From a493e4ea0040a156379b64546f74839d1d055973 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 20 2009 13:25:10 +0000 Subject: - Allow setroubleshootd to read all symlinks --- diff --git a/policy-20080710.patch b/policy-20080710.patch index a3a9458..fa31505 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -12944,7 +12944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi fs_search_auto_mountpoints(entropyd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.13/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/automount.if 2009-06-08 16:14:26.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/automount.if 2009-07-20 14:45:58.000000000 +0200 @@ -107,6 +107,24 @@ dontaudit $1 automount_tmp_t:dir getattr; ') @@ -26344,7 +26344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-06-08 16:17:53.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-07-20 14:45:25.000000000 +0200 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
@@ -27941,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-03-12 12:57:27.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-07-17 08:50:57.000000000 +0200 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -27974,7 +27974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +74,23 @@ +@@ -68,16 +74,24 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -27983,6 +27983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr domain_dontaudit_search_all_domains_state(setroubleshootd_t) ++files_read_all_symlinks(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) @@ -27999,7 +28000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -97,23 +110,30 @@ +@@ -97,23 +111,30 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
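Review bot: `files_read_all_symlinks(setroubleshootd_t)` in the 27983 hunk is a broad grant: as I read the refpolicy interface it allows reading the lnk_file of essentially every file type, not only the system paths setroubleshootd resolves while analysing denials, so it also covers symlinks in user home and tmp content. If one specific path motivated it, a narrower interface is preferable, and if the read is only a probe a dontaudit is enough. Either way, record the trigger above the call, e.g. `# setroubleshootd follows symlinks while resolving denied paths: AVC-REF-PLACEHOLDER`. The inner header bump to `+@@ -68,16 +74,24 @@` matches the single added line.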
@@ -33301,7 +33302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-04-14 11:07:25.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-07-20 14:40:59.000000000 +0200 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -33446,11 +33447,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -521,6 +553,31 @@ +@@ -521,6 +553,32 @@ ') ') +domain_dontaudit_use_interactive_fds(daemon) ++userdom_dontaudit_rw_stream(daemon) + +sysadm_dontaudit_search_home_dirs(daemon) + @@ -33478,7 +33480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -575,6 +632,10 @@ +@@ -575,6 +633,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -33489,7 +33491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t networkmanager_dbus_chat(initrc_t) ') ') -@@ -660,12 +721,6 @@ +@@ -660,12 +722,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -33502,7 +33504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -726,6 +781,9 @@ +@@ -726,6 +782,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -33512,7 +33514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -738,10 +796,12 @@ +@@ -738,10 +797,12 @@ squid_manage_logs(initrc_t) ') 
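Review bot: `userdom_dontaudit_rw_stream(daemon)` in the 33446 hunk silences read/write on every user domain's unix_stream_socket for every domain carrying the `daemon` attribute, which hides exactly the AVC that reveals a service started from a user session with an inherited socket descriptor. Unless that leak is known to be benign for all daemons, scope the call to the domain that produced the denial, or at least add a comment above it naming the case, e.g. `# daemons started from a user shell inherit the user's stream socket; silence the resulting read/write denials`. The spec %changelog entry records only the setroubleshootd change; this hunk and the sysnetwork.te, unconfined.te and userdomain.if hunks in this commit are undocumented there. The inner `@@ -521,6 +553,32 @@` block continues past the end of this hunk.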
@@ -33525,7 +33527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -759,6 +819,15 @@ +@@ -759,6 +820,15 @@ uml_setattr_util_sockets(initrc_t) ') @@ -33541,7 +33543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` unconfined_domain(initrc_t) -@@ -773,6 +842,10 @@ +@@ -773,6 +843,10 @@ ') optional_policy(` @@ -33552,7 +33554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -795,3 +868,19 @@ +@@ -795,3 +869,19 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -36015,9 +36017,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-06-24 09:52:07.000000000 +0200 -@@ -20,6 +20,9 @@ ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-07-17 09:06:00.000000000 +0200 +@@ -18,8 +18,12 @@ + type dhcpc_t; + type dhcpc_exec_t; init_daemon_domain(dhcpc_t,dhcpc_exec_t) ++domain_obj_id_change_exemption(dhcpc_t) role system_r types dhcpc_t; +type dhcpc_helper_exec_t; @@ -36026,7 +36031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -41,21 +44,22 @@ +@@ -41,21 +45,22 @@ # # DHCP client local policy # 
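Review bot: `domain_obj_id_change_exemption(dhcpc_t)` in the 36015 hunk is a constraint exemption rather than an allow rule: as I read the refpolicy interface it adds dhcpc_t to the attribute that bypasses the object-identity-change constraint, so dhcpc_t may create or relabel files whose SELinux user differs from its own. For a daemon that parses untrusted network input that deserves a stated reason; add a comment above the call naming the file and identity mismatch involved, e.g. `# exempt from the object identity constraint: REASON-PLACEHOLDER (file and seuser mismatch seen in the AVC)`, and confirm the mismatch cannot instead be avoided by running the client with the system identity. The extended inner context (`+@@ -18,8 +18,12 @@` with the two `type` lines) is consistent with placing the call right after `init_daemon_domain`.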
@@ -36054,7 +36059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) -@@ -65,7 +69,7 @@ +@@ -65,7 +70,7 @@ # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -36063,7 +36068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_etc_filetrans(dhcpc_t,net_conf_t,file) # create temp files -@@ -116,7 +120,7 @@ +@@ -116,7 +121,7 @@ corecmd_exec_shell(dhcpc_t) domain_use_interactive_fds(dhcpc_t) @@ -36072,7 +36077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet files_read_etc_files(dhcpc_t) files_read_etc_runtime_files(dhcpc_t) -@@ -135,8 +139,6 @@ +@@ -135,8 +140,6 @@ modutils_domtrans_insmod(dhcpc_t) @@ -36081,7 +36086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ifdef(`distro_redhat', ` files_exec_etc_files(dhcpc_t) ') -@@ -185,25 +187,23 @@ +@@ -185,25 +188,23 @@ ') optional_policy(` @@ -36115,7 +36120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -214,6 +214,11 @@ +@@ -214,6 +215,11 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -36127,7 +36132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -225,6 +230,10 @@ +@@ -225,6 +231,10 @@ ') optional_policy(` 
@@ -36138,7 +36143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -238,7 +247,6 @@ +@@ -238,7 +248,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -36146,7 +36151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -252,6 +260,7 @@ +@@ -252,6 +261,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -36154,7 +36159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -261,13 +270,20 @@ +@@ -261,13 +271,20 @@ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; @@ -36175,7 +36180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet corenet_rw_tun_tap_dev(ifconfig_t) -@@ -278,8 +294,13 @@ +@@ -278,8 +295,13 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -36189,7 +36194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(ifconfig_t) -@@ -300,6 +321,8 @@ +@@ -300,6 +322,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -36198,7 +36203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -335,6 +358,14 @@ +@@ -335,6 +359,14 @@ ') optional_policy(` 
@@ -36739,7 +36744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2009-03-20 09:28:45.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2009-07-20 14:36:41.000000000 +0200 @@ -6,35 +6,78 @@ # Declarations # @@ -36826,7 +36831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,28 +85,39 @@ +@@ -42,7 +85,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -36837,8 +36842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - unconfined_domain(unconfined_t) -+domain_mmap_low(unconfined_t) +@@ -50,20 +96,27 @@ userdom_priveleged_home_dir_manager(unconfined_t) @@ -36870,7 +36874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -75,12 +129,6 @@ +@@ -75,12 +128,6 @@ ') optional_policy(` @@ -36883,7 +36887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -106,12 +154,24 @@ +@@ -106,12 +153,24 @@ ') optional_policy(` 
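Review bot: The 36837 hunk drops `+domain_mmap_low(unconfined_t)` from the unconfined.te patch (the inner hunk is split into `@@ -42,7 +85,10 @@` in the 36826 hunk and `@@ -50,20 +96,27 @@` here), but neither the subject nor the spec %changelog mentions it. As I read refpolicy, domain_mmap_low grants the memprotect `mmap_zero` permission, i.e. it lets unconfined_t map the low address range below the kernel's mmap floor, so removing it is a security-relevant hardening of the default unconfined policy and should be recorded, e.g. a changelog line `- Remove domain_mmap_low from unconfined_t`. No hunk visible in this chunk re-adds it under a tunable; confirm that is intended. The hand-split inner hunks now leave the unchanged `unconfined_domain(unconfined_t)` line between them, so re-check that the patch still applies without fuzz against serefpolicy-3.5.13.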
@@ -36908,7 +36912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -123,79 +183,95 @@ +@@ -123,79 +182,95 @@ ') optional_policy(` @@ -37025,7 +37029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -203,7 +279,7 @@ +@@ -203,7 +278,7 @@ ') optional_policy(` @@ -37034,7 +37038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -215,11 +291,12 @@ +@@ -215,11 +290,12 @@ ') optional_policy(` @@ -37049,7 +37053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -229,14 +306,61 @@ +@@ -229,14 +305,61 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -37128,7 +37132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-04-14 10:42:32.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-07-20 14:40:31.000000000 +0200 @@ -28,10 +28,14 @@ class context contains; ') @@ -39349,7 +39353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5725,642 @@ +@@ -5513,3 +5725,661 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -39992,6 +39996,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dontaudit $1 admin_home_t:dir list_dir_perms; +') + ++####################################### ++## ++## Do not audit attempts to read and write ++## unserdomain stream. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_rw_stream',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ dontaudit $1 userdomain:unix_stream_socket rw_file_perms; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2009-02-10 15:07:15.000000000 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 5f49d29..43249ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 66%{?dist} +Release: 67%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Mon Jul 20 2009 Miroslav Grepl 3.5.13-67 +- Allow setroubleshootd to read all symlinks + * Fri Jul 3 2009 Miroslav Grepl 3.5.13-66 - Allow ftpd to create shm
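Review bot: The new `userdom_dontaudit_rw_stream` interface in the 39992 hunk applies `rw_file_perms` to the `unix_stream_socket` class; that is the file-class permission set, and the refpolicy idiom for a socket class is `rw_socket_perms`. If this tree's `rw_file_perms` includes `open`, as trees with the open_perms capability do, checkpolicy will reject the rule for a socket class outright, so change it to `dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;`. The summary line also misspells the attribute: `## unserdomain stream.` should read `## userdomain stream.`. The interface doc block shows bare `##` lines where the summary/param markup would be, so confirm the XML doc tags survived in the actual patch file rather than only being stripped by this rendering.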