From 8a46f519b8f657caddffff6fee4c700ee8e0e87a Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 15 2008 20:26:28 +0000 Subject: - Dontaudit validating context when using kerberos libraries - Allow postfix_virtual write access to postfix_private sockets --- diff --git a/policy-20070703.patch b/policy-20070703.patch index c77132c..e29ab00 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -6393,7 +6393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2008-04-04 16:11:03.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2008-04-15 13:51:50.000000000 -0400 @@ -138,6 +138,7 @@ type security_t; ') @@ -6460,7 +6460,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu if(!secure_mode_policyload) { allow $1 security_t:security setbool; -@@ -463,3 +495,23 @@ +@@ -336,6 +368,28 @@ + + ######################################## + ## ++## dontaudit caller to validate security contexts. ++## ++## ++## ++## The process type permitted to validate contexts. ++## ++## ++## ++# ++interface(`selinux_dontaudit_validate_context',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ dontaudit $1 security_t:dir list_dir_perms; ++ dontaudit $1 security_t:file { getattr read write }; ++ dontaudit $1 security_t:security check_context; ++') ++ ++ ++######################################## ++## + ## Allows caller to compute an access vector. + ## + ## +@@ -463,3 +517,23 @@ typeattribute $1 selinux_unconfined_type; ') 
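Review bot: The new `selinux_dontaudit_validate_context` interface added by the `@@ -6460,7 +6460,36 @@` hunk documents its parameter as `The process type permitted to validate contexts.`, but a dontaudit interface permits nothing; reword it to `Domain to not audit.` and the summary to `Do not audit attempts to validate security contexts.` so it is not mistaken for `selinux_validate_context`. The rule body also deserves a why-comment, because it silences `write` on selinuxfs files as well as `check_context`: `# silences the selinuxfs read/write and check_context denials from security_check_context(); the caller still cannot validate, the attempt just goes unlogged`. That matters for callers that genuinely need to label files — they will fail silently unless they also get the allow variant.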
@@ -6759,8 +6788,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav dev_read_rand(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-04-04 16:11:03.000000000 -0400 -@@ -16,7 +16,6 @@ ++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-04-14 16:03:57.000000000 -0400 +@@ -6,6 +6,7 @@ + /etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0) + /etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0) + /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) ++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) + /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) + +@@ -16,7 +17,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -6768,7 +6805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) -@@ -33,6 +32,7 @@ +@@ -33,6 +33,7 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') 
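Review bot: The added `/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)` matches a directory named `logs` at any depth below /var/www, so an application tree such as `/var/www/html/app/logs` that is meant to be served would be relabeled `httpd_log_t` on the next restorecon; if the intent is per-vhost log directories, `/var/www/[^/]*/logs(/.*)?` is the narrower match. The entry is also placed among the `/etc/httpd` rules instead of with the `/var/www` rules later in the file, which makes it easy to overlook when auditing what may live under a document root. Presumably httpd_t cannot serve `httpd_log_t` files as content, so a mislabel would surface as an unexplained 403 rather than a denial on the log path — confirm against apache.te.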
@@ -6776,7 +6813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -48,6 +48,7 @@ +@@ -48,6 +49,7 @@ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -6784,7 +6821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -71,5 +72,16 @@ +@@ -71,5 +73,16 @@ /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -11111,14 +11148,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-07 20:47:25.000000000 -0400 -@@ -42,11 +42,17 @@ ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-15 15:34:14.000000000 -0400 +@@ -42,11 +42,18 @@ dontaudit $1 krb5_conf_t:file write; dontaudit $1 krb5kdc_conf_t:dir list_dir_perms; dontaudit $1 krb5kdc_conf_t:file rw_file_perms; + + #kerberos libraries are attempting to set the correct file context + dontaudit $1 self:process setfscreate; ++ selinux_dontaudit_validate_context($1) + seutil_dontaudit_read_file_contexts($1) tunable_policy(`allow_kerberos',` @@ -11130,7 +11168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_all_recvfrom_unlabeled($1) corenet_all_recvfrom_netlabel($1) corenet_tcp_sendrecv_all_if($1) -@@ -61,9 +67,6 @@ +@@ -61,9 +68,6 @@ corenet_tcp_connect_ocsp_port($1) corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) @@ -11140,7 +11178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -@@ -169,6 +172,53 @@ +@@ -169,6 +173,53 @@ ') files_search_etc($1) 
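Review bot: The rules added to `kerberos_use` in the `@@ -11111,14 +11148,15 @@` hunk silence `setfscreate`, context validation and file_contexts reads for every caller, so a domain that must actually label its replay cache will now fail with nothing in the audit log; the one-line comment should say so: `# libkrb5 presumably calls setfscreatecon() to label the replay cache; silence the denials here and grant selinux_validate_context()/seutil_read_file_contexts() plus self:process setfscreate only in domains that must succeed`. The attribution to the kerberos libraries is taken from the existing comment, not from anything visible here — confirm it against the krb5 package before stating it as fact. `kerberos_use` begins before this hunk.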
@@ -11197,7 +11235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2008-04-04 16:11:03.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2008-04-15 15:35:49.000000000 -0400 @@ -54,6 +54,9 @@ type krb5kdc_var_run_t; files_pid_file(krb5kdc_var_run_t) @@ -11225,7 +11263,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_all_recvfrom_unlabeled(kadmind_t) corenet_all_recvfrom_netlabel(kadmind_t) -@@ -118,6 +122,9 @@ +@@ -115,9 +119,15 @@ + fs_getattr_all_fs(kadmind_t) + fs_search_auto_mountpoints(kadmind_t) + ++selinux_validate_context(kadmind_t) ++seutil_read_file_contexts(kadmind_t) ++ domain_use_interactive_fds(kadmind_t) files_read_etc_files(kadmind_t) @@ -11235,7 +11279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb libs_use_ld_so(kadmind_t) libs_use_shared_libs(kadmind_t) -@@ -127,6 +134,7 @@ +@@ -127,6 +137,7 @@ miscfiles_read_localization(kadmind_t) sysnet_read_config(kadmind_t) @@ -11243,7 +11287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(kadmind_t) userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) -@@ -137,6 +145,7 @@ +@@ -137,6 +148,7 @@ optional_policy(` seutil_sigchld_newrole(kadmind_t) 
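Review bot: `selinux_validate_context(kadmind_t)` and `seutil_read_file_contexts(kadmind_t)` in the `@@ -11225,7 +11263,13 @@` hunk cover looking up and checking a label, but actually applying one through setfscreatecon() also needs `allow kadmind_t self:process setfscreate;`, which is not in this hunk; if it is not already granted in the lines between the visible hunks, the daemon would still be denied. A why-comment above the pair would help the next reader: `# labels the replay cache via setfscreatecon(); needs file_contexts and context validation`. The kadmind_t block continues outside this hunk.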
@@ -11251,7 +11295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` -@@ -151,7 +160,7 @@ +@@ -151,7 +163,7 @@ # Use capabilities. Surplus capabilities may be allowed. allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice }; dontaudit krb5kdc_t self:capability sys_tty_config; @@ -11260,7 +11304,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms; allow krb5kdc_t self:tcp_socket create_stream_socket_perms; allow krb5kdc_t self:udp_socket create_socket_perms; -@@ -223,6 +232,7 @@ +@@ -215,6 +227,9 @@ + files_read_usr_symlinks(krb5kdc_t) + files_read_var_files(krb5kdc_t) + ++selinux_validate_context(krb5kdc_t) ++seutil_read_file_contexts(krb5kdc_t) ++ + libs_use_ld_so(krb5kdc_t) + libs_use_shared_libs(krb5kdc_t) + +@@ -223,6 +238,7 @@ miscfiles_read_localization(krb5kdc_t) sysnet_read_config(krb5kdc_t) @@ -11268,7 +11322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -233,6 +243,7 @@ +@@ -233,6 +249,7 @@ optional_policy(` seutil_sigchld_newrole(krb5kdc_t) @@ -11463,7 +11517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-04-04 16:11:03.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-04-15 14:13:47.000000000 -0400 @@ -55,6 +55,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) 
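Review bot: The `selinux_validate_context(krb5kdc_t)` / `seutil_read_file_contexts(krb5kdc_t)` pair in the `@@ -11260,7 +11304,17 @@` hunk has the same gap as the kadmind_t change: validating a context is only useful if the daemon can also set it, which requires `allow krb5kdc_t self:process setfscreate;`. The line rewritten by the inner `@@ -151,7 +163,7 @@` hunk sits right after `dontaudit krb5kdc_t self:capability sys_tty_config;` and falls between the visible outer hunks, so it may well be that rule — confirm rather than add a duplicate. Record the reason above the pair: `# labels the replay cache (krb5_host_rcache_t) via setfscreatecon()`.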
@@ -11473,7 +11527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail optional_policy(` nscd_socket_use(mailman_cgi_t) -@@ -67,6 +69,16 @@ +@@ -67,6 +69,17 @@ # allow mailman_mail_t self:unix_dgram_socket create_socket_perms; @@ -11487,10 +11541,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +auth_use_nsswitch(mailman_mail_t) + +files_search_spool(mailman_mail_t) ++fs_rw_anon_inodefs_files(mailman_mail_t) mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) -@@ -96,6 +108,7 @@ +@@ -96,6 +109,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) @@ -13398,7 +13453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-14 14:31:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-15 13:43:34.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # @@ -13664,7 +13719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) + +# connect to master process -+stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t) ++stream_connect_pattern(postfix_virtual_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) + +allow postfix_virtual_t postfix_spool_t:file rw_file_perms; + 
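Review bot: The widened `stream_connect_pattern(postfix_virtual_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)` in the `@@ -13664,7 +13719,7 @@` hunk leaves the comment above it reading `# connect to master process`, which no longer describes what is granted: search on both socket directories and connect to any master-spawned service socket in them, including the private ones postfix reserves for its own daemons. Update it to `# connect to master-spawned services over both the public and private socket dirs (virtual needs the private ones)`. The postfix_virtual_t block begins before this hunk.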
@@ -17998,7 +18053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-14 09:15:01.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-14 14:44:39.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -18063,7 +18118,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) - files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) +-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file) ++files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir }) +# Read machine-id +files_read_var_lib_files(xdm_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 695835f..c193d04 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 99%{?dist} +Release: 100%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,10 @@ exit 0 %endif %changelog +* Tue Apr 15 2008 Dan Walsh 3.0.8-100 +- Dontaudit validating context when using kerberos libraries +- Allow postfix_virtual write access to postfix_private sockets + * Tue Apr 8 2008 Dan Walsh 3.0.8-99 - Allow privoxy to write to /etc/privoxy/default\.action