From 33024a50f4478ec0cdf0e9ed5d76a4261cb64e24 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 27 2011 16:27:21 +0000 Subject: - Add label for dev/ati/card* - Allowe secadm to manage selinux config files --- diff --git a/policy-F15.patch b/policy-F15.patch index 12492a9..a7734b1 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -11116,7 +11116,7 @@ index 5a07a43..096bc60 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..48d40c2 100644 +index 0757523..323326b 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -11216,7 +11216,7 @@ index 0757523..48d40c2 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +151,58 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +151,59 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -11224,6 +11224,7 @@ index 0757523..48d40c2 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) 
@@ -11281,7 +11282,7 @@ index 0757523..48d40c2 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +217,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +218,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -11315,7 +11316,7 @@ index 0757523..48d40c2 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,20 +250,22 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,20 +251,22 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -11341,7 +11342,7 @@ index 0757523..48d40c2 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -272,9 +319,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -272,9 +320,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -11355,7 +11356,7 @@ index 0757523..48d40c2 100644 +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..5a6e602 100644 +index 6cf8784..e244a9d 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -20,6 +20,7 @@ 
@@ -11374,7 +11375,15 @@ index 6cf8784..5a6e602 100644 /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) -@@ -187,8 +189,6 @@ ifdef(`distro_suse', ` +@@ -133,6 +135,7 @@ ifdef(`distro_suse', ` + /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) + + /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + + /dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +@@ -187,8 +190,6 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -11383,7 +11392,7 @@ index 6cf8784..5a6e602 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +196,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +197,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -15262,7 +15271,7 @@ index 1cb7311..1de82b2 100644 + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index be4de58..2efb6e9 100644 +index be4de58..cce681a 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -9,6 +9,8 @@ role secadm_r; 
@@ -15274,21 +15283,11 @@ index be4de58..2efb6e9 100644 ######################################## # -@@ -39,6 +41,9 @@ logging_read_audit_log(secadm_t) - logging_read_generic_logs(secadm_t) - logging_read_audit_config(secadm_t) - -+seutil_rw_config(secadm_t) -+seutil_rw_default_contexts(secadm_t) -+ - optional_policy(` - aide_run(secadm_t, secadm_r) - ') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..dc6fd50 100644 +index 2be17d2..d7510f3 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -15308,6 +15307,8 @@ index 2be17d2..dc6fd50 100644 +kernel_read_software_raid_state(staff_usertype) +kernel_read_fs_sysctls(staff_usertype) + ++dev_read_cpuid(staff_usertype) ++ +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) @@ -15340,7 +15341,7 @@ index 2be17d2..dc6fd50 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,31 +66,143 @@ optional_policy(` +@@ -27,31 +68,143 @@ optional_policy(` ') optional_policy(` @@ -15486,7 +15487,7 @@ index 2be17d2..dc6fd50 100644 xserver_role(staff_r, staff_t) ') -@@ -89,10 +240,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15497,7 +15498,7 @@ index 2be17d2..dc6fd50 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +284,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15508,7 +15509,7 @@ index 2be17d2..dc6fd50 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +315,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -21500,7 +21501,7 @@ index 6ee2cc8..3105b09 100644 # interface(`ccs_domtrans',` 
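Review bot: `dev_read_cpuid(staff_usertype)`, added in the staff.te hunk between the `kernel_read_*` and `domain_*` rules, is a new grant for every staff user type that neither the commit subject nor the spec changelog mentions (both list only the /dev/ati/card label and the secadm change), so a reader bisecting the policy later will not find a reason for it. Either add it to the changelog entry or put a short comment beside the rule, e.g. `# confirm which staff tool needs cpuid access` replaced by the actual trigger once known. The same hunk line also drops the `seutil_rw_config`/`seutil_rw_default_contexts` pair from secadm.te; where those permissions went is raised on the userdomain.if hunk. The staff_usertype rule run begins and continues outside this hunk.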
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te -index 4c90b57..af806c2 100644 +index 4c90b57..418eb6b 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -10,7 +10,7 @@ type ccs_exec_t; @@ -21521,7 +21522,15 @@ index 4c90b57..af806c2 100644 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) +@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t) + files_read_etc_runtime_files(ccs_t) + + init_rw_script_tmp_files(ccs_t) ++init_signal(ccs_t) + + logging_send_syslog_msg(ccs_t) + +@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) @@ -21530,7 +21539,7 @@ index 4c90b57..af806c2 100644 corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') -@@ -118,5 +118,10 @@ optional_policy(` +@@ -118,5 +119,10 @@ optional_policy(` ') optional_policy(` @@ -34260,7 +34269,7 @@ index e80f8c0..be0d107 100644 init_labeled_script_domtrans($1, ntpd_initrc_exec_t) diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te -index c61adc8..11909b0 100644 +index c61adc8..666425b 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t) @@ -34286,6 +34295,17 @@ index c61adc8..11909b0 100644 term_use_ptmx(ntpd_t) +@@ -148,6 +154,10 @@ optional_policy(` + ') + + optional_policy(` ++ samba_read_config(ntpd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ntpd_t) + ') + diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te index ff962dd..3cf3fe3 100644 --- a/policy/modules/services/nut.te @@ -57472,7 +57492,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> 
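Review bot: `init_signal(ccs_t)` in the new ccs.te inner hunk lets the cluster configuration daemon send signals to the init domain, and nothing in the hunk says which signal or which denial motivated it, so it cannot be judged whether a narrower interface would do. A one-line comment above the rule, e.g. `# ccs signals init during <reload/stop scenario placeholder> — AVC: <reference placeholder>`, would make the grant reviewable and easier to tighten later. The addition is also absent from the commit message and the spec changelog. The ccs_t rule block continues outside the hunk.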
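Review bot: The new `optional_policy` block calling `samba_read_config(ntpd_t)` in ntp.te carries no comment, and a time daemon reading the Samba configuration is a cross-service grant that later readers will question. A short note such as `# ntpd reads smb.conf when <feature placeholder> is enabled` (fill in the actual trigger; it is not visible in the hunk) would document the reason next to the rule. Like the ccs.te and staff.te additions, this grant is not mentioned in the commit message or the spec changelog.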
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..b5bbbf5 100644 +index 28b88de..1f0bf32 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -58749,15 +58769,23 @@ index 28b88de..b5bbbf5 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1513,7 @@ template(`userdom_security_admin_template',` +@@ -1237,8 +1513,15 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) ++ seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) ++ optional_policy(` -@@ -1279,11 +1556,37 @@ template(`userdom_security_admin_template',` + aide_run($1,$2) + ') +@@ -1279,11 +1562,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -58795,7 +58823,7 @@ index 28b88de..b5bbbf5 100644 ubac_constrained($1) ') -@@ -1395,6 +1698,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1704,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -58803,7 +58831,7 @@ index 28b88de..b5bbbf5 100644 files_search_home($1) ') -@@ -1441,6 +1745,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1751,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -58818,7 +58846,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1456,9 +1768,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1774,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
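Review bot: The five `seutil_manage_*($1)` calls added after `seutil_run_setfiles($1, $2)` in `userdom_security_admin_template` grant every caller of the template manage (create/write/delete) access to the binary policy, the module store, file contexts, default contexts and the SELinux config, which is broader than the `seutil_rw_config(secadm_t)`/`seutil_rw_default_contexts(secadm_t)` pair this commit removes from secadm.te and broader than the commit message's "manage selinux config files". If only secadm is meant, the rules belong in secadm.te where the dropped pair was; if the shared template is the intended place, every domain instantiated from it inherits write access to the policy store, so its callers should be checked before this lands. A comment above the group, e.g. `# full policy-store management; all security_admin callers inherit this`, would at least record the scope. The template body continues outside the hunk.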
@@ -58830,7 +58858,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1515,10 +1829,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1835,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -58843,7 +58871,7 @@ index 28b88de..b5bbbf5 100644 ## ## ## -@@ -1526,18 +1840,54 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,14 +1846,50 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -58858,10 +58886,8 @@ index 28b88de..b5bbbf5 100644 + allow $1 user_home_t:file relabelto; ') - - ######################################## - ## --## Do a domain transition to the specified --## domain when executing a program in the ++######################################## ++## +## Relabel user home files. +## +## @@ -58897,14 +58923,10 @@ index 28b88de..b5bbbf5 100644 + files_home_filetrans($1, user_home_dir_t, dir) +') + -+######################################## -+## -+## Do a domain transition to the specified -+## domain when executing a program in the - ## user home directory. - ## - ## -@@ -1589,6 +1939,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ######################################## + ## + ## Do a domain transition to the specified +@@ -1589,6 +1945,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -58913,7 +58935,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1603,10 +1955,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1961,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -58928,7 +58950,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1649,6 +2003,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2009,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -58954,7 +58976,7 @@ index 28b88de..b5bbbf5 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2073,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2079,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -58987,7 +59009,7 @@ index 28b88de..b5bbbf5 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2109,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2115,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -59005,7 +59027,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1779,6 +2175,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2181,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -59030,7 +59052,7 @@ index 28b88de..b5bbbf5 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2224,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2230,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -59040,7 +59062,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -1827,20 +2240,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2246,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -59065,7 +59087,7 @@ index 28b88de..b5bbbf5 100644 ######################################## ## -@@ -2008,7 +2415,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2421,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -59074,7 +59096,7 @@ index 28b88de..b5bbbf5 100644 files_search_home($1) ') -@@ -2182,7 +2589,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2595,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -59083,7 +59105,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -2435,13 +2842,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2848,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -59099,7 +59121,7 @@ index 28b88de..b5bbbf5 100644 ## ## ## -@@ -2462,26 +2870,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2876,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -59126,7 +59148,7 @@ index 28b88de..b5bbbf5 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2570,6 +2958,24 @@ interface(`userdom_use_user_ttys',` +@@ -2570,6 +2964,24 @@ interface(`userdom_use_user_ttys',` allow $1 user_tty_device_t:chr_file rw_term_perms; ') @@ -59151,7 +59173,7 @@ index 28b88de..b5bbbf5 100644 ######################################## ## ## Read and write a user domain pty. -@@ -2588,6 +2994,24 @@ interface(`userdom_use_user_ptys',` +@@ -2588,6 +3000,24 @@ interface(`userdom_use_user_ptys',` allow $1 user_devpts_t:chr_file rw_term_perms; ') 
@@ -59176,7 +59198,7 @@ index 28b88de..b5bbbf5 100644 ######################################## ## ## Read and write a user TTYs and PTYs. -@@ -2815,7 +3239,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3245,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -59185,7 +59207,7 @@ index 28b88de..b5bbbf5 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3255,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3261,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -59201,7 +59223,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -2917,7 +3343,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3349,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -59210,7 +59232,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -2972,7 +3398,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3404,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -59257,7 +59279,7 @@ index 28b88de..b5bbbf5 100644 ') ######################################## -@@ -3009,6 +3473,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3479,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -59265,7 +59287,7 @@ index 28b88de..b5bbbf5 100644 kernel_search_proc($1) ') -@@ -3087,6 +3552,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3558,24 @@ interface(`userdom_signal_all_users',` ######################################## ## 
@@ -59290,7 +59312,7 @@ index 28b88de..b5bbbf5 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3622,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3628,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 51a4f13..5ea380b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,10 @@ exit 0 %endif %changelog +* Fri May 27 2011 Miroslav Grepl 3.9.16-26 +- Add label for dev/ati/card* +- Allowe secadm to manage selinux config files + * Thu May 26 2011 Miroslav Grepl 3.9.16-25 - Add Dominicks patch for dccp_socket - dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/