From 996d67cf9a3b07f4989f395a8ef759f21dabc24e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 08 2008 19:57:58 +0000 Subject: *** empty log message *** --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 10fb70a..1a04465 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -6605,6 +6605,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus sysnet_domtrans_dhcpc(system_dbusd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-2.6.4/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2007-05-07 14:51:01.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dcc.te 2008-01-04 09:46:23.000000000 -0500 +@@ -126,7 +126,7 @@ + # dcc procmail interface local policy + # + +-allow dcc_client_t self:capability setuid; ++allow dcc_client_t self:capability { setgid setuid }; + allow dcc_client_t self:unix_dgram_socket create_socket_perms; + allow dcc_client_t self:udp_socket create_socket_perms; + +@@ -149,6 +149,10 @@ + files_read_etc_files(dcc_client_t) + files_read_etc_runtime_files(dcc_client_t) + ++kernel_read_system_state(dcc_client_t) ++ ++auth_use_nsswitch(dcc_client_t) ++ + libs_use_ld_so(dcc_client_t) + libs_use_shared_libs(dcc_client_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.6.4/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2007-05-07 14:50:57.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/dhcp.te 2008-01-02 11:27:47.000000000 -0500 @@ -6927,7 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2008-01-02 11:27:47.000000000 -0500 
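Review bot: The capability grant for dcc_client_t is widened from `setuid` to `{ setgid setuid }` with no comment saying which dcc operation needs to change its group id, and the commit message is empty, so the reason for the extra privilege is not recorded anywhere. A why-comment directly above the rule, such as `# setgid: dcc client drops group privileges as well as uid — confirm against the denial this fixes`, keeps the grant auditable. Note this is a change to a nested patch (policy-20070501.patch), so the lines shown are the dcc.te text as carried by that patch rather than the .te file itself.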
@@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.89 2008/01/04 14:29:21 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.90 2008/01/08 19:57:58 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -7108,7 +7131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2008-01-02 11:27:47.000000000 -0500 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.89 2008/01/04 14:29:21 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.90 2008/01/08 19:57:58 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -10216,15 +10239,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-02 11:27:47.000000000 -0500 -@@ -59,10 +59,14 @@ ++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-08 13:55:38.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(rpc,1.5.0) ++policy_module(rpc,1.7.0) + + ######################################## + # +@@ -8,7 +8,7 @@ + + ## + ##

+-## Allow gssd to read temp directory.
++## Allow gssd to read temp directory. For access to kerberos tgt.
+ ##

+ ##
+ ##
+ gen_tunable(allow_gssd_read_tmp,true)
+@@ -16,7 +16,8 @@
+ ##
+ ##

+ ## Allow nfs servers to modify public files
+-## used for public file transfer services.
++## used for public file transfer services. Files/Directories must be
++## labeled public_content_rw_t.
+ ##

+ ##
+ gen_tunable(allow_nfsd_anon_write,false) +@@ -59,10 +60,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) +corecmd_exec_bin(rpcd_t) + kernel_read_system_state(rpcd_t) - kernel_search_network_state(rpcd_t) +-kernel_search_network_state(rpcd_t) ++kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) +kernel_rw_fs_sysctls(rpcd_t) @@ -10232,21 +10282,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) -@@ -79,6 +83,7 @@ +@@ -76,11 +81,17 @@ + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) ++selinux_dontaudit_read_fs(rpcd_t) optional_policy(` nis_read_ypserv_config(rpcd_t) -+ nis_use_ypbind(rpcd_t) ') ++# automount -> mount -> rpcd ++optional_policy(` ++ automount_dontaudit_use_fds(rpcd_t) ++') ++ ######################################## -@@ -91,9 +96,13 @@ + # + # NFSD local policy +@@ -91,9 +102,16 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +dev_dontaudit_getattr_all_blk_files(nfsd_t) +dev_dontaudit_getattr_all_chr_files(nfsd_t) + ++dev_read_lvm_control(nfsd_t) ++storage_dontaudit_raw_read_fixed_disk(nfsd_t) ++ # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -10254,7 +10317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +132,7 @@ +@@ -123,6 +141,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) 
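Review bot: `kernel_search_network_state(rpcd_t)` is replaced by the broader `kernel_read_network_state(rpcd_t)` with no comment, while the neighbouring `kernel_read_sysctl(rpcd_t)` line carries `# for rpc.rquotad`; a one-line reason for the wider read access (which rpcd program or denial it answers) keeps the grant auditable. The same applies to the new `corecmd_exec_bin(rpcd_t)` and `kernel_rw_fs_sysctls(rpcd_t)` lines in this hunk, the latter being a write permission on kernel sysctls rather than a read. The tunable description edits in the same hunk are fine as wording.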
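Review bot: `dev_read_lvm_control(nfsd_t)` grants nfsd read access to the LVM control device with no comment, whereas the companion `storage_dontaudit_raw_read_fixed_disk(nfsd_t)` only silences a denial; a read grant on a device-mapper control node deserves a why-line naming the nfsd code path that opens it, or should itself be a dontaudit if the access is only probed. The `# automount -> mount -> rpcd` comment on the new automount block is exactly the kind of note the lvm line is missing. This hunk also drops the previously carried `nis_use_ypbind(rpcd_t)` addition from the patch; if another interface now covers ypbind for rpcd_t, say so in the (currently empty) commit message, otherwise rpcd silently loses that access.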
@@ -10262,6 +10325,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` +@@ -143,6 +162,7 @@ + manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) + files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) + ++kernel_read_system_state(gssd_t) + kernel_read_network_state(gssd_t) + kernel_read_network_state_symlinks(gssd_t) + kernel_search_network_sysctl(gssd_t) +@@ -156,14 +176,12 @@ + files_list_tmp(gssd_t) + files_read_usr_symlinks(gssd_t) + ++auth_read_cache(gssd_t) ++ + miscfiles_read_certs(gssd_t) + +-ifdef(`targeted_policy',` +- files_read_generic_tmp_files(gssd_t) +- files_read_generic_tmp_symlinks(gssd_t) +- # Manage the users kerberos tgt file +- files_manage_generic_tmp_files(gssd_t) +-') ++userdom_dontaudit_search_users_home_dirs(rpcd_t) ++userdom_dontaudit_search_sysadm_home_dirs(rpcd_t) + + tunable_policy(`allow_gssd_read_tmp',` + userdom_list_unpriv_users_tmp(gssd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te --- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2008-01-02 11:27:47.000000000 -0500 @@ -10555,7 +10645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.if 2008-01-02 11:27:47.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/samba.if 2008-01-08 13:41:08.000000000 -0500 @@ -177,6 +177,27 @@ ######################################## 
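Review bot: The two lines added in the gssd section, `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)`, name rpcd_t even though they replace a removed targeted_policy ifdef block that was entirely about gssd_t and sit between `miscfiles_read_certs(gssd_t)` and the `allow_gssd_read_tmp` tunable block; if gssd is the domain whose home-directory search denials are being silenced, they should read `userdom_dontaudit_search_users_home_dirs(gssd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(gssd_t)`. If rpcd_t really is intended, the lines belong in the rpcd section above so the file keeps its per-domain grouping. The removed block also granted `files_manage_generic_tmp_files(gssd_t)` under targeted policy, and the new `auth_read_cache(gssd_t)` appears to be its narrower replacement for reading kerberos tickets; a comment saying so would tie it to the tunable description changed earlier in this patch to mention the kerberos tgt.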
@@ -10667,7 +10757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ## Allow the specified domain to write to smbmount tcp sockets. ## ## -@@ -377,3 +462,121 @@ +@@ -377,3 +462,122 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) ') @@ -10736,6 +10826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + type samba_share_t; + ') + ++ allow $1 samba_share_t:filesystem getattr; + read_files_pattern($1, samba_share_t, samba_share_t) +') + @@ -10791,7 +10882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2008-01-02 11:27:47.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2008-01-08 13:40:55.000000000 -0500 @@ -16,6 +16,14 @@ ## @@ -10901,7 +10992,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbd_t samba_net_tmp_t:file getattr; -@@ -231,7 +258,8 @@ +@@ -214,6 +241,7 @@ + manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t) + manage_files_pattern(smbd_t,samba_share_t,samba_share_t) + manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t) ++allow smbd_t samba_share_t:filesystem getattr; + + manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t) + manage_files_pattern(smbd_t,samba_var_t,samba_var_t) +@@ -231,7 +259,8 @@ manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t) files_pid_filetrans(smbd_t,smbd_var_run_t,file) 
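Review bot: `allow $1 samba_share_t:filesystem getattr;` is added to the samba.if interface, and the matching `allow smbd_t samba_share_t:filesystem getattr;` in the samba.te hunk further along this same line, with no comment; samba_share_t is otherwise used in these files as a file/dir type, and a `filesystem` class rule on it only takes effect where a mounted filesystem's superblock carries that label, presumably shares mounted with a context= option — confirm. A one-line comment above each rule, e.g. `# statfs on shares mounted with context=samba_share_t`, would save the next reader from taking the class for a mistake.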
@@ -10911,7 +11010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -241,6 +269,9 @@ +@@ -241,6 +270,9 @@ kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -10921,7 +11020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corenet_tcp_sendrecv_all_if(smbd_t) corenet_udp_sendrecv_all_if(smbd_t) corenet_raw_sendrecv_all_if(smbd_t) -@@ -265,11 +296,14 @@ +@@ -265,11 +297,14 @@ fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) @@ -10936,7 +11035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb files_list_var_lib(smbd_t) files_read_etc_files(smbd_t) -@@ -290,8 +324,6 @@ +@@ -290,8 +325,6 @@ miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -10945,7 +11044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_search_sysadm_home_dirs(smbd_t) userdom_dontaudit_use_unpriv_user_fds(smbd_t) userdom_use_unpriv_users_fds(smbd_t) -@@ -312,10 +344,27 @@ +@@ -312,10 +345,27 @@ miscfiles_manage_public_files(smbd_t) ') @@ -10973,7 +11072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') optional_policy(` -@@ -339,6 +388,23 @@ +@@ -339,6 +389,23 @@ udev_read_db(smbd_t) ') @@ -10997,7 +11096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # nmbd Local policy -@@ -352,7 +418,7 @@ +@@ -352,7 +419,7 @@ allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; 
@@ -11006,7 +11105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -362,9 +428,11 @@ +@@ -362,9 +429,11 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) @@ -11020,7 +11119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) allow nmbd_t samba_log_t:dir setattr; -@@ -373,6 +441,8 @@ +@@ -373,6 +442,8 @@ allow nmbd_t smbd_var_run_t:dir rw_dir_perms; @@ -11029,7 +11128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) kernel_read_kernel_sysctls(nmbd_t) -@@ -391,6 +461,7 @@ +@@ -391,6 +462,7 @@ corenet_udp_bind_nmbd_port(nmbd_t) corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) @@ -11037,7 +11136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) -@@ -402,6 +473,7 @@ +@@ -402,6 +474,7 @@ files_read_usr_files(nmbd_t) files_read_etc_files(nmbd_t) @@ -11045,7 +11144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb libs_use_ld_so(nmbd_t) libs_use_shared_libs(nmbd_t) -@@ -411,8 +483,6 @@ +@@ -411,8 +484,6 @@ miscfiles_read_localization(nmbd_t) @@ -11054,7 +11153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_search_sysadm_home_dirs(nmbd_t) userdom_dontaudit_use_unpriv_user_fds(nmbd_t) userdom_use_unpriv_users_fds(nmbd_t) -@@ -457,6 +527,7 @@ +@@ -457,6 +528,7 @@ allow smbmount_t samba_secrets_t:file manage_file_perms; 
@@ -11062,7 +11161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow smbmount_t samba_var_t:dir rw_dir_perms; manage_files_pattern(smbmount_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t) -@@ -489,6 +560,8 @@ +@@ -489,6 +561,8 @@ term_list_ptys(smbmount_t) term_use_controlling_term(smbmount_t) @@ -11071,7 +11170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) files_list_mnt(smbmount_t) -@@ -508,21 +581,11 @@ +@@ -508,21 +582,11 @@ logging_search_logs(smbmount_t) @@ -11094,7 +11193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -530,22 +593,36 @@ +@@ -530,22 +594,36 @@ # SWAT Local policy # @@ -11138,7 +11237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_t:process signull; -@@ -558,7 +635,11 @@ +@@ -558,7 +636,11 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) @@ -11151,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -582,23 +663,24 @@ +@@ -582,23 +664,24 @@ dev_read_urand(swat_t) @@ -11178,7 +11277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -612,32 +694,30 @@ +@@ -612,32 +695,30 @@ kerberos_use(swat_t) ') 
@@ -11218,7 +11317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t) filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file) -@@ -645,6 +725,8 @@ +@@ -645,6 +726,8 @@ manage_files_pattern(winbind_t,samba_log_t,samba_log_t) manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t) @@ -11227,7 +11326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb manage_files_pattern(winbind_t,samba_var_t,samba_var_t) manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t) -@@ -682,7 +764,9 @@ +@@ -682,7 +765,9 @@ fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) @@ -11237,7 +11336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -695,9 +779,6 @@ +@@ -695,9 +780,6 @@ miscfiles_read_localization(winbind_t) @@ -11247,7 +11346,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_dontaudit_search_sysadm_home_dirs(winbind_t) userdom_priveleged_home_dir_manager(winbind_t) -@@ -713,10 +794,6 @@ +@@ -713,10 +795,6 @@ ') optional_policy(` @@ -11258,7 +11357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb seutil_sigchld_newrole(winbind_t) ') -@@ -736,8 +813,11 @@ +@@ -736,8 +814,11 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t) @@ -11270,7 +11369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) term_list_ptys(winbind_helper_t) -@@ -757,10 +837,68 @@ +@@ -757,10 +838,68 @@ ') optional_policy(`