From 7868ff51f9ed8085324109c1fe51623ee2ea0c9b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 02 2011 14:56:25 +0000 Subject: - Add label for /var/lock/ppp - Fixes for colord policy - Allow sys_chroot for postfix domains --- diff --git a/policy-F15.patch b/policy-F15.patch index a7734b1..214d01b 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -2634,10 +2634,62 @@ index 74354da..0852738 100644 + modutils_read_module_deps(usbmodules_t) +') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 81fb26f..cd18ca8 100644 +index 81fb26f..fa853d7 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if -@@ -285,6 +285,9 @@ interface(`usermanage_run_useradd',` +@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',` + + ######################################## + ## ++## Check access to the groupadd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_groupadd',` ++ gen_require(` ++ type groupadd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 groupadd_exec_t:file { getattr_file_perms audit_access }; ++') ++ ++######################################## ++## + ## Execute groupadd in the groupadd domain, and + ## allow the specified role the groupadd domain. + ## +@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',` + + ######################################## + ## ++## Check access to the passwd executable ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_passwd',` ++ gen_require(` ++ type passwd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 passwd_exec_t:file { getattr_file_perms audit_access }; ++') ++ ++######################################## ++## + ## Execute password admin functions in + ## the admin passwd domain. + ## +@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; 
@@ -2647,6 +2699,32 @@ index 81fb26f..cd18ca8 100644 seutil_run_semanage(useradd_t, $2) optional_policy(` +@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',` + + ######################################## + ## ++## Check access to the useradd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_useradd',` ++ gen_require(` ++ type useradd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 useradd_exec_t:file { getattr_file_perms audit_access }; ++') ++ ++######################################## ++## + ## Read the crack database. + ## + ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 441cf22..73e9eba 100644 --- a/policy/modules/admin/usermanage.te @@ -7886,10 +7964,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..0fedd57 +index 0000000..3b6af20 --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,305 @@ +@@ -0,0 +1,341 @@ + +## policy for sandbox + @@ -8125,6 +8203,42 @@ index 0000000..0fedd57 + +######################################## +## ++## Delete sandbox symbolic links ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_lnk_files',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Delete sandbox fifo files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_pipes',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## +## Delete sandbox sock files +## +## 
@@ -8162,7 +8276,7 @@ index 0000000..0fedd57 + +######################################## +## -+## allow domain to delete sandbox files ++## Delete sandbox directories +## +## +## @@ -13648,10 +13762,38 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..6d0cc0b 100644 +index dfe361a..8617d89 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if -@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` +@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` + + ######################################## + ## ++## Get attributes of cgroup files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_cgroup_files',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ getattr_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## + ## Search cgroup directories. + ## + ## +@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -13683,7 +13825,7 @@ index dfe361a..6d0cc0b 100644 ## list cgroup directories. ## ## -@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', ` +@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) @@ -13713,7 +13855,7 @@ index dfe361a..6d0cc0b 100644 ######################################## ## ## Delete cgroup directories. -@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', ` +@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) @@ -13721,7 +13863,7 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) 
@@ -13729,7 +13871,7 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +787,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) @@ -13737,7 +13879,7 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +807,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -13745,7 +13887,7 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',` +@@ -763,6 +828,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -13753,7 +13895,7 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +869,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) @@ -13761,7 +13903,34 @@ index dfe361a..6d0cc0b 100644 dev_search_sysfs($1) ') -@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',` +@@ -1032,6 +1099,26 @@ interface(`fs_getattr_noxattr_fs',` + allow $1 noxattrfs:filesystem getattr; + ') + ++####################################### ++## ++## Dontaudit Get the attributes of filesystems that ++## do not have extended attribute support. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_dontaudit_getattr_noxattr_fs',` ++ gen_require(` ++ attribute noxattrfs; ++ ') ++ ++ dontaudit $1 noxattrfs:filesystem getattr; ++') ++ + ######################################## + ## + ## Read all noxattrfs directories. +@@ -1052,6 +1139,24 @@ interface(`fs_list_noxattr_fs',` ######################################## ## 
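Review bot: The documentation on the new `fs_dontaudit_getattr_noxattr_fs` interface (inner hunk `@@ -1032,6 +1099,26 @@` of filesystem.if) describes the parameter as `Domain allowed access.`, but the body is `dontaudit $1 noxattrfs:filesystem getattr;`, which grants nothing and only suppresses the denial from the audit log. Anyone choosing an interface from the generated docs would read it as an allow. I would change the parameter text to `Domain to not audit.` and word the summary like the other dontaudit interfaces in this file, e.g. `Do not audit attempts to get the attributes of filesystems that do not have extended attribute support.`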
@@ -13786,7 +13955,7 @@ index dfe361a..6d0cc0b 100644 ## Create, read, write, and delete all noxattrfs directories. ## ## -@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1088,6 +1193,42 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -13829,7 +13998,7 @@ index dfe361a..6d0cc0b 100644 ## Dont audit attempts to write to noxattrfs files. ## ## -@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1368,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -13872,7 +14041,7 @@ index dfe361a..6d0cc0b 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1418,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -13881,7 +14050,7 @@ index dfe361a..6d0cc0b 100644 ') ######################################## -@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1681,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -13907,7 +14076,7 @@ index dfe361a..6d0cc0b 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',` +@@ -1659,6 +1855,25 @@ interface(`fs_search_dos',` ######################################## ## @@ -13933,7 +14102,7 @@ index dfe361a..6d0cc0b 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ## -@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',` +@@ -1774,6 +1989,24 @@ interface(`fs_unmount_fusefs',` ######################################## ## @@ -13958,7 +14127,7 @@ index dfe361a..6d0cc0b 100644 ## Search directories ## on a FUSEFS filesystem. ## -@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1892,6 +2125,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## 
@@ -13985,7 +14154,7 @@ index dfe361a..6d0cc0b 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2184,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -14013,7 +14182,7 @@ index dfe361a..6d0cc0b 100644 ## ## ## -@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2218,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -14055,7 +14224,7 @@ index dfe361a..6d0cc0b 100644 ######################################## ## -@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2306,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -14063,7 +14232,7 @@ index dfe361a..6d0cc0b 100644 ') ######################################## -@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2639,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -14071,7 +14240,7 @@ index dfe361a..6d0cc0b 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2678,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -14079,7 +14248,7 @@ index dfe361a..6d0cc0b 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2705,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -14105,7 +14274,7 @@ index dfe361a..6d0cc0b 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2764,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
@@ -14148,7 +14317,7 @@ index dfe361a..6d0cc0b 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2814,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -14157,7 +14326,7 @@ index dfe361a..6d0cc0b 100644 ') ######################################## -@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +3002,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -14182,7 +14351,7 @@ index dfe361a..6d0cc0b 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +3036,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -14208,7 +14377,7 @@ index dfe361a..6d0cc0b 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3181,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -14216,7 +14385,7 @@ index dfe361a..6d0cc0b 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3222,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -14224,7 +14393,7 @@ index dfe361a..6d0cc0b 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3249,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -14233,7 +14402,7 @@ index dfe361a..6d0cc0b 100644 ## ## ## -@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3263,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
@@ -14241,7 +14410,7 @@ index dfe361a..6d0cc0b 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3772,6 +4177,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -14284,7 +14453,7 @@ index dfe361a..6d0cc0b 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4430,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -14309,7 +14478,7 @@ index dfe361a..6d0cc0b 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4730,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -14318,7 +14487,7 @@ index dfe361a..6d0cc0b 100644 ') ######################################## -@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',` +@@ -4317,7 +4778,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -14327,7 +14496,7 @@ index dfe361a..6d0cc0b 100644 ## Example attributes: ##

##
    -@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5142,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -23044,10 +23213,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..c151fe6 +index 0000000..67db20a --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,117 @@ +@@ -0,0 +1,120 @@ +policy_module(colord,1.0.0) + +######################################## @@ -23121,10 +23290,13 @@ index 0000000..c151fe6 +files_read_etc_files(colord_t) +files_read_usr_files(colord_t) + ++fs_getattr_all_fs(colord_t) +fs_search_all(colord_t) ++fs_list_noxattr_fs(colord_t) +fs_read_noxattr_fs_files(colord_t) + +storage_getattr_fixed_disk_dev(colord_t) ++storage_getattr_removable_dev(colord_t) +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + @@ -23137,11 +23309,11 @@ index 0000000..c151fe6 +userdom_read_inherited_user_home_content_files(colord_t) + +tunable_policy(`use_nfs_home_dirs',` -+ fs_read_nfs_files(colord_t) ++ fs_read_nfs_files(colord_t) +') + +tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(colord_t) ++ fs_read_cifs_files(colord_t) +') + +optional_policy(` @@ -26639,7 +26811,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..778b174 100644 +index cbe14e4..ce42295 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -26759,7 +26931,7 @@ index cbe14e4..778b174 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -249,23 +273,40 @@ optional_policy(` +@@ -249,23 +273,42 @@ optional_policy(` # # dovecot deliver local policy # 
@@ -26774,8 +26946,6 @@ index cbe14e4..778b174 100644 +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) + - allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; - +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) @@ -26784,8 +26954,12 @@ index cbe14e4..778b174 100644 +manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) + -+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_stream_connect(dovecot_deliver_t) + ++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) @@ -26802,7 +26976,7 @@ index cbe14e4..778b174 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',` +@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -32306,7 +32480,7 @@ index 256166a..15daf47 100644 /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..3d7edf0 100644 +index 343cee3..4238760 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -32465,7 +32639,37 @@ index 343cee3..3d7edf0 100644 ## Execute sendmail in the caller domain. ##
## -@@ -474,7 +511,8 @@ interface(`mta_write_config',` +@@ -438,6 +475,29 @@ interface(`mta_sendmail_exec',` + + ######################################## + ## ++<<<<<<< HEAD ++======= ++## Check whether sendmail executable ++## files are executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_sendmail_access_check',` ++ gen_require(` ++ type sendmail_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 sendmail_exec_t:file { getattr_file_perms audit_access }; ++') ++ ++######################################## ++## ++>>>>>>> 884c081... Extend audit_access interfaces to allow get attributes. + ## Read mail server configuration. + ## + ## +@@ -474,7 +534,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -32475,7 +32679,15 @@ index 343cee3..3d7edf0 100644 ') ######################################## -@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',` +@@ -494,6 +555,7 @@ interface(`mta_read_aliases',` + + files_search_etc($1) + allow $1 etc_aliases_t:file read_file_perms; ++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -552,7 +614,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -32484,7 +32696,7 @@ index 343cee3..3d7edf0 100644 ') ####################################### -@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +708,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -32495,7 +32707,7 @@ index 343cee3..3d7edf0 100644 ') ####################################### -@@ -697,8 +735,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +759,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; 
@@ -32506,7 +32718,7 @@ index 343cee3..3d7edf0 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +900,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -32515,7 +32727,7 @@ index 343cee3..3d7edf0 100644 ') ######################################## -@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +961,50 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -36477,14 +36689,14 @@ index 55e62d2..6082184 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..f064487 100644 +index 46bee12..b90c902 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; -+ allow postfix_$1_t self:capability sys_nice; ++ allow postfix_$1_t self:capability { sys_nice sys_chroot }; dontaudit postfix_$1_t self:capability sys_tty_config; - allow postfix_$1_t self:process { signal_perms setpgid }; + allow postfix_$1_t self:process { signal_perms setpgid setsched }; 
@@ -36508,6 +36720,15 @@ index 46bee12..f064487 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) +@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',` + type postfix_$1_tmp_t; + files_tmp_file(postfix_$1_tmp_t) + +- allow postfix_$1_t self:capability { setuid setgid dac_override }; ++ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; @@ -165,6 +167,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) @@ -37344,6 +37565,18 @@ index ad15fde..6f55445 100644 ') allow $1 postgrey_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc +index 2d82c6d..a41b55f 100644 +--- a/policy/modules/services/ppp.fc ++++ b/policy/modules/services/ppp.fc +@@ -34,5 +34,7 @@ + # Fix pptp sockets + /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + ++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) ++ + /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) + /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index b524673..9d90fb3 100644 --- a/policy/modules/services/ppp.if @@ -37983,7 +38216,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..ebb9b4d 100644 +index 64c5f95..c65b6ce 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) 
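Review bot: In the `postfix_server_domain_template` change (inner hunk `@@ -115,7 +117,7 @@` of postfix.if) the target of the rewritten rule is `$self` rather than `self`: `allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };`. `$self` is not an m4 positional parameter, so it most likely passes through literally; the rule then either fails to compile or no longer applies to the domain itself, which would also drop the existing `setuid setgid dac_override` grant. It should read `allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };`. Separately, this commit already adds `sys_chroot` in `postfix_domain_template`, so if the server template builds on that one the second grant is redundant. Confirm that every postfix domain, and not only the daemons that actually chroot, needs the capability.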
@@ -38098,7 +38331,7 @@ index 64c5f95..ebb9b4d 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +264,8 @@ optional_policy(` +@@ -231,3 +264,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -38106,6 +38339,7 @@ index 64c5f95..ebb9b4d 100644 +optional_policy(` + usermanage_domtrans_groupadd(puppetmaster_t) + usermanage_domtrans_useradd(puppetmaster_t) ++ usermanage_access_check_passwd(puppetmaster_t) +') diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 @@ -56157,10 +56391,10 @@ index 0000000..4dfe28c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..2b6d19b +index 0000000..bdca6ab --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,190 @@ +@@ -0,0 +1,194 @@ + +policy_module(systemd, 1.0.0) + @@ -56326,6 +56560,8 @@ index 0000000..2b6d19b + sandbox_list(systemd_tmpfiles_t) + sandbox_delete_dirs(systemd_tmpfiles_t) + sandbox_delete_files(systemd_tmpfiles_t) ++ sandbox_delete_lnk_files(systemd_tmpfiles_t) ++ sandbox_delete_pipes(systemd_tmpfiles_t) + sandbox_delete_sock_files(systemd_tmpfiles_t) + sandbox_setattr_dirs(systemd_tmpfiles_t) +') @@ -56344,6 +56580,8 @@ index 0000000..2b6d19b + +files_read_etc_files(systemd_notify_t) + ++fs_getattr_cgroup_files(systemd_notify_t) ++ +auth_use_nsswitch(systemd_notify_t) + +miscfiles_read_localization(systemd_notify_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 5ea380b..5113d4a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Thu Jun 2 2011 Miroslav Grepl 3.9.16-27 +- Add label for /var/lock/ppp +- Fixes for colord policy +- Allow sys_chroot for postfix domains + * Fri May 27 2011 Miroslav Grepl 3.9.16-26 - Add label for dev/ati/card* - Allowe secadm to manage selinux config files