From 459ead38edf802a86f602f38b45634c318633145 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 10 2007 18:25:11 +0000 Subject: - Allow modprobe to setsched on kernel --- diff --git a/policy-20070501.patch b/policy-20070501.patch index e2e0632..af7452d 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -469,12 +469,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmidecode.te serefpolicy-2.6.4/policy/modules/admin/dmidecode.te --- nsaserefpolicy/policy/modules/admin/dmidecode.te 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-08-30 10:26:28.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/dmidecode.te 2007-09-07 17:06:51.000000000 -0400 @@ -22,6 +22,7 @@ # Allow dmidecode to read /dev/mem dev_read_raw_memory(dmidecode_t) -+dev_search_sysfs(dmidecode_t) ++dev_read_sysfs(dmidecode_t) mls_file_read_up(dmidecode_t) 
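Review bot: `dev_read_sysfs(dmidecode_t)` replaces `dev_search_sysfs(dmidecode_t)`, widening dmidecode's sysfs access from directory search to reading sysfs files, yet neither the subject line nor the new changelog entry mentions it. The apache, apcupsd, brctl and authlogin hunks later in this patch likewise add or widen permissions that have nothing to do with modprobe. One changelog line per policy change (e.g. `- Allow dmidecode to read sysfs`) would make this policy revision auditable later without re-reading the whole nested diff.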
@@ -2512,8 +2512,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-08-07 09:42:35.000000000 -0400 -@@ -333,6 +333,24 @@ ++++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if 2007-09-10 08:58:54.000000000 -0400 +@@ -108,6 +108,24 @@ + + ######################################## + ## ++## Set the priority of kernel threads. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_setsched',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:process setsched; ++') ++ ++######################################## ++## + ## Send a SIGCHLD signal to kernel threads. + ## + ## +@@ -333,6 +351,24 @@ ######################################## ## @@ -2538,7 +2563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Allow link to the kernel key ring. ## ## -@@ -1848,6 +1866,26 @@ +@@ -1848,6 +1884,26 @@ ######################################## ## @@ -2565,7 +2590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts to list unlabeled directories. ## ## -@@ -2158,9 +2196,6 @@ +@@ -2158,9 +2214,6 @@ ') allow $1 unlabeled_t:association { sendto recvfrom }; 
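Review bot: The summary of the new `kernel_setsched` interface says it sets the priority of kernel threads, but the `process setsched` permission it grants also covers changing the scheduling policy of `kernel_t`, so the description understates what a caller receives. Suggest `## Set the scheduling policy and priority of kernel threads.` A second sentence noting that this affects kernel threads system-wide would help reviewers judge future call sites of this interface.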
@@ -2887,7 +2912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-08-30 13:53:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apache.if 2007-09-05 07:17:12.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -2899,6 +2924,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac #This type is for webpages type httpd_$1_content_t, httpdcontent; # customizable files_type(httpd_$1_content_t) +@@ -65,13 +61,13 @@ + dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + + # Allow the script process to search the cgi directory, and users directory +- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; + + append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t) + logging_search_logs(httpd_$1_script_t) + + can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) +- allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; + + allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; + read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) @@ -120,10 +116,6 @@ can_exec(httpd_$1_script_t, httpdcontent) ') 
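Review bot: The comment `# Allow the script process to search the cgi directory, and users directory` above the first changed line is now stale, because the rule under it grants `list_dir_perms` rather than `search_dir_perms`, letting scripts enumerate `httpd_$1_content_t` directories. Update it to `# Allow the script process to list the cgi directory, and users directory`. The same search-to-list widening is applied to `httpd_$1_script_exec_t` a few lines down with no comment; a short note on which script behaviour needs directory listing would help, since the commit message does not cover this change.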
@@ -3567,7 +3608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te --- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te 2007-09-10 10:51:56.000000000 -0400 @@ -16,6 +16,9 @@ type apcupsd_log_t; logging_log_file(apcupsd_log_t) @@ -3587,7 +3628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu allow apcupsd_t self:fifo_file rw_file_perms; allow apcupsd_t self:unix_stream_socket create_stream_socket_perms; allow apcupsd_t self:tcp_socket create_stream_socket_perms; -@@ -35,16 +40,23 @@ +@@ -35,16 +40,24 @@ manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t) logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir }) @@ -3610,10 +3651,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu +corenet_tcp_bind_apcupsd_port(apcupsd_t) +corenet_sendrecv_apcupsd_server_packets(apcupsd_t) +corenet_tcp_connect_apcupsd_port(apcupsd_t) ++allow apcupsd_t self:udp_socket create_socket_perms; dev_rw_generic_usb_dev(apcupsd_t) -@@ -53,6 +65,15 @@ +@@ -53,6 +66,15 @@ files_read_etc_files(apcupsd_t) files_search_locks(apcupsd_t) @@ -3629,13 +3671,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu libs_use_ld_so(apcupsd_t) libs_use_shared_libs(apcupsd_t) -@@ -61,7 +82,39 @@ +@@ -61,7 +83,41 @@ miscfiles_read_localization(apcupsd_t) -ifdef(`targeted_policy',` - term_dontaudit_use_unallocated_ttys(apcupsd_t) - term_dontaudit_use_generic_ptys(apcupsd_t) ++sysnet_dns_name_resolve(apcupsd_t) ++ +userdom_use_unpriv_users_ttys(apcupsd_t) +userdom_use_unpriv_users_ptys(apcupsd_t) + 
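Review bot: `allow apcupsd_t self:udp_socket create_socket_perms;` is inserted between the `corenet_*` calls instead of next to the existing `allow apcupsd_t self:tcp_socket create_stream_socket_perms;` line, where the other `self` rules in this block are grouped. If the UDP socket is only used for name lookups, the `sysnet_dns_name_resolve(apcupsd_t)` call added in the last hunk of this file presumably already grants the self udp_socket permission in this policy version, in which case the explicit allow is redundant; worth confirming against sysnetwork.if before keeping both.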
@@ -6605,7 +6649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.6.4/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/postfix.fc 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/postfix.fc 2007-09-04 17:47:25.000000000 -0400 @@ -5,6 +5,7 @@ /usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) /usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) @@ -9011,7 +9055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te 2007-09-05 12:06:43.000000000 -0400 @@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -9070,7 +9114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t) userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t) userdom_dontaudit_use_sysadm_terms(system_chkpwd_t) -@@ -302,6 +311,38 @@ +@@ -302,6 +311,36 @@ ') optional_policy(` 
@@ -9099,16 +9143,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +miscfiles_read_localization(updpwd_t) + +auth_manage_shadow(updpwd_t) ++auth_use_nsswitch(updpwd_t) ++ +term_dontaudit_use_console(updpwd_t) +term_dontaudit_use_console(updpwd_t) +term_dontaudit_use_unallocated_ttys(updpwd_t) +files_manage_etc_files(updpwd_t) +kernel_read_system_state(updpwd_t) +logging_send_syslog_msg(updpwd_t) -+ -+optional_policy(` -+ nscd_socket_use(updpwd_t) -+') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.fc serefpolicy-2.6.4/policy/modules/system/brctl.fc --- nsaserefpolicy/policy/modules/system/brctl.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/system/brctl.fc 2007-08-07 09:42:35.000000000 -0400 @@ -9145,8 +9187,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-2.6.4/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-08-07 09:42:35.000000000 -0400 -@@ -0,0 +1,50 @@ ++++ serefpolicy-2.6.4/policy/modules/system/brctl.te 2007-09-10 08:59:30.000000000 -0400 +@@ -0,0 +1,51 @@ +policy_module(brctl,1.0.0) + +######################################## @@ -9169,6 +9211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +allow brctl_t self:tcp_socket create_socket_perms; +allow brctl_t self:unix_dgram_socket create_socket_perms; + ++dev_write_sysfs_dirs(brctl_t) +dev_rw_sysfs(brctl_t) + +# Init script handling 
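Review bot: `dev_write_sysfs_dirs(brctl_t)` is added directly above `dev_rw_sysfs(brctl_t)` without a comment, and write access on sysfs directories is an unusual grant, so a later reader cannot tell which brctl operation needs it or whether it can be dropped. Add a line such as `# TODO: note which brctl operation requires write on sysfs dirs` (or the actual reason if known) above the call. Separately, the `updpwd_t` block earlier in this line carries `term_dontaudit_use_console(updpwd_t)` twice; the second copy is redundant, although it is context here rather than part of this commit.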
@@ -10451,7 +10494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.4/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-08-21 09:08:39.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/modutils.te 2007-09-10 08:58:12.000000000 -0400 @@ -43,7 +43,7 @@ # insmod local policy # @@ -10461,7 +10504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -80,6 +80,8 @@ +@@ -64,6 +64,7 @@ + kernel_read_kernel_sysctls(insmod_t) + kernel_rw_kernel_sysctl(insmod_t) + kernel_read_hotplug_sysctls(insmod_t) ++kernel_setsched(insmod_t) + + files_read_kernel_modules(insmod_t) + # for locking: (cjp: ????) +@@ -80,6 +81,8 @@ # cjp: why is this needed? insmod cannot mounton any dir # and it also transitions to mount dev_mount_usbfs(insmod_t) @@ -10470,7 +10521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti fs_getattr_xattr_fs(insmod_t) -@@ -102,6 +104,7 @@ +@@ -102,6 +105,7 @@ init_use_fds(insmod_t) init_use_script_fds(insmod_t) init_use_script_ptys(insmod_t) @@ -10478,7 +10529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti libs_use_ld_so(insmod_t) libs_use_shared_libs(insmod_t) -@@ -123,6 +126,18 @@ +@@ -123,6 +127,18 @@ ') optional_policy(` @@ -10497,7 +10548,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti hotplug_search_config(insmod_t) ') -@@ -155,6 +170,7 @@ +@@ -155,6 +171,7 @@ optional_policy(` rpm_rw_pipes(insmod_t) 
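Review bot: `kernel_setsched(insmod_t)` gives modprobe the ability to change the scheduling policy and priority of `kernel_t` threads, and the hunk adds it among the `kernel_read_*` sysctl calls with no comment, so a later reader cannot tell which module-loading path needs it. Add a line such as `# TODO: document which modprobe operation requires setsched on kernel_t` (or the actual reason if known) above the call, matching the existing `# for locking: (cjp: ????)` style of flagging unexplained grants in this file. The insmod_t policy block continues beyond this hunk.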
@@ -10505,7 +10556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ') optional_policy(` -@@ -185,6 +201,7 @@ +@@ -185,6 +202,7 @@ files_read_kernel_symbol_table(depmod_t) files_read_kernel_modules(depmod_t) @@ -10714,7 +10765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.6.4/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.if 2007-09-04 16:32:23.000000000 -0400 @@ -445,6 +445,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; 
@@ -10749,6 +10800,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1,selinux_config_t,selinux_config_t) read_lnk_files_pattern($1,selinux_config_t,selinux_config_t) ') +@@ -791,6 +795,28 @@ + + ######################################## + ## ++## dontaudit Read the file_contexts files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_dontaudit_read_file_contexts',` ++ gen_require(` ++ type selinux_config_t, default_context_t, file_context_t; ++ ') ++ ++ files_search_etc($1) ++ dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms; ++ dontaudit $1 file_context_t:dir search_dir_perms; ++ dontaudit $1 file_context_t:file r_file_perms; ++') ++ ++######################################## ++## + ## Read and write the file_contexts files. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-08-07 09:42:35.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 93304fc..360a2df 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 41%{?dist} +Release: 42%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -361,6 +361,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Sep 10 2007 Dan Walsh 2.6.4-42 +- Allow modprobe to setsched on kernel + + * Tue Sep 4 2007 Dan Walsh 2.6.4-41 - Allow ktalkd to look at terminals
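Review bot: The new `seutil_dontaudit_read_file_contexts` interface is named and documented as a dontaudit interface, but its first body line `files_search_etc($1)` is an allow rule that grants `$1` search on /etc, so calling it merely to silence denials also widens the caller's access. Either drop that line or replace it with a dontaudit equivalent so the interface only suppresses audit messages. The summary `## dontaudit Read the file_contexts files.` should also follow the wording used elsewhere in this patch, e.g. `## Do not audit attempts to read the file_contexts files.`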