From a7ceb31ce49e2b5e617da1752c7d97c4423770b8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Mar 01 2010 17:06:47 +0000
Subject: - Add MLS fixes found in RHEL6 testing
- Allow domains to append to rpm_tmp_t
- Add cachefilesfd policy
- Dontaudit leaks when transitioning
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 5c60784..fffaa75 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2855,12 +2855,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
 /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.10/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-02-26 14:31:45.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/apps/gpg.if 2010-03-01 11:52:26.000000000 -0500
 @@ -52,11 +52,8 @@
 ifdef(`hide_broken_symptoms',`
 #Leaked File Descriptors
-+ dontaudit gpg_t $1:socket_class_set { read write };
++ dontaudit gpg_t $2:socket_class_set { read write };
 dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
 - dontaudit gpg_t $2:tcp_socket rw_socket_perms;
 - dontaudit gpg_t $2:udp_socket rw_socket_perms;
@@ -3346,8 +3346,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.10/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-02-26 14:31:12.000000000 -0500
-@@ -0,0 +1,363 @@
++++ serefpolicy-3.7.10/policy/modules/apps/nsplugin.if 2010-03-01 11:46:38.000000000 -0500
+@@ -0,0 +1,355 @@
 +
 +## policy for nsplugin
 +
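Review bot: The `$1`→`$2` correction is right (presumably `$1` is the role and `$2` the user domain in this interface, so the old rule named a role where a type is required), but the context line directly below it, `dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;`, stays on the wider permission set while the nsplugin.if hunk in this same commit narrows the equivalent rule to `rw_inherited_fifo_file_perms`. If that set is the usual one without `open`, the gpg rule is the only one of the two that also silences re-opening `$2`'s pipes rather than just reading and writing inherited ones, which is exactly the denial a reviewer of leaked-descriptor handling would still want in the audit log. Aligning it to `dontaudit gpg_t $2:fifo_file rw_inherited_fifo_file_perms;` keeps the two leak dontaudits consistent. The enclosing gpg interface starts outside the hunk.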
@@ -3449,16 +3449,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 + can_exec($2, nsplugin_rw_t)
 +
 + #Leaked File Descriptors
-+ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
-+ dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
-+ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
-+ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
-+ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
-+ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
-+ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
-+ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
-+ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
-+ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
++ifdef(`hide_broken_symptoms', `
++ dontaudit nsplugin_t $2:socket_class_set { read write };
++ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
++ dontaudit nsplugin_config_t $2:socket_class_set { read write };
++ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
++')
 + allow nsplugin_t $2:unix_stream_socket connectto;
 + dontaudit nsplugin_t $2:process ptrace;
 + allow nsplugin_t $2:sem rw_sem_perms;
@@ -3516,10 +3512,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 + domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
 + domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
 +
-+ifdef(`hide_broken_symptoms', `
-+ dontaudit nsplugin_t $1:socket_class_set { read write };
-+ dontaudit nsplugin_config_t $1:socket_class_set { read write };
-+')
 +')
 +
 +#######################################
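Review bot: Wrapping the four replacement rules in `ifdef(`hide_broken_symptoms', ...)` changes behavior when that build option is off: the ten lines they replace were unconditional, so such builds will now log AVC denials for inherited `$2` sockets and fifos touched by nsplugin_t and nsplugin_config_t. That is presumably the intent, since a leaked descriptor is exactly the "broken symptom" the option exists to hide, and the new rules are also a sensible trade in the other direction — broader in classes (`socket_class_set` instead of tcp/udp/unix_stream/unix_dgram) but narrower in permissions (`{ read write }` instead of `rw_socket_perms`), so bind/connect/setopt attempts on a leaked socket remain auditable. A one-line comment inside the block would save the next reader the diff archaeology: `# leaked descriptors: silence only read/write on inherited fds; audited at all when hide_broken_symptoms is off`. The `$1` variant of this block deleted at @@ -3516 is the counterpart of this change (a role in the type position), and the enclosing interface starts outside the hunk.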
@@ -32090,7 +32082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.10/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.if 2010-03-01 09:57:50.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/selinuxutil.if 2010-03-01 11:55:49.000000000 -0500
 @@ -351,6 +351,27 @@
 ########################################
@@ -32263,7 +32255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 + ')
 +
 + files_search_etc($1)
-+ read_dirs_pattern($1, selinux_config_t, semanage_store_t)
++ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 + read_files_pattern($1, semanage_store_t, semanage_store_t)
 +')
 +