From da6cdbd90edf829c414dea269646e0d8816990a6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 12 2008 14:46:47 +0000 Subject: - Add rpcbind to mls policy - Fix up policy so permissive domains will work --- diff --git a/modules-mls.conf b/modules-mls.conf index 61621b0..4496db9 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1101,3 +1101,11 @@ auditadm = module # IMAP and POP3 email servers # courier = module + +# Layer: services +# Module: rpcbind +# +# universal addresses to RPC program number mapper +# +rpcbind = module + diff --git a/policy-20071130.patch b/policy-20071130.patch index 9cc1bde..b0ffc66 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -943,8 +943,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 ser .EE diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.3.1/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/flask/access_vectors 2008-09-08 11:45:12.000000000 -0400 -@@ -407,141 +407,159 @@ ++++ serefpolicy-3.3.1/policy/flask/access_vectors 2008-09-12 10:30:37.000000000 -0400 +@@ -125,6 +125,7 @@ + reparent + search + rmdir ++ open + } + + class file +@@ -133,6 +134,7 @@ + execute_no_trans + entrypoint + execmod ++ open + } + + class lnk_file +@@ -144,16 +146,23 @@ + execute_no_trans + entrypoint + execmod ++ open + } + + class blk_file + inherits file ++{ ++ open ++} + + class sock_file + inherits file + + class fifo_file + inherits file ++{ ++ open ++} + + class fd + { +@@ -407,141 +416,160 @@ # # SE-X Windows stuff # @@ -1058,6 +1098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors read - store + write ++ append getattr setattr } 
@@ -1158,12 +1199,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors +} + +class x_event -+{ -+ send -+ receive -+} -+ -+class x_synthetic_event { - pageexec # Paging based non-executable pages - emutramp # Emulate trampolines @@ -1173,12 +1208,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors - segmexec # Segmentation based non-executable pages + send + receive ++} ++ ++class x_synthetic_event ++{ ++ send ++ receive } # +@@ -747,3 +775,10 @@ + { + recv + } ++ ++class x_application_data ++{ ++ paste ++ paste_after_confirm ++ copy ++} diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-3.3.1/policy/flask/security_classes --- nsaserefpolicy/policy/flask/security_classes 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/flask/security_classes 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/flask/security_classes 2008-09-12 10:30:52.000000000 -0400 @@ -50,21 +50,19 @@ # passwd/chfn/chsh class passwd # userspace @@ -1214,7 +1266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classe # extended netlink sockets class netlink_route_socket -@@ -112,4 +110,9 @@ +@@ -112,4 +110,10 @@ # Capabilities >= 32 class capability2 @@ -1222,6 +1274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classe +class x_resource # userspace +class x_event # userspace +class x_synthetic_event # userspace ++class x_application_data # userspace + # FLASK diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.3.1/policy/global_tunables 
@@ -9108,19 +9161,246 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-09-08 11:45:12.000000000 -0400 -@@ -851,9 +851,8 @@ ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-09-12 10:26:53.000000000 -0400 +@@ -330,6 +330,11 @@ + + allow $1 self:capability sys_module; + typeattribute $1 can_load_kernmodule; ++ ++ # load_module() calls stop_machine() which ++ # calls sched_setscheduler() ++ allow $1 self:capability sys_nice; ++ kernel_setsched($1) + ') + + ######################################## +@@ -584,7 +589,7 @@ + type debugfs_t; + ') + +- search_dirs_pattern($1,debugfs_t,debugfs_t) ++ search_dirs_pattern($1, debugfs_t, debugfs_t) + ') + + ######################################## +@@ -602,9 +607,9 @@ + type debugfs_t; + ') + +- read_files_pattern($1,debugfs_t,debugfs_t) +- read_lnk_files_pattern($1,debugfs_t,debugfs_t) +- list_dirs_pattern($1,debugfs_t,debugfs_t) ++ read_files_pattern($1, debugfs_t, debugfs_t) ++ read_lnk_files_pattern($1, debugfs_t, debugfs_t) ++ list_dirs_pattern($1, debugfs_t, debugfs_t) + ') + + ######################################## +@@ -676,7 +681,7 @@ + type proc_t; + ') + +- search_dirs_pattern($1,proc_t,proc_t) ++ search_dirs_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -694,7 +699,7 @@ + type proc_t; + ') + +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -731,7 +736,7 @@ + type proc_t; + ') + +- getattr_files_pattern($1,proc_t,proc_t) ++ getattr_files_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -749,7 +754,7 @@ + type proc_t; + ') + +- 
read_lnk_files_pattern($1,proc_t,proc_t) ++ read_lnk_files_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -768,10 +773,10 @@ + type proc_t; + ') + +- read_files_pattern($1,proc_t,proc_t) +- read_lnk_files_pattern($1,proc_t,proc_t) ++ read_files_pattern($1, proc_t, proc_t) ++ read_lnk_files_pattern($1, proc_t, proc_t) + +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -794,7 +799,7 @@ + type proc_t; + ') + +- write_files_pattern($1,proc_t,proc_t) ++ write_files_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -851,9 +856,8 @@ type proc_t, proc_afs_t; ') - read_files_pattern($1,proc_t,proc_afs_t) - - list_dirs_pattern($1,proc_t,proc_t) -+ rw_files_pattern($1,proc_afs_t,proc_afs_t) +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) ++ rw_files_pattern($1, proc_afs_t, proc_afs_t) + ') + + ####################################### +@@ -872,9 +876,9 @@ + type proc_t, proc_mdstat_t; + ') + +- read_files_pattern($1,proc_t,proc_mdstat_t) ++ read_files_pattern($1, proc_t, proc_mdstat_t) + +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) ') ####################################### -@@ -1194,6 +1193,7 @@ +@@ -892,9 +896,9 @@ + type proc_t, proc_mdstat_t; + ') + +- rw_files_pattern($1,proc_t,proc_mdstat_t) ++ rw_files_pattern($1, proc_t, proc_mdstat_t) + +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -912,9 +916,9 @@ + type proc_t, proc_kcore_t; + ') + +- getattr_files_pattern($1,proc_t,proc_kcore_t) ++ getattr_files_pattern($1, proc_t, proc_kcore_t) + +- list_dirs_pattern($1,proc_t,proc_t) ++ list_dirs_pattern($1, proc_t, proc_t) + ') + + ######################################## +@@ -953,7 +957,7 @@ + type proc_kmsg_t, proc_t; + ') + +- read_files_pattern($1,proc_t,proc_kmsg_t) ++ 
read_files_pattern($1, proc_t, proc_kmsg_t) + + typeattribute $1 can_receive_kernel_messages; + ') +@@ -974,7 +978,7 @@ + type proc_kmsg_t, proc_t; + ') + +- getattr_files_pattern($1,proc_t,proc_kmsg_t) ++ getattr_files_pattern($1, proc_t, proc_kmsg_t) + ') + + ######################################## +@@ -1032,7 +1036,7 @@ + type proc_net_t; + ') + +- search_dirs_pattern($1,proc_t,proc_net_t) ++ search_dirs_pattern($1, proc_t, proc_net_t) + ') + + ######################################## +@@ -1051,10 +1055,10 @@ + type proc_t, proc_net_t; + ') + +- read_files_pattern($1,{ proc_t proc_net_t },proc_net_t) +- read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t) ++ read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) ++ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) + +- list_dirs_pattern($1,proc_t,proc_net_t) ++ list_dirs_pattern($1, proc_t, proc_net_t) + ') + + ######################################## +@@ -1072,9 +1076,9 @@ + type proc_t, proc_net_t; + ') + +- read_lnk_files_pattern($1,{ proc_t proc_net_t },proc_net_t) ++ read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) + +- list_dirs_pattern($1,proc_t,proc_net_t) ++ list_dirs_pattern($1, proc_t, proc_net_t) + ') + + ######################################## +@@ -1093,7 +1097,7 @@ + type proc_t, proc_xen_t; + ') + +- search_dirs_pattern($1,proc_t,proc_xen_t) ++ search_dirs_pattern($1, proc_t, proc_xen_t) + ') + + ######################################## +@@ -1132,10 +1136,10 @@ + type proc_t, proc_xen_t; + ') + +- read_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t) +- read_lnk_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t) ++ read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) ++ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + +- list_dirs_pattern($1,proc_t,proc_xen_t) ++ list_dirs_pattern($1, proc_t, proc_xen_t) + ') + + ######################################## +@@ -1154,9 +1158,9 @@ + type proc_t, proc_xen_t; + ') + +- read_lnk_files_pattern($1,{ 
proc_t proc_xen_t },proc_xen_t) ++ read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + +- list_dirs_pattern($1,proc_t,proc_xen_t) ++ list_dirs_pattern($1, proc_t, proc_xen_t) + ') + + ######################################## +@@ -1175,7 +1179,7 @@ + type proc_t, proc_xen_t; + ') + +- write_files_pattern($1,{ proc_t proc_xen_t },proc_xen_t) ++ write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) + ') + + ######################################## +@@ -1194,6 +1198,7 @@ ') dontaudit $1 proc_type:dir list_dir_perms; 
@@ -9128,7 +9408,273 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -1764,6 +1764,7 @@ +@@ -1232,7 +1237,7 @@ + type sysctl_t; + ') + +- list_dirs_pattern($1,proc_t,sysctl_t) ++ list_dirs_pattern($1, proc_t, sysctl_t) + ') + + ######################################## +@@ -1251,9 +1256,9 @@ + type proc_t, sysctl_t, sysctl_dev_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) + ') + + ######################################## +@@ -1272,9 +1277,9 @@ + type proc_t, sysctl_t, sysctl_dev_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_dev_t },sysctl_dev_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_dev_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) + ') + + ######################################## +@@ -1292,7 +1297,7 @@ + type proc_t, sysctl_t, sysctl_vm_t; + ') + +- search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t) ++ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) + ') + + ######################################## +@@ -1311,9 +1316,9 @@ + type proc_t, sysctl_t, sysctl_vm_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) + ') + + ######################################## +@@ -1332,8 +1337,8 @@ + type proc_t, sysctl_t, sysctl_vm_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_vm_t },sysctl_vm_t) +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_vm_t) ++ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t) 
++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t) + + # hal needs this + allow $1 sysctl_vm_t:dir write; +@@ -1354,7 +1359,7 @@ + type proc_t, sysctl_t, sysctl_net_t; + ') + +- search_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + + ######################################## +@@ -1391,9 +1396,9 @@ + type proc_t, sysctl_t, sysctl_net_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + + ######################################## +@@ -1412,9 +1417,9 @@ + type proc_t, sysctl_t, sysctl_net_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + + ######################################## +@@ -1434,9 +1439,9 @@ + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + + ######################################## +@@ -1456,9 +1461,9 @@ + type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_net_t },sysctl_net_unix_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_net_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) + ') + + ######################################## +@@ -1477,9 +1482,9 @@ + type proc_t, sysctl_t, 
sysctl_kernel_t, sysctl_hotplug_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + ') + + ######################################## +@@ -1498,9 +1503,9 @@ + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_hotplug_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_hotplug_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_hotplug_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + ') + + ######################################## +@@ -1519,9 +1524,9 @@ + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + ') + + ######################################## +@@ -1540,9 +1545,9 @@ + type proc_t, sysctl_t, sysctl_kernel_t, sysctl_modprobe_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_modprobe_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_modprobe_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + ') + + ######################################## +@@ -1578,9 +1583,9 @@ + type proc_t, sysctl_t, sysctl_kernel_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, 
sysctl_kernel_t) + ') + + ######################################## +@@ -1617,9 +1622,9 @@ + type proc_t, sysctl_t, sysctl_kernel_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_kernel_t },sysctl_kernel_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_kernel_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) + ') + + ######################################## +@@ -1638,9 +1643,9 @@ + type proc_t, sysctl_t, sysctl_fs_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t) ++ read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) + ') + + ######################################## +@@ -1659,9 +1664,9 @@ + type proc_t, sysctl_t, sysctl_fs_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_t sysctl_fs_t },sysctl_fs_t) ++ rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t) + +- list_dirs_pattern($1,{ proc_t sysctl_t },sysctl_fs_t) ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) + ') + + ######################################## +@@ -1680,9 +1685,9 @@ + type proc_t, sysctl_irq_t; + ') + +- read_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t) ++ read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) + +- list_dirs_pattern($1,proc_t,sysctl_irq_t) ++ list_dirs_pattern($1, proc_t, sysctl_irq_t) + ') + + ######################################## +@@ -1701,9 +1706,9 @@ + type proc_t, sysctl_irq_t; + ') + +- rw_files_pattern($1,{ proc_t sysctl_irq_t },sysctl_irq_t) ++ rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t) + +- list_dirs_pattern($1,proc_t,sysctl_irq_t) ++ list_dirs_pattern($1, proc_t, sysctl_irq_t) + ') + + ######################################## +@@ -1722,9 +1727,9 @@ + type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- read_files_pattern($1,{ proc_t proc_net_t 
sysctl_rpc_t },sysctl_rpc_t) ++ read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + +- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t) ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## +@@ -1743,9 +1748,9 @@ + type proc_t, proc_net_t, sysctl_rpc_t; + ') + +- rw_files_pattern($1,{ proc_t proc_net_t sysctl_rpc_t },sysctl_rpc_t) ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t) + +- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_rpc_t) ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t) + ') + + ######################################## +@@ -1764,6 +1769,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms; 
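Review bot: The rewritten `rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)` line in the `@@ -1332,8 +1337,8 @@` part of this hunk puts the space before the comma instead of after it, so it is the one call in this spacing cleanup that still does not match the `$1, { ... }` form used by every other rewritten line; it should read `rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)`. m4 tolerates the stray whitespace, so this is style only, but it defeats the purpose of a patch whose sole change to these lines is argument spacing. The header of the enclosing interface is outside the hunk.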
@@ -9136,10 +9682,95 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ') ######################################## -@@ -2508,3 +2509,33 @@ +@@ -1784,9 +1790,9 @@ + ') + + # proc_net_t for /proc/net/rpc sysctls +- read_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type) ++ read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) + +- list_dirs_pattern($1,{ proc_t proc_net_t },sysctl_type) ++ list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type) + ') + + ######################################## +@@ -1807,7 +1813,7 @@ + ') + + # proc_net_t for /proc/net/rpc sysctls +- rw_files_pattern($1,{ proc_t proc_net_t sysctl_type },sysctl_type) ++ rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type) + + allow $1 sysctl_type:dir list_dir_perms; + # why is setattr needed? +@@ -1938,8 +1944,8 @@ + ') - typeattribute $1 kern_unconfined; + allow $1 unlabeled_t:dir list_dir_perms; +- read_files_pattern($1,unlabeled_t,unlabeled_t) +- read_lnk_files_pattern($1,unlabeled_t,unlabeled_t) ++ read_files_pattern($1, unlabeled_t, unlabeled_t) ++ read_lnk_files_pattern($1, unlabeled_t, unlabeled_t) ') + + +@@ -2493,6 +2499,109 @@ + + ######################################## + ## ++## Receive packets from an unlabeled peer. ++## ++## ++##

++## Receive packets from an unlabeled peer, these packets do not have any ++## peer labeling information present. ++##

++##

++## The corenetwork interface corenet_recvfrom_unlabeled_peer() should ++## be used instead of this one. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_recvfrom_unlabeled_peer',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:peer recv; ++') ++ ++######################################## ++## ++## Do not audit attempts to receive packets from an unlabeled peer. ++## ++## ++##

++## Do not audit attempts to receive packets from an unlabeled peer, ++## these packets do not have any peer labeling information present. ++##

++##

++## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() ++## should be used instead of this one. ++##

++##
++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_recvfrom_unlabeled_peer',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ dontaudit $1 unlabeled_t:peer recv; ++') + +######################################## +## @@ -9170,9 +9801,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + allow $1 unlabeled_t:db_blob { setattr relabelfrom }; +') + ++######################################## ++## ++## Relabel to unlabeled context . ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_relabelto_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir_file_class_set relabelto; ++') ++ ++######################################## ++## + ## Unconfined access to kernel module resources. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.3.1/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-09-12 10:29:36.000000000 -0400 @@ -45,6 +45,15 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) 
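Review bot: The new `kernel_relabelto_unlabeled` interface's summary `Relabel to unlabeled context .` has a stray space before the period, and it does not say what the rule it grants does: `allow $1 unlabeled_t:dir_file_class_set relabelto` lets the caller move any file-class object to `unlabeled_t`, the type the kernel.te hunk below assigns to the `unlabeled` initial SID, so those objects drop out of every type-specific rule. I would change the summary to `Relabel file-class objects to the unlabeled context.` and add a `<desc>` sentence stating that the target objects are then covered only by rules written for unlabeled_t, so callers treat it as a privileged interface. The `kernel_recvfrom_unlabeled_peer` and `kernel_dontaudit_recvfrom_unlabeled_peer` interfaces in the preceding hunk already point readers at the corenetwork wrappers, which is the right pattern to follow here.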
@@ -9189,7 +9843,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # DebugFS # -@@ -231,6 +240,8 @@ +@@ -54,6 +63,15 @@ + genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) + + # ++# infinibandeventfs fs ++# ++ ++type infinibandeventfs_t; ++fs_type(infinibandeventfs_t) ++allow infinibandeventfs_t self:filesystem associate; ++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) ++ ++# + # kvmFS + # + +@@ -151,6 +169,7 @@ + # + type unlabeled_t; + sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) ++fs_associate(unlabeled_t) + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -212,6 +231,9 @@ + # connections with invalidated labels: + allow kernel_t unlabeled_t:packet send; + ++# Forwarded network traffic ++allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; ++ + corenet_all_recvfrom_unlabeled(kernel_t) + corenet_all_recvfrom_netlabel(kernel_t) + # Kernel-generated traffic e.g., ICMP replies: +@@ -231,6 +253,8 @@ # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) @@ -9198,7 +9886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel selinux_load_policy(kernel_t) -@@ -253,12 +264,16 @@ +@@ -253,12 +277,16 @@ mls_process_read_up(kernel_t) mls_process_write_down(kernel_t) @@ -9215,7 +9903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -363,7 +378,7 @@ +@@ -363,7 +391,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *; 
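Review bot: The comment `# Forwarded network traffic` above the new `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` does not say that this is a blanket grant for every forwarded packet that carries no SECMARK label, which is what an `unlabeled_t` packet is; someone tightening a router policy needs that to see that packets a SECMARK rule has labeled are not covered by this line. I would extend it to `# Forwarded (routed) traffic that carries no SECMARK label; labeled forwarded packets need their own forward_in/forward_out rules.` The `infinibandeventfs_t` block follows the `debugfs_t` pattern visible just above it and needs nothing further; `fs_associate(unlabeled_t)` would benefit from a one-line reason next to it, since the hunk gives none.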
@@ -9224,7 +9912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel allow kern_unconfined kernel_t:system *; -@@ -374,3 +389,4 @@ +@@ -374,3 +402,4 @@ allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; kernel_rw_all_sysctls(kern_unconfined) @@ -16886,6 +17574,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnom + polkit_read_lib(gnomeclock_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.3.1/policy/modules/services/gpm.te +--- nsaserefpolicy/policy/modules/services/gpm.te 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/gpm.te 2008-09-12 10:36:09.000000000 -0400 +@@ -41,8 +41,8 @@ + allow gpm_t gpm_var_run_t:file manage_file_perms; + files_pid_filetrans(gpm_t,gpm_var_run_t,file) + +-allow gpm_t gpmctl_t:sock_file manage_file_perms; +-allow gpm_t gpmctl_t:fifo_file manage_file_perms; ++allow gpm_t gpmctl_t:sock_file manage_sock_file_perms; ++allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms; + dev_filetrans(gpm_t,gpmctl_t,{ sock_file fifo_file }) + + kernel_read_kernel_sysctls(gpm_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.3.1/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/hal.fc 2008-09-08 11:45:12.000000000 -0400 
@@ -18360,7 +19062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.3.1/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mailman.te 2008-09-11 13:48:31.000000000 -0400 @@ -53,10 +53,9 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -18374,7 +19076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ') ######################################## -@@ -65,8 +64,15 @@ +@@ -65,8 +64,19 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -18384,6 +19086,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + +files_search_spool(mailman_mail_t) +fs_rw_anon_inodefs_files(mailman_mail_t) ++ ++manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) ++manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) +mta_dontaudit_rw_queue(mailman_mail_t) @@ -26300,7 +27006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.3.1/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-09-08 11:45:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/snmp.te 2008-09-09 08:43:38.000000000 -0400 @@ -18,12 +18,16 @@ type snmpd_var_lib_t; files_type(snmpd_var_lib_t) 
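Review bot: The three new `manage_*_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)` rules give the mail-delivery domain full create, delete and rename rights over the archive, including symlinks via `manage_lnk_files_pattern`; if delivery only appends to archive files, the lnk_file rule can be dropped and the dir rule narrowed, which keeps a misbehaving delivery process from repointing archive entries. A one-line comment above the block naming the operation that needed the access would let the next reviewer judge the scope. I cannot see from the hunk what mailman's delivery path does with the archive, so treat the narrowing as something to confirm against the denials that prompted it rather than as a definite defect.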
@@ -26312,7 +27018,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp # # Local policy # - allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; +-allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; ++allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config sys_ptrace }; dontaudit snmpd_t self:capability { sys_module sys_tty_config }; +allow snmpd_t self:process { getsched setsched }; allow snmpd_t self:fifo_file rw_fifo_file_perms; @@ -26326,7 +27033,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp kernel_read_net_sysctls(snmpd_t) kernel_read_proc_symlinks(snmpd_t) kernel_read_system_state(snmpd_t) -@@ -81,8 +86,7 @@ +@@ -76,13 +81,14 @@ + domain_use_interactive_fds(snmpd_t) + domain_signull_all_domains(snmpd_t) + domain_read_all_domains_state(snmpd_t) ++domain_dontaudit_ptrace_all_domains(snmpd_t) ++domain_exec_all_entry_files(snmpd_t) + + files_read_etc_files(snmpd_t) files_read_usr_files(snmpd_t) files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) @@ -26336,6 +27050,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) +@@ -94,6 +100,8 @@ + init_read_utmp(snmpd_t) + init_dontaudit_write_utmp(snmpd_t) + ++auth_use_nsswitch(snmpd_t) ++ + libs_use_ld_so(snmpd_t) + libs_use_shared_libs(snmpd_t) + +@@ -120,7 +128,7 @@ + ') + + optional_policy(` +- auth_use_nsswitch(snmpd_t) ++ consoletype_exec(snmpd_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.fc serefpolicy-3.3.1/policy/modules/services/snort.fc --- nsaserefpolicy/policy/modules/services/snort.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/snort.fc 2008-09-08 11:45:13.000000000 -0400 
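Review bot: `sys_ptrace` is added to snmpd_t's capability set in the same change that adds `domain_dontaudit_ptrace_all_domains(snmpd_t)`, which reads oddly: the capability is what makes reading other users' `/proc/<pid>` entries succeed, while the dontaudit hides the `process ptrace` denials, so the effective grant is "read every process's state" and a comment should say so rather than leaving it as a bare capability bit. `domain_exec_all_entry_files(snmpd_t)` widens snmpd further, to executing every domain entrypoint in its own context; if that was needed for net-snmp's `extend`/`exec` configuration directives, a comment such as `# net-snmp extend/exec commands run in snmpd_t` above it records the reason, and if not, it should be dropped. Moving `auth_use_nsswitch(snmpd_t)` out of `optional_policy` and putting `consoletype_exec(snmpd_t)` inside one looks consistent with how the rest of the file is structured.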
@@ -34151,7 +34883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-09-08 11:45:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.fc 2008-09-12 09:58:16.000000000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) 
@@ -34161,19 +34893,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +@@ -46,3 +46,8 @@ + # /var/run + # + /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) ++ ++# ++# /var/lib ++# ++/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.3.1/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-09-08 11:45:13.000000000 -0400 -@@ -215,8 +215,6 @@ - seutil_domtrans_newrole($1) - role $2 types newrole_t; - allow newrole_t $3:chr_file rw_term_perms; -- -- auth_run_upd_passwd(newrole_t, $2, $3) - ') ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.if 2008-09-12 09:57:55.000000000 -0400 +@@ -430,6 +430,7 @@ + role system_r; + ') - ######################################## -@@ -553,6 +551,59 @@ ++ auth_run_chk_passwd(run_init_t, $2, $3) + seutil_domtrans_runinit($1) + role $2 types run_init_t; + allow run_init_t $3:chr_file rw_term_perms; +@@ -474,6 +475,7 @@ + role system_r; + ') + ++ auth_run_chk_passwd(run_init_t, $2, $3) + seutil_init_script_domtrans_runinit($1) + role $2 types run_init_t; + allow run_init_t $3:chr_file rw_term_perms; +@@ -553,6 +555,59 @@ ######################################## ## @@ -34192,7 +34940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + files_search_usr($1) + corecmd_search_bin($1) -+ domtrans_pattern($1,setfiles_exec_t,setfiles_mac_t) ++ domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t) +') + +######################################## 
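Review bot: The new file context `/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0)` references `selinux_var_lib_t`, and nothing in this hunk declares it; unless selinuxutil.te (not in view) gains `type selinux_var_lib_t; files_type(selinux_var_lib_t)`, the module will be rejected for an unknown type when the file contexts are compiled. The `auth_run_chk_passwd(run_init_t, $2, $3)` line is added to two run_init interfaces whose names lie outside the hunk; a comment such as `# run_init authenticates the caller through PAM before starting the script` above each would explain why a role-running interface pulls in the password-checking helper. The `seutil_domtrans_setfiles_mac` rewrite only changes argument spacing and is fine.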
@@ -34233,7 +34981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -587,7 +638,7 @@ +@@ -587,7 +642,7 @@ type selinux_config_t; ') @@ -34242,7 +34990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## -@@ -606,7 +657,7 @@ +@@ -606,7 +661,7 @@ type selinux_config_t; ') @@ -34251,15 +34999,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu dontaudit $1 selinux_config_t:file { getattr read }; ') -@@ -698,6 +749,7 @@ +@@ -698,6 +753,7 @@ ') files_search_etc($1) -+ manage_dirs_pattern($1,selinux_config_t,selinux_config_t) ++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1,selinux_config_t,selinux_config_t) read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) ') -@@ -807,6 +859,28 @@ +@@ -807,6 +863,28 @@ ######################################## ## @@ -34288,7 +35036,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Read and write the file_contexts files. ## ## -@@ -997,6 +1071,26 @@ +@@ -817,7 +895,7 @@ + # + interface(`seutil_rw_file_contexts',` + gen_require(` +- type selinux_config_t, file_context_t; ++ type selinux_config_t, file_context_t, default_context_t; + ') + + files_search_etc($1) +@@ -838,7 +916,7 @@ + # + interface(`seutil_manage_file_contexts',` + gen_require(` +- type selinux_config_t, file_context_t; ++ type selinux_config_t, file_context_t, default_context_t; + ') + + files_search_etc($1) +@@ -997,6 +1075,26 @@ ######################################## ## @@ -34307,7 +35073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + files_search_usr($1) + corecmd_search_bin($1) -+ domtrans_pattern($1,setsebool_exec_t,setsebool_t) ++ domtrans_pattern($1, setsebool_exec_t, setsebool_t) +') + +######################################## 
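Review bot: `default_context_t` is added to the `gen_require` of both `seutil_rw_file_contexts` and `seutil_manage_file_contexts` (the `@@ -34288` hunk), yet no rule in the hunk uses it and each body continues past `files_search_etc($1)` outside the hunk. If the remainder of the body now grants rw/manage access on `default_context_t`, the summary `## Read and write the file_contexts files.` understates the grant and should name the default_contexts files as well; if it does not, the extra require is dead and should be dropped. Callers choose these interfaces expecting only file_contexts access, so the documented scope should match what is granted.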
@@ -34315,7 +35081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1008,7 +1102,7 @@ +@@ -1008,7 +1106,7 @@ ## ## ## @@ -34324,7 +35090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1030,6 +1124,39 @@ +@@ -1030,6 +1128,39 @@ ######################################## ## @@ -34364,7 +35130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1141,3 +1268,260 @@ +@@ -1141,3 +1272,260 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -34408,12 +35174,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + type $1_setsebool_t; + domain_type($1_setsebool_t) -+ domain_entry_file($1_setsebool_t,setsebool_exec_t) ++ domain_entry_file($1_setsebool_t, setsebool_exec_t) + role $3 types $1_setsebool_t; + + files_search_usr($2) + corecmd_search_bin($2) -+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t) ++ domtrans_pattern($2, setsebool_exec_t, $1_setsebool_t) + seutil_semanage_policy($1_setsebool_t) + + # Need to define per type booleans @@ -34608,7 +35374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + fs_rw_tmpfs_chr_files($1) +') + -+ifdef(`distro_redhat', ` ++ifdef(`distro_redhat',` + fs_rw_tmpfs_chr_files($1) + fs_rw_tmpfs_blk_files($1) + fs_relabel_tmpfs_blk_file($1) 
@@ -34627,8 +35393,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-09-08 11:45:13.000000000 -0400 -@@ -75,7 +75,6 @@ ++++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-09-12 09:54:59.000000000 -0400 +@@ -23,6 +23,9 @@ + type selinux_config_t; + files_type(selinux_config_t) + ++type selinux_var_lib_t; ++files_type(selinux_var_lib_t) ++ + type checkpolicy_t, can_write_binary_policy; + type checkpolicy_exec_t; + application_domain(checkpolicy_t, checkpolicy_exec_t) +@@ -75,7 +78,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -34636,7 +35412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,6 +91,10 @@ +@@ -92,6 +94,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; @@ -34647,7 +35423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -109,6 +112,11 @@ +@@ -109,6 +115,11 @@ init_system_domain(setfiles_t,setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -34659,7 +35435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Checkpolicy local policy -@@ -168,6 +176,7 @@ +@@ -168,6 +179,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) 
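Review bot: `type selinux_var_lib_t;` is introduced with only `files_type()` and no comment saying what it labels or which domain writes it; the selinuxutil.fc hunk earlier in this commit maps `/var/lib/selinux(/.*)?` to it and a later selinuxutil.te hunk gives `semanage_t` manage rights on it. Propose a comment above the declaration, `# /var/lib/selinux (see selinuxutil.fc); managed by semanage_t`, so the next reader does not have to chase the fc and te hunks to learn its purpose.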
@@ -34667,7 +35443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu mls_file_read_all_levels(load_policy_t) -@@ -195,15 +204,6 @@ +@@ -195,15 +207,6 @@ ') ') @@ -34683,7 +35459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -221,7 +221,7 @@ +@@ -221,7 +224,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -34692,7 +35468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -277,6 +277,7 @@ +@@ -277,6 +280,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -34700,16 +35476,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -347,6 +348,8 @@ +@@ -347,6 +351,9 @@ seutil_libselinux_linked(restorecond_t) +userdom_read_all_users_home_dirs_symlinks(restorecond_t) ++userdom_read_all_users_home_content_symlinks(restorecond_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -365,7 +368,7 @@ +@@ -365,7 +372,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -34718,7 +35495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -396,7 +399,6 @@ +@@ -396,7 +403,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) 
@@ -34726,7 +35503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -435,67 +437,28 @@ +@@ -435,64 +441,22 @@ # semodule local policy # @@ -34747,9 +35524,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -corecmd_exec_bin(semanage_t) - -dev_read_urand(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -domain_use_interactive_fds(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) @@ -34762,7 +35543,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: -+seutil_semanage_policy(semanage_t) selinux_set_boolean(semanage_t) +can_exec(semanage_t, semanage_exec_t) @@ -34777,11 +35557,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) +- +-miscfiles_read_localization(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) --miscfiles_read_localization(semanage_t) -- -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) @@ -34796,6 +35576,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) +@@ -501,12 +465,30 @@ + files_read_var_lib_symlinks(semanage_t) + ') + +userdom_search_sysadm_home_dirs(semanage_t) + +optional_policy(` 
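Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` rules on `selinux_var_lib_t` (the `@@ -34747` hunk) come with no visible search permission on the parent `/var/lib` directory: `files_read_var_lib_files(semanage_t)` is only inside `ifdef(`distro_debian'`) in the next hunk, and the generic `files_read_etc_files`/`files_read_usr_files` calls are removed here. Unless `seutil_semanage_policy()` (defined in selinuxutil.if, not shown) already grants it, add `files_search_var_lib(semanage_t)` next to the two pattern rules; otherwise the new store path is unreachable on non-Debian builds.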
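Review bot: `auth_read_all_files_except_shadow(semanage_t)` in the `@@ -34777` hunk grants semanage_t read access to every non-shadow file on the system, while the comment above it records only the motivation (pp files in random locations) and not the breadth. Expand the comment so the scope is explicit, e.g. `# Admins are creating pp files in random locations; this grants read of` / `# every non-shadow file on the system, not only policy modules`. That also records that narrowing this later depends on a dedicated label for policy package files, which this commit does not introduce.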
@@ -34804,10 +35588,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + consoletype_exec(semanage_t) +') + - ifdef(`distro_debian',` - files_read_var_lib_files(semanage_t) - files_read_var_lib_symlinks(semanage_t) -@@ -507,6 +470,11 @@ ++ifdef(`distro_debian',` ++ files_read_var_lib_files(semanage_t) ++ files_read_var_lib_symlinks(semanage_t) ++') ++ + ifdef(`distro_ubuntu',` + optional_policy(` + unconfined_domain(semanage_t) ') ') @@ -34819,7 +35607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,121 +482,35 @@ +@@ -514,121 +496,42 @@ # Handle pp files created in homedir and /tmp userdom_read_sysadm_home_content_files(semanage_t) userdom_read_sysadm_tmp_files(semanage_t) 
@@ -34936,31 +35724,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu - unconfined_domain(setfiles_t) - ') -') -- --ifdef(`hide_broken_symptoms',` -- optional_policy(` -- udev_dontaudit_rw_dgram_sockets(setfiles_t) -- ') +######################################## +# +# Setfiles local policy +# +-ifdef(`hide_broken_symptoms',` +- optional_policy(` +- udev_dontaudit_rw_dgram_sockets(setfiles_t) +- ') ++seutil_setfiles(setfiles_t) ++# During boot in Rawhide ++term_use_generic_ptys(setfiles_t) + - # cjp: cover up stray file descriptors. - optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') --') -+seutil_setfiles(setfiles_t) - - optional_policy(` -- hotplug_use_fds(setfiles_t) ++optional_policy(` + cron_system_entry(setfiles_t, setfiles_exec_t) ') -+ + +seutil_setfiles(setfiles_mac_t) ++allow setfiles_mac_t self:capability2 mac_admin; ++kernel_relabelto_unlabeled(setfiles_mac_t) + + optional_policy(` +- hotplug_use_fds(setfiles_t) ++ unconfined_domain(setfiles_mac_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.fc serefpolicy-3.3.1/policy/modules/system/setrans.fc --- nsaserefpolicy/policy/modules/system/setrans.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/setrans.fc 2008-09-08 11:45:13.000000000 -0400 
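Review bot: `unconfined_domain(setfiles_mac_t)` together with `allow setfiles_mac_t self:capability2 mac_admin;` makes the new setfiles_mac_t both unconfined and able to relabel objects to contexts the loaded policy does not define, with no comment explaining why the MAC variant needs this while `setfiles_t` keeps its confined `seutil_setfiles()` rules; the `# During boot in Rawhide` comment covers only the pty access. Propose a comment above the block, `# setfiles_mac_t: relabeling with contexts unknown to the running policy (mac_admin);` / `# only entered via the selinuxutil.if interface that does domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)`, plus a sentence on why unconfined is required rather than a narrower grant. Because the `optional_policy(` wrapper has no distro or build ifdef, the unconfined grant applies whenever the unconfined module is loaded, so the rationale matters for production policy as well.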
@@ -40922,8 +41715,71 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.3.1/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-09-08 11:45:13.000000000 -0400 -@@ -315,3 +315,13 @@ ++++ serefpolicy-3.3.1/policy/support/obj_perm_sets.spt 2008-09-12 10:31:36.000000000 -0400 +@@ -193,7 +193,7 @@ + define(`create_dir_perms',`{ getattr create }') + define(`rename_dir_perms',`{ getattr rename }') + define(`delete_dir_perms',`{ getattr rmdir }') +-define(`manage_dir_perms',`{ create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') ++define(`manage_dir_perms',`{ create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }') + define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') + define(`relabelto_dir_perms',`{ getattr relabelto }') + define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') +@@ -209,10 +209,10 @@ + define(`append_file_perms',`{ getattr append lock ioctl }') + define(`write_file_perms',`{ getattr write append lock ioctl }') + define(`rw_file_perms',`{ getattr read write append ioctl lock }') +-define(`create_file_perms',`{ getattr create }') ++define(`create_file_perms',`{ getattr create open }') + define(`rename_file_perms',`{ getattr rename }') + define(`delete_file_perms',`{ getattr unlink }') +-define(`manage_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') ++define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') + define(`relabelfrom_file_perms',`{ getattr relabelfrom }') + define(`relabelto_file_perms',`{ getattr relabelto }') + define(`relabel_file_perms',`{ getattr 
relabelfrom relabelto }') +@@ -223,7 +223,8 @@ + define(`getattr_lnk_file_perms',`{ getattr }') + define(`setattr_lnk_file_perms',`{ setattr }') + define(`read_lnk_file_perms',`{ getattr read }') +-define(`write_lnk_file_perms',`{ getattr write lock ioctl }') ++define(`append_lnk_file_perms',`{ getattr append lock ioctl }') ++define(`write_lnk_file_perms',`{ getattr append write lock ioctl }') + define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }') + define(`create_lnk_file_perms',`{ create getattr }') + define(`rename_lnk_file_perms',`{ getattr rename }') +@@ -242,10 +243,10 @@ + define(`append_fifo_file_perms',`{ getattr append lock ioctl }') + define(`write_fifo_file_perms',`{ getattr write append lock ioctl }') + define(`rw_fifo_file_perms',`{ getattr read write append ioctl lock }') +-define(`create_fifo_file_perms',`{ getattr create }') ++define(`create_fifo_file_perms',`{ getattr create open }') + define(`rename_fifo_file_perms',`{ getattr rename }') + define(`delete_fifo_file_perms',`{ getattr unlink }') +-define(`manage_fifo_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') ++define(`manage_fifo_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') + define(`relabelfrom_fifo_file_perms',`{ getattr relabelfrom }') + define(`relabelto_fifo_file_perms',`{ getattr relabelto }') + define(`relabel_fifo_file_perms',`{ getattr relabelfrom relabelto }') +@@ -278,7 +279,7 @@ + define(`create_blk_file_perms',`{ getattr create }') + define(`rename_blk_file_perms',`{ getattr rename }') + define(`delete_blk_file_perms',`{ getattr unlink }') +-define(`manage_blk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') ++define(`manage_blk_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') + define(`relabelfrom_blk_file_perms',`{ getattr relabelfrom }') + define(`relabelto_blk_file_perms',`{ getattr 
relabelto }') + define(`relabel_blk_file_perms',`{ getattr relabelfrom relabelto }') +@@ -295,7 +296,7 @@ + define(`create_chr_file_perms',`{ getattr create }') + define(`rename_chr_file_perms',`{ getattr rename }') + define(`delete_chr_file_perms',`{ getattr unlink }') +-define(`manage_chr_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }') ++define(`manage_chr_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }') + define(`relabelfrom_chr_file_perms',`{ getattr relabelfrom }') + define(`relabelto_chr_file_perms',`{ getattr relabelto }') + define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }') +@@ -315,3 +316,13 @@ # define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }') define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }') diff --git a/selinux-policy.spec b/selinux-policy.spec index d917763..f58083f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 89.1%{?dist} +Release: 90%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,10 @@ exit 0 %endif %changelog +* Tue Sep 2 2008 Dan Walsh 3.3.1-90 +- Add rpcbind to mls policy +- Fix up policy so permissive domains will work + * Tue Sep 2 2008 Dan Walsh 3.3.1-89 - Fix init script paths
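Review bot: `open` is added to the `manage_*_perms` sets and to `create_file_perms`/`create_fifo_file_perms`, but the unchanged context shows `create_blk_file_perms` and `create_chr_file_perms` still as `{ getattr create }`, and `rw_file_perms`, `write_file_perms` and `append_file_perms` still without `open`. Assuming the policy enables checking of the `open` permission, domains that reach a file through the rw/write/append sets would be denied on open(2) while those using `manage_*` would not, and the blk/chr create sets diverge from the fifo one for no stated reason. Either add `open` to the rw/write/append file sets and to `create_blk_file_perms`/`create_chr_file_perms` too, or add a comment at the top of the file-perms block stating which policy capability gates `open` and why only the create/manage sets carry it.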