From b5f115f2fb820d5c1d0f89b8ef825431a6a6c389 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 26 2010 09:52:51 +0000 Subject: - Dontaudit init leaks --- diff --git a/policy-F13.patch b/policy-F13.patch index 78717b0..4ea86b4 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2475,8 +2475,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-09-24 14:23:58.850635407 +0200 -@@ -0,0 +1,67 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-10-26 10:35:13.462651140 +0200 +@@ -0,0 +1,68 @@ +policy_module(shutdown,1.0.0) + +######################################## @@ -2525,6 +2525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +init_read_utmp(shutdown_t) +init_rw_utmp(shutdown_t) +init_telinit(shutdown_t) ++init_dontaudit_leaks(shutdown_t) + +logging_search_logs(shutdown_t) +logging_send_audit_msgs(shutdown_t) @@ -2779,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-01 15:16:38.939348984 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-26 10:37:40.688650931 +0200 @@ -199,6 +199,7 @@ term_use_all_ttys(groupadd_t) 
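Review bot: The added `init_dontaudit_leaks(shutdown_t)` line in the shutdown.te hunk has no comment saying which descriptor init leaks or why silencing the denial is acceptable. The same applies to the smbcontrol_t call in samba.te and the passwd_t call in usermanage.te, where the neighbouring comment is about utmp, a different denial. A dontaudit rule removes the AVC records, so anyone investigating these domains later sees nothing unless dontaudit rules are disabled. I would put a line such as `# init leaks a fifo to its children; do not audit the inherited rw access` above each call, ideally with the bug reference, so the rule can be revisited if init is later changed to close the descriptor.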
@@ -2825,7 +2826,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman domain_use_interactive_fds(passwd_t) -@@ -333,6 +341,7 @@ +@@ -315,6 +323,7 @@ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) ++init_dontaudit_leaks(passwd_t) + init_use_fds(passwd_t) + + logging_send_audit_msgs(passwd_t) +@@ -333,6 +342,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2833,7 +2842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_domtrans(passwd_t) -@@ -427,7 +436,7 @@ +@@ -427,7 +437,7 @@ # Useradd local policy # @@ -2842,7 +2851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -450,6 +459,7 @@ +@@ -450,6 +460,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -2850,7 +2859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -498,12 +508,8 @@ +@@ -498,12 +509,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -2864,7 +2873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman mta_manage_spool(useradd_t) -@@ -527,6 +533,12 @@ +@@ -527,6 +534,12 @@ ') optional_policy(` 
@@ -7295,8 +7304,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-18 15:03:16.043900000 +0200 -@@ -0,0 +1,421 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-25 18:09:55.337651301 +0200 +@@ -0,0 +1,425 @@ +policy_module(sandbox,1.0.0) + +dbus_stub() @@ -7661,6 +7670,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +userdom_delete_user_tmpfs_files(sandbox_web_type) + +optional_policy(` ++ alsa_read_rw_config(sandbox_web_type) ++') ++ ++optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + @@ -32958,7 +32971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-08 10:26:42.307649666 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-26 10:38:39.378650869 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -33174,7 +33187,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +574,8 @@ +@@ -532,10 +570,14 @@ + + domain_use_interactive_fds(smbcontrol_t) + ++init_dontaudit_leaks(smbcontrol_t) ++ + files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) 
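Review bot: The sandbox.te hunk adds `alsa_read_rw_config(sandbox_web_type)`, which is unrelated to the commit subject and is not listed in the %changelog entry for 3.7.19-69. Going by the interface name, this grants the sandbox web domains read access to ALSA configuration, so it widens what sandboxed content may touch and should be traceable in the package history. I would add a changelog line such as `- Allow sandbox web domains to read alsa config` and a short comment above the new optional_policy block naming what needs the access.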
@@ -33183,7 +33202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +658,7 @@ +@@ -618,7 +660,7 @@ # SWAT Local policy # @@ -33192,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +666,25 @@ +@@ -626,23 +668,25 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -33226,7 +33245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +699,14 @@ +@@ -657,11 +701,14 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -33242,7 +33261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) kernel_read_network_state(swat_t) -@@ -700,6 +745,8 @@ +@@ -700,6 +747,8 @@ miscfiles_read_localization(swat_t) @@ -33251,7 +33270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +760,23 @@ +@@ -713,12 +762,23 @@ kerberos_use(swat_t) ') @@ -33276,7 +33295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -763,6 +821,7 @@ +@@ -763,6 +823,7 @@ kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) 
@@ -33284,7 +33303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_exec_bin(winbind_t) -@@ -779,6 +838,9 @@ +@@ -779,6 +840,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -33294,7 +33313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +850,7 @@ +@@ -788,7 +852,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -33303,7 +33322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +928,18 @@ +@@ -866,6 +930,18 @@ # optional_policy(` @@ -33322,7 +33341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +950,12 @@ +@@ -876,9 +952,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -38626,7 +38645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-13 16:15:23.146085276 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-10-26 10:34:57.510650962 +0200 @@ -193,8 +193,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; @@ -38859,7 +38878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1808,74 @@ +@@ -1712,3 +1808,92 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -38918,6 +38937,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + +####################################### +## ++## dontaudit read and write an leaked file descriptors ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_leaks',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ dontaudit $1 init_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++####################################### ++## +## Manage init script +## status files. +## @@ -41896,7 +41933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-13 09:09:23.135649707 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-26 10:36:50.480651251 +0200 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -42135,7 +42172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -484,12 +457,23 @@ +@@ -484,12 +457,24 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -42154,12 +42191,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +optional_policy(` + #signal mcstrans on reload + init_spec_domtrans_script(semanage_t) ++ init_dontaudit_leaks(semanage_t) +') + # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,112 +483,54 @@ +@@ -499,112 +484,54 @@ userdom_read_user_tmp_files(semanage_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 444a548..172d278 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
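Review bot: The summary of `init_dontaudit_leaks` in the init.if hunk promises more than the rule delivers, because the body only covers `init_t:fifo_file` with `rw_inherited_fifo_file_perms` and not leaked descriptors in general. I would reword it to `Do not audit attempts to read and write fifo files (pipes) inherited from init.`, which also fixes the "an leaked" typo. The description could add that the access stays denied and only the audit record is suppressed, so a later reader does not assume that sockets or regular files leaked by init are covered as well.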
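Review bot: In the selinuxutil.te hunk, `init_dontaudit_leaks(semanage_t)` is placed inside the optional_policy block headed `#signal mcstrans on reload`, which has nothing to do with it. The shutdown_t, passwd_t and smbcontrol_t call sites appear to use the interface outside any optional block, although indentation is lost on this page. Either move the call next to semanage_t's other unconditional rules, which lie outside this hunk, or give it its own comment line inside the block, e.g. `# init leaks a fifo; do not audit`.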
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Tue Oct 26 2010 Miroslav Grepl 3.7.19-69 +- Dontaudit init leaks + * Mon Oct 25 2010 Miroslav Grepl 3.7.19-68 - Fix httpd_setrlimit boolean to allow sys_resource capability - Allow lowatch to use zz-disk_space logwatch script