From a8290e36904bbf6b44498aa50b994aebccce3f50 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 24 2008 11:14:24 +0000 Subject: - Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server --- diff --git a/policy-20071130.patch b/policy-20071130.patch index d011bad..03eef7f 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2079,7 +2079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.3.1/policy/modules/admin/mrtg.te --- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te 2008-06-12 23:38:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te 2008-06-24 06:27:18.000000000 -0400 @@ -78,6 +78,7 @@ dev_read_urand(mrtg_t) 
@@ -2088,6 +2088,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te files_read_usr_files(mrtg_t) files_search_var(mrtg_t) +@@ -101,6 +102,8 @@ + init_read_utmp(mrtg_t) + init_dontaudit_write_utmp(mrtg_t) + ++auth_use_nsswitch(mrtg_t) ++ + libs_read_lib_files(mrtg_t) + libs_use_ld_so(mrtg_t) + libs_use_shared_libs(mrtg_t) +@@ -111,11 +114,9 @@ + + selinux_dontaudit_getattr_dir(mrtg_t) + +-# Use the network. +-sysnet_read_config(mrtg_t) +- + userdom_dontaudit_use_unpriv_user_fds(mrtg_t) + userdom_use_sysadm_terms(mrtg_t) ++userdom_dontaudit_list_sysadm_home_dirs(mrtg_t) + + ifdef(`enable_mls',` + corenet_udp_sendrecv_lo_if(mrtg_t) +@@ -139,14 +140,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(mrtg_t) +-') +- +-optional_policy(` +- nscd_dontaudit_search_pid(mrtg_t) +-') +- +-optional_policy(` + seutil_sigchld_newrole(mrtg_t) + ') + +@@ -162,9 +155,3 @@ + udev_read_db(mrtg_t) + ') + +-ifdef(`TODO',` +- # should not need this! +- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr }; +- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; +- dontaudit mrtg_t root_t:lnk_file getattr; +-') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/netutils.te 2008-06-12 23:38:03.000000000 -0400 
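Review bot: The new `userdom_dontaudit_list_sysadm_home_dirs(mrtg_t)` line in the nested `@@ -111,11 +114,9 @@` hunk silences the same denial that the removed `ifdef(`TODO',` block flagged with `# should not need this!`, but that caveat disappears with the block. Keep it next to the new call, e.g. `# mrtg should not need to list admin home dirs; dontaudit, do not allow (was a TODO)`, so a later reader does not promote it to an allow rule. The dropped `sysnet_read_config`, `nis_use_ypbind` and `nscd_dontaudit_search_pid` calls appear to be superseded by the added `auth_use_nsswitch(mrtg_t)`; a one-line comment above that call saying so would make the three removals self-explaining. The remaining TODO lines (getattr on `boot_t device_t file_t lost_found_t` and `root_t`) are dropped without replacement, which is fine only if those denials no longer occur — worth confirming against current audit logs.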
@@ -9294,7 +9341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-24 07:10:15.000000000 -0400 @@ -1,10 +1,8 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) - @@ -9308,7 +9355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -@@ -16,7 +14,6 @@ +@@ -16,13 +14,13 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -9316,7 +9363,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -33,6 +30,7 @@ + /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) + ++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +@@ -33,6 +31,7 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -9324,7 +9378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,11 +46,14 @@ +@@ -48,11 +47,14 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) 
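Review bot: The new `/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)` entry breaks the path ordering of apache.fc: the surrounding entries run `/usr/lib...` then `/usr/sbin...`, so a `/usr/bin` path belongs above the `/usr/lib/apache-ssl/.+` line shown in the hunk before this one. Labeling it httpd_exec_t makes a mongrel process run under the full httpd_t policy, which is what the commit intends; since the binary is not part of Apache, a one-line comment such as `# mongrel (Rails application server) is confined like httpd` above the entry would record that choice for the next reader. The commit subject and the changelog entry spell the binary `mogrel_rails`; the fc entry itself is the correct spelling.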
@@ -9339,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -66,10 +67,21 @@ +@@ -66,10 +68,21 @@ /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -15995,8 +16049,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami +/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.3.1/policy/modules/services/gamin.if --- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gamin.if 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,39 @@ ++++ serefpolicy-3.3.1/policy/modules/services/gamin.if 2008-06-24 06:43:23.000000000 -0400 +@@ -0,0 +1,57 @@ + +## policy for gamin + @@ -16021,6 +16075,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + +######################################## +## ++## Execute gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_exec',` ++ gen_require(` ++ type gamin_exec_t; ++ ') ++ ++ can_exec($1,gamin_exec_t) ++') ++ ++######################################## ++## +## Connect to gamin over an unix stream socket. +## +## 
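Review bot: The parameter description of the new `gamin_exec` interface in the `@@ -16021,6 +16075,24 @@` hunk says `Domain allowed to transition.`, but the body calls `can_exec($1,gamin_exec_t)`, which grants execution of gamin_exec_t in the caller's own domain with no transition into gamin_t. Change the text to `Domain allowed to execute gamin in its own domain.` so callers do not assume the process ends up confined. `can_exec($1,gamin_exec_t)` also lacks the space after the comma that the other new call in this commit uses (`can_exec(system_mail_t, mailclient_exec_type)`). The interface block that precedes the insertion point starts outside this hunk.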
@@ -16038,8 +16110,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te --- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,40 @@ ++++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-06-24 06:30:34.000000000 -0400 +@@ -0,0 +1,41 @@ +policy_module(gamin,1.0.0) + +######################################## @@ -16050,6 +16122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami +type gamin_t; +type gamin_exec_t; +init_daemon_domain(gamin_t, gamin_exec_t) ++application_domain(gamin_t, gamin_exec_t) + +######################################## +# @@ -17754,7 +17827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-22 08:32:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-24 05:41:39.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
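Review bot: `application_domain(gamin_t, gamin_exec_t)` is added directly under `init_daemon_domain(gamin_t, gamin_exec_t)` in the `@@ -16050,6 +16122,7 @@` hunk, so gamin_t is now both an init daemon domain and an application domain, with no comment saying why both are needed. Every rule written against application_domain_type now reaches gamin_t, including the home-content append rule this same commit adds to application.te, so the dual declaration widens what the daemon can do. A comment such as `# gamin is also started from user sessions, so it is an application domain as well` (confirm that is the actual reason) would record the intent. The rest of the gamin_t declarations lie outside this hunk.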
@@ -17772,13 +17845,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -37,30 +40,49 @@ +@@ -37,30 +40,51 @@ # # newalias required this, not sure if it is needed in 'if' file -allow system_mail_t self:capability { dac_override }; +allow system_mail_t self:capability { dac_override fowner }; +allow system_mail_t self:fifo_file rw_fifo_file_perms; ++ ++can_exec(system_mail_t, mailclient_exec_type) read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t) +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type) @@ -17823,7 +17898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -73,7 +95,18 @@ +@@ -73,7 +97,18 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) @@ -17842,7 +17917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -81,6 +114,11 @@ +@@ -81,6 +116,11 @@ ') optional_policy(` @@ -17854,7 +17929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +174,38 @@ +@@ -136,11 +176,38 @@ ') optional_policy(` @@ -17894,7 +17969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +219,4 @@ +@@ -154,3 +221,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') 
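Review bot: The `fowner` capability added to `allow system_mail_t self:capability { dac_override fowner };` and the new `can_exec(system_mail_t, mailclient_exec_type)` in the nested `@@ -37,30 +40,51 @@` hunk arrive without a rationale, while the comment above them still only explains dac_override for newalias. Because can_exec runs the client inside system_mail_t rather than transitioning, any executable of type mailclient_exec_type now runs with both capabilities; a comment above the can_exec line, e.g. `# mail clients run in system_mail_t (no transition) and inherit its capabilities`, plus one naming what needs fowner, would let a reviewer judge the widening. The `@@ -73`, `@@ -81`, `@@ -136` and `@@ -154` hunks of this section only shift nested line numbers and need nothing.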
@@ -21111,8 +21186,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-23 08:18:35.000000000 -0400 -@@ -0,0 +1,190 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-24 06:33:34.000000000 -0400 +@@ -0,0 +1,191 @@ +## Prelude hybrid intrusion detection system + +######################################## @@ -21204,6 +21279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + ') + + files_search_spool($1) ++ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t) + rw_files_pattern($1, prelude_spool_t, prelude_spool_t) +') + @@ -21305,8 +21381,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-23 08:14:23.000000000 -0400 -@@ -0,0 +1,244 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-24 06:34:17.000000000 -0400 +@@ -0,0 +1,248 @@ + +policy_module(prelude, 1.0.0) + @@ -21526,6 +21602,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +miscfiles_read_localization(prelude_lml_t) + +optional_policy(` ++ gamin_exec(prelude_lml_t) ++') ++ ++optional_policy(` + apache_read_log(prelude_lml_t) +') + 
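Review bot: `gamin_exec(prelude_lml_t)` in the `@@ -21526,6 +21602,10 @@` hunk runs gam_server inside prelude_lml_t, because the gamin_exec interface added in this commit uses can_exec rather than a domain transition; gamin has its own gamin_t domain, so the process loses that confinement when prelude-lml starts it. If staying in prelude_lml_t is deliberate, say so in a comment, e.g. `# gam_server runs in prelude_lml_t; no domtrans into gamin_t`; otherwise a domtrans-style interface would keep it confined. The `list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)` line in the `@@ -21204,6 +21279,7 @@` hunk is added to an interface whose name and summary lie outside the hunk, so check that its summary still describes the access it now grants.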
@@ -29053,6 +29133,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr kernel_read_kernel_sysctls(zebra_t) kernel_rw_net_sysctls(zebra_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.3.1/policy/modules/system/application.te +--- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/application.te 2008-06-24 05:55:28.000000000 -0400 +@@ -7,6 +7,8 @@ + # Executables to be run by user + attribute application_exec_type; + ++userdom_append_unpriv_users_home_content_files(application_domain_type) ++ + optional_policy(` + ssh_sigchld(application_domain_type) + ssh_rw_stream_sockets(application_domain_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-06-12 23:38:02.000000000 -0400 @@ -34060,7 +34152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-14 07:17:14.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-24 06:25:05.000000000 -0400 @@ -29,9 +29,14 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index f05bbbe..3081e79 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
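Review bot: `userdom_append_unpriv_users_home_content_files(application_domain_type)` in the new application.te hunk grants every application domain append access to all unprivileged users' home content, and neither the hunk nor the commit message says which program needed it. Since the attribute covers every domain declared with application_domain (gamin_t among them in this commit), this is a policy-wide widening rather than a fix for one program; add a comment naming the requester, e.g. `# <APPLICATION> appends to files under users' home dirs -- TODO narrow to that domain`, and consider granting the access to that domain alone. The `optional_policy(` block that follows the insertion continues past the end of the hunk.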
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -385,7 +385,11 @@ exit 0 %endif %changelog -* Mon Jun 23 2008 Dan Walsh 3.3.1-69 +* Mon Jun 23 2008 Dan Walsh 3.3.1-71 +- Allow system_mail_t to exec other mail clients +- Label mogrel_rails as an apache server + +* Mon Jun 23 2008 Dan Walsh 3.3.1-70 - Apply unconfined_execmem_exec_t to haskell programs * Sun Jun 22 2008 Dan Walsh 3.3.1-69