diff --git a/policy-20071130.patch b/policy-20071130.patch index 25ea4cb..c32ef7a 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -381,6 +381,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console logrotate_dontaudit_use_fds(consoletype_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.if serefpolicy-3.2.6/policy/modules/admin/firstboot.if +--- nsaserefpolicy/policy/modules/admin/firstboot.if 2007-04-10 12:52:58.000000000 -0400 ++++ serefpolicy-3.2.6/policy/modules/admin/firstboot.if 2008-02-05 15:40:19.000000000 -0500 +@@ -141,4 +141,6 @@ + ') + + dontaudit $1 firstboot_t:fifo_file { read write }; ++ dontaudit $1 firstboot_t:unix_stream_socket { read write }; ++ + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.2.6/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/admin/firstboot.te 2008-02-01 16:01:42.000000000 -0500 @@ -4754,7 +4764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-12-12 11:35:27.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-04 11:10:30.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/corecommands.fc 2008-02-05 14:59:46.000000000 -0500 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) 
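Review bot: The new `dontaudit $1 firstboot_t:unix_stream_socket { read write };` in the inner `@@ -141,4 +141,6 @@` hunk of firstboot.if sits inside an interface whose name and `## <summary>` block are above the hunk, and that summary presumably still describes only the fifo_file case; it should be widened to say the inherited unix stream socket is silenced too, or the generated interface docs will understate the rule. The second added line is an empty line directly before `')`, which leaves a blank line at the end of the interface body that the surrounding refpolicy style does not use; dropping it keeps the hunk to the one rule it needs. Because this is a dontaudit and not an allow, no new access is granted, so the change itself is safe from a least-privilege standpoint.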
@@ -4777,7 +4787,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -127,6 +129,8 @@ +@@ -67,6 +69,12 @@ + + /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) + ++ ++/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -127,6 +135,8 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -4786,7 +4809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -147,7 +151,7 @@ +@@ -147,7 +157,7 @@ /usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4795,7 +4818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -186,7 +190,10 @@ +@@ -186,7 +196,10 @@ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) 
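Review bot: The five entries added in the inner `@@ -67,6 +69,12 @@` hunk relabel `/etc/sysconfig/{crond,init,libvirtd,netconsole,readonly-root}` from the default /etc label (presumably etc_t) to bin_t with no comment saying why. Two consequences should be stated and checked: every domain permitted to execute bin_t may now run these files, and a daemon that reads its own `/etc/sysconfig/<name>` through a generic etc_t read rule (crond, libvirtd come to mind) loses that access unless it also has bin_t read or exec rules, which would have to be confirmed in their .te files outside this hunk. A one-line comment above the group recording the intent, e.g. `# sysconfig files executed/sourced as scripts, hence bin_t -- confirm`, would stop a later maintainer from relabelling them back. The added `++` blank line also yields two consecutive empty lines after `/etc/security/namespace.init`; one is enough.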
@@ -4806,7 +4829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +291,7 @@ +@@ -284,3 +297,7 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4827,7 +4850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-02 10:38:16.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/kernel/corenetwork.te.in 2008-02-05 14:00:55.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) @@ -4853,7 +4876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,6 +137,7 @@ +@@ -133,10 +137,12 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) 
@@ -4861,7 +4884,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -@@ -148,7 +153,7 @@ + network_port(postgrey, tcp,60000,s0) ++network_port(prelude, tcp,4690,s0, udp,4690,s0) + network_port(printer, tcp,515,s0) + network_port(ptal, tcp,5703,s0) + network_port(pxe, udp,4011,s0) +@@ -148,7 +154,7 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -4870,7 +4898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) -@@ -171,6 +176,8 @@ +@@ -171,6 +177,8 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) @@ -15915,8 +15943,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.6/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/prelude.te 2008-02-01 16:01:42.000000000 -0500 -@@ -0,0 +1,114 @@ ++++ serefpolicy-3.2.6/policy/modules/services/prelude.te 2008-02-05 14:42:50.000000000 -0500 +@@ -0,0 +1,117 @@ +policy_module(prelude,1.0.0) + +######################################## 
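Review bot: `network_port(prelude, tcp,4690,s0, udp,4690,s0)` in the inner corenetwork.te.in hunk declares both a TCP and a UDP portcon, but the only consumer visible in this commit is `corenet_tcp_bind_prelude_port(prelude_t)` later in prelude.te; if nothing binds or connects to UDP 4690, the udp half reserves a labelled port no policy uses and should be reduced to `network_port(prelude, tcp,4690,s0)`, or the UDP user should be named. The entry is placed alphabetically between postgrey and printer, matching the file's ordering. The remaining hunks on this line only renumber inner hunk headers and need no review.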
@@ -15957,6 +15985,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# Init script handling +domain_use_interactive_fds(prelude_t) + ++allow prelude_t self:capability sys_tty_config; ++ +## internal communication is often done using fifo and unix sockets. +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; @@ -15967,6 +15997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + ++manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) + @@ -15994,7 +16025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +corenet_tcp_sendrecv_all_if(prelude_t) +corenet_tcp_sendrecv_all_nodes(prelude_t) +corenet_tcp_bind_all_nodes(prelude_t) -+#corenet_tcp_bind_generic_port(prelude_t) ++corenet_tcp_bind_prelude_port(prelude_t) + +corecmd_search_bin(prelude_t) + @@ -17709,7 +17740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.6/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/samba.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/samba.te 2008-02-05 14:45:20.000000000 -0500 @@ -26,28 +26,28 @@ ## 
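Review bot: `allow prelude_t self:capability sys_tty_config;` in the prelude.te hunk grants a capability a network daemon normally only trips over when it touches a tty it inherited, and refpolicy's usual treatment for that case is `dontaudit prelude_t self:capability sys_tty_config;` because the denial is harmless. Unless prelude genuinely needs to configure a tty, the allow should become that dontaudit, which keeps the capability set minimal while still removing the AVC noise that presumably prompted the line. Replacing the commented `#corenet_tcp_bind_generic_port(prelude_t)` with `corenet_tcp_bind_prelude_port(prelude_t)` in the later hunk of the same file is the right direction, since the daemon now binds only its own labelled port.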
@@ -22082,7 +22113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.6/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/authlogin.if 2008-02-02 00:19:44.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/authlogin.if 2008-02-05 13:32:05.000000000 -0500 @@ -99,7 +99,7 @@ template(`authlogin_per_role_template',` @@ -22191,7 +22222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + type system_chkpwd_t, chkpwd_exec_t, shadow_t; + ') + -+ corecmd_search_sbin($1) ++ corecmd_search_bin($1) + domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) + dontaudit $1 shadow_t:file { getattr read }; + auth_domtrans_upd_passwd($1) @@ -23131,7 +23162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.2.6/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/logging.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/logging.if 2008-02-05 14:03:48.000000000 -0500 @@ -213,12 +213,7 @@ ## # @@ -23227,7 +23258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -804,3 +800,125 @@ +@@ -804,3 +800,127 @@ logging_admin_audit($1, $2, $3) logging_admin_syslog($1, $2, $3) ') 
@@ -23333,6 +23364,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin + role system_r types $1; + + domtrans_pattern(audisp_t,$2,$1) ++ ++ allow audisp_t $2:file getattr; +') + +######################################## @@ -25276,7 +25309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.6/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-05 09:47:51.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-05 13:44:43.000000000 -0500 @@ -6,35 +6,59 @@ # Declarations # @@ -25397,10 +25430,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -101,12 +140,20 @@ +@@ -101,12 +140,24 @@ ') optional_policy(` ++ gnomeclock_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` + kerneloops_dbus_chat(unconfined_t) + ') + @@ -25418,7 +25455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +165,7 @@ +@@ -118,11 +169,7 @@ ') optional_policy(` @@ -25431,7 +25468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +177,6 @@ +@@ -134,14 +181,6 @@ ') optional_policy(` 
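Review bot: `allow audisp_t $2:file getattr;` added after `domtrans_pattern(audisp_t,$2,$1)` in the logging.if interface looks redundant: in refpolicy, domtrans_pattern expands through domain_auto_trans, which already grants the source domain `$2:file { getattr read execute }` on the entrypoint. If the rule was added to silence an AVC, the denial presumably came from a different source type or object class (for instance the plugin domain `$1` statting its own executable), and the rule should target that instead of duplicating what the pattern grants. Please verify against the domain_auto_trans definition shipped in this tree's support macros before dropping it; the interface's header and `## <summary>` are above the hunk and would not need to change.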
@@ -25446,27 +25483,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +189,32 @@ +@@ -154,38 +193,32 @@ ') optional_policy(` - postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) +-') +- +- +-optional_policy(` +- pyzor_per_role_template(unconfined) + qemu_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') - - optional_policy(` -- pyzor_per_role_template(unconfined) --') -- -optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -') -- --optional_policy(` + + optional_policy(` rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -25492,7 +25529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +234,30 @@ +@@ -205,11 +238,30 @@ ') optional_policy(` @@ -25506,10 +25543,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) - ') - - optional_policy(` -- xserver_domtrans_xdm_xserver(unconfined_t) ++') ++ ++optional_policy(` + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; 
@@ -25517,15 +25553,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- xserver_domtrans_xdm_xserver(unconfined_t) + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -219,14 +267,34 @@ +@@ -219,14 +271,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -25545,11 +25582,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - ') +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) - ') ++') + +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) -+') + ') + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) @@ -28122,7 +28159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.2.6/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/userdomain.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/userdomain.te 2008-02-05 13:44:01.000000000 -0500 @@ -2,12 +2,7 @@ policy_module(userdomain,2.5.0) diff --git a/selinux-policy.spec b/selinux-policy.spec index c0a6abf..99b9f01 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.6 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
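Review bot: `Release: 6%{?dist}` in the selinux-policy.spec hunk `@@ -17,7 +17,7 @@` does not agree with the new `%changelog` entry in the following hunk, which is headed `3.2.6-7`; a 3.2.6-6 entry already exists, so either the bump should be `Release: 7%{?dist}` or the "Fixes for staff_t" line belongs under the existing -6 entry. rpmlint reports this as incoherent-version-in-changelog, and as written the built package would carry a changelog for a release that was never produced. The unconfined.te and userdomain.te hunks on this line are rebase churn of the inner patch (reordered `')` closers and a timestamp) and change no effective policy.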
@@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Tue Feb 5 2008 Dan Walsh 3.2.6-7 +- Fixes for staff_t + * Tue Feb 5 2008 Dan Walsh 3.2.6-6 - Add policy for kerneloops - Add policy for gnomeclock