From 37ebfc9102be3b243a11a9c00ba4c69e2ba4ceaf Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 30 2009 22:22:00 +0000 Subject: - Add shorewall policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 9f3c5bf..ee6680c 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1179,20 +1179,6 @@ rsync = module rwho = module # Layer: services -# Module: sasl -# -# SASL authentication server -# -sasl = module - -# Layer: services -# Module: sendmail -# -# Policy for sendmail. -# -sendmail = base - -# Layer: services # Module: samba # # SMB and CIFS client/server programs for UNIX and @@ -1208,6 +1194,13 @@ samba = module # sambagui = module +# Layer: services +# Module: sasl +# +# SASL authentication server +# +sasl = module + # Layer: apps # Module: screen # @@ -1230,6 +1223,20 @@ selinux = base # selinuxutil = base +# Layer: services +# Module: sendmail +# +# Policy for sendmail. +# +sendmail = base + +# Layer: services +# Module: shorewall +# +# Policy for shorewall +# +shorewall = base + # Layer: system # Module: setrans # Required in base diff --git a/policy-20090105.patch b/policy-20090105.patch index bffe5d2..8693697 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -788,7 +788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-28 15:47:35.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-30 14:18:18.000000000 -0400 @@ -11,8 +11,8 @@ init_daemon_domain(readahead_t, readahead_exec_t) application_domain(readahead_t, readahead_exec_t) 
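Review bot: The new `shorewall = base` entry in modules-targeted.conf puts the shorewall policy into the base module, while the neighbouring service entries it is filed with (`sasl = module`, `samba = module`) are loadable modules; nothing on this page shows a base-policy dependency on shorewall, so unless iptables or another base module calls its interfaces unconditionally, `shorewall = module` would be the conventional choice. This matters more than usual here because shorewall.te in the same commit declares the domain permissive, so base versus module decides whether that permissive domain can later be dropped with semodule or only by rebuilding the base policy.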
@@ -820,7 +820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(readahead_t) kernel_dontaudit_getattr_core_if(readahead_t) -@@ -46,6 +49,7 @@ +@@ -46,10 +49,12 @@ storage_raw_read_fixed_disk(readahead_t) domain_use_interactive_fds(readahead_t) @@ -828,7 +828,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_all_sockets(readahead_t) files_list_non_security(readahead_t) -@@ -58,6 +62,7 @@ + files_read_non_security_files(readahead_t) ++files_dontaudit_getattr_non_security_blk_files(readahead_t) + + fs_getattr_all_fs(readahead_t) + fs_search_auto_mountpoints(readahead_t) +@@ -58,6 +63,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -836,7 +841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +77,7 @@ +@@ -72,6 +78,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -4847,7 +4852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_executable_file(wm_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400 @@ -32,6 +32,8 @@ # # /etc 
@@ -4866,7 +4871,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -299,3 +303,20 @@ +@@ -210,6 +214,7 @@ + /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + + /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) +@@ -299,3 +304,20 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5388,7 +5401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-30 14:18:05.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -10372,7 +10385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-30 17:45:01.000000000 -0400 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) 
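Review bot: `/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)` in corecommands.fc labels the whole tree bin_t, so every file under it becomes executable by any domain that has corecmd_exec_bin, not only by shorewall_t. If the tree holds just the shorewall compiler scripts that is acceptable, but if it also carries templates or data a narrower pattern (or a `--` file-only match on the scripts) would be the least-privilege form. A one-line `#` comment above the entry explaining why a /usr/share path is bin_t would help the next reader either way.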
@@ -10451,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_dbus_chat(consolekit_t) -@@ -61,6 +94,32 @@ +@@ -61,6 +94,33 @@ ') optional_policy(` @@ -10466,6 +10479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_stream_connect(consolekit_t) + xserver_ptrace_xdm(consolekit_t) + xserver_common_app(consolekit_t) ++ corenet_tcp_connect_xserver_port(consolekit_t) +') + +optional_policy(` @@ -14990,8 +15004,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400 -@@ -1,6 +1,10 @@ ++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-30 17:48:59.000000000 -0400 +@@ -1,6 +1,15 @@ -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) 
@@ -15004,6 +15018,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) ++/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) ++ ++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) ++/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if --- nsaserefpolicy/policy/modules/services/milter.if 2008-11-25 09:01:08.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-04-24 13:45:41.000000000 -0400 @@ -15043,7 +15062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-24 08:31:02.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-30 18:09:54.000000000 -0400 @@ -14,6 +14,12 @@ milter_template(regex) milter_template(spamass) 
@@ -15068,6 +15087,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(spamass_milter_t) # When used with -b or -B options, the milter invokes sendmail to send mail +@@ -53,3 +63,40 @@ + + # The main job of the milter is to pipe spam through spamc and act on the result + spamassassin_domtrans_client(spamass_milter_t) ++ ++######################################## ++# ++# milter-greylist Declarations ++# ++ ++milter_template(greylist) ++ ++######################################## ++# ++# milter-greylist local policy ++# ensure smtp clients retry mail like real MTAs and not spamware ++# http://hcpnet.free.fr/milter-greylist/ ++# ++ ++# Look up username for dropping privs ++auth_use_nsswitch(greylist_milter_t) ++ ++# It creates a pid file /var/run/milter-greylist.pid ++files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file) ++ ++# It removes any existing socket (not owned by root) whilst running as root, ++# fixes permissions, renices itself and then calls setgid() and setuid() to ++# drop privileges ++kernel_read_kernel_sysctls(greylist_milter_t) ++allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice }; ++allow greylist_milter_t self:process { setsched getsched }; ++ ++# Allow the milter to read a GeoIP database in /usr/share ++files_read_usr_files(greylist_milter_t) ++ ++# The milter runs from /var/lib/milter-greylist and maintains files there ++files_search_var_lib(greylist_milter_t); ++ ++# Config is in /etc/mail/greylist.conf ++mta_read_config(greylist_milter_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-23 09:44:57.000000000 -0400 
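Review bot: `files_search_var_lib(greylist_milter_t);` in the new milter-greylist section of milter.te carries a trailing semicolon that none of the other interface calls in the block have; after m4 expansion it leaves a bare `;` behind the expanded rule, which checkmodule may reject, so it should read `files_search_var_lib(greylist_milter_t)`. The comment above it says the milter "maintains files" under /var/lib/milter-greylist, yet only search on /var/lib is granted on this line; presumably `milter_template(greylist)` grants manage on greylist_milter_data_t, which is worth confirming, otherwise a manage_files_pattern line is missing. The rest of the greylist block is self-explanatory, and the per-capability comments are a good model for the other milter sections.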
@@ -15103,7 +15163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-30 08:19:03.000000000 -0400 @@ -130,6 +130,15 @@ sendmail_create_log($1_mail_t) ') @@ -15112,7 +15172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + exim_read_log($1_mail_t) + exim_append_log($1_mail_t) + exim_manage_spool_files($1_mail_t) -+') ++ ') + + optional_policy(` + uucp_manage_spool($1_mail_t) @@ -21425,7 +21485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-30 08:12:22.000000000 -0400 @@ -89,7 +89,7 @@ type sendmail_t; ') 
@@ -21886,6 +21946,298 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc +--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc 2009-04-30 08:33:41.000000000 -0400 +@@ -0,0 +1,12 @@ ++ ++/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0) ++ ++/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) ++/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0) ++ ++/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0) ++/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0) ++ ++/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) ++/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if +--- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/shorewall.if 2009-04-30 08:29:56.000000000 -0400 +@@ -0,0 +1,166 @@ ++## policy for shorewall ++ ++######################################## ++## ++## Execute a domain transition to run shorewall. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`shorewall_domtrans',` ++ gen_require(` ++ type shorewall_t; ++ type shorewall_exec_t; ++ ') ++ ++ domtrans_pattern($1, shorewall_exec_t, shorewall_t) ++') ++ ++####################################### ++## ++## Read shorewall etc configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_read_etc',` ++ gen_require(` ++ type shorewall_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t) ++') ++ ++####################################### ++## ++## Read shorewall PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_read_pid_files',` ++ gen_require(` ++ type shorewall_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) ++') ++ ++####################################### ++## ++## Read and write shorewall PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_rw_pid_files',` ++ gen_require(` ++ type shorewall_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t) ++') ++ ++###################################### ++## ++## Read shorewall /var/lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_read_var_lib',` ++ gen_require(` ++ type shorewall_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++') ++ ++####################################### ++## ++## Read and write shorewall /var/lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`shorewall_rw_var_lib',` ++ gen_require(` ++ type shorewall_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t) ++') ++ ++####################################### ++## ++## All of the rules required to administrate ++## an shorewall environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++# ++interface(`shorewall_admin',` ++ gen_require(` ++ type shorewall_t, shorewall_var_run_t, shorewall_lock_t; ++ type shorewall_initrc_exec_t, shorewall_var_lib_t; ++ type shorewall_tmp_t; ++ ') ++ ++ allow $1 shorewall_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, shorewall_t) ++ ++ init_labeled_script_domtrans($1, shorewall_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 shorewall_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_etc($1) ++ admin_pattern($1, shorewall_etc_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, shorewall_lock_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, shorewall_var_run_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, shorewall_var_lib_t) ++ ++ files_search_tmp($1) ++ admin_pattern($1, shorewall_tmp_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te +--- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 2009-04-30 08:29:56.000000000 -0400 +@@ -0,0 +1,102 @@ ++policy_module(shorewall,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type shorewall_t; ++type shorewall_exec_t; ++init_daemon_domain(shorewall_t, shorewall_exec_t) ++ ++type shorewall_initrc_exec_t; 
++init_script_file(shorewall_initrc_exec_t) ++ ++# etc files ++type shorewall_etc_t; ++files_config_file(shorewall_etc_t) ++ ++# lock files ++type shorewall_lock_t; ++files_lock_file(shorewall_lock_t) ++ ++# tmp files ++type shorewall_tmp_t; ++files_tmp_file(shorewall_tmp_t) ++ ++# var/lib files ++type shorewall_var_lib_t; ++files_type(shorewall_var_lib_t) ++ ++######################################## ++# ++# shorewall local policy ++# ++ ++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace}; ++dontaudit shorewall_t self:capability sys_tty_config; ++ ++allow shorewall_t self:fifo_file rw_fifo_file_perms; ++ ++# etc file ++read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) ++list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t) ++ ++# lock files ++manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t) ++files_lock_filetrans(shorewall_t, shorewall_lock_t, file) ++ ++# var/lib files for shorewall ++exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) ++manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) ++manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t) ++files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file }) ++ ++# tmp files for shorewall ++manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t) ++manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t) ++files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir }) ++ ++kernel_read_kernel_sysctls(shorewall_t) ++kernel_read_system_state(shorewall_t) ++kernel_read_network_state(shorewall_t) ++kernel_rw_net_sysctls(shorewall_t) ++ ++corecmd_exec_bin(shorewall_t) ++corecmd_exec_shell(shorewall_t) ++ ++dev_read_urand(shorewall_t) ++ ++fs_getattr_all_fs(shorewall_t) ++ ++domain_read_all_domains_state(shorewall_t) ++ ++files_getattr_kernel_modules(shorewall_t) ++files_read_etc_files(shorewall_t) ++files_read_usr_files(shorewall_t) 
++files_search_kernel_modules(shorewall_t) ++ ++init_rw_utmp(shorewall_t) ++ ++libs_use_ld_so(shorewall_t) ++libs_use_shared_libs(shorewall_t) ++ ++logging_send_syslog_msg(shorewall_t) ++ ++miscfiles_read_localization(shorewall_t) ++ ++userdom_dontaudit_list_admin_dir(shorewall_t) ++ ++sysnet_domtrans_ifconfig(shorewall_t) ++iptables_domtrans(shorewall_t) ++ ++optional_policy(` ++ modutils_domtrans_insmod(shorewall_t) ++') ++ ++optional_policy(` ++ ulogd_search_log(shorewall_t) ++') ++ ++permissive shorewall_t; ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-23 09:44:57.000000000 -0400 @@ -22122,7 +22474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-30 08:12:59.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
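Review bot: In the new shorewall.if, `shorewall_read_var_lib` and `shorewall_rw_var_lib` require `type shorewall_t;` but use `shorewall_var_lib_t`, and `shorewall_admin` uses `shorewall_etc_t` without requiring it; each gen_require block should name the types the body actually references, e.g. `type shorewall_var_lib_t;`. More seriously, `shorewall_var_run_t` is required by `shorewall_read_pid_files`, `shorewall_rw_pid_files` and `shorewall_admin`, but shorewall.te in the same hunk never declares it and shorewall.fc labels nothing with it, so any module calling those interfaces will fail to build; either declare it (`type shorewall_var_run_t;` plus `files_pid_file(shorewall_var_run_t)` and matching fc entries) or drop the pid interfaces. shorewall.te ends with `permissive shorewall_t;`, which means none of the allow rules above it — including the `net_admin`, `net_raw` and `sys_ptrace` capabilities — are exercised under enforcement yet; if that is a deliberate first cut, a comment saying so and noting when it is to be removed would prevent it being shipped that way. The `shorewall_admin` role description still reads "manage the syslog domain", a leftover from the template it was copied from.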
@@ -22178,7 +22530,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type spamd_spool_t; files_type(spamd_spool_t) -@@ -159,6 +195,7 @@ +@@ -110,6 +146,7 @@ + dev_read_urand(spamassassin_t) + + fs_search_auto_mountpoints(spamassassin_t) ++fs_getattr_all_fs(spamassassin_t) + + # this should probably be removed + corecmd_list_bin(spamassassin_t) +@@ -159,6 +196,7 @@ corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -22186,7 +22546,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(spamassassin_t) ') -@@ -216,16 +253,32 @@ +@@ -195,6 +233,7 @@ + optional_policy(` + mta_read_config(spamassassin_t) + sendmail_stub(spamassassin_t) ++ sendmail_rw_unix_stream_sockets(spamassassin_t) + ') + + ######################################## +@@ -216,16 +255,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -22219,7 +22587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -239,6 +292,7 @@ +@@ -239,6 +294,7 @@ corenet_sendrecv_all_client_packets(spamc_t) fs_search_auto_mountpoints(spamc_t) @@ -22227,7 +22595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: these should probably be removed: corecmd_list_bin(spamc_t) -@@ -255,9 +309,15 @@ +@@ -255,9 +311,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -22243,7 +22611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,13 +325,16 @@ +@@ -265,13 +327,16 @@ sysnet_read_config(spamc_t) 
@@ -22267,7 +22635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -280,16 +343,21 @@ +@@ -280,16 +345,21 @@ ') optional_policy(` @@ -22291,7 +22659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +369,7 @@ +@@ -301,7 +371,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -22300,7 +22668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +385,13 @@ +@@ -317,10 +387,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -22315,7 +22683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +400,11 @@ +@@ -329,10 +402,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -22328,7 +22696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +454,27 @@ +@@ -382,22 +456,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -22360,7 +22728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +492,7 @@ +@@ -415,6 +494,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) 
@@ -22368,7 +22736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +502,6 @@ +@@ -424,10 +504,6 @@ ') optional_policy(` @@ -22379,7 +22747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +516,10 @@ +@@ -442,6 +518,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -22390,7 +22758,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,5 +532,9 @@ +@@ -454,5 +534,9 @@ ') optional_policy(` @@ -23312,8 +23680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if --- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-23 09:44:57.000000000 -0400 -@@ -0,0 +1,127 @@ ++++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-30 08:29:56.000000000 -0400 +@@ -0,0 +1,146 @@ +## policy for ulogd + +######################################## @@ -23378,6 +23746,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) +') + ++####################################### ++## ++## Allow the specified domain to search ulogd's log files. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ulogd_search_log',` ++ gen_require(` ++ type ulogd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 ulogd_var_log_t:dir search_dir_perms; ++') ++ +######################################## +## +## Allow the specified domain to append to ulogd's log files. 
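Review bot: The new `ulogd_search_log` interface in ulogd.if describes its parameter as `Domain allowed to transition.`, copied from a domtrans interface; it should read `Domain allowed access.` like the read and append interfaces around it. Its body also mixes a raw `allow $1 ulogd_var_log_t:dir search_dir_perms;` with the pattern macros the rest of the file uses; `search_dirs_pattern($1, ulogd_var_log_t, ulogd_var_log_t)` would be the consistent form.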
@@ -23693,7 +24080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400 @@ -8,19 +8,24 @@ ## @@ -23905,11 +24292,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +272,80 @@ - ') +@@ -195,8 +269,84 @@ - optional_policy(` -- unconfined_domain(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) ++ xen_read_image_files(virtd_t) ++') ++ ++optional_policy(` + udev_domtrans(virtd_t) +') + @@ -23982,9 +24372,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xen_rw_image_files(svirt_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- unconfined_domain(virtd_t) + xen_rw_image_files(svirt_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te 
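Review bot: After the rearranged tail of the virt.te hunk, `xen_rw_image_files(svirt_t)` appears in two adjacent optional_policy blocks — once in the block that now closes with the inherited `')`, and once replacing `unconfined_domain(virtd_t)` in the block that follows — as far as the collapsed rendering shows. The second occurrence is redundant; keep one block and delete the other, or, if the second was meant to grant virtd_t something, change it accordingly. The inner hunk header was edited to `@@ -195,8 +269,84 @@` by hand, so please re-check that the old and new line counts still match, since a mismatch makes the whole patch fail to apply.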
@@ -24081,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-30 17:44:47.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -26711,8 +27102,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(racoon_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-23 09:44:57.000000000 -0400 -@@ -1,9 +1,12 @@ ++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400 +@@ -1,9 +1,11 @@ /sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) 
@@ -26727,7 +27118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) - /var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) +-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-23 09:44:57.000000000 -0400 @@ -28774,7 +29165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-30 18:03:37.000000000 -0400 @@ -43,6 +43,39 @@ sysnet_domtrans_dhcpc($1) 
@@ -28945,7 +29336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-30 18:03:46.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -28983,16 +29374,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) -@@ -65,7 +69,7 @@ +@@ -65,7 +69,8 @@ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. -allow dhcpc_t net_conf_t:file manage_file_perms; +sysnet_manage_config(dhcpc_t) ++allow dhcpc_t net_conf_t:file relabel_file_perms; files_etc_filetrans(dhcpc_t,net_conf_t,file) # create temp files -@@ -116,7 +120,7 @@ +@@ -116,7 +121,7 @@ corecmd_exec_shell(dhcpc_t) domain_use_interactive_fds(dhcpc_t) @@ -29001,7 +29393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) -@@ -183,25 +187,23 @@ +@@ -183,25 +188,23 @@ ') optional_policy(` @@ -29035,7 +29427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,6 +214,7 @@ +@@ -212,6 +215,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) 
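Review bot: The added `allow dhcpc_t net_conf_t:file relabel_file_perms;` in sysnetwork.te grants relabelfrom and relabelto on net_conf_t without a comment, while the existing comment above it only explains read/write of /etc/resolv.conf and /etc/ntp.conf. Because net_conf_t is the only type on both sides this is effectively a self-relabel (presumably dhclient-script restoring the context of files it rewrote), but that reasoning is not visible here; a line such as `# dhclient-script restores the context of the net_conf_t files it rewrites; net_conf_t -> net_conf_t only` would record it, or the rule could be narrowed to whichever of relabelfrom/relabelto the AVC actually reported. The enclosing section continues outside the hunk.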
@@ -29043,7 +29435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -223,6 +226,10 @@ +@@ -223,6 +227,10 @@ ') optional_policy(` @@ -29054,7 +29446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -236,7 +243,6 @@ +@@ -236,7 +244,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -29062,7 +29454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -250,6 +256,7 @@ +@@ -250,6 +257,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -29070,7 +29462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -259,13 +266,20 @@ +@@ -259,13 +267,20 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; @@ -29091,7 +29483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_rw_tun_tap_dev(ifconfig_t) -@@ -276,8 +290,13 @@ +@@ -276,8 +291,13 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -29105,7 +29497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(ifconfig_t) -@@ -296,6 +315,8 @@ +@@ -296,6 +316,8 @@ seutil_use_runinit_fds(ifconfig_t) 
@@ -29114,7 +29506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -332,6 +353,14 @@ +@@ -332,6 +354,14 @@ ') optional_policy(` @@ -32215,8 +32607,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.12/policy/modules/system/xen.if --- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-23 09:44:57.000000000 -0400 -@@ -167,11 +167,14 @@ ++++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-30 18:08:14.000000000 -0400 +@@ -71,6 +71,8 @@ + ') + + files_list_var_lib($1) ++ ++ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) + read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t) + ') + +@@ -167,11 +169,14 @@ # interface(`xen_stream_connect',` gen_require(` @@ -32232,7 +32633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -191,3 +194,46 @@ +@@ -191,3 +196,46 @@ domtrans_pattern($1,xm_exec_t,xm_t) ') @@ -32571,7 +32972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-30 18:02:45.000000000 -0400 @@ -225,7 +225,7 @@ define(`create_lnk_file_perms',`{ create getattr }') define(`rename_lnk_file_perms',`{ getattr rename }') 
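Review bot: The added `list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)` in the xen.if hunk at inner line 71 grants directory listing only for xend_var_lib_t, while the `read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)` on the next line names xen_image_t as a possible parent directory as well; if image files can live in xen_image_t-typed directories (not decidable from this hunk), callers still cannot list those, so confirm that this asymmetry is intended. The interface this belongs to starts outside the hunk, so its name and `## <summary>` are not visible; that summary should be updated to say callers may now list the xend library directory. Stylistically the new line uses `($1, xend_var_lib_t, xend_var_lib_t)` with spaces after the commas while the adjacent pattern call uses none; pick one form within the interface.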
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 981eb9a..b63b10f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 25%{?dist}
+Release: 26%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -480,7 +480,10 @@ exit 0
 %endif
 
 %changelog
-* Wed Apr 28 2009 Dan Walsh 3.6.12-25
+* Thu Apr 30 2009 Dan Walsh 3.6.12-26
+- Add shorewall policy
+
+* Wed Apr 29 2009 Dan Walsh 3.6.12-25
 - Additional rules for fprintd and sssd
 
 * Tue Apr 28 2009 Dan Walsh 3.6.12-24