From 06686c20a2d9a1f17fe30ced1afd800d7226ac9a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 10 2008 19:45:47 +0000
Subject: - Allow dhcpd to read kernel network state
---
diff --git a/policy-20071130.patch b/policy-20071130.patch
index 3f4d3b5..2234fa9 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -7892,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-10 13:50:44.000000000 -0400
 @@ -851,9 +851,8 @@
 type proc_t, proc_afs_t;
 ')
@@ -7916,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 ')
 dontaudit $1 sysctl_type:dir list_dir_perms;
-+ dontaudit $1 sysctl_type:file getattr;
++ dontaudit $1 sysctl_type:file read_file_perms;
 ')
 ########################################
@@ -8382,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-05 07:45:49.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-04-10 13:06:52.000000000 -0400
 @@ -13,21 +13,16 @@
 #
 template(`apache_content_template',`
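Review bot: Widening `++ dontaudit $1 sysctl_type:file read_file_perms;` from getattr to the whole read set also silences failed read and open attempts on every sysctl for any caller of this interface, so a domain that is genuinely missing a sysctl read rule no longer shows up in the audit log. If the noise being suppressed is only stat/open probing of /proc/sys, `dontaudit $1 sysctl_type:file { getattr open };` keeps real read denials visible; if full reads are expected and deliberately not granted, a comment such as `# callers probe sysctls they must not read; keep this a dontaudit, never an allow` records that decision next to the rule. The enclosing interface starts before this hunk, so its name and doc header are not visible here.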
@@ -8538,7 +8538,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_t httpd_$1_content_t:dir list_dir_perms;
 read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
-@@ -177,48 +159,6 @@
+@@ -151,9 +133,13 @@
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+
++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+
+@@ -177,48 +163,6 @@
 miscfiles_read_localization(httpd_$1_script_t)
 ')
@@ -8587,7 +8601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 optional_policy(`
 tunable_policy(`httpd_enable_cgi && allow_ypbind',`
 nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,72 +205,77 @@
+@@ -265,72 +209,77 @@
 template(`apache_per_role_template', `
 gen_require(`
 attribute httpdcontent, httpd_script_domains;
@@ -8718,7 +8732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ')
-@@ -352,12 +297,11 @@
+@@ -352,12 +301,11 @@
 #
 template(`apache_read_user_scripts',`
 gen_require(`
@@ -8735,7 +8749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -378,12 +322,12 @@
+@@ -378,12 +326,12 @@
 #
 template(`apache_read_user_content',`
 gen_require(`
@@ -8752,7 +8766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -761,6 +705,7 @@
+@@ -761,6 +709,7 @@
 ')
 allow $1 httpd_modules_t:dir list_dir_perms;
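Review bot: The two added rules `++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;` and `++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;` follow domtrans_pattern calls that, in refpolicy's domain_auto_transition_pattern, already grant getattr/open/read/execute on the entry-point file, so if that holds in this tree the only permissions actually being added are ioctl and lock. Each neighbouring domtrans call has a comment (`# privileged users run the script:`, `# apache runs the script:`) while the new rules have none; a line above each naming the access that was denied, e.g. `# script interpreters need read/ioctl on the entry point after the transition -- confirm against the AVC`, would explain why read permissions beyond the transition pattern are needed on an exec type. The apache_content_template body that contains these lines starts before the hunk.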
@@ -8760,7 +8774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -841,12 +786,16 @@
+@@ -841,12 +790,16 @@
 # sysadm_t to run scripts
 interface(`apache_domtrans_sys_script',`
 gen_require(`
@@ -8779,7 +8793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ')
-@@ -932,7 +881,7 @@
+@@ -932,7 +885,7 @@
 type httpd_squirrelmail_t;
 ')
@@ -8788,7 +8802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -1023,16 +972,16 @@
+@@ -1023,16 +976,16 @@
 #
 interface(`apache_manage_all_user_content',`
 gen_require(`
@@ -8812,7 +8826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -1088,3 +1037,142 @@
+@@ -1088,3 +1041,142 @@
 allow httpd_t $1:process signal;
 ')
@@ -13399,7 +13413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.3.1/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dhcp.te 2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dhcp.te 2008-04-10 11:29:00.000000000 -0400
 @@ -19,18 +19,20 @@
 type dhcpd_var_run_t;
 files_pid_file(dhcpd_var_run_t)
@@ -13423,7 +13437,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 allow dhcpd_t self:tcp_socket create_stream_socket_perms;
 allow dhcpd_t self:udp_socket create_socket_perms;
 # Allow dhcpd_t to use packet sockets
-@@ -88,6 +90,8 @@
+@@ -51,6 +53,7 @@
+
+ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
++kernel_read_network_state(dhcpd_t)
+
+ corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
+@@ -88,6 +91,8 @@
 files_read_etc_runtime_files(dhcpd_t)
 files_search_var_lib(dhcpd_t)
@@ -13432,7 +13454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 libs_use_ld_so(dhcpd_t)
 libs_use_shared_libs(dhcpd_t)
-@@ -95,7 +99,6 @@
+@@ -95,7 +100,6 @@
 miscfiles_read_localization(dhcpd_t)
@@ -13440,7 +13462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 sysnet_read_dhcp_config(dhcpd_t)
 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -116,14 +119,6 @@
+@@ -116,14 +120,6 @@
 ')
 optional_policy(`
@@ -27809,7 +27831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if 2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-05 14:44:00.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if 2008-04-10 10:48:18.000000000 -0400
 @@ -213,12 +213,7 @@
 ##
 #
@@ -27905,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 ')
 ########################################
-@@ -804,3 +838,127 @@
+@@ -804,3 +838,128 @@
 logging_admin_audit($1, $2, $3)
 logging_admin_syslog($1, $2, $3)
 ')
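Review bot: `++kernel_read_network_state(dhcpd_t)` is added without a comment, and the interface grants read on everything labelled proc_net_t rather than on one file; a note on what dhcpd was actually denied, e.g. `# dhcpd enumerates interfaces via /proc/net -- confirm against the AVC`, would let a later reviewer judge whether the whole interface is still warranted. The placement is consistent with the surrounding kernel_read_system_state and kernel_read_kernel_sysctls calls and matches the commit subject. The subject and the 3.3.1-33 changelog entry describe only this line, however, while the same commit also widens a sysctl dontaudit in kernel.if, adds script read rules in apache.if and a socket rule in logging.if; those changes are not recorded anywhere in the commit record.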
@@ -28013,6 +28035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ domtrans_pattern(audisp_t,$2,$1)
+
+ allow audisp_t $2:file getattr;
++ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 02945d0..010f8cb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -383,6 +383,9 @@ exit 0
 %endif
 %changelog
+* Thu Apr 10 2008 Dan Walsh 3.3.1-33
+- Allow dhcpd to read kernel network state
+
 * Thu Apr 10 2008 Dan Walsh 3.3.1-32
 - Label /var/run/gdm correctly
 - Fix unconfined_u user creation
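Review bot: `++ allow $1 audisp_t:unix_stream_socket rw_socket_perms;` gives the plugin domain `$1` bind, connect, setopt, shutdown and the other socket-management permissions on audisp_t's stream sockets, not just read and write. If the plugin only uses the already-connected socket it inherits across the `domtrans_pattern(audisp_t,$2,$1)` two lines above, `allow $1 audisp_t:unix_stream_socket { read write };` is the tighter grant, adding ioctl or getattr only if a denial shows the plugin needs them. The rule also carries no comment; something like `# plugins read audit events from audispd over the inherited stream socket -- confirm` would record the intent, which I infer from the transition direction because the template header and its documentation start before this hunk.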