From ad73a213ba1fa3a0d4b48d092510a29cbf8d3caf Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 05 2007 20:47:14 +0000 Subject: - Allow system_mail_t to domtrans to exim_t --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 9547e64..2a9fb0a 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -110,7 +110,14 @@ automount = base # avahi = base -# Layer: services +# Layer: modules +# Module: awstats +# +# awstats executable +# +awstats = module + + # Layer: services # Module: bind # # Berkeley internet name domain DNS server. @@ -1529,3 +1536,9 @@ kismet = module # munin = module +# Layer: services +# Module: bitlbee +# +# An IRC to other chat networks gateway +# +bitlbee = module diff --git a/policy-20070703.patch b/policy-20070703.patch index e6fd65d..eed5ac4 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1050,7 +1050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.t # Init script handling diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-11-02 13:11:15.000000000 -0400 @@ -8,9 +8,11 @@ type consoletype_t; @@ -1066,7 +1066,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## -@@ -48,7 +50,7 @@ +@@ -43,12 +45,12 @@ + mls_file_write_all_levels(consoletype_t) + + term_use_console(consoletype_t) +-term_use_unallocated_ttys(consoletype_t) ++term_use_all_terms(consoletype_t) + init_use_fds(consoletype_t) init_use_script_ptys(consoletype_t) init_use_script_fds(consoletype_t) 
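Review bot: The new awstats entry is headed `# Layer: modules`, but refpolicy's layers are its module directories (admin, apps, kernel, services, system) and this commit adds the module as policy/modules/apps/awstats.te, so the header should read `# Layer: apps` to match the `# Layer: services` form used by the neighbouring entries. The one-line description `# awstats executable` also says less than the surrounding entries do; something like `# AWStats log analyzer (web, ftp, mail statistics)` would fit the file's style and tell a reader what the domain confines.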
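Review bot: Replacing `term_use_unallocated_ttys(consoletype_t)` with `term_use_all_terms(consoletype_t)` widens consoletype_t from unallocated ttys to every tty and pty type, and the nested hunk gives no reason for it. A comment on the new line naming the case that needed it, e.g. `# consoletype is invoked from init scripts and user sessions alike and must use whatever terminal it inherits` (adjust to the denial that prompted the change), would keep a later cleanup from narrowing it again. If term_use_all_terms already covers the console device in this tree, the `term_use_console(consoletype_t)` line kept just above becomes redundant and could be dropped.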
@@ -2315,6 +2321,142 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.if s + role $2 types ada_t; + allow ada_t $3:chr_file rw_term_perms; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.fc serefpolicy-3.0.8/policy/modules/apps/awstats.fc +--- nsaserefpolicy/policy/modules/apps/awstats.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/awstats.fc 2007-11-05 15:32:38.000000000 -0500 +@@ -0,0 +1,5 @@ ++/usr/share/awstats/tools/.+\.pl -- gen_context(system_u:object_r:awstats_exec_t,s0) ++/usr/share/awstats/wwwroot(/.*)? gen_context(system_u:object_r:httpd_awstats_content_t,s0) ++/usr/share/awstats/wwwroot/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_awstats_script_exec_t,s0) ++ ++/var/lib/awstats(/.*)? gen_context(system_u:object_r:awstats_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.if serefpolicy-3.0.8/policy/modules/apps/awstats.if +--- nsaserefpolicy/policy/modules/apps/awstats.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/awstats.if 2007-11-05 15:32:38.000000000 -0500 +@@ -0,0 +1,42 @@ ++## ++## AWStats is a free powerful and featureful tool that generates advanced ++## web, streaming, ftp or mail server statistics, graphically. ++## ++ ++######################################## ++## ++## Read and write awstats unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`awstats_rw_pipes',` ++ gen_require(` ++ type awstats_t; ++ ') ++ ++ allow $1 awstats_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Execute awstats cgi scripts in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`awstats_cgi_exec',` ++ gen_require(` ++ type httpd_awstats_script_exec_t; ++ ') ++ ++ allow $1 httpd_awstats_content_t:dir search_dir_perms; ++ allow $1 httpd_awstats_script_exec_t:dir search_dir_perms; ++ can_exec($1,httpd_awstats_script_exec_t) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.0.8/policy/modules/apps/awstats.te +--- nsaserefpolicy/policy/modules/apps/awstats.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/awstats.te 2007-11-05 15:32:38.000000000 -0500 +@@ -0,0 +1,77 @@ ++ ++policy_module(awstats,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type awstats_t; ++type awstats_exec_t; ++domain_type(awstats_t) ++domain_entry_file(awstats_t, awstats_exec_t) ++role system_r types awstats_t; ++ ++type awstats_tmp_t; ++files_tmp_file(awstats_tmp_t) ++ ++type awstats_var_lib_t; ++files_type(awstats_var_lib_t) ++ ++apache_content_template(awstats) ++ ++######################################## ++# ++# awstats policy ++# ++ ++awstats_rw_pipes(awstats_t) ++awstats_cgi_exec(awstats_t) ++ ++manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) ++manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t) ++files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file }) ++ ++manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) ++files_var_lib_filetrans(awstats_t, awstats_var_lib_t, file) ++ ++# dontaudit access to /proc/meminfo ++kernel_dontaudit_read_system_state(awstats_t) ++ ++corecmd_exec_bin(awstats_t) ++corecmd_exec_shell(awstats_t) ++ ++dev_read_urand(awstats_t) ++ ++files_read_etc_files(awstats_t) ++# e.g. 
/usr/share/awstats/lang/awstats-en.txt ++files_read_usr_files(awstats_t) ++ ++libs_read_lib_files(awstats_t) ++libs_use_ld_so(awstats_t) ++libs_use_shared_libs(awstats_t) ++ ++miscfiles_read_localization(awstats_t) ++ ++sysnet_dns_name_resolve(awstats_t) ++ ++apache_read_log(awstats_t) ++ ++optional_policy(` ++ cron_system_entry(awstats_t, awstats_exec_t) ++') ++ ++optional_policy(` ++ # dontaudit searching nscd pid directory ++ nscd_dontaudit_search_pid(awstats_t) ++') ++ ++######################################## ++# ++# awstats cgi script policy ++# ++ ++allow httpd_awstats_script_t awstats_var_lib_t:dir read; ++ ++read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t) ++files_search_var_lib(httpd_awstats_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.0.8/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2007-10-22 13:21:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/gnome.fc 2007-10-29 23:59:29.000000000 -0400 @@ -3576,7 +3718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-11-05 11:44:18.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; 
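Review bot: `awstats_cgi_exec` in the new awstats.if uses `httpd_awstats_content_t` on its first allow line but its `gen_require` block only lists `httpd_awstats_script_exec_t`; the require should read `type httpd_awstats_content_t, httpd_awstats_script_exec_t;` so the interface declares every type it depends on when called from another module. In awstats.te, `allow httpd_awstats_script_t awstats_var_lib_t:dir read;` uses a bare permission where the rest of the file uses permission sets; `list_dir_perms` is the conventional form and makes the intent (listing the statistics directory) explicit. This hunk spans three physical lines on this page, covering the added .fc, .if and .te files.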
@@ -3589,7 +3731,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene # server_packet_t is the default type of IPv4 and IPv6 server packets. # type server_packet_t, packet_type, server_packet_type; -@@ -93,10 +98,11 @@ +@@ -67,6 +72,7 @@ + network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) + network_port(amavisd_recv, tcp,10024,s0) + network_port(amavisd_send, tcp,10025,s0) ++network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) + network_port(apcupsd, tcp,3551,s0, udp,3551,s0) + network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0) + network_port(auth, tcp,113,s0) +@@ -93,10 +99,11 @@ network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) @@ -3603,7 +3753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ircd, tcp,6667,s0) -@@ -108,12 +114,13 @@ +@@ -108,12 +115,15 @@ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) 
@@ -3612,14 +3762,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) ++network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) -network_port(mysqld, tcp,3306,s0) ++network_port(msnp, tcp,1863,s0, udp,1863,s0) +network_port(mysqld, tcp,3306,s0, tcp,1186,s0) +portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -@@ -146,7 +153,7 @@ +@@ -146,7 +156,7 @@ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) @@ -3628,7 +3780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -@@ -160,13 +167,19 @@ +@@ -160,13 +170,19 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) 
@@ -3678,7 +3830,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-10-31 09:46:00.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-11-01 14:02:44.000000000 -0400 +@@ -65,7 +65,7 @@ + + relabelfrom_dirs_pattern($1,device_t,device_node) + relabelfrom_files_pattern($1,device_t,device_node) +- relabelfrom_lnk_files_pattern($1,device_t,device_node) ++ relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node }) + relabelfrom_fifo_files_pattern($1,device_t,device_node) + relabelfrom_sock_files_pattern($1,device_t,device_node) + relabel_blk_files_pattern($1,device_t,{ device_t device_node }) @@ -1306,6 +1306,44 @@ ######################################## @@ -4383,7 +4544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-11-02 11:06:28.000000000 -0400 @@ -271,45 +271,6 @@ ######################################## 
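Review bot: The widened `relabelfrom_lnk_files_pattern($1,device_t,{ device_t device_node })` now matches the `relabel_blk_files_pattern` line below it, but the dir, file, fifo and sock patterns in between still pass only `device_node`, so the interface relabels from device_t for two object classes and not the others without saying why. If symlinks under /dev carry the device_t label of the directory itself (which is what this change suggests), a comment on the changed line such as `# symlinks created under /dev are labelled device_t; allow relabelling them away` would make the asymmetry deliberate rather than accidental. The enclosing interface begins before this nested hunk, so its name is not visible here.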
@@ -4481,7 +4642,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy interface(`fs_dontaudit_read_ramfs_files',` gen_require(` type ramfs_t; -@@ -3533,3 +3513,42 @@ +@@ -3322,6 +3302,24 @@ + + ######################################## + ## ++## Dontaudit Search all directories with a filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_search_all',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List all directories with a filesystem type. + ## + ## +@@ -3533,3 +3531,42 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -7620,7 +7806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-11-05 15:39:00.000000000 -0500 @@ -0,0 +1,157 @@ +## Exim service + @@ -7640,7 +7826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + type exim_exec_t; + ') + -+ corecmd_search_sbin($1) ++ corecmd_search_bin($1) + domtrans_pattern($1, exim_exec_t, exim_t) +') + 
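Review bot: `exim_domtrans` now calls `corecmd_search_bin($1)` instead of `corecmd_search_sbin($1)`, yet exim is normally installed under /usr/sbin, so this is only sufficient if sbin_t is an alias of bin_t in this tree (refpolicy did make it one, but nothing on this page shows that this version has it). It is worth confirming because this is the interface the headline `exim_domtrans(system_mail_t)` change relies on, and a missing search permission on the sbin directory would block the system_mail_t to exim_t transition at runtime rather than fail at build time. The interface's opening lines lie outside this nested hunk.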
@@ -8806,7 +8992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-31 07:35:09.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-11-02 09:53:17.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -8871,6 +9057,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. cron_dontaudit_write_pipes(system_mail_t) ') +@@ -81,6 +96,10 @@ + ') + + optional_policy(` ++ exim_domtrans(system_mail_t) ++') ++ ++optional_policy(` + logrotate_read_tmp_files(system_mail_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if --- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-29 23:59:29.000000000 -0400 @@ -11022,7 +11219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-11-01 13:41:52.000000000 -0400 @@ -137,6 +137,11 @@ type winbind_var_run_t; files_pid_file(winbind_var_run_t) 
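Review bot: The new `exim_domtrans(system_mail_t)` block does not say which executable triggers it, and the transition only happens if the file system_mail_t actually executes (normally the /usr/sbin/sendmail compatibility path, which on an exim system resolves to the exim binary) is labelled exim_exec_t, which nothing on this page shows. A comment above the block, `# /usr/sbin/sendmail may resolve to exim; run it in exim_t rather than system_mail_t`, plus a check that exim.fc labels that resolved binary, would make the headline change self-explaining. Placing it inside optional_policy is right since exim is its own module. The surrounding system_mail_t policy starts and ends outside this nested hunk.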
@@ -11823,7 +12020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-10-31 09:26:27.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-01 13:43:05.000000000 -0400 @@ -81,7 +81,7 @@ # var/lib files for spamd @@ -11833,6 +12030,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -150,10 +150,12 @@ + userdom_dontaudit_search_sysadm_home_dirs(spamd_t) + + tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(spamd_t) + fs_manage_nfs_files(spamd_t) + ') + + tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(spamd_t) + fs_manage_cifs_files(spamd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-10-29 23:59:29.000000000 -0400 
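Review bot: `fs_manage_nfs_dirs(spamd_t)` and `fs_manage_cifs_dirs(spamd_t)` grant create, delete and rename on directories of the whole nfs_t and cifs_t filesystem types, because those interfaces act on the filesystem type rather than on home directories, so the scope is wider than the `use_nfs_home_dirs` / `use_samba_home_dirs` tunable names suggest. The existing `fs_manage_nfs_files` / `fs_manage_cifs_files` lines already carry the same caveat, so the change is consistent, but a comment on each tunable block naming the concrete need (presumably spamd creating per-user state directories under remote home directories; confirm against the denial) would record why directory management on remote filesystems is required. The spamd_t policy continues outside this nested hunk.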
@@ -12095,6 +12305,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') + + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tcpd.if serefpolicy-3.0.8/policy/modules/services/tcpd.if +--- nsaserefpolicy/policy/modules/services/tcpd.if 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/tcpd.if 2007-11-05 15:37:04.000000000 -0500 +@@ -15,5 +15,31 @@ + type tcpd_t, tcpd_exec_t; + ') + +- domtrans_pattern($1,tcpd_exec_t,tcpd_t) ++ domtrans_pattern($1, tcpd_exec_t, tcpd_t) ++') ++ ++######################################## ++## ++## Create a domain for services that ++## utilize tcp wrappers. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## ++## ++# ++interface(`tcpd_wrapped_domain',` ++ gen_require(` ++ type tcpd_t; ++ role system_r; ++ ') ++ ++ domtrans_pattern(tcpd_t, $2, $1) ++ role system_r types $1; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.0.8/policy/modules/services/telnet.te --- nsaserefpolicy/policy/modules/services/telnet.te 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/telnet.te 2007-10-29 23:59:29.000000000 -0400 @@ -16201,7 +16447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.8/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.te 2007-11-01 11:58:24.000000000 -0400 @@ -45,7 +45,7 @@ dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat 
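Review bot: `tcpd_wrapped_domain` sets up `domtrans_pattern(tcpd_t, $2, $1)` and `role system_r types $1;`, but nothing in it declares `$1` as a domain or `$2` as its entry point, so a caller that has not already done `domain_type($1)` and `domain_entry_file($1, $2)` gets a transition that is denied at exec time. The parameter descriptions should state that precondition, e.g. `## Type to be used as a domain; must already be declared with domain_type().` and `## Entry point type; must already be an entry point of $1 via domain_entry_file().`, or the interface should call those two helpers itself if that matches how its first callers declare their domains. The `tcpd_domtrans` interface whose spacing is adjusted at the top begins before this nested hunk.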
@@ -16238,7 +16484,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # for the dhcp client to run ping to check IP addresses optional_policy(` netutils_domtrans_ping(dhcpc_t) -@@ -203,9 +209,7 @@ +@@ -187,6 +193,10 @@ + ') + + optional_policy(` ++ networkmanager_domtrans(dhcpc_t) ++') ++ ++optional_policy(` + nis_use_ypbind(dhcpc_t) + nis_signal_ypbind(dhcpc_t) + nis_read_ypbind_pid(dhcpc_t) +@@ -203,9 +213,7 @@ ') optional_policy(` @@ -16249,7 +16506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -216,6 +220,7 @@ +@@ -216,6 +224,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -16257,7 +16514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -227,6 +232,10 @@ +@@ -227,6 +236,10 @@ ') optional_policy(` @@ -16268,7 +16525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -240,7 +249,6 @@ +@@ -240,7 +253,6 @@ allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -16276,7 +16533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -254,6 +262,7 @@ +@@ -254,6 +266,7 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; 
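Review bot: `networkmanager_domtrans(dhcpc_t)` lets the DHCP client execute NetworkManager in its own domain, which is the reverse of the usual direction (NetworkManager spawning dhclient) and is added without a comment. If this serves a dhclient hook script that calls back into NetworkManager, say so above the block, e.g. `# dhclient hook scripts invoke NetworkManager`, so the transition is not later removed as an apparent mistake; if the hook only needs to signal or talk to it over dbus, a narrower interface than a full domain transition would be preferable. The dhcpc_t optional_policy run continues outside this nested hunk.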
@@ -16284,7 +16541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; -@@ -270,6 +279,8 @@ +@@ -270,6 +283,8 @@ kernel_read_network_state(ifconfig_t) kernel_search_network_sysctl(ifconfig_t) kernel_rw_net_sysctls(ifconfig_t) @@ -16293,7 +16550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet corenet_rw_tun_tap_dev(ifconfig_t) -@@ -280,8 +291,11 @@ +@@ -280,8 +295,11 @@ fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) @@ -16305,7 +16562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet domain_use_interactive_fds(ifconfig_t) -@@ -327,6 +341,14 @@ +@@ -327,6 +345,14 @@ ') optional_policy(` @@ -16322,7 +16579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-30 19:53:35.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-11-01 14:06:19.000000000 -0400 @@ -132,6 +132,7 @@ init_read_utmp(udev_t) 
@@ -16376,7 +16633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-11-01 13:52:56.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -16677,7 +16934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-11-01 13:54:05.000000000 -0400 @@ -5,36 +5,52 @@ # # Declarations @@ -16895,7 +17152,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -225,8 +242,21 @@ +@@ -219,14 +236,28 @@ + + allow unconfined_execmem_t self:process { execstack execmem }; + unconfined_domain_noaudit(unconfined_execmem_t) ++allow unconfined_execmem_t unconfined_t:process transition; + + optional_policy(` + dbus_stub(unconfined_execmem_t) init_dbus_chat_script(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t) 
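Review bot: `allow unconfined_execmem_t unconfined_t:process transition;` permits the transition but the visible lines add no type_transition or entry point for it, so either an automatic transition is set up elsewhere or this only enables explicit setexec transitions; a comment saying which, e.g. `# let execmem programs run ordinary binaries back in unconfined_t`, would make the intent clear. Given `unconfined_domain_noaudit(unconfined_execmem_t)` on the line above, the added right is low risk, but bare undocumented allow rules in unconfined.te tend to accumulate. The unconfined_execmem_t block starts before this nested hunk and continues after it.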
@@ -16928,7 +17192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-02 11:09:48.000000000 -0400 @@ -29,8 +29,9 @@ ') @@ -17524,7 +17788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +887,167 @@ +@@ -954,21 +887,166 @@ ## ## # @@ -17613,8 +17877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + fs_get_all_fs_quotas($1_usertype) + fs_getattr_all_fs($1_usertype) -+ fs_getattr_all_dirs($1_usertype) -+ fs_search_auto_mountpoints($1_usertype) ++ fs_search_all($1_usertype) + fs_list_inotifyfs($1_usertype) + + fs_rw_anon_inodefs_files($1_usertype) @@ -17698,7 +17961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1056,51 @@ +@@ -977,23 +1055,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -17761,7 +18024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1136,11 @@ +@@ -1029,15 +1135,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) 
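Review bot: Replacing `fs_getattr_all_dirs($1_usertype)` and `fs_search_auto_mountpoints($1_usertype)` with `fs_search_all($1_usertype)` is a strict widening: every user domain type gains search on directories of every filesystem_type, where before it had getattr everywhere and search only on automount points (search_dir_perms includes getattr, so nothing is lost, but a good deal is gained). A comment on the new line naming why user domains need to search arbitrary filesystem types would justify the broader grant, and it is worth confirming that `fs_search_all` exists in filesystem.if, since this commit adds `fs_dontaudit_search_all` there rather than the allow variant (the adjacent `fs_list_all` context suggests it does). The template this sits in starts and ends outside this nested hunk.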
@@ -17779,7 +18042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1054,17 +1157,6 @@ +@@ -1054,17 +1156,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -17797,7 +18060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1194,8 @@ +@@ -1102,6 +1193,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -17806,7 +18069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1221,7 @@ +@@ -1127,7 +1220,7 @@ # $1_t local policy # @@ -17815,7 +18078,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1233,11 @@ +@@ -1139,7 +1232,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -17828,7 +18091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1277,6 +1375,7 @@ +@@ -1277,6 +1374,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -17836,7 +18099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1642,9 +1741,13 @@ +@@ -1642,9 +1740,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -17850,7 +18113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1997,46 @@ +@@ -1894,10 +1996,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; 
@@ -17898,7 +18161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3217,7 @@ +@@ -3078,7 +3216,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -17907,7 +18170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4609,11 +4748,29 @@ +@@ -4609,11 +4747,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -17938,7 +18201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4790,14 @@ +@@ -4633,6 +4789,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -17953,7 +18216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5488,7 @@ +@@ -5323,7 +5487,7 @@ attribute user_tmpfile; ') @@ -17962,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5529,6 +5694,24 @@ +@@ -5529,6 +5693,24 @@ ######################################## ## @@ -17987,7 +18250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5742,386 @@ +@@ -5559,3 +5741,386 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 17adab4..1b6912d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 44%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -290,7 +290,7 @@ semodule -s targeted -r moilscanner 2>/dev/null %loadpolicy targeted if [ $1 = 1 ]; then -semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u +semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u semanage login -m -s "unconfined_u" __default__ 2> /dev/null semanage login -m -s "system_u" root 2> /dev/null semanage user -a -P guest -R guest_r guest_u @@ -302,6 +302,10 @@ fi exit 0 +%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-44-1 +semanage user -m -r s0-s0:c0.c1023 unconfined_u 2> /dev/null +exit 0 + %triggerpostun targeted -- selinux-policy-targeted < 3.0.8-14-1 setsebool -P use_nfs_home_dirs=1 semanage login -m -s "system_u" __default__ 2> /dev/null @@ -375,6 +379,9 @@ exit 0 %endif %changelog +* Thu Nov 2 2007 Dan Walsh 3.0.8-45 +- Allow system_mail_t to domtrans to exim_t + * Thu Nov 1 2007 Dan Walsh 3.0.8-44 - Add policy.xml to devel - Dontaudit tmpreaper getattr on lost_found dir