From 989462718c4443c033b3435c2743bc17f2b4f68d Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Aug 25 2010 14:32:54 +0000
Subject: - Allow seunshare fowner capability
- Allow dovecot to manage postfix privet socket

---

diff --git a/policy-F13.patch b/policy-F13.patch
index b0b3a13..9caefb4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -6587,8 +6587,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-05-28 09:42:00.004610972 +0200
-@@ -0,0 +1,314 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-08-25 16:02:58.406085258 +0200
+@@ -0,0 +1,315 @@
+
+## policy for sandbox
+
@@ -6626,6 +6626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
++ dontaudit sandbox_domain $1:process signal;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
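Review bot: The new `dontaudit sandbox_domain $1:process signal;` is keyed on the `sandbox_domain` attribute while every neighbouring rule in this interface is scoped to `sandbox_x_domain` or `sandbox_xserver_t`; if the intent is only to quiet the X sandbox's signal attempts against its launcher, `dontaudit sandbox_x_domain $1:process signal;` keeps the interface on one attribute, and if `sandbox_domain` really is meant it must also be declared in the interface's gen_require block, which lies outside this hunk. Because it is a dontaudit the signal is still denied, so only audit visibility of a sandboxed process poking its parent is lost — worth a one-line comment such as `# sandboxed children signal the launcher on exit; deny without auditing` so a later reader does not read it as a grant. The enclosing interface starts before and ends after this hunk.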
@@ -6905,8 +6906,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-24 14:07:38.336335117 +0200
-@@ -0,0 +1,397 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-25 16:17:36.953085328 +0200
+@@ -0,0 +1,402 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -7135,6 +7136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
++userdom_search_user_home_content(sandbox_x_domain)
+
+#============= sandbox_x_t ==============
+files_search_home(sandbox_x_t)
@@ -7184,6 +7186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
+
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
++kernel_request_load_module(sandbox_web_type)
+
+dev_read_rand(sandbox_web_type)
+dev_write_sound(sandbox_web_type)
@@ -7216,6 +7219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
++corenet_tcp_sendrecv_squid_port(sandbox_web_type)
++corenet_sendrecv_squid_client_packets(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
+# Should not need other ports
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
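Review bot: `kernel_request_load_module(sandbox_web_type)` gives the least-trusted sandbox domain — the one running web content — the ability to trigger kernel module autoloading, so a compromised renderer can pull otherwise-unloaded kernel code into play (for instance by opening a socket of an unusual address family) and widen the kernel attack surface reachable from inside the sandbox. If the rule only exists to silence denials, `kernel_dontaudit_request_load_module(sandbox_web_type)` is the safer choice, assuming this refpolicy release ships that interface; if a real load is required, a comment naming the module that triggered it would justify the grant. The `sandbox_web_type` block continues outside the hunk.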
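Review bot: The three squid-port rules are inserted directly above `# Should not need other ports`, so that comment now appears to refer to them rather than to the generic-port dontaudits that follow; moving the squid lines up beside the other named client ports, or rewording the comment to `# Everything beyond the named client ports above is denied quietly`, keeps the intent readable. A short note on why a sandboxed browser needs a local proxy port (presumably an outbound squid proxy; confirm) would also help the next maintainer decide whether the grant is still needed.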
@@ -7412,7 +7418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-08-10 16:20:13.598085356 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-08-25 16:06:59.968119755 +0200
@@ -6,40 +6,45 @@
# Declarations
#
@@ -7427,7 +7433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@@ -14494,7 +14500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-24 14:04:00.070084847 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-25 09:32:04.821085078 +0200
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@@ -14740,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_search_var($1)
')
-@@ -836,11 +892,60 @@
+@@ -836,11 +892,62 @@
')
files_search_var($1)
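Review bot: Adding `fowner` to the `seunshare_domain` capability set lets the setuid seunshare helper bypass the file-owner check on chmod, utime, xattr/ACL changes and sticky-bit deletion for any file it can already reach, and next to the existing `dac_override` and `sys_admin` this leaves the helper nearly unconstrained with respect to file metadata. The hunk gives no hint which operation produced the denial; a one-line comment such as `# fowner: chmod/relabel of the copied sandbox home and tmp directories (confirm)` would record the justification, and confirming that the triggering path is the sandbox's private directories rather than user-owned files would make the grant easier to defend. The remaining seunshare_domain rules are outside this hunk.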
@@ -14768,6 +14774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ ')
+
+ files_search_var($1)
++ apache_search_sys_content($1)
+ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -14791,6 +14798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+ ')
+
+ files_search_tmp($1)
++ apache_search_sys_content($1)
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -14801,7 +14809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Execute all web scripts in the system
-@@ -858,6 +963,11 @@
+@@ -858,6 +965,11 @@
gen_require(`
attribute httpdcontent;
type httpd_sys_script_t;
@@ -14813,7 +14821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1055,7 @@
+@@ -945,7 +1057,7 @@
type httpd_squirrelmail_t;
')
@@ -14822,7 +14830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -985,6 +1095,24 @@
+@@ -985,6 +1097,24 @@
allow $1 httpd_sys_content_t:dir search_dir_perms;
')
@@ -14847,7 +14855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Read apache system content.
-@@ -1086,6 +1214,25 @@
+@@ -1086,6 +1216,25 @@
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -14873,7 +14881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
##
## Dontaudit attempts to write
-@@ -1102,7 +1249,7 @@
+@@ -1102,7 +1251,7 @@
type httpd_tmp_t;
')
@@ -14882,7 +14890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1172,7 +1319,7 @@
+@@ -1172,7 +1321,7 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -14891,7 +14899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1349,62 @@
+@@ -1202,12 +1351,62 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -25541,8 +25549,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.19/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-05-28 09:42:00.142610728 +0200
-@@ -104,6 +104,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-08-25 16:04:52.823085230 +0200
+@@ -67,13 +67,15 @@
+ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsmon_t self:tcp_socket create_socket_perms;
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+
+ read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+
+ # pid file
+ manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+ manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
++manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })
+
+ kernel_read_kernel_sysctls(nut_upsmon_t)
+ kernel_read_system_state(nut_upsmon_t)
+@@ -104,6 +106,10 @@
mta_send_mail(nut_upsmon_t)
@@ -27231,7 +27256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-08-10 16:47:59.294085327 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if 2010-08-25 16:01:16.678085053 +0200
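Review bot: The new socket rules in the `+@@ -67,13 +67,15 @@` block are split across two domains: `manage_sock_files_pattern` is granted to `nut_upsdrvctl_t`, but the `files_pid_filetrans(..., { file sock_file })` that labels a freshly created socket is granted to `nut_upsmon_t`, and `nut_upsmon_t` itself receives no sock_file permission on `nut_var_run_t`. As written, a socket created by upsmon would still be denied at create time despite the transition, while one created by upsdrvctl directly under /var/run would land in the generic pid-directory type with no transition to `nut_var_run_t`. Unless upsdrvctl is the intended creator (in which case the filetrans belongs to it), the first added line should read `manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)`, and the `# pid file` comment above should become `# pid file and control socket`. The `nut_upsmon_t` block continues outside the hunk.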
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -27240,7 +27265,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
can_exec(postfix_$1_t, postfix_$1_exec_t)
-@@ -79,6 +80,7 @@
+@@ -76,9 +77,11 @@
+
+ files_read_etc_files(postfix_$1_t)
+ files_read_etc_runtime_files(postfix_$1_t)
++ files_read_usr_files(postfix_$1_t)
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
@@ -27248,7 +27277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
init_dontaudit_use_fds(postfix_$1_t)
init_sigchld(postfix_$1_t)
-@@ -110,6 +112,13 @@
+@@ -110,6 +113,13 @@
template(`postfix_server_domain_template',`
postfix_domain_template($1)
@@ -27262,7 +27291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_$1_t self:capability { setuid setgid dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
-@@ -174,9 +183,8 @@
+@@ -174,9 +184,8 @@
type postfix_etc_t;
')
@@ -27274,7 +27303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_etc($1)
')
-@@ -232,6 +240,25 @@
+@@ -232,6 +241,25 @@
########################################
##
@@ -27300,7 +27329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Allow domain to read postfix local process state
##
##
-@@ -349,6 +376,25 @@
+@@ -349,6 +377,25 @@
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -27326,7 +27355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Execute the master postfix program in the
-@@ -368,6 +414,25 @@
+@@ -368,6 +415,25 @@
can_exec($1, postfix_master_exec_t)
')
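Review bot: `files_read_usr_files(postfix_$1_t)` is added inside `postfix_domain_template`, so every postfix_$1_t domain stamped out by the template gains read access to all of /usr, whereas the template previously stopped at `files_read_usr_symlinks`; the hunk does not say which daemon hit the denial, and the commit message only mentions the dovecot/private-socket work, whose policy is not in view. If a single helper needs it, placing the call in that domain's .te keeps the shared template minimal; if it really is needed by all of them, a comment such as `# every postfix daemon reads files under /usr (triggered by <daemon>; confirm)` records the reason. The template starts and ends outside this hunk.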
@@ -27352,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
##
## Create a named socket in a postfix private directory.
-@@ -378,7 +443,7 @@
+@@ -378,7 +444,7 @@
##
##
#
@@ -27361,7 +27390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
gen_require(`
type postfix_private_t;
')
-@@ -389,6 +454,25 @@
+@@ -389,6 +455,25 @@
########################################
##
@@ -27387,7 +27416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Execute the master postfix program in the
## postfix_master domain.
##
-@@ -418,10 +502,10 @@
+@@ -418,10 +503,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
@@ -27400,7 +27429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -437,11 +521,30 @@
+@@ -437,11 +522,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
@@ -27433,7 +27462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -456,16 +559,16 @@
+@@ -456,16 +560,16 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -27453,7 +27482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
##
##
##
-@@ -475,11 +578,11 @@
+@@ -475,11 +579,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -27467,7 +27496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -500,3 +603,158 @@
+@@ -500,3 +604,158 @@
typeattribute $1 postfix_user_domtrans;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4005798..2af40c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 50%{?dist}
+Release: 51%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Wed Aug 25 2010 Miroslav Grepl 3.7.19-51
+- Allow seunshare fowner capability
+- Allow dovecot to manage postfix privet socket
+
* Tue Aug 24 2010 Miroslav Grepl 3.7.19-50
- Fixes for boinc policy
- Fixes for shorewall policy