From c8bc906ed52484917657d980e4eedbe5370bc05e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 17 2010 14:08:33 +0000 Subject: - Allow boinc to read kernel sysctl - Fix snmp port definitions - Allow apache to read anon_inodefs --- diff --git a/policy-F13.patch b/policy-F13.patch index f0e21ca..ab2fa06 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2568,7 +2568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.14/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/apps/gnome.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/apps/gnome.if 2010-03-17 08:37:44.000000000 -0400 @@ -74,6 +74,24 @@ ######################################## @@ -2594,7 +2594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -84,10 +102,228 @@ +@@ -84,10 +102,246 @@ # interface(`gnome_manage_config',` gen_require(` @@ -2729,6 +2729,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## ++## Append gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ ++######################################## ++## +## manage gconf home files +## +## 
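Review bot: `gnome_append_gconf_home_files` is a new interface that the changelog entry in selinux-policy.spec does not mention, and the same is true of the other interfaces this commit introduces (`files_write_all_mountpoints`, `files_manage_boot_dirs`, `term_dontaudit_getattr_ptmx`, `udev_kill`) and of the `shutdown_domtrans(xdm_t)` transition in xserver.te. Someone auditing what 3.7.14-5 newly grants would not find any of these from the changelog's three bullets; one line per new grant, e.g. `- Add gnome_append_gconf_home_files and allow xdm to append gconf home files`, keeps the release reviewable. The interface body itself matches its summary (`append_files_pattern` on `gconf_home_t` only), so the policy text in this hunk needs no change.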
@@ -6093,7 +6111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.14/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-03-08 14:49:44.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/kernel/corenetwork.te.in 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/corenetwork.te.in 2010-03-16 10:29:41.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -6171,7 +6189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -176,6 +192,7 @@ +@@ -176,16 +192,18 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -6179,7 +6197,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) -@@ -186,6 +203,7 @@ +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) ++network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) + type socks_port_t, port_type; dnl network_port(socks) # no defined portcon + network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) + network_port(spamd, tcp,783,s0) network_port(speech, tcp,8036,s0) network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp network_port(ssh, tcp,22,s0) 
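Review bot: The new `snmp` line in the corenetwork.te.in hunk widens `snmp_port_t` to TCP 161 and TCP 162 on top of the existing UDP ports, so any domain that already carries a `corenet_*_snmp_port` rule presumably gains those TCP ports without its own policy changing; that may well be the intent of "Fix snmp port definitions", but a one-line comment above the rule would record it, e.g. `# SNMP over TCP (RFC 3430) reuses port numbers 161/162`. Separately, `tcp, 1161, s0` keeps the odd spacing of the old line while the new entries are written `tcp,161,s0`; normalising it to `tcp,1161,s0` matches the rest of the file.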
@@ -6813,7 +6835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.14/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/kernel/files.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/files.if 2010-03-17 08:58:55.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -6827,7 +6849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1428,6 +1426,24 @@ +@@ -1428,6 +1426,42 @@ ######################################## ## @@ -6849,10 +6871,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + +######################################## +## ++## Write all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir write; ++') ++ ++######################################## ++## ## List the contents of the root directory. ## ## -@@ -1552,6 +1568,24 @@ +@@ -1552,6 +1586,24 @@ ######################################## ## 
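Review bot: `files_write_all_mountpoints` grants only `dir write` on the `mountpoint` attribute, which in SELinux does not by itself allow creating or removing directory entries (those need `add_name`/`remove_name`), so the summary `Write all mount points.` reads like a manage-style interface when it is really a writability probe. Suggest the description say so, e.g. `## Allow the write permission on all mount point directories (does not include add_name/remove_name); for daemons that probe whether a mount point is writable before mounting.` Note also that the grant applies to every type carrying the `mountpoint` attribute system-wide, and the only caller in this commit, `mount_t` in the mount.te hunk, justifies it with a single ntfs-3g pre-mount check; that scope mismatch is worth a sentence in the interface doc as well.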
@@ -6877,7 +6917,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -2209,6 +2243,24 @@ +@@ -1697,6 +1749,24 @@ + + ######################################## + ## ++## manage directories in /boot ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_boot_dirs',` ++ gen_require(` ++ type boot_t; ++ ') ++ ++ allow $1 boot_t:dir manage_dir_perms; ++') ++ ++######################################## ++## + ## Create a private type object in boot + ## with an automatic type transition + ## +@@ -1740,7 +1810,7 @@ + type boot_t; + ') + +- manage_files_pattern($1, boot_t, boot_t) ++ read_files_pattern($1, boot_t, boot_t) + ') + + ######################################## +@@ -2209,6 +2279,24 @@ allow $1 etc_t:dir rw_dir_perms; ') @@ -6902,7 +6976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ########################################## ## ## Manage generic directories in /etc -@@ -2280,6 +2332,8 @@ +@@ -2280,6 +2368,8 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -6911,7 +6985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2362,6 +2416,24 @@ +@@ -2362,6 +2452,24 @@ ######################################## ## @@ -6936,7 +7010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2789,6 +2861,101 @@ +@@ -2789,6 +2897,101 @@ ######################################## ## @@ -7038,7 +7112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## -@@ -2899,6 +3066,7 @@ +@@ -2899,6 +3102,7 @@ ') allow $1 home_root_t:dir getattr; 
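Review bot: The inner hunk `@@ -1740,7 +1810,7 @@` changes an existing files.if interface from `manage_files_pattern($1, boot_t, boot_t)` to `read_files_pattern($1, boot_t, boot_t)`, a permission reduction for every caller of that interface, but the interface name lies outside the hunk and the change appears nowhere in the changelog, so the commit gives no way to check that callers relying on write access to /boot files were reviewed. Naming the interface in the changelog or in the patch header would fix that. In the same hunk the new `files_manage_boot_dirs` hands out `manage_dir_perms` (create, rename, rmdir among others) on `boot_t` directories; the primitive is fine, but its summary `manage directories in /boot` could state that it covers directories only and not the files in them, since the read-only change just below makes exactly that distinction.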
@@ -7046,7 +7120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2919,6 +3087,7 @@ +@@ -2919,6 +3123,7 @@ ') dontaudit $1 home_root_t:dir getattr; @@ -7054,7 +7128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2937,6 +3106,7 @@ +@@ -2937,6 +3142,7 @@ ') allow $1 home_root_t:dir search_dir_perms; @@ -7062,7 +7136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2956,6 +3126,7 @@ +@@ -2956,6 +3162,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; @@ -7070,7 +7144,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2975,6 +3146,7 @@ +@@ -2975,6 +3182,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; @@ -7078,7 +7152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2993,6 +3165,7 @@ +@@ -2993,6 +3201,7 @@ ') allow $1 home_root_t:dir list_dir_perms; @@ -7086,7 +7160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3502,6 +3675,64 @@ +@@ -3502,6 +3711,64 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -7151,7 +7225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3687,6 +3918,32 @@ +@@ -3687,6 +3954,32 @@ ######################################## ## 
@@ -7184,7 +7258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3900,6 +4157,13 @@ +@@ -3900,6 +4193,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7198,7 +7272,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4008,7 +4272,7 @@ +@@ -4008,7 +4308,7 @@ type usr_t; ') @@ -7207,7 +7281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4089,6 +4353,24 @@ +@@ -4089,6 +4389,24 @@ ######################################## ## @@ -7232,7 +7306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5014,6 +5296,25 @@ +@@ -5014,6 +5332,25 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -7258,7 +7332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5073,6 +5374,24 @@ +@@ -5073,6 +5410,24 @@ ######################################## ## @@ -7283,7 +7357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5148,6 +5467,24 @@ +@@ -5148,6 +5503,24 @@ ######################################## ## @@ -7308,7 +7382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Do not audit attempts to write to daemon runtime data files. ## ## -@@ -5201,6 +5538,7 @@ +@@ -5201,6 +5574,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -7316,7 +7390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5269,6 +5607,24 @@ +@@ -5269,6 +5643,24 @@ ######################################## ## @@ -7341,7 +7415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5457,12 +5813,15 @@ +@@ -5457,12 +5849,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -7358,7 +7432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5483,3 +5842,211 @@ +@@ -5483,3 +5878,211 @@ typeattribute $1 files_unconfined_type; ') @@ -7953,7 +8027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.14/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/kernel/terminal.if 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/kernel/terminal.if 2010-03-16 14:27:31.000000000 -0400 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` 
@@ -7967,7 +8041,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -829,7 +831,7 @@ +@@ -672,6 +674,25 @@ + + ######################################## + ## ++## Do not audit attempts to get attributes ++## on the pty multiplexor (/dev/ptmx). ++## ++## ++## ++## The type of the process to not audit. ++## ++## ++# ++interface(`term_dontaudit_getattr_ptmx',` ++ gen_require(` ++ type ptmx_t; ++ ') ++ ++ dontaudit $1 ptmx_t:chr_file getattr; ++') ++ ++######################################## ++## + ## Do not audit attempts to read and + ## write the pty multiplexor (/dev/ptmx). + ## +@@ -829,7 +850,7 @@ attribute ptynode; ') @@ -7976,7 +8076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1196,7 +1198,7 @@ +@@ -1196,7 +1217,7 @@ type tty_device_t; ') @@ -7985,7 +8085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1333,7 +1335,7 @@ +@@ -1333,7 +1354,7 @@ attribute ttynode; ') @@ -11614,7 +11714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.14/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-03-09 19:04:58.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/apache.te 2010-03-12 09:30:00.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/apache.te 2010-03-17 09:55:47.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # 
@@ -11883,11 +11983,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -342,15 +417,15 @@ +@@ -342,15 +417,16 @@ fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) +fs_read_iso9660_files(httpd_t) ++fs_read_anon_inodefs_files(httpd_t) auth_use_nsswitch(httpd_t) @@ -11902,7 +12003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) -@@ -365,6 +440,10 @@ +@@ -365,6 +441,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -11913,7 +12014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_read_lib_files(httpd_t) -@@ -379,18 +458,33 @@ +@@ -379,18 +459,33 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -11951,7 +12052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -398,32 +492,71 @@ +@@ -398,32 +493,71 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -12028,7 +12129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -431,14 +564,21 @@ +@@ -431,14 +565,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -12053,7 +12154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_ssi_exec',` -@@ -463,7 +603,18 @@ +@@ -463,7 +604,18 @@ ') optional_policy(` @@ -12072,7 +12173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -475,8 +626,24 @@ +@@ -475,8 +627,24 @@ ') optional_policy(` 
@@ -12099,7 +12200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -484,22 +651,19 @@ +@@ -484,22 +652,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -12125,7 +12226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -510,12 +674,23 @@ +@@ -510,12 +675,23 @@ ') optional_policy(` @@ -12149,7 +12250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -524,6 +699,11 @@ +@@ -524,6 +700,11 @@ ') optional_policy(` @@ -12161,7 +12262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -551,6 +731,23 @@ +@@ -551,6 +732,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -12185,7 +12286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -580,20 +777,32 @@ +@@ -580,20 +778,32 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -12224,7 +12325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -611,23 +820,24 @@ +@@ -611,23 +821,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -12253,7 +12354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -640,6 +850,7 @@ +@@ -640,6 +851,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) 
@@ -12261,7 +12362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -647,22 +858,31 @@ +@@ -647,22 +859,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -12300,7 +12401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -688,16 +908,16 @@ +@@ -688,16 +909,16 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12321,7 +12422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -712,15 +932,29 @@ +@@ -712,15 +933,29 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -12353,7 +12454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -728,6 +962,35 @@ +@@ -728,6 +963,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12389,7 +12490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -740,6 +1003,10 @@ +@@ -740,6 +1004,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12400,7 +12501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -751,6 +1018,8 @@ +@@ -751,6 +1019,8 @@ # httpd_rotatelogs local policy # 
@@ -12409,7 +12510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -770,11 +1039,88 @@ +@@ -770,11 +1040,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12992,8 +13093,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.14/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/boinc.te 2010-03-15 14:49:29.000000000 -0400 -@@ -0,0 +1,76 @@ ++++ serefpolicy-3.7.14/policy/modules/services/boinc.te 2010-03-16 14:27:36.000000000 -0400 +@@ -0,0 +1,80 @@ + +policy_module(boinc,1.0.0) + @@ -13039,6 +13140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) + +kernel_read_system_state(boinc_t) ++kernel_read_kernel_sysctls(boinc_t) + +corecmd_exec_bin(boinc_t) +corecmd_exec_shell(boinc_t) @@ -13065,11 +13167,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +fs_getattr_all_fs(boinc_t) + ++term_dontaudit_getattr_ptmx(boinc_t) ++ +miscfiles_read_localization(boinc_t) + +logging_send_syslog_msg(boinc_t) + +sysnet_dns_name_resolve(boinc_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.14/policy/modules/services/cachefilesd.fc --- nsaserefpolicy/policy/modules/services/cachefilesd.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.14/policy/modules/services/cachefilesd.fc 2010-03-12 09:30:00.000000000 -0500 
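Review bot: The final `++` in the boinc.te hunk appends an empty trailing line to the module (the file header grows from +76 to +80 lines), which is whitespace noise that `git diff` will flag; dropping it leaves the module ending at `sysnet_dns_name_resolve(boinc_t)`. `kernel_read_kernel_sysctls(boinc_t)` is the change the subject line announces and needs no comment, while `term_dontaudit_getattr_ptmx(boinc_t)` is the first user of the interface added in terminal.if and is not in the changelog.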
@@ -15731,7 +15836,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.14/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/services/devicekit.te 2010-03-15 17:07:58.000000000 -0400 ++++ serefpolicy-3.7.14/policy/modules/services/devicekit.te 2010-03-17 08:59:10.000000000 -0400 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15753,7 +15858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,29 +75,61 @@ +@@ -71,29 +75,62 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -15791,6 +15896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi +files_getattr_all_sockets(devicekit_disk_t) +files_getattr_all_mountpoints(devicekit_disk_t) +files_getattr_all_files(devicekit_disk_t) ++files_manage_boot_dirs(devicekit_disk_t) +files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) @@ -15817,7 +15923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -102,6 +138,16 @@ +@@ -102,6 +139,16 @@ userdom_search_user_home_dirs(devicekit_disk_t) optional_policy(` 
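Review bot: `files_manage_boot_dirs(devicekit_disk_t)` gives the DeviceKit-disks daemon create/rename/rmdir rights over every `boot_t` directory, considerably more than the neighbouring `files_getattr_all_*` grants, and nothing in the hunk records why. A why-comment would let the next maintainer re-evaluate it, e.g. `# DeviceKit-disks creates/removes directories under /boot -- TODO record the denial that motivated this`. If the real need is only to create a mount point directory, a narrower grant might do, but the hunk does not show enough to tell.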
@@ -15834,7 +15940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi fstools_domtrans(devicekit_disk_t) ') -@@ -110,28 +156,27 @@ +@@ -110,28 +157,27 @@ ') optional_policy(` @@ -15872,7 +15978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') ######################################## -@@ -139,9 +184,11 @@ +@@ -139,9 +185,11 @@ # DeviceKit-Power local policy # @@ -15885,7 +15991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +198,8 @@ +@@ -151,6 +199,8 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -15894,7 +16000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,7 +208,9 @@ +@@ -159,7 +209,9 @@ domain_read_all_domains_state(devicekit_power_t) @@ -15904,7 +16010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +218,17 @@ +@@ -167,12 +219,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -15922,7 +16028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,6 +236,10 @@ +@@ -180,6 +237,10 @@ ') optional_policy(` @@ -15933,7 +16039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +263,23 @@ +@@ -203,17 +264,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -27184,7 +27290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.14/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/services/xserver.fc 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.fc 2010-03-16 16:05:59.000000000 -0400 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27236,8 +27342,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) @@ -27802,7 +27908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.14/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.14/policy/modules/services/xserver.te 2010-03-15 17:15:49.000000000 -0400 ++++ serefpolicy-3.7.14/policy/modules/services/xserver.te 2010-03-17 08:37:53.000000000 -0400 @@ -36,6 +36,13 @@ ## 
@@ -28304,7 +28410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +663,49 @@ +@@ -520,12 +663,50 @@ ') optional_policy(` @@ -28348,13 +28454,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` + gnome_read_gconf_config(xdm_t) + gnome_read_config(xdm_t) ++ gnome_append_gconf_home_files(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') -@@ -543,9 +723,43 @@ +@@ -543,20 +724,59 @@ ') optional_policy(` @@ -28398,7 +28505,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +769,9 @@ + + optional_policy(` ++ shutdown_domtrans(xdm_t) ++') ++ ++optional_policy(` + udev_read_db(xdm_t) ') optional_policy(` @@ -28410,7 +28523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +780,6 @@ +@@ -565,7 +785,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28418,7 +28531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +790,10 @@ +@@ -576,6 +795,10 @@ ') optional_policy(` @@ -28429,7 +28542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +818,9 @@ +@@ -600,10 +823,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
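Review bot: `shutdown_domtrans(xdm_t)` lets the display-manager domain run the shutdown program in the shutdown domain, a capability the greeter did not have under this policy before, and the new `optional_policy` block carries no comment saying which program needs it or what still gates the action outside SELinux. A short why-comment, e.g. `# display manager offers shutdown/reboot from the login screen -- confirm which DM and what authorises it`, would record the intent; the grant is also absent from the changelog. The `gnome_append_gconf_home_files(xdm_t)` line in the preceding hunk is consistent with the interface added in gnome.if.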
@@ -28441,7 +28554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +832,18 @@ +@@ -615,6 +837,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28460,7 +28573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +863,19 @@ +@@ -634,12 +868,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28482,7 +28595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +909,6 @@ +@@ -673,7 +914,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28490,7 +28603,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +918,12 @@ +@@ -683,9 +923,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28504,7 +28617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +938,13 @@ +@@ -700,8 +943,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -28518,7 +28631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +966,14 @@ +@@ -723,11 +971,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28533,7 +28646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1025,24 @@ +@@ -779,12 +1030,24 @@ ') optional_policy(` @@ -28559,7 +28672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1069,7 @@ +@@ -811,7 +1074,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28568,7 +28681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1090,14 @@ +@@ -832,9 +1095,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28583,7 +28696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1112,14 @@ +@@ -849,11 +1117,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28600,7 +28713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1265,33 @@ +@@ -999,3 +1270,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -31768,7 +31881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.14/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.14/policy/modules/system/mount.te 2010-03-12 09:30:01.000000000 -0500 ++++ serefpolicy-3.7.14/policy/modules/system/mount.te 2010-03-16 17:04:35.000000000 -0400 @@ -18,8 +18,15 @@ init_system_domain(mount_t, mount_exec_t) role system_r types mount_t; @@ -31818,7 +31931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,21 +71,38 @@ +@@ -47,30 +71,49 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -31858,8 +31971,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -70,7 +111,7 @@ + files_manage_etc_runtime_files(mount_t) + files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) ++# ntfs-3g checks whether the mountpoint is writable before mounting ++files_write_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: -files_relabelto_all_file_type_fs(mount_t) @@ -31867,7 +31983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -80,15 +121,18 @@ +@@ -80,15 +123,18 @@ files_read_usr_files(mount_t) files_list_mnt(mount_t) 
@@ -31889,7 +32005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
-@@ -99,6 +143,7 @@
+@@ -99,6 +145,7 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
@@ -31897,7 +32013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 term_use_all_terms(mount_t)
-@@ -107,6 +152,8 @@
+@@ -107,6 +154,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@@ -31906,7 +32022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 logging_send_syslog_msg(mount_t)
-@@ -117,6 +164,8 @@
+@@ -117,6 +166,8 @@
 seutil_read_config(mount_t)
 userdom_use_all_users_fds(mount_t)
@@ -31915,7 +32031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ifdef(`distro_redhat',`
 optional_policy(`
-@@ -132,10 +181,17 @@
+@@ -132,10 +183,17 @@
 ')
 ')
@@ -31933,7 +32049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 optional_policy(`
-@@ -165,6 +221,8 @@
+@@ -165,6 +223,8 @@
 fs_search_rpc(mount_t)
 rpc_stub(mount_t)
@@ -31942,7 +32058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 optional_policy(`
-@@ -172,6 +230,25 @@
+@@ -172,6 +232,25 @@
 ')
 optional_policy(`
@@ -31968,7 +32084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ifdef(`hide_broken_symptoms',`
 # for a bug in the X server
 rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +256,11 @@
+@@ -179,6 +258,11 @@
 ')
 ')
@@ -31980,7 +32096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 # for kernel package installation
 optional_policy(`
 rpm_rw_pipes(mount_t)
-@@ -186,6 +268,19 @@
+@@ -186,6 +270,19 @@
 optional_policy(`
 samba_domtrans_smbmount(mount_t)
@@ -32000,7 +32116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 ########################################
-@@ -195,5 +290,41 @@
+@@ -195,5 +292,41 @@
 optional_policy(`
 files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -33546,8 +33662,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
 +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.14/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if 2010-03-03 23:26:37.000000000 -0500
-+++ serefpolicy-3.7.14/policy/modules/system/udev.if 2010-03-12 09:30:01.000000000 -0500
-@@ -192,6 +192,7 @@
++++ serefpolicy-3.7.14/policy/modules/system/udev.if 2010-03-16 15:36:01.000000000 -0400
+@@ -20,6 +20,24 @@
+
+ ########################################
+ ##
++## Send kill signals to udev.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_kill',`
++ gen_require(`
++ type udev_t;
++ ')
++
++ allow $1 udev_t:process sigkill;
++')
++
++########################################
++##
+ ## Execute udev in the udev domain.
+ ##
+ ##
+@@ -192,6 +210,7 @@
 dev_list_all_dev_nodes($1)
 allow $1 udev_tbl_t:file rw_file_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f9409ff..93f58eb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.14
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,12 @@ exit 0
 %endif
 %changelog
+* Tue Mar 16 2010 Dan Walsh 3.7.14-5
+- Allow boinc to read kernel sysctl
+- Fix snmp port definitions
+- Allow apache to read anon_inodefs
+
+
 * Sun Mar 14 2010 Dan Walsh 3.7.14-4
 - Allow shutdown dac_override
