From 788ab84e6ec0465aad70c264bffd7b96a4685701 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 27 2011 06:26:31 +0000 Subject: - Make mta_role() active - Add additional gitweb file context labeling - Allow asterisk to connect to jabber client port - Allow sssd to read the contents of /sys/class/net/$IFACE_NAME - Allow fsdaemon dac_override --- diff --git a/policy-F15.patch b/policy-F15.patch index 70cc165..3bad313 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -15778,7 +15778,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..d7510f3 100644 +index 2be17d2..4847432 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) @@ -15835,7 +15835,7 @@ index 2be17d2..d7510f3 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,31 +68,143 @@ optional_policy(` +@@ -27,31 +68,147 @@ optional_policy(` ') optional_policy(` @@ -15897,6 +15897,10 @@ index 2be17d2..d7510f3 100644 +') + +optional_policy(` ++ mta_role(staff_r, staff_t) ++') ++ ++optional_policy(` + mysql_exec(staff_t) +') + @@ -15981,7 +15985,7 @@ index 2be17d2..d7510f3 100644 xserver_role(staff_r, staff_t) ') -@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +246,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -15992,6 +15996,17 @@ index 2be17d2..d7510f3 100644 gpg_role(staff_r, staff_t) ') +@@ -121,10 +274,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(staff_r, staff_t) +- ') +- +- optional_policy(` + pyzor_role(staff_r, staff_t) + ') + @@ -137,10 +286,6 @@ ifndef(`distro_redhat',` ') @@ -17587,10 +17602,10 @@ index 0000000..dc3f3b7 + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..4ac582b 100644 +index e5bfdd4..724f9be 100644 
--- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,74 @@ role user_r; +@@ -12,15 +12,78 @@ role user_r; userdom_unpriv_user_template(user) @@ -17629,6 +17644,10 @@ index e5bfdd4..4ac582b 100644 +') + +optional_policy(` ++ mta_role(user_r, user_t) ++') ++ ++optional_policy(` + netutils_run_ping_cond(user_t, user_r) + netutils_run_traceroute_cond(user_t, user_r) +') @@ -17665,7 +17684,7 @@ index e5bfdd4..4ac582b 100644 vlock_run(user_t, user_r) ') -@@ -62,10 +121,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +125,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17676,6 +17695,17 @@ index e5bfdd4..4ac582b 100644 gpg_role(user_r, user_t) ') +@@ -98,10 +157,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(user_r, user_t) +- ') +- +- optional_policy(` + postgresql_role(user_r, user_t) + ') + @@ -118,11 +173,7 @@ ifndef(`distro_redhat',` ') @@ -20983,7 +21013,7 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..0e8a352 100644 +index b3b0176..dfd730f 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -23,6 +23,7 @@ files_type(asterisk_spool_t) 
@@ -21016,16 +21046,17 @@ index b3b0176..0e8a352 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_festival_port(asterisk_t) ++corenet_tcp_connect_jabber_client_port(asterisk_t) +corenet_tcp_connect_pktcable_port(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) -@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t) +@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) @@ -21033,7 +21064,7 @@ index b3b0176..0e8a352 100644 dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) -@@ -125,6 +130,7 @@ files_search_spool(asterisk_t) +@@ -125,6 +131,7 @@ files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -21041,7 +21072,7 @@ index b3b0176..0e8a352 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` @@ -29211,10 +29242,10 @@ index 99a94de..6dbc203 100644 files_search_etc(gatekeeper_t) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc -index 54f0737..2b552c5 100644 +index 54f0737..44a9663 100644 --- a/policy/modules/services/git.fc 
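Review bot: The new `corenet_tcp_connect_jabber_client_port(asterisk_t)` line is granted unconditionally in the base policy, whereas the same patch gates syslogd's comparable outbound SMTP access behind a `tunable_policy` boolean; asterisk's XMPP integration is presumably an optional feature, so wrapping this connect in a boolean would keep the default footprint of asterisk_t smaller. If it is meant to stay unconditional, a one-line comment above it naming the feature that needs the port, e.g. `# asterisk XMPP integration connects to jabber client port`, would record why it is there. The surrounding corenet block of asterisk.te continues outside this hunk.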
+++ b/policy/modules/services/git.fc -@@ -1,3 +1,13 @@ +@@ -1,3 +1,17 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) @@ -29225,10 +29256,14 @@ index 54f0737..2b552c5 100644 + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) ++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) ++ +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) ++ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if index 458aac6..03645a9 100644 --- a/policy/modules/services/git.if @@ -39648,7 +39683,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..609ff86 100644 +index 29b9295..6451f82 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; 
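Review bot: The new `/var/www/gitweb-caching/gitweb\.cgi` file context has no file-type field, so unlike `/var/www/cgi-bin/cgit --` above it the regex would also label a directory or symlink of that name as httpd_git_script_exec_t; the pre-existing `/var/www/git/gitweb\.cgi` line has the same omission. Suggest `/var/www/gitweb-caching/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` for both entries. The unescaped-dot fix on the existing gitweb line is a good catch.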
@@ -39670,9 +39705,14 @@ index 29b9295..609ff86 100644 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -76,9 +79,15 @@ files_search_pids(procmail_t) +@@ -75,10 +78,20 @@ files_search_pids(procmail_t) + # for spamassasin files_read_usr_files(procmail_t) ++application_exec_all(procmail_t) ++ ++init_read_utmp(procmail_t) ++ logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) @@ -39686,7 +39726,7 @@ index 29b9295..609ff86 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +96,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -39697,7 +39737,7 @@ index 29b9295..609ff86 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -125,6 +134,11 @@ optional_policy(` +@@ -125,6 +138,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -44140,7 +44180,7 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..13ffcc1 100644 +index 606a098..8b11acc 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -35,7 +35,7 @@ ifdef(`enable_mls',` 
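Review bot: `application_exec_all(procmail_t)` grants procmail_t execute access to every application executable type, which is much broader than anything the commit message describes and is not explained in the hunk. If a specific helper invoked from procmailrc recipes is the trigger, a narrower interface for that program (or at least a comment above the line such as `# procmailrc recipes run external filters - TODO: name the helper that needs this`) would make the scope reviewable. `init_read_utmp(procmail_t)` is similarly undocumented; a short why-comment would help the next maintainer.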
@@ -44148,7 +44188,7 @@ index 606a098..13ffcc1 100644 # -allow fsdaemon_t self:capability { setpcap setgid sys_rawio sys_admin }; -+allow fsdaemon_t self:capability { kill setpcap setgid sys_rawio sys_admin }; ++allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin }; dontaudit fsdaemon_t self:capability sys_tty_config; allow fsdaemon_t self:process { getcap setcap signal_perms }; allow fsdaemon_t self:fifo_file rw_fifo_file_perms; @@ -45993,7 +46033,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..4ecf377 100644 +index 8ffa257..f6ef6a9 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -46019,7 +46059,7 @@ index 8ffa257..4ecf377 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,10 +50,15 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -46031,8 +46071,11 @@ index 8ffa257..4ecf377 100644 + corecmd_exec_bin(sssd_t) ++dev_read_sysfs(sssd_t) dev_read_urand(sssd_t) -@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t) + + domain_read_all_domains_state(sssd_t) +@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -46040,7 +46083,7 @@ index 8ffa257..4ecf377 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) 
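Review bot: Adding `dac_override` to the fsdaemon_t self:capability set lets the daemon bypass all DAC permission checks, and neither the hunk nor the commit message says which access failed without it. If the denial was a read or search of a root-owned path, the weaker `dac_read_search` is sufficient and should be preferred; either way a comment on the line, e.g. `# dac_override: needed to open <PATH> - TODO confirm`, would justify the capability. The rest of the fsdaemon_t declarations are outside this hunk.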
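Review bot: `dev_read_sysfs(sssd_t)` grants read access to all of sysfs, while the commit message scopes the need to `/sys/class/net/$IFACE_NAME`; since refpolicy has no narrower sysfs interface, the scope should at least be recorded at the call site with `# sssd reads /sys/class/net/$IFACE_NAME` so the broad grant can be revisited later. This is in the sssd.te hunk whose `@@ -48,10 +50,15 @@` inner header is updated here.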
@@ -46049,7 +46092,7 @@ index 8ffa257..4ecf377 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -46062,7 +46105,7 @@ index 8ffa257..4ecf377 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +100,28 @@ optional_policy(` +@@ -87,4 +101,28 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -55399,10 +55442,24 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..d692349 100644 +index 9b5a9ed..dac690e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -19,6 +19,11 @@ type auditd_log_t; +@@ -5,6 +5,13 @@ policy_module(logging, 1.17.0) + # Declarations + # + ++## ++##

++## Allow syslogd daemon to send mail ++##

++##
++gen_tunable(logging_syslogd_can_sendmail, false) ++ + attribute logfile; + + type auditctl_t; +@@ -19,6 +26,11 @@ type auditd_log_t; files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) @@ -55414,7 +55471,7 @@ index 9b5a9ed..d692349 100644 type auditd_t; type auditd_exec_t; init_daemon_domain(auditd_t, auditd_exec_t) -@@ -55,11 +60,12 @@ type klogd_var_run_t; +@@ -55,11 +67,12 @@ type klogd_var_run_t; files_pid_file(klogd_var_run_t) type syslog_conf_t; @@ -55428,7 +55485,7 @@ index 9b5a9ed..d692349 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -179,10 +185,13 @@ logging_send_syslog_msg(auditd_t) +@@ -179,10 +192,13 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -55442,7 +55499,7 @@ index 9b5a9ed..d692349 100644 seutil_dontaudit_read_config(auditd_t) -@@ -234,7 +243,12 @@ domain_use_interactive_fds(audisp_t) +@@ -234,7 +250,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -55455,7 +55512,7 @@ index 9b5a9ed..d692349 100644 logging_send_syslog_msg(audisp_t) -@@ -244,14 +258,26 @@ sysnet_dns_name_resolve(audisp_t) +@@ -244,14 +265,26 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -55483,7 +55540,7 @@ index 9b5a9ed..d692349 100644 corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -265,10 +298,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -55503,7 +55560,7 @@ index 9b5a9ed..d692349 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +373,12 @@ optional_policy(` +@@ -338,11 +380,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! 
@@ -55518,7 +55575,7 @@ index 9b5a9ed..d692349 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -360,6 +403,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -55526,7 +55583,7 @@ index 9b5a9ed..d692349 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +413,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -55542,12 +55599,14 @@ index 9b5a9ed..d692349 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -410,9 +453,16 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -410,9 +460,18 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) -+# support for ommail module to send logs via mail -+corenet_tcp_connect_smtp_port(syslogd_t) ++tunable_policy(`logging_syslogd_can_sendmail',` ++ # support for ommail module to send logs via mail ++ corenet_tcp_connect_smtp_port(syslogd_t) ++') + dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -55559,7 +55618,7 @@ index 9b5a9ed..d692349 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -432,6 +482,7 @@ term_write_console(syslogd_t) +@@ -432,6 +491,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) 
@@ -55567,7 +55626,7 @@ index 9b5a9ed..d692349 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -443,6 +494,7 @@ init_use_fds(syslogd_t) +@@ -443,6 +503,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -55575,7 +55634,7 @@ index 9b5a9ed..d692349 100644 miscfiles_read_localization(syslogd_t) -@@ -480,6 +532,10 @@ optional_policy(` +@@ -480,6 +541,10 @@ optional_policy(` ') optional_policy(` @@ -55586,7 +55645,7 @@ index 9b5a9ed..d692349 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +544,10 @@ optional_policy(` +@@ -488,6 +553,10 @@ optional_policy(` ') optional_policy(` @@ -58695,10 +58754,10 @@ index 0000000..da83870 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..2e1f7a0 +index 0000000..2437352 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,224 @@ +@@ -0,0 +1,225 @@ + +policy_module(systemd, 1.0.0) + @@ -58799,6 +58858,7 @@ index 0000000..2e1f7a0 +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev +fs_manage_tmpfs_dirs(systemd_tmpfiles_t) +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) ++fs_list_all(systemd_tmpfiles_t) + +files_delete_kernel_modules(systemd_tmpfiles_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index ecc8ee6..bf2e153 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 41%{?dist} +Release: 42%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Thu Sep 27 2011 Miroslav Grepl 3.9.16-42 +- Make mta_role() active +- Add additional gitweb file context labeling +- Allow asterisk to connect to jabber client port +- Allow sssd to read the contents of /sys/class/net/$IFACE_NAME +- Allow fsdaemon dac_override + * Thu Sep 22 2011 Miroslav Grepl 3.9.16-41 - Add logging_syslogd_can_sendmail boolean - Add support for exim and confined users