain_dontaudit_read_all_domains_state(nagios_cgi_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) + -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) - --logging_send_syslog_msg(nagios_cgi_t) --logging_search_logs(nagios_cgi_t) +files_read_etc_runtime_files(httpd_nagios_script_t) +files_read_kernel_symbol_table(httpd_nagios_script_t) +-logging_send_syslog_msg(nagios_cgi_t) +-logging_search_logs(nagios_cgi_t) +- -miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` @@ -18230,10 +18233,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow nrpe_t self:process { setpgid signal_perms }; allow nrpe_t self:fifo_file rw_fifo_file_perms; +allow nrpe_t self:tcp_socket create_stream_socket_perms; -+ -+domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) -allow nrpe_t nrpe_etc_t:file read_file_perms; ++domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) ++ +read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) files_search_etc(nrpe_t) @@ -18248,7 +18251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nrpe_t) kernel_read_kernel_sysctls(nrpe_t) -@@ -183,15 +230,19 @@ +@@ -183,15 +233,19 @@ dev_read_urand(nrpe_t) domain_use_interactive_fds(nrpe_t) @@ -18268,7 +18271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(nrpe_t) optional_policy(` -@@ -209,3 +260,84 @@ +@@ -209,3 +263,84 @@ optional_policy(` udev_read_db(nrpe_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d5ccdfa..58b88a3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
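Review bot: The renamed `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` in the hunk at 18173 still pass nagios_etc_t as the directory type, although the line directly above grants `list_dir_perms` on `nagios_log_t:dir`; as written the CGI domain can only read log files that sit inside a nagios_etc_t directory, so `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` are presumably what was meant (the mismatch predates this commit and was carried through the rename). The newly added `rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t)` lets the web CGI domain read and write nagios FIFOs under the spool, presumably the external-command pipe consumed by nagios_t; that is the intended CGI feature, but it is the one grant here that lets a compromised CGI influence the daemon, so a comment above it such as `# cgi writes external commands to the nagios command fifo in spool` would record that it is deliberate. The CGI policy block this hunk edits starts outside the hunk.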
@@ -181,7 +181,7 @@ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 selinuxenabled; \
 if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
 fixfiles -C ${FILE_CONTEXT}.pre restore; \
- restorecon -R /root /var/log /var/run /var/lib 2> /dev/null;\
+ restorecon -R /root /var/log /var/run /var/lib 2> /dev/null; \
 rm -f ${FILE_CONTEXT}.pre; \
 fi;