From 2447e7e2838955b08e3f9a2073ffd8e9df227e3e Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 17 2011 10:49:58 +0000 Subject: - We need to treat port_t and unreserved_port_t as generic_port types --- diff --git a/policy-F16.patch b/policy-F16.patch index 88721bd..173c034 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -7944,10 +7944,31 @@ index 0000000..6d0c9e3 +') + diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te -index 2dde73a..8ebd16b 100644 +index 2dde73a..1b16fa4 100644 --- a/policy/modules/apps/kdumpgui.te +++ b/policy/modules/apps/kdumpgui.te -@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t) +@@ -9,6 +9,9 @@ type kdumpgui_t; + type kdumpgui_exec_t; + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + ++type kdumpgui_tmp_t; ++files_tmp_file(kdumpgui_tmp_t) ++ + ###################################### + # + # system-config-kdump local policy +@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; + allow kdumpgui_t self:fifo_file rw_fifo_file_perms; + allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; + ++manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) ++manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) ++files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) ++ + kernel_read_system_state(kdumpgui_t) + kernel_read_network_state(kdumpgui_t) + +@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) 
@@ -7956,20 +7977,28 @@ index 2dde73a..8ebd16b 100644 storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) -@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t) +@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t) + + miscfiles_read_localization(kdumpgui_t) ++mount_exec(kdumpgui_t) ++ init_dontaudit_read_all_script_files(kdumpgui_t) +userdom_dontaudit_search_admin_dir(kdumpgui_t) + +optional_policy(` ++ bootloader_exec(kdumpgui_t) ++') ++ ++optional_policy(` + consoletype_exec(kdumpgui_t) +') + optional_policy(` consoletype_exec(kdumpgui_t) ') -@@ -58,6 +66,7 @@ optional_policy(` +@@ -58,6 +79,7 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -12963,7 +12992,7 @@ index 9e9263a..650e796 100644 manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 4f3b542..cf422f4 100644 +index 4f3b542..f4e36ee 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` @@ -13080,10 +13109,10 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_sendrecv_generic_port',` + gen_require(` -+ type port_t; ++ type port_t, unreserved_port_t; + ') + -+ allow $1 port_t:dccp_socket { send_msg recv_msg }; ++ allow $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg }; +') + +######################################## 
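Review bot: `mount_exec(kdumpgui_t)` and `bootloader_exec(kdumpgui_t)` in the kdumpgui.te hunk execute the mount and bootloader binaries inside kdumpgui_t rather than transitioning, so those tools inherit everything kdumpgui_t already holds — the `net_admin sys_admin sys_rawio` capabilities and `storage_raw_write_fixed_disk` visible in the surrounding context. That is presumably deliberate, but nothing in the file says so; a comment such as `# mount and the bootloader run in kdumpgui_t (no domain transition) and inherit its raw-disk and sys_admin access` would keep a later reader from blindly swapping these for domtrans interfaces or, conversely, from assuming a transition exists. The two new rules are also wrapped differently — `bootloader_exec` sits inside `optional_policy(...)` while `mount_exec` is unconditional; if the mount module can be absent in this build, wrap it the same way.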
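Review bot: `corenet_dccp_sendrecv_generic_port` now grants `{ port_t unreserved_port_t }` where it granted only `port_t`, and the same widening is applied to every sibling `*_generic_port` interface in the corenetwork.if.in hunks that follow (sendrecv, dontaudit, bind and connect for TCP, UDP and DCCP). Every existing caller of these interfaces therefore gains bind/connect/send/receive access on unreserved_port_t as well; the callers are not visible in this diff, so the affected domains should be named in the commit message rather than left to be discovered from denials that stop appearing. The interface summaries still read only `## Bind TCP sockets to generic ports.` (and the equivalent for the others); state what "generic" now covers, e.g. `## Bind TCP sockets to generic ports (port_t and unreserved_port_t).`, so policy authors choosing between the generic interfaces and the `*_all_unreserved_ports` ones know what each now includes.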
@@ -13091,10 +13120,19 @@ index 4f3b542..cf422f4 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',` - - ######################################## - ## +@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',` + # + interface(`corenet_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## +## Do not audit attempts to send and +## receive DCCP network traffic on +## generic ports. 
@@ -13107,17 +13145,53 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ dontaudit $1 port_t:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Do not audit send and receive TCP network traffic on generic ports. - ## - ## ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` + # + interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + # + interface(`corenet_udp_send_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:udp_socket send_msg; ++ allow $1 { port_t unreserved_port_t }:udp_socket send_msg; + ') + + ######################################## +@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',` + # + interface(`corenet_udp_receive_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:udp_socket recv_msg; ++ allow $1 { port_t unreserved_port_t }:udp_socket recv_msg; + ') + + ######################################## @@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## 
@@ -13132,11 +13206,11 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_bind_generic_port',` + gen_require(` -+ type port_t; ++ type port_t, unreserved_port_t; + attribute defined_port_type; + ') + -+ allow $1 port_t:dccp_socket name_bind; ++ allow $1 { port_t unreserved_port_t }:dccp_socket name_bind; + dontaudit $1 defined_port_type:dccp_socket name_bind; +') + @@ -13145,16 +13219,17 @@ index 4f3b542..cf422f4 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',` + # interface(`corenet_tcp_bind_generic_port',` gen_require(` - type port_t; +- type port_t; - attribute port_type; ++ type port_t, unreserved_port_t; + attribute defined_port_type; - ') - - allow $1 port_t:tcp_socket name_bind; -- dontaudit $1 { port_type -port_t }:tcp_socket name_bind; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket name_bind; + dontaudit $1 defined_port_type:tcp_socket name_bind; +') + 
@@ -13171,23 +13246,39 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dontaudit_dccp_bind_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ dontaudit $1 port_t:dccp_socket name_bind; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:tcp_socket name_bind; +- dontaudit $1 { port_type -port_t }:tcp_socket name_bind; ++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket name_bind; + ') + + ######################################## +@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',` + # + interface(`corenet_dontaudit_tcp_bind_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- dontaudit $1 port_t:tcp_socket name_bind; ++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket name_bind; ') ######################################## -@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` +@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` + # interface(`corenet_udp_bind_generic_port',` gen_require(` - type port_t; +- type port_t; - attribute port_type; ++ type port_t, unreserved_port_t; + attribute defined_port_type; - ') - - allow $1 port_t:udp_socket name_bind; -- dontaudit $1 { port_type -port_t }:udp_socket name_bind; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:udp_socket name_bind; + dontaudit $1 defined_port_type:udp_socket name_bind; +') + 
@@ -13203,17 +13294,28 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_connect_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ allow $1 port_t:dccp_socket name_connect; - ') ++ type port_t, unreserved_port_t; + ') - ######################################## -@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` +- allow $1 port_t:udp_socket name_bind; +- dontaudit $1 { port_type -port_t }:udp_socket name_bind; ++ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect; + ') ######################################## - ## +@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',` + # + interface(`corenet_tcp_connect_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect; ++') ++ ++######################################## ++## +## Send and receive DCCP network traffic on all ports. +## +## @@ -13225,16 +13327,13 @@ index 4f3b542..cf422f4 100644 +interface(`corenet_dccp_sendrecv_all_ports',` + gen_require(` + attribute port_type; -+ ') -+ + ') + +- allow $1 port_t:tcp_socket name_connect; + allow $1 port_type:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on all ports. - ## - ## + ') + + ######################################## @@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## @@ -13459,7 +13558,7 @@ index 4f3b542..cf422f4 100644 ## ## ## -@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` +@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` ## ## # 
@@ -13468,14 +13567,36 @@ index 4f3b542..cf422f4 100644 gen_require(` - attribute reserved_port_type; + type reserved_port_t; -+ ') -+ + ') + +- allow $1 reserved_port_type:udp_socket send_msg; + allow $1 reserved_port_t:tcp_socket name_connect; + ') + + ######################################## + ## +-## Receive UDP network traffic on all reserved ports. ++## Send and receive DCCP network traffic on all reserved ports. + ## + ## + ## +@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_receive_all_reserved_ports',` ++interface(`corenet_dccp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + +- allow $1 reserved_port_type:udp_socket recv_msg; ++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; +') + +######################################## +## -+## Send and receive DCCP network traffic on all reserved ports. ++## Send and receive TCP network traffic on all reserved ports. +## +## +## @@ -13483,17 +13604,17 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_dccp_sendrecv_all_reserved_ports',` ++interface(`corenet_tcp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + -+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## -+## Send and receive TCP network traffic on all reserved ports. ++## Send UDP network traffic on all reserved ports. +## +## +## 
@@ -13501,17 +13622,17 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_tcp_sendrecv_all_reserved_ports',` ++interface(`corenet_udp_send_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + -+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_type:udp_socket send_msg; +') + +######################################## +## -+## Send UDP network traffic on all reserved ports. ++## Receive UDP network traffic on all reserved ports. +## +## +## @@ -13519,12 +13640,15 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_udp_send_all_reserved_ports',` ++interface(`corenet_udp_receive_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; - ') ++ ') ++ ++ allow $1 reserved_port_type:udp_socket recv_msg; + ') - allow $1 reserved_port_type:udp_socket send_msg; + ######################################## @@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ######################################## @@ -13620,9 +13744,8 @@ index 4f3b542..cf422f4 100644 gen_require(` - attribute port_type, reserved_port_type; + attribute unreserved_port_type; - ') - -- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ ') ++ + allow $1 unreserved_port_type:udp_socket name_bind; +') + @@ -13675,8 +13798,9 @@ index 4f3b542..cf422f4 100644 +interface(`corenet_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; -+ ') -+ + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; + allow $1 reserved_port_type:dccp_socket name_connect; ') @@ -14465,7 +14589,7 @@ index 35fed4f..51ad69a 100644 # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..12bd6fc 100644 +index 6cf8784..b48524e 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,11 +15,13 @@ 
@@ -14493,7 +14617,7 @@ index 6cf8784..12bd6fc 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -126,6 +130,7 @@ ifdef(`distro_suse', ` +@@ -126,12 +130,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -14501,7 +14625,14 @@ index 6cf8784..12bd6fc 100644 /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0) /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -@@ -187,8 +192,6 @@ ifdef(`distro_suse', ` + + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + +@@ -187,8 +193,6 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -14510,7 +14641,7 @@ index 6cf8784..12bd6fc 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +199,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +200,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') 
@@ -70017,9 +70148,9 @@ index 808ba93..4ff705d 100644 + ') + + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") -+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload") -+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") ++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index e5836d3..eae9427 100644 diff --git a/selinux-policy.spec b/selinux-policy.spec index 2a15390..cf6329d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 56%{?dist} +Release: 57%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Nov 16 2011 Miroslav Grepl 3.10.0-57 +- We need to treat port_t and unreserved_port_t as generic_port types + * Wed Nov 16 2011 Miroslav Grepl 3.10.0-56 - Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work
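Review bot: Enabling `files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")` and the matching `"ld.so.preload~"` line changes which label the `~`-suffixed files receive, and because `/etc/ld.so.preload` decides which libraries the loader injects into every dynamically linked process, the reason these previously commented-out rules are now live deserves a comment in the hunk. Something like `# "~" backups: a tool that writes the new file under the backup name and renames it into place must end up with ld_so_cache_t, not the parent's etc_t` states the presumed rationale — confirm that this is actually how the files are produced before committing to that wording. The interface being edited (presumably in libraries.if, given the libraries.te header that follows) opens before this hunk, so its name and summary are not visible here; the summary should mention the backup names too. The changelog entry at the end of this diff lists only the generic_port change, leaving this and the kdumpgui changes undocumented in the package history.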