From 0100c2a27c74ce58505a91dd274a7cb94790c199 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 11 2009 11:20:23 +0000 Subject: - Allow rpcd to send signals to automount --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 09d723d..90b6f67 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -6875,8 +6875,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te se +wm_domain_template(user,xdm) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-06-03 07:57:01.000000000 +0200 -@@ -73,10 +73,16 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-06-08 16:02:14.000000000 +0200 +@@ -65,6 +65,8 @@ + + /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + ++/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0) + + +@@ -73,10 +75,16 @@ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) @@ -6897,7 +6906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) -@@ -123,12 +129,18 @@ +@@ -123,12 +131,18 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
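Review bot: Labelling everything under `/etc/racoon/scripts(/.*)?` as bin_t makes those hook scripts executable by every domain that has corecmd_exec_bin, and the ipsec.te hunk later in this commit (the one adding `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)`) runs them inside racoon_t itself with no domain transition, so a script inherits racoon_t's `{ net_admin net_bind_service }` capabilities. A dedicated exec type with a transition into a script domain would keep the IKE daemon's privileges out of the scripts; if that is out of scope for this change, a one-line comment above the new entry such as `# hook scripts executed by racoon_t (see ipsec.te)` would at least record why they are bin_t rather than plain etc_t. The visible ipsec.te rules grant racoon_t exec but not write access to bin_t, which is the right shape.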
@@ -6916,7 +6925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -176,6 +188,8 @@ +@@ -176,6 +190,8 @@ /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) @@ -6925,7 +6934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -184,10 +198,8 @@ +@@ -184,10 +200,8 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -6938,7 +6947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -202,6 +214,7 @@ +@@ -202,6 +216,7 @@ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -6946,7 +6955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -@@ -222,14 +235,15 @@ +@@ -222,14 +237,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
@@ -6964,7 +6973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -292,3 +306,14 @@ +@@ -292,3 +308,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -11249,6 +11258,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ## All of the rules required to administrate ## an amavis environment ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.5.13/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2008-10-17 14:49:13.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/amavis.te 2009-06-11 12:21:57.000000000 +0200 +@@ -103,6 +103,8 @@ + kernel_dontaudit_read_proc_symlinks(amavis_t) + kernel_dontaudit_read_system_state(amavis_t) + ++fs_getattr_xattr_fs(amavis_t) ++ + # find perl + corecmd_exec_bin(amavis_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.5.13/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/services/apache.fc 2009-06-03 08:00:14.000000000 +0200 
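Review bot: `fs_getattr_xattr_fs(amavis_t)` is inserted between the kernel_ calls and `corecmd_exec_bin(amavis_t)`, which breaks the usual refpolicy grouping in which fs_ interface calls sit with the domain's other fs_ calls after the files_ block rather than among the leading kernel-layer entries; the pyzor.te hunk (`fs_getattr_xattr_fs(pyzor_t)` placed before `corecmd_list_bin`) and the dcc.te hunk (`fs_getattr_xattr_fs(dcc_client_t)` placed before `kernel_read_system_state`) have the same placement issue. The spamassassin.te hunk gets it right by putting `fs_getattr_xattr_fs(spamc_t)` directly above `fs_search_auto_mountpoints(spamc_t)`, and I would move the other three the same way. If one audit denial motivated all four additions, a short comment naming the operation (presumably a statfs on the spool directory) would help the next reviewer judge whether getattr on every xattr filesystem is the minimal grant.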
@@ -12921,6 +12942,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi fs_getattr_all_fs(entropyd_t) fs_search_auto_mountpoints(entropyd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.5.13/policy/modules/services/automount.if +--- nsaserefpolicy/policy/modules/services/automount.if 2008-10-17 14:49:13.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/automount.if 2009-06-08 16:14:26.000000000 +0200 +@@ -107,6 +107,24 @@ + dontaudit $1 automount_tmp_t:dir getattr; + ') + ++###################################### ++## ++## Send signal to automount process ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`automount_signal',` ++ gen_require(` ++ type automount_t; ++ ') ++ ++ allow $1 automount_t:process signal; ++') ++ + ######################################## + ## + ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.5.13/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2008-10-17 14:49:11.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/services/automount.te 2009-02-10 15:07:15.000000000 +0100 @@ -16137,7 +16186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.5.13/policy/modules/services/dcc.te --- nsaserefpolicy/policy/modules/services/dcc.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2009-03-30 16:36:54.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/dcc.te 2009-06-11 12:19:36.000000000 +0200 @@ -105,6 +105,8 @@ files_read_etc_files(cdcc_t) files_read_etc_runtime_files(cdcc_t) 
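Review bot: The summary `Send signal to automount process` undersells what `allow $1 automount_t:process signal;` grants: the SELinux `signal` permission covers every signal except SIGKILL, SIGSTOP, SIGCHLD and the null probe, so this is the generic-signals interface and its summary should say so, e.g. `Send generic signals to automount.`, as most refpolicy `*_signal` interfaces are worded. The `<summary>` and `<param>` markup around the doc lines is not visible in this rendering, so whether it survived cannot be told from here; please check the file itself, since the policy documentation generator parses those tags.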
@@ -16168,7 +16217,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. allow dcc_client_t self:unix_dgram_socket create_socket_perms; allow dcc_client_t self:udp_socket create_socket_perms; -@@ -141,6 +136,7 @@ +@@ -136,11 +131,12 @@ + + # Access files in /var/dcc. The map file can be updated + allow dcc_client_t dcc_var_t:dir list_dir_perms; +-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) ++manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) corenet_all_recvfrom_unlabeled(dcc_client_t) corenet_all_recvfrom_netlabel(dcc_client_t) @@ -16176,10 +16231,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. corenet_udp_sendrecv_generic_if(dcc_client_t) corenet_udp_sendrecv_all_nodes(dcc_client_t) corenet_udp_sendrecv_all_ports(dcc_client_t) -@@ -148,6 +144,10 @@ +@@ -148,6 +144,12 @@ files_read_etc_files(dcc_client_t) files_read_etc_runtime_files(dcc_client_t) ++fs_getattr_xattr_fs(dcc_client_t) ++ +kernel_read_system_state(dcc_client_t) + +auth_use_nsswitch(dcc_client_t) @@ -16187,20 +16244,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dcc_client_t) libs_use_shared_libs(dcc_client_t) -@@ -155,11 +155,8 @@ +@@ -155,11 +157,12 @@ miscfiles_read_localization(dcc_client_t) -sysnet_read_config(dcc_client_t) -sysnet_dns_name_resolve(dcc_client_t) -- ++optional_policy(` ++ amavis_read_spool_files(dcc_client_t) ++') + optional_policy(` - nscd_socket_use(dcc_client_t) + spamassassin_read_spamd_tmp_files(dcc_client_t) ') ######################################## -@@ -191,6 +188,8 @@ +@@ -191,6 +194,8 @@ files_read_etc_files(dcc_dbclean_t) files_read_etc_runtime_files(dcc_dbclean_t) 
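Review bot: Replacing `read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` with `manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` grants create, unlink, rename and setattr on every file under dcc_var_t, while the comment just above it (`# Access files in /var/dcc. The map file can be updated`) describes only updating an existing file, for which `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` is the narrower fit. If the client really rewrites the map by creating a new file and renaming it over the old one, manage is the right choice, but then the comment should say so, e.g. `# the client rewrites the map file under /var/dcc (create + rename)`. Either way the grant covers every file in dcc_var_t, not just the map, so a tighter type for the map would be the least-privilege option if the policy has one.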
@@ -16209,7 +16269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dcc_dbclean_t) libs_use_shared_libs(dcc_dbclean_t) -@@ -198,13 +197,6 @@ +@@ -198,13 +203,6 @@ miscfiles_read_localization(dcc_dbclean_t) @@ -16223,7 +16283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. ######################################## # # Server daemon local policy -@@ -262,6 +254,8 @@ +@@ -262,6 +260,8 @@ fs_getattr_all_fs(dccd_t) fs_search_auto_mountpoints(dccd_t) @@ -16232,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccd_t) libs_use_shared_libs(dccd_t) -@@ -277,10 +271,6 @@ +@@ -277,10 +277,6 @@ sysadm_dontaudit_search_home_dirs(dccd_t) optional_policy(` @@ -16243,7 +16303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. seutil_sigchld_newrole(dccd_t) ') -@@ -336,6 +326,8 @@ +@@ -336,6 +332,8 @@ fs_getattr_all_fs(dccifd_t) fs_search_auto_mountpoints(dccifd_t) @@ -16252,7 +16312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccifd_t) libs_use_shared_libs(dccifd_t) -@@ -343,18 +335,10 @@ +@@ -343,18 +341,10 @@ miscfiles_read_localization(dccifd_t) @@ -16271,7 +16331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. seutil_sigchld_newrole(dccifd_t) ') -@@ -409,6 +393,8 @@ +@@ -409,6 +399,8 @@ fs_getattr_all_fs(dccm_t) fs_search_auto_mountpoints(dccm_t) @@ -16280,7 +16340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc. libs_use_ld_so(dccm_t) libs_use_shared_libs(dccm_t) -@@ -416,18 +402,10 @@ +@@ -416,18 +408,10 @@ miscfiles_read_localization(dccm_t) 
@@ -25664,7 +25724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/pyzor.te 2009-06-11 12:20:09.000000000 +0200 @@ -6,6 +6,38 @@ # Declarations # @@ -25728,7 +25788,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ######################################## # # Pyzor local policy -@@ -68,6 +108,8 @@ +@@ -46,6 +86,8 @@ + kernel_read_kernel_sysctls(pyzor_t) + kernel_read_system_state(pyzor_t) + ++fs_getattr_xattr_fs(pyzor_t) ++ + corecmd_list_bin(pyzor_t) + corecmd_getattr_bin_files(pyzor_t) + +@@ -68,6 +110,8 @@ miscfiles_read_localization(pyzor_t) @@ -25737,7 +25806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo sysadm_dontaudit_search_home_dirs(pyzor_t) optional_policy(` -@@ -76,8 +118,13 @@ +@@ -76,8 +120,13 @@ ') optional_policy(` @@ -26271,7 +26340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-05-05 14:18:33.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-06-08 16:17:53.000000000 +0200 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
@@ -26302,7 +26371,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_certs(rpcd_t) -@@ -101,6 +105,7 @@ +@@ -85,6 +89,10 @@ + seutil_dontaudit_search_config(rpcd_t) + + optional_policy(` ++ automount_signal(rpcd_t) ++') ++ ++optional_policy(` + nis_read_ypserv_config(rpcd_t) + ') + +@@ -101,6 +109,7 @@ # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -26310,7 +26390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -116,6 +121,7 @@ +@@ -116,6 +125,7 @@ # cjp: this should really have its own type files_manage_mounttab(rpcd_t) @@ -26318,7 +26398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -123,6 +129,7 @@ +@@ -123,6 +133,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -26326,7 +26406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -133,13 +140,22 @@ +@@ -133,13 +144,22 @@ ') tunable_policy(`nfs_export_all_rw',` @@ -26350,7 +26430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -162,6 +178,7 @@ +@@ -162,6 +182,7 @@ corecmd_exec_bin(gssd_t) @@ -26358,7 +26438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_list_rpc(gssd_t) fs_read_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -170,9 +187,14 @@ +@@ -170,9 +191,14 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) 
@@ -26373,7 +26453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -@@ -180,8 +202,7 @@ +@@ -180,8 +206,7 @@ ') optional_policy(` @@ -26458,7 +26538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn +/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.13/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/rsync.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/rsync.te 2009-06-11 12:35:05.000000000 +0200 @@ -45,7 +45,7 @@ # Local policy # @@ -26468,10 +26548,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; -@@ -122,5 +122,10 @@ +@@ -121,6 +121,13 @@ + ') tunable_policy(`rsync_export_all_ro',` - fs_read_noxattr_fs_files(rsync_t) +- fs_read_noxattr_fs_files(rsync_t) ++ fs_read_noxattr_fs_files(rsync_t) ++ fs_read_nfs_files(rsync_t) ++ fs_read_cifs_files(rsync_t) + auth_read_all_dirs_except_shadow(rsync_t) auth_read_all_files_except_shadow(rsync_t) + auth_read_all_symlinks_except_shadow(rsync_t) 
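Review bot: The `rsync_export_all_ro` block now also grants `fs_read_nfs_files(rsync_t)` and `fs_read_cifs_files(rsync_t)`, so the boolean's description (the `gen_tunable` earlier in rsync.te, outside this hunk) should be updated to say that read-only export now reaches NFS and CIFS mounts too, since that text is what administrators see when deciding whether to enable it. The `fs_read_noxattr_fs_files(rsync_t)` line appears in the hunk as a removal plus a re-addition that differ only in whitespace; leaving that line untouched would keep the inner diff to the two real additions.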
@@ -28814,7 +28898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-04-27 10:20:11.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-06-11 12:21:25.000000000 +0200 @@ -21,16 +21,24 @@ gen_tunable(spamd_enable_home_dirs, true) @@ -28998,7 +29082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -211,5 +261,142 @@ +@@ -211,5 +261,144 @@ ') optional_policy(` @@ -29055,6 +29139,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +files_list_var_lib(spamc_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + ++fs_getattr_xattr_fs(spamc_t) ++ +fs_search_auto_mountpoints(spamc_t) +fs_list_inotifyfs(spamc_t) + @@ -33504,7 +33590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.5.13/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/ipsec.te 2009-06-11 12:49:17.000000000 +0200 @@ -55,11 +55,12 @@ allow ipsec_t self:capability { net_admin dac_override dac_read_search }; 
@@ -33561,7 +33647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. seutil_sigchld_newrole(ipsec_t) ') -@@ -160,9 +162,9 @@ +@@ -160,10 +162,11 @@ allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; allow ipsec_mgmt_t self:process { signal setrlimit }; allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; @@ -33569,11 +33655,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. +allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -allow ipsec_mgmt_t self:key_socket { create setopt }; +-allow ipsec_mgmt_t self:fifo_file rw_file_perms; +allow ipsec_mgmt_t self:key_socket create_socket_perms; - allow ipsec_mgmt_t self:fifo_file rw_file_perms; ++allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; ++ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; -@@ -171,6 +173,8 @@ + files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file) +@@ -171,6 +174,8 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) @@ -33582,7 +33671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -226,6 +230,7 @@ +@@ -226,6 +231,7 @@ # the ipsec wrapper wants to run /usr/bin/logger (should we put # it in its own domain?) corecmd_exec_bin(ipsec_mgmt_t) 
@@ -33590,7 +33679,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. domain_use_interactive_fds(ipsec_mgmt_t) # denials when ps tries to search /proc. Do not audit these denials. -@@ -283,7 +288,7 @@ +@@ -279,11 +285,12 @@ + # + + allow racoon_t self:capability { net_admin net_bind_service }; ++allow racoon_t self:fifo_file rw_fifo_file_perms; + allow racoon_t self:netlink_route_socket create_netlink_socket_perms; allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; @@ -33599,7 +33693,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. # manage pid file manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -305,6 +310,7 @@ +@@ -301,10 +308,18 @@ + kernel_read_system_state(racoon_t) + kernel_read_network_state(racoon_t) + ++can_exec(racoon_t, racoon_exec_t) ++ ++corecmd_exec_shell(racoon_t) ++corecmd_exec_bin(racoon_t) ++ ++sysnet_exec_ifconfig(racoon_t) ++ + corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_bind_all_nodes(racoon_t) corenet_udp_bind_all_nodes(racoon_t) corenet_udp_bind_isakmp_port(racoon_t) @@ -33607,7 +33712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) -@@ -319,6 +325,8 @@ +@@ -319,6 +334,8 @@ ipsec_setcontext_default_spd(racoon_t) @@ -33616,7 +33721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec. libs_use_ld_so(racoon_t) libs_use_shared_libs(racoon_t) -@@ -335,7 +343,7 @@ +@@ -335,7 +352,7 @@ # allow setkey_t self:capability net_admin; 
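Review bot: `corecmd_exec_shell(racoon_t)` and `corecmd_exec_bin(racoon_t)` let a daemon that binds the ISAKMP port (`corenet_udp_bind_isakmp_port(racoon_t)` in this hunk) run any shell and any bin_t program in its own domain, and the block carries no why-comment; the ipsec_mgmt_t section documents its equivalent grant with `# the ipsec wrapper wants to run /usr/bin/logger (should we put it in its own domain?)`, and this block deserves the same, e.g. `# racoon runs the hook scripts under /etc/racoon/scripts (bin_t)` above `corecmd_exec_shell(racoon_t)`. `sysnet_exec_ifconfig(racoon_t)` is the narrow grant and can stay, but it sits between the corecmd_ and corenet_ calls; moving it down to the sysnet_ position keeps the module's alphabetical grouping. The new `allow racoon_t self:fifo_file rw_fifo_file_perms;` uses the fifo-specific permission set, which is the right choice.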
@@ -33718,7 +33823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-04-03 10:47:07.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2009-06-11 12:23:47.000000000 +0200 @@ -60,12 +60,15 @@ # # /opt @@ -33880,7 +33985,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +320,8 @@ +@@ -283,6 +312,7 @@ + /usr/(local/)?matlab.*/bin/glnx86/libmwlapack\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(local/)?matlab.*/bin/glnx86/(libmw(lapack|mathutil|services)|lapack|libmkl)\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/(local/)?matlab.*/sys/os/glnx86/libtermcap\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -291,6 +321,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
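Review bot: The new `/usr/local/Zend/lib/ZendExtensionManager\.so` entry omits the `--` file-type field that every neighbouring textrel_shlib_t line carries, so it also matches a directory or symlink at that exact path; `/usr/local/Zend/lib/ZendExtensionManager\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` keeps it consistent with the surrounding entries. Labelling a library textrel_shlib_t permits text relocations (execmod) on it, so a comment pointing at the report that showed this library needs them would be useful, in the way `# Java, Sun Microsystems (JPackage SRPM)` explains the jre entries just above.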
@@ -33889,7 +34002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,6 +338,36 @@ +@@ -307,6 +339,36 @@ /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 52ca0ef..e6438a5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -462,7 +462,7 @@ exit 0 %endif %changelog -* Wed Jun 11 2009 Miroslav Grepl 3.5.13-64 +* Thu Jun 11 2009 Miroslav Grepl 3.5.13-64 - Allow rpcd to send signals to automount * Wed Jun 3 2009 Miroslav Grepl 3.5.13-63