diff --git a/policy-20070501.patch b/policy-20070501.patch index b9bcced..a9a792f 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -186,15 +186,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te logging_log_file(acct_data_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-2.6.4/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-08-07 09:42:34.000000000 -0400 -@@ -1,4 +1,7 @@ ++++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-10-02 11:59:34.000000000 -0400 +@@ -1,4 +1,9 @@ /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) ++/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -+/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0) ++/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) ++/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.6.4/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-05-07 14:51:05.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/admin/alsa.te 2007-08-07 09:42:34.000000000 -0400 
@@ -2249,7 +2251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-09-11 14:40:52.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-10-05 10:05:49.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## @@ -2377,7 +2379,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3310,6 +3364,43 @@ +@@ -3203,6 +3257,44 @@ + + ######################################## + ## ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. ++## ++## ++## ++## Domain not to audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_all_tmp_sockets',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ dontaudit $1 tmpfile:sock_file getattr; ++') ++ ++######################################## ++## ++## Allow attempts to get the attributes ++## of all tmp files. ++## ++## ++## ++## Domain not to audit. ++## ++## ++# ++interface(`files_getattr_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file getattr; ++') ++ ++######################################## ++## + ## Read all tmp files. + ## + ## +@@ -3310,6 +3402,43 @@ ######################################## ## @@ -2421,7 +2468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Get the attributes of files in /usr. ## ## -@@ -3386,6 +3477,24 @@ +@@ -3386,6 +3515,24 @@ ######################################## ## 
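Review bot: The parameter description of the new `files_getattr_all_tmp_files` interface in the files.if hunk (`@@ -3203,6 +3257,44 @@`) still reads `Domain not to audit.`, but the body is `allow $1 tmpfile:file getattr;`, so the generated documentation describes a grant as a dontaudit rule. The description should read `Domain allowed access.` and the summary `Get the attributes of all tmp files.`, in the style of the `Get the attributes of files in /usr.` summary visible further down. Since the rule applies to every type carrying the `tmpfile` attribute, a sentence in the summary stating that breadth would help anyone reviewing a caller.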
@@ -2446,7 +2493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Read symbolic links in /usr. ## ## -@@ -3432,6 +3541,24 @@ +@@ -3432,6 +3579,24 @@ ######################################## ## @@ -2471,7 +2518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to search /usr/src. ## ## -@@ -3637,7 +3764,7 @@ +@@ -3637,7 +3802,7 @@ type var_t; ') @@ -2480,7 +2527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3993,7 +4120,7 @@ +@@ -3993,7 +4158,7 @@ type var_lock_t; ') @@ -2489,7 +2536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4012,7 +4139,7 @@ +@@ -4012,7 +4177,7 @@ type var_t, var_lock_t; ') @@ -2498,7 +2545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4181,7 +4308,7 @@ +@@ -4181,7 +4346,7 @@ type var_run_t; ') @@ -2507,7 +2554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4529,6 +4656,8 @@ +@@ -4529,6 +4694,8 @@ # Need to give access to /selinux/member selinux_compute_member($1) @@ -2516,7 +2563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4551,6 +4680,8 @@ +@@ -4551,6 +4718,8 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -2525,7 +2572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4588,3 +4719,28 @@ +@@ -4588,3 +4757,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') 
@@ -4794,7 +4841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-10-05 08:56:23.000000000 -0400 @@ -93,8 +93,6 @@ # generic socket here until appletalk socket is available in kernels allow cupsd_t self:socket create_socket_perms; @@ -4846,7 +4893,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -@@ -207,6 +209,7 @@ +@@ -199,14 +201,17 @@ + files_read_var_symlinks(cupsd_t) + # for /etc/printcap + files_dontaudit_write_etc_files(cupsd_t) +-# smbspool seems to be iterating through all existing tmp files. +-# redhat bug #214953 +-# cjp: this might be a broken behavior +-files_dontaudit_getattr_all_tmp_files(cupsd_t) ++ ++# smbspool is iterating through all existing tmp files. ++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++files_read_all_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) + selinux_compute_access_vector(cupsd_t) init_exec_script_files(cupsd_t) @@ -4854,7 +4915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_t) libs_use_shared_libs(cupsd_t) -@@ -214,6 +217,7 @@ +@@ -214,6 +219,7 @@ libs_read_lib_files(cupsd_t) logging_send_syslog_msg(cupsd_t) 
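Review bot: In the cups.te hunk (`@@ -199,14 +201,17 @@`), `files_getattr_all_tmp_files(cupsd_t)` together with `files_read_all_tmp_files(cupsd_t)` lets cupsd_t read every file whose type carries the `tmpfile` attribute, which is much wider than the Kerberos files the new comment says smbspool is looking for. cupsd_t is a network-facing daemon that also runs filter scripts, so the grant turns a flaw in the print service into read access to other domains' temporary files. Consider limiting the read to the type that labels the credential caches, or placing the two calls under a tunable that defaults to off. The removed `# redhat bug #214953` reference should stay in the comment so the reason for the rule remains traceable.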
@@ -4862,7 +4923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups miscfiles_read_localization(cupsd_t) # invoking ghostscript needs to read fonts -@@ -223,6 +227,7 @@ +@@ -223,6 +229,7 @@ sysnet_read_config(cupsd_t) @@ -4870,7 +4931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) -@@ -233,6 +238,10 @@ +@@ -233,6 +240,10 @@ lpd_relabel_spool(cupsd_t) ') @@ -4881,7 +4942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ifdef(`targeted_policy',` files_dontaudit_read_root_files(cupsd_t) -@@ -284,6 +293,10 @@ +@@ -284,6 +295,10 @@ ') optional_policy(` @@ -4892,7 +4953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups nscd_socket_use(cupsd_t) ') -@@ -294,6 +307,10 @@ +@@ -294,6 +309,10 @@ ') optional_policy(` @@ -4903,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -587,7 +604,7 @@ +@@ -587,7 +606,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
@@ -5371,353 +5432,195 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-2.6.4/policy/modules/services/exim.fc --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-09-13 12:59:21.000000000 -0400 -@@ -0,0 +1,6 @@ ++++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 +@@ -0,0 +1,16 @@ ++# $Id: policy-20070501.patch,v 1.63 2007/10/06 13:01:10 dwalsh Exp $ ++# Draft SELinux refpolicy module for the Exim MTA ++# ++# Devin Carraway ++ ++/var/spool/exim4?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) ++/var/run/exim4?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0) ++/var/log/exim4?(/.*)? gen_context(system_u:object_r:exim_log_t,s0) ++/usr/sbin/exim4? gen_context(system_u:object_r:exim_exec_t,s0) ++ifdef(`distro_debian', ` ++/usr/sbin/update-exim4\.conf gen_context(system_u:object_r:exim_conf_update_exec_t,s0) ++# work around a misparse if the word template appears without adjustment ++/usr/sbin/update-exim4\.conf\.[t]emplate gen_context(system_u:object_r:exim_conf_update_exec_t,s0) ++/var/lib/exim4?(/.*)? gen_context(system_u:object_r:exim_lib_t,s0) ++') + -+/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0) -+/etc/rc.d/init.d/exim -- gen_context(system_u:object_r:exim_script_exec_t,s0) -+/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) -+/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0) -+/var/spool/exim(/.*)? 
gen_context(system_u:object_r:exim_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-2.6.4/policy/modules/services/exim.if --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-09-13 12:59:21.000000000 -0400 -@@ -0,0 +1,330 @@ -+ -+## policy for exim ++++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-10-05 09:28:30.000000000 -0400 +@@ -0,0 +1,157 @@ ++## Exim service + +######################################## +## -+## Execute a domain transition to run exim. ++## Permit transitions to the exim domain +## +## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed access. ++## +## +# +interface(`exim_domtrans',` + gen_require(` + type exim_t; -+ type exim_exec_t; ++ type exim_exec_t; + ') + -+ domain_auto_trans($1,exim_exec_t,exim_t) -+ -+ allow exim_t $1:fd use; -+ allow exim_t $1:fifo_file rw_file_perms; -+ allow exim_t $1:process sigchld; ++ corecmd_search_sbin($1) ++ domtrans_pattern($1, exim_t, exim_exec_t) +') + -+ +######################################## +## -+## Execute exim server in the exim domain. ++## Read generated exim configuration +## +## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`exim_script_domtrans',` -+ gen_require(` -+ type exim_script_exec_t; -+ ') -+ -+ init_script_domtrans_spec($1,exim_script_exec_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to read, -+## exim tmp files -+## -+## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`exim_dontaudit_read_tmp_files',` ++interface(`exim_read_lib',` + gen_require(` -+ type exim_tmp_t; ++ type exim_lib_t; + ') + -+ dontaudit $1 exim_tmp_t:file r_file_perms; ++ files_search_var_lib($1) ++ read_files_pattern($1, exim_lib_t, exim_lib_t); +') + +######################################## +## -+## Allow domain to read, exim tmp files ++## Manage generated exim configuration +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`exim_read_tmp_files',` ++interface(`exim_manage_lib',` + gen_require(` -+ type exim_tmp_t; ++ type exim_lib_t; + ') + -+ allow $1 exim_tmp_t:file r_file_perms; ++ files_search_var_lib($1) ++ manage_files_pattern($1, exim_lib_t, exim_lib_t); +') + +######################################## +## -+## Allow domain to manage exim tmp files ++## Grants readonly access to Exim logs +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`exim_manage_tmp',` -+ gen_require(` -+ type exim_tmp_t; -+ ') -+ -+ manage_dir_perms($1,exim_tmp_t,exim_tmp_t) -+ manage_file_perms($1,exim_tmp_t,exim_tmp_t) -+ manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t) -+') -+ -+######################################## -+## -+## Read exim PID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`exim_read_pid_files',` -+ gen_require(` -+ type exim_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 exim_var_run_t:file r_file_perms; -+') -+ -+######################################## -+## -+## Manage exim var_run files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`exim_manage_var_run',` -+ gen_require(` -+ type exim_var_run_t; -+ ') -+ -+ manage_dir_perms($1,exim_var_run_t,exim_var_run_t) -+ manage_file_perms($1,exim_var_run_t,exim_var_run_t) -+ manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t) -+') -+ -+ -+######################################## -+## -+## Allow the specified domain to read exim's log files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`exim_read_log',` ++interface(`exim_read_logs',` + gen_require(` + type exim_log_t; + ') + -+ logging_search_logs($1) -+ allow $1 exim_log_t:dir r_dir_perms; -+ allow $1 exim_log_t:file { read getattr lock }; -+') -+ -+######################################## -+## -+## Allow the specified domain to append -+## exim log files. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# -+interface(`exim_append_log',` -+ gen_require(` -+ type var_log_t, exim_log_t; -+ ') -+ -+ logging_search_logs($1) -+ allow $1 exim_log_t:dir r_dir_perms; -+ allow $1 exim_log_t:file { getattr append }; ++ files_search_var($1) ++ read_files_pattern($1, exim_log_t, exim_log_t) +') + +######################################## +## -+## Allow domain to manage exim log files ++## Manage exim logs +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`exim_manage_log',` ++interface(`exim_manage_logs',` + gen_require(` + type exim_log_t; + ') + -+ manage_dir_perms($1,exim_log_t,exim_log_t) -+ manage_file_perms($1,exim_log_t,exim_log_t) -+ manage_lnk_file_perms($1,exim_log_t,exim_log_t) ++ files_search_var($1) ++ manage_files_pattern($1, exim_log_t, exim_log_t) +') + +######################################## +## -+## Search exim spool directories. ++## Read contents of exim spool +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`exim_search_spool',` ++interface(`exim_read_spool',` + gen_require(` + type exim_spool_t; + ') + -+ allow $1 exim_spool_t:dir search_dir_perms; + files_search_spool($1) ++ list_dirs_pattern($1, exim_spool_t, exim_spool_t) ++ read_files_pattern($1, exim_spool_t, exim_spool_t) +') + +######################################## +## -+## Read exim spool files. ++## Modify/delete contents of exim mail spool +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`exim_read_spool_files',` -+ gen_require(` -+ type exim_spool_t; -+ ') -+ -+ allow $1 exim_spool_t:file r_file_perms; -+ allow $1 exim_spool_t:dir list_dir_perms; -+ files_search_spool($1) -+') -+ -+######################################## -+## -+## Create, read, write, and delete -+## exim spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`exim_manage_spool_files',` ++interface(`exim_manage_spool',` + gen_require(` + type exim_spool_t; + ') + -+ allow $1 exim_spool_t:file manage_file_perms; -+ allow $1 exim_spool_t:dir rw_dir_perms; + files_search_spool($1) ++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t) ++ manage_files_pattern($1, exim_spool_t, exim_spool_t) +') + +######################################## +## -+## Allow domain to manage exim spool files ++## Create an exim mail spool (implies creating dirs in var_spool_t). +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`exim_manage_spool',` ++interface(`exim_create_spool',` + gen_require(` ++ type var_spool_t; + type exim_spool_t; + ') + -+ manage_dir_perms($1,exim_spool_t,exim_spool_t) -+ manage_file_perms($1,exim_spool_t,exim_spool_t) -+ manage_lnk_file_perms($1,exim_spool_t,exim_spool_t) -+') -+ -+ -+######################################## -+## -+## All of the rules required to administrate an exim environment -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+## -+## The role to be allowed to manage the exim domain. -+## -+## -+## -+## -+## The type of the terminal allow the dmidecode domain to use. -+## -+## -+## -+# -+interface(`exim_admin',` -+ gen_require(` -+ type exim_t; -+ ') -+ -+ allow $1 exim_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, exim_t, exim_t) -+ -+ -+ # Allow $1 to restart the apache service -+ exim_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 exim_script_exec_t system_r; -+ allow $2 system_r; -+ -+ exim_manage_tmp($1) -+ -+ exim_manage_var_run($1) -+ -+ exim_manage_log($1) -+ -+ exim_manage_spool($1) -+ ++ create_dirs_pattern($1, var_spool_t, exim_spool_t) ++ filetrans_pattern($1, var_spool_t, exim_spool_t, dir) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-09-13 12:59:21.000000000 -0400 -@@ -0,0 +1,108 @@ -+policy_module(exim,1.0.0) ++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-05 09:28:22.000000000 -0400 +@@ -0,0 +1,229 @@ ++# $Id: policy-20070501.patch,v 1.63 2007/10/06 13:01:10 dwalsh Exp $ ++# Draft SELinux refpolicy module for the Exim MTA ++# ++# Devin Carraway ++ ++policy_module(exim, 1.0.0) + +######################################## +# 
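Review bot: The Debian block of the new exim.fc labels `/usr/sbin/update-exim4\.conf` and its `\.[t]emplate` variant `exim_conf_update_exec_t`, but the Debian block added to exim.te (hunk `@@ -5825,9 +5805,48 @@`) declares `exim_lib_update_exec_t`, and no declaration of `exim_conf_update_exec_t` appears in the lines shown. Unless that type is declared elsewhere, these file-context entries name a type the module does not define; both files should use one name, e.g. `gen_context(system_u:object_r:exim_lib_update_exec_t,s0)`. Separately, the new `/usr/sbin/exim4?` entry drops the `--` file-type specifier that the replaced `/usr/sbin/exim --` entry had, and the `/etc/rc.d/init.d/exim` entry is removed although exim.te still declares `exim_script_exec_t`, leaving that type with no labelled file in this patch.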
@@ -5726,14 +5629,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +type exim_t; +type exim_exec_t; -+domain_type(exim_t) -+init_daemon_domain(exim_t, exim_exec_t) ++mta_mailserver(exim_t, exim_exec_t) ++mta_mailserver_user_agent(exim_t) ++application_executable_file(exim_exec_t) ++mta_mailclient(exim_exec_t) + +type exim_script_exec_t; +init_script_type(exim_script_exec_t) + -+type exim_tmp_t; -+files_tmp_file(exim_tmp_t) ++type exim_spool_t; ++files_type(exim_spool_t) + +type exim_var_run_t; +files_pid_file(exim_var_run_t) @@ -5741,78 +5646,153 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +type exim_log_t; +logging_log_file(exim_log_t) + -+type exim_spool_t; -+files_type(exim_spool_t) ++######################################## ++# ++# exim booleans ++# ++ ++## ++##

++## Allow exim to connect to databases (postgres, mysql) ++##

++##
++gen_tunable(exim_can_connect_db, false) ++ ++## ++##

++## Allow exim to read files in users homedirectories ++##

++##
++gen_tunable(exim_read_user_files, false) ++ ++## ++##

++## Allow exim to manage files in users homedirectories ++##

++##
++gen_tunable(exim_manage_user_files, false) + +######################################## +# +# exim local policy +# + -+allow exim_t self:capability { dac_override dac_read_search setuid setgid }; -+ -+## internal communication is often done using fifo and unix sockets. ++allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown }; ++allow exim_t self:process { setrlimit setpgid }; +allow exim_t self:fifo_file rw_file_perms; ++allow exim_t self:tcp_socket create_stream_socket_perms; ++allow exim_t self:udp_socket create_socket_perms; +allow exim_t self:unix_stream_socket create_stream_socket_perms; + -+allow exim_t exim_tmp_t:file manage_file_perms; -+allow exim_t exim_tmp_t:dir create_dir_perms; -+files_tmp_filetrans(exim_t,exim_tmp_t, { file dir }) ++corenet_all_recvfrom_unlabeled(exim_t) ++corenet_all_recvfrom_netlabel(exim_t) ++corenet_udp_sendrecv_all_if(exim_t) ++corenet_udp_sendrecv_all_nodes(exim_t) ++corenet_tcp_sendrecv_all_if(exim_t) ++corenet_tcp_sendrecv_all_nodes(exim_t) ++corenet_tcp_bind_all_nodes(exim_t) ++corenet_tcp_bind_amavisd_send_port(exim_t) ++corenet_tcp_bind_smtp_port(exim_t) ++corenet_tcp_connect_smtp_port(exim_t) ++corenet_tcp_sendrecv_smtp_port(exim_t) ++corenet_sendrecv_smtp_server_packets(exim_t) ++corenet_sendrecv_all_client_packets(exim_t) + -+allow exim_t exim_var_run_t:file manage_file_perms; -+allow exim_t exim_var_run_t:dir manage_dir_perms; -+files_pid_filetrans(exim_t,exim_var_run_t, { file dir }) ++# make identd connections ++corenet_tcp_connect_auth_port(exim_t) ++corenet_tcp_sendrecv_auth_port(exim_t) + -+allow exim_t exim_log_t:file manage_file_perms; -+allow exim_t exim_log_t:dir { rw_dir_perms setattr }; -+logging_log_filetrans(exim_t,exim_log_t,{ file dir }) ++# connect to spamassassin ++corenet_tcp_connect_spamd_port(exim_t) ++corenet_tcp_sendrecv_spamd_port(exim_t) + -+allow exim_t exim_spool_t:dir manage_dir_perms; -+allow exim_t exim_spool_t:file manage_file_perms; -+allow 
exim_t exim_spool_t:sock_file create_file_perms; -+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file }) ++libs_use_ld_so(exim_t) ++libs_read_lib_files(exim_t) ++libs_exec_lib_files(exim_t) ++libs_use_shared_libs(exim_t) ++libs_legacy_use_shared_libs(exim_t) ++ ++# PID files ++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t) ++files_pid_filetrans(exim_t, exim_var_run_t, file) + +auth_use_nsswitch(exim_t) + -+can_exec(exim_t,exim_exec_t) ++# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it ++files_dontaudit_getattr_tmp_dirs(exim_t) ++files_search_usr(exim_t) ++files_search_var(exim_t) ++files_read_etc_files(exim_t) ++ ++fs_getattr_xattr_fs(exim_t) ++ ++kernel_read_kernel_sysctls(exim_t) ++kernel_dontaudit_read_system_state(exim_t) ++ ++miscfiles_read_localization(exim_t) ++miscfiles_read_certs(exim_t) ++ ++mta_read_aliases(exim_t) ++mta_read_config(exim_t) ++mta_rw_spool(exim_t) ++mta_mailserver_delivery(exim_t) + +# Init script handling +domain_use_interactive_fds(exim_t) + -+files_read_etc_files(exim_t) ++can_exec(exim_t,exim_exec_t) + -+sysnet_dns_name_resolve(exim_t) -+corenet_all_recvfrom_unlabeled(exim_t) ++exim_create_spool(exim_t) ++exim_manage_spool(exim_t) ++allow exim_t exim_spool_t:sock_file create_file_perms; ++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file }) + -+allow exim_t self:tcp_socket create_stream_socket_perms; -+corenet_tcp_sendrecv_all_if(exim_t) -+corenet_tcp_sendrecv_all_nodes(exim_t) -+corenet_tcp_sendrecv_all_ports(exim_t) -+corenet_tcp_bind_all_nodes(exim_t) -+corenet_tcp_bind_smtp_port(exim_t) -+corenet_tcp_bind_amavisd_send_port(exim_t) -+corenet_tcp_connect_auth_port(exim_t) -+corenet_tcp_connect_inetd_child_port(exim_t) ++## logging ++logging_send_syslog_msg(exim_t) ++exim_manage_logs(exim_t) ++logging_log_filetrans(exim_t, exim_log_t, { file dir }) + +corecmd_search_bin(exim_t) + -+libs_use_ld_so(exim_t) -+libs_use_shared_libs(exim_t) -+logging_send_syslog_msg(exim_t) 
++# TLS sessions need entropy ++dev_read_urand(exim_t) ++dev_read_rand(exim_t) + -+miscfiles_read_localization(exim_t) ++tunable_policy(`exim_can_connect_db',` ++ corenet_tcp_connect_mysqld_port(exim_t) ++ corenet_sendrecv_mysqld_client_packets(exim_t) ++ corenet_tcp_connect_postgresql_port(exim_t) ++ corenet_sendrecv_postgresql_client_packets(exim_t) ++') + -+kernel_read_kernel_sysctls(exim_t) ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ mysql_stream_connect(exim_t) ++ ') ++') + -+mta_mailclient(exim_exec_t) -+mta_read_aliases(exim_t) -+mta_rw_spool(exim_t) ++optional_policy(` ++ tunable_policy(`exim_can_connect_db',` ++ postgresql_stream_connect(exim_t) ++ ') ++') ++ ++optional_policy(` ++ mailman_read_data_files(exim_t) ++ mailman_domtrans(exim_t) ++') + -+userdom_dontaudit_search_sysadm_home_dirs(exim_t) -+userdom_dontaudit_search_generic_user_home_dirs(exim_t) ++optional_policy(` ++ procmail_domtrans(exim_t) ++') + -+bool exim_read_user_files false; -+bool exim_manage_user_files false; ++optional_policy(` ++ sasl_connect(exim_t) ++') ++ ++optional_policy(` ++ cyrus_stream_connect(exim_t) ++') + +if (exim_read_user_files) { + userdom_read_unpriv_users_home_content_files(exim_t) 
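Review bot: The rewritten `allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };` adds `sys_resource`, `fowner` and `chown` without a comment saying which exim operation needs each, and the same hunk adds `corenet_sendrecv_all_client_packets(exim_t)` although the connect rules name only the smtp, auth and spamd ports (plus mysqld and postgresql under the tunable). A short comment per capability, and the per-port packet form already used for mysqld and postgresql in this hunk, would keep the mail daemon's grant as narrow as its connects. The hunk also declares `exim_read_user_files` with `gen_tunable`, yet the conditional below is still a raw `if (exim_read_user_files) {` while the database tunable uses `tunable_policy`; one form throughout would read more consistently. That conditional block continues past the end of this hunk.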
@@ -5825,9 +5805,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + userdom_write_unpriv_users_tmp_files(exim_t) +} + ++## receipt & validation ++ ++optional_policy(` ++ clamav_domtrans_clamscan(exim_t) ++ clamav_stream_connect(exim_t) ++') ++ ++optional_policy(` ++ spamassassin_exec(exim_t) ++ spamassassin_exec_client(exim_t) ++') ++ ++# courier authdaemon; authdaemon doesn't have a type for its UNIX domain ++# socket, nor a public interface for it yet. ++ifdef(`TODO', ` ++optional_policy(` ++ gen_require(` ++ type courier_var_run_t; ++ ') ++ files_search_pids(exim_t) ++ stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t) ++') ++') ++ ++# Debian uses a template based config generator which generates config ++# files under /var ++ifdef(`distro_debian',` ++ type exim_lib_t; ++ files_config_file(exim_lib_t) ++ exim_read_lib(exim_t) ++ ++ type exim_lib_update_t; ++ type exim_lib_update_exec_t; ++ init_domain(exim_lib_update_t, exim_lib_update_exec_t) ++ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t) ++ mta_read_lib(exim_lib_update_t) ++ exim_manage_var_lib(exim_lib_update_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-10-04 10:58:50.000000000 -0400 @@ -88,6 +88,7 @@ allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms; 
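Review bot: The Debian block added to exim.te calls `exim_manage_var_lib(exim_lib_update_t)`, but the exim.if added by this same patch defines `exim_read_lib` and `exim_manage_lib` and no `exim_manage_var_lib`. Unless that interface is defined elsewhere, a `distro_debian` build will not get the intended rule; the call should probably be `exim_manage_lib(exim_lib_update_t)`. `init_domain(exim_lib_update_t, exim_lib_update_exec_t)` followed by `domain_entry_file(...)` on the same pair also looks redundant and is worth checking against the init interface.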
@@ -5836,7 +5855,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. allow ftpd_t ftpd_etc_t:file read_file_perms; -@@ -156,6 +157,7 @@ +@@ -105,9 +106,10 @@ + manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t) + fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + ++manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) + manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) + manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t) +-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file) ++files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} ) + + # proftpd requires the client side to bind a socket so that + # it can stat the socket to perform access control decisions, +@@ -122,6 +124,7 @@ + + kernel_read_kernel_sysctls(ftpd_t) + kernel_read_system_state(ftpd_t) ++kernel_search_network_state(ftpd_t) + + dev_read_sysfs(ftpd_t) + dev_read_urand(ftpd_t) +@@ -156,6 +159,7 @@ auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -5844,7 +5883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. # Append to /var/log/wtmp. auth_append_login_records(ftpd_t) #kerberized ftp requires the following -@@ -167,6 +169,8 @@ +@@ -167,6 +171,8 @@ libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) @@ -5853,7 +5892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. logging_send_syslog_msg(ftpd_t) miscfiles_read_localization(ftpd_t) -@@ -223,10 +227,15 @@ +@@ -223,10 +229,15 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) 
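Review bot: The new `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )` in the ftp.te hunk (`@@ -105,9 +106,10 @@`) spaces the closing brace and parenthesis differently from the `{ dir file lnk_file sock_file fifo_file })` call a few lines above it; write it as `files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir })`. The added `manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)` and `kernel_search_network_state(ftpd_t)` lines carry no comment, unlike the proftpd note that follows them. A one-line comment naming the daemon behaviour that needs a directory under the pid directory (the changelog only says "Fixes for proftp") would record why the access was widened.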
@@ -5871,8 +5910,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-09-11 15:14:23.000000000 -0400 -@@ -2,15 +2,22 @@ ++++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-05 09:47:34.000000000 -0400 +@@ -2,15 +2,25 @@ /etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) /etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) @@ -5900,6 +5939,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) ++ ++/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-08-07 09:42:35.000000000 -0400 @@ -6004,7 +6046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-09-21 14:56:10.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-10-05 09:47:20.000000000 -0400 
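Review bot: The hal.fc hunk (`@@ -2,15 +2,25 @@`) adds `/var/run/pm(/.*)?` and `/var/log/pm(/.*)?` a second time, directly below the identical two entries the patch already carried. Duplicate file-context specifications add nothing and are usually reported as multiple identical specifications when the contexts are processed. The three added lines (the blank line and the two entries) should be dropped.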
@@ -61,8 +61,6 @@ # For backwards compatibility with older kernels allow hald_t self:netlink_socket create_socket_perms; @@ -6610,7 +6652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read sendmail binary. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-09-13 13:02:46.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-06 08:53:21.000000000 -0400 @@ -6,6 +6,7 @@ # Declarations # @@ -6629,7 +6671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. mta_base_mail_template(system) role system_r types system_mail_t; -@@ -52,6 +54,7 @@ +@@ -52,9 +54,12 @@ kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) @@ -6637,7 +6679,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -91,12 +94,14 @@ ++fs_rw_anon_inodefs_files(system_mail_t) ++ + init_use_script_ptys(system_mail_t) + + userdom_use_sysadm_terms(system_mail_t) +@@ -91,12 +96,14 @@ optional_policy(` apache_read_squirrelmail_data(system_mail_t) apache_append_squirrelmail_data(system_mail_t) @@ -6652,7 +6699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -109,6 +114,7 @@ +@@ -109,6 +116,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) 
@@ -10031,6 +10078,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. corecmd_list_bin(xfs_t) dev_read_sysfs(xfs_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.4/policy/modules/services/xserver.fc +--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-02 11:51:15.000000000 -0400 +@@ -92,7 +92,7 @@ + /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) + +-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) + /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 40cc08e..17945c6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 46%{?dist} +Release: 47%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -361,6 +361,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Thu Oct 4 2007 Dan Walsh 2.6.4-47 +- Fixes for proftp + * Mon Oct 1 2007 Dan Walsh 2.6.4-46 - Allow smbcontrol to work on terminal windows