From f49c57d5e69706830ba9f8bf1918cd5af2769421 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 03 2009 14:45:58 +0000 Subject: - Allow setroubelshoot exec* privs to prevent crash from bad libraries - add cpufreqselector --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 33c687a..e4ca505 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + # Layer: modules # Module: awstats # diff --git a/modules-mls.conf b/modules-mls.conf index 28fdf9a..bf8f813 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + # Layer: modules # Module: awstats # diff --git a/modules-targeted.conf b/modules-targeted.conf index 33c687a..e4ca505 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -32,6 +32,13 @@ alsa = base # ada = module +# Layer: apps +# Module: cpufreqselector +# +# cpufreqselector executable +# +cpufreqselector = module + # Layer: modules # Module: awstats # diff --git a/policy-20090105.patch b/policy-20090105.patch index fd0c50c..ba5769e 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1593,8 +1593,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-02 10:05:45.000000000 -0400 -@@ -0,0 +1,47 @@ ++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-03 10:09:12.000000000 -0400 +@@ -0,0 +1,44 @@ +policy_module(cpufreqselector,1.0.0) + +######################################## @@ -1624,9 +1624,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +fs_list_inotifyfs(cpufreqselector_t) + -+libs_use_ld_so(cpufreqselector_t) -+libs_use_shared_libs(cpufreqselector_t) -+ +userdom_read_all_users_state(cpufreqselector_t) + +nscd_dontaudit_search_pid(cpufreqselector_t) @@ -10987,8 +10984,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.10/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-03-30 10:09:41.000000000 -0400 -@@ -0,0 +1,210 @@ ++++ serefpolicy-3.6.10/policy/modules/services/devicekit.te 2009-04-03 08:12:27.000000000 -0400 +@@ -0,0 +1,211 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -11150,6 +11147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_read_sysfs(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) ++dev_manage_generic_files(devicekit_disk_t) + +kernel_read_software_raid_state(devicekit_disk_t) + @@ -19761,7 +19759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/setroubleshoot.te 2009-04-03 10:25:52.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -19772,7 +19770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type setroubleshoot_var_lib_t; files_type(setroubleshoot_var_lib_t) -@@ -27,8 +30,8 @@ +@@ -27,8 +30,10 @@ # setroubleshootd local policy # @@ -19780,10 +19778,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow setroubleshootd_t self:process { signull signal getattr getsched }; +allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; ++# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run ++allow setroubleshootd_t self:process { execmem execstack }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -52,7 +55,10 @@ +@@ -52,7 +57,10 @@ kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) @@ -19794,7 +19794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +74,24 @@ +@@ -68,16 +76,24 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -19820,7 +19820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,22 +108,24 @@ +@@ -94,22 +110,24 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -27011,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-01 14:58:39.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-03 10:28:13.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -27130,7 +27130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type unconfined_t; + ') + -+ dontaudit $1 unconfined_t:unix_stream_socket rw_file_perms; ++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; +') + +######################################## @@ -27668,7 +27668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-01 14:59:58.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-03 10:26:58.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -29532,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute userdomain; + ') + -+ dontaudit $1 userdomain:unix_stream_socket rw_file_perms; ++ dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te diff --git a/selinux-policy.spec b/selinux-policy.spec index ae2a379..43f6437 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -15,12 +15,12 @@ %endif %define POLICYVER 23 %define libsepolver 2.0.20-1 -%define POLICYCOREUTILSVER 2.0.61-7 +%define POLICYCOREUTILSVER 2.0.62-7 %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.10 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,10 @@ exit 0 %endif %changelog +* Fri Apr 3 2009 Dan Walsh 3.6.10-7 +- Allow setroubelshoot exec* privs to prevent crash from bad libraries +- add cpufreqselector + * Thu Apr 2 2009 Dan Walsh 3.6.10-6 - Dontaudit listing of /root directory for cron system jobs