From cb24e588c30fe29f01ca938bfc0a47d57dca0c3b Mon Sep 17 00:00:00 2001 From: Miroslav Date: Dec 15 2011 16:20:10 +0000 Subject: +- Add httpd_can_connect_ldap() interface +- NetworkManager needs to write to /sys/class/net/ib*/mode +- Dont audit writes to leaked file descriptors or redirected output for nacl +- Add label for /var/lib/iscan/interpreter +- Add labeling for /sbin/iscsiuio +- Allow all jabberd domain to read system state +- Allow munin services plugins to use NSCD services +- More fixes for boinc --- diff --git a/policy-F16.patch b/policy-F16.patch index c3ef4df..0ae075c 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4900,10 +4900,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..8eccbc2 +index 0000000..9da72e0 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,181 @@ +@@ -0,0 +1,187 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4932,6 +4932,7 @@ index 0000000..8eccbc2 +# +# chrome_sandbox local policy +# ++ +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace }; +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; @@ -5085,6 +5086,11 @@ index 0000000..8eccbc2 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t) +userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t) ++ ++optional_policy(` ++ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t) ++') ++ diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te index 37475dd..7db4a01 100644 --- a/policy/modules/apps/cpufreqselector.te 
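Review bot: The new `gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)` block at the end of the chrome.te hunk suppresses the audit record for every `write` by the NaCl sandbox to GNOME home-directory files, while the changelog justifies it only by leaked descriptors and redirected output. The denial is still enforced, but a dontaudit removes the one signal a defender would see if the sandboxed plugin ever opened those files itself, so the intended scope should be recorded next to the call, e.g. `# leaked fds / redirected output only; a real write to ~/.config is denied silently`. Keeping the dontaudit inside optional_policy, as done, is correct since gnome may not be loaded.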
@@ -5645,10 +5651,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..5597c91 100644 +index f5afe78..eeeebbb 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,861 @@ +@@ -1,44 +1,879 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5882,6 +5888,24 @@ index f5afe78..5597c91 100644 + +######################################## +## ++## Dontaudit write gnome homedir content (.config) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_write_config_files',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:file write; ++') ++ ++######################################## ++## +## manage gnome homedir content (.config) +## +## @@ -6528,7 +6552,7 @@ index f5afe78..5597c91 100644 ## ## ## -@@ -46,37 +863,92 @@ interface(`gnome_role',` +@@ -46,37 +881,92 @@ interface(`gnome_role',` ## ## # @@ -6632,7 +6656,7 @@ index f5afe78..5597c91 100644 ## ## ## -@@ -84,37 +956,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +974,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -6697,7 +6721,7 @@ index f5afe78..5597c91 100644 ## ## ## -@@ -122,17 +1010,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1028,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6719,7 +6743,7 @@ index f5afe78..5597c91 100644 ## ## ## -@@ -140,51 +1028,299 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1046,299 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -12726,7 +12750,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') 
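Review bot: The summary of the new `gnome_dontaudit_write_config_files` interface in the gnome.if hunk says "(.config)", but the rule it adds is `dontaudit $1 gnome_home_type:file write;`, and an attribute named gnome_home_type presumably covers every GNOME home type rather than only the .config one. Either the description should state the real scope, e.g. `## Do not audit attempts to write GNOME home directory content.`, or the interface should require the specific .config type instead of the attribute. The neighbouring "manage gnome homedir content (.config)" interface uses the same wording, so if it also operates on gnome_home_type the pair is at least consistent and only the doc needs the fix.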
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..63712be 100644 +index 3fae11a..a768ca5 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -12952,18 +12976,19 @@ index 3fae11a..63712be 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +391,8 @@ ifdef(`distro_suse', ` +@@ -375,8 +391,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) -/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +401,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +402,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -23928,7 +23953,7 @@ index 0b827c5..b2d6129 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..7a32618 100644 +index 30861ec..2006219 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) 
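Review bot: The new `/var/lib/iscan/interpreter` entry in the corecommands.fc hunk has neither a file-type flag nor a `(/.*)?` suffix, so it labels exactly that one path; if `interpreter` is a directory of interpreter scripts, as the name suggests, its contents keep the generic /var/lib label and are not executable as bin_t. `/var/lib/iscan/interpreter(/.*)? gen_context(system_u:object_r:bin_t,s0)` would cover a directory, and `--` would pin the entry to a regular file if it is a single binary. Labelling content under /var/lib as bin_t also makes it executable by every domain that has corecmd_exec_bin, so whichever domain writes that tree effectively supplies executable content to all of them; the asterisk agi-bin and ruby helper-scripts entries set the same precedent, but a one-line comment on why iscan needs it would help the next reviewer.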
@@ -24035,7 +24060,7 @@ index 30861ec..7a32618 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +134,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -24044,10 +24069,11 @@ index 30861ec..7a32618 100644 kernel_read_ring_buffer(abrt_t) -kernel_read_system_state(abrt_t) ++kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +155,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +156,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -24056,7 +24082,7 @@ index 30861ec..7a32618 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +166,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +167,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -24066,7 +24092,7 @@ index 30861ec..7a32618 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +175,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +176,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -24075,7 +24101,7 @@ index 30861ec..7a32618 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +187,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +188,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) 
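Review bot: `kernel_request_load_module(abrt_t)` in the abrt.te hunk grants `system:module_request`, which lets abrt trigger autoloading of kernel modules by alias; that is broader than a crash collector obviously needs and the changelog does not mention it. Record the operation that produced the denial next to the rule, e.g. `# module autoload triggered by TODO-name-the-operation`, so the allow stays reviewable and can be removed if that code path goes away.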
@@ -24102,7 +24128,7 @@ index 30861ec..7a32618 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +214,11 @@ optional_policy(` +@@ -150,6 +215,11 @@ optional_policy(` ') optional_policy(` @@ -24114,7 +24140,7 @@ index 30861ec..7a32618 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +236,7 @@ optional_policy(` +@@ -167,6 +237,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -24122,7 +24148,7 @@ index 30861ec..7a32618 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +248,35 @@ optional_policy(` +@@ -178,12 +249,35 @@ optional_policy(` ') optional_policy(` @@ -24159,7 +24185,7 @@ index 30861ec..7a32618 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +293,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +294,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -24188,7 +24214,7 @@ index 30861ec..7a32618 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +316,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +317,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -25565,10 +25591,10 @@ index 6480167..e12bbc0 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..248682c 100644 +index 3136c6a..2aee986 100644 
--- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,130 +18,203 @@ policy_module(apache, 2.2.1) +@@ -18,130 +18,210 @@ policy_module(apache, 2.2.1) # Declarations # @@ -25734,6 +25760,13 @@ index 3136c6a..248682c 100644 +gen_tunable(httpd_can_connect_ftp, false) + +## ++##

++## Allow httpd to connect to the ldap port ++##

++##
++gen_tunable(httpd_can_connect_ldap, false) ++ ++## +##

+## Allow httpd to read home directories +##

@@ -25828,7 +25861,7 @@ index 3136c6a..248682c 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -166,7 +239,7 @@ files_type(httpd_cache_t) +@@ -166,7 +246,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -25837,7 +25870,7 @@ index 3136c6a..248682c 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +250,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +257,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -25847,7 +25880,7 @@ index 3136c6a..248682c 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +292,17 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +299,17 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -25866,7 +25899,7 @@ index 3136c6a..248682c 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +312,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +319,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -25877,7 +25910,7 @@ index 3136c6a..248682c 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +323,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +330,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -25885,7 +25918,7 @@ index 3136c6a..248682c 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +345,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +352,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -25909,7 +25942,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache server local policy -@@ -281,11 +381,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +388,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -25923,7 +25956,7 @@ index 3136c6a..248682c 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +431,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +438,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -25934,7 +25967,7 @@ index 3136c6a..248682c 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +458,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +465,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -25944,7 +25977,7 @@ index 3136c6a..248682c 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +471,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +478,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -25961,7 +25994,7 @@ index 3136c6a..248682c 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +488,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +495,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -25977,7 +26010,7 @@ index 3136c6a..248682c 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +501,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +508,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -25985,7 +26018,7 @@ index 3136c6a..248682c 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +513,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +520,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26089,7 +26122,7 @@ index 3136c6a..248682c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +620,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +627,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26108,6 +26141,10 @@ index 3136c6a..248682c 100644 + corenet_tcp_connect_all_ephemeral_ports(httpd_t) +') + ++tunable_policy(`httpd_can_connect_ldap',` ++ corenet_tcp_connect_ldap_port(httpd_t) ++') ++ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) + corenet_tcp_bind_all_ephemeral_ports(httpd_t) @@ -26139,7 +26176,7 @@ index 3136c6a..248682c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +670,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +681,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26156,7 +26193,7 @@ index 3136c6a..248682c 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +694,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +705,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26177,7 +26214,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -513,7 +718,13 @@ optional_policy(` +@@ -513,7 +729,13 @@ optional_policy(` ') optional_policy(` @@ -26192,7 +26229,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -528,7 +739,19 @@ optional_policy(` +@@ -528,7 +750,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26213,7 +26250,7 @@ index 3136c6a..248682c 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +760,13 @@ optional_policy(` +@@ -537,8 +771,13 @@ optional_policy(` ') optional_policy(` @@ -26228,7 +26265,7 @@ index 3136c6a..248682c 100644 ') ') -@@ -556,7 +784,13 @@ optional_policy(` +@@ -556,7 +795,13 @@ optional_policy(` ') optional_policy(` 
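Review bot: The new httpd_can_connect_ldap tunable_policy block in the apache.te hunk calls only `corenet_tcp_connect_ldap_port(httpd_t)`, whereas the sibling httpd_can_sendmail block pairs its connect rule with `corenet_sendrecv_smtp_client_packets(httpd_t)`; for consistency, and so the boolean also works when packet labeling is enabled, add `corenet_sendrecv_ldap_client_packets(httpd_t)` inside the block. The tunable is applied to httpd_t only, so PHP or CGI content running as httpd_sys_script_t or httpd_php_t still needs httpd_can_network_connect to reach LDAP; that limitation is worth stating in the tunable's description so administrators do not expect it to cover scripts.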
@@ -26242,7 +26279,7 @@ index 3136c6a..248682c 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +801,7 @@ optional_policy(` +@@ -567,6 +812,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -26250,7 +26287,7 @@ index 3136c6a..248682c 100644 ') optional_policy(` -@@ -577,6 +812,20 @@ optional_policy(` +@@ -577,6 +823,20 @@ optional_policy(` ') optional_policy(` @@ -26271,7 +26308,7 @@ index 3136c6a..248682c 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +840,11 @@ optional_policy(` +@@ -591,6 +851,11 @@ optional_policy(` ') optional_policy(` @@ -26283,7 +26320,7 @@ index 3136c6a..248682c 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +857,12 @@ optional_policy(` +@@ -603,6 +868,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26296,7 +26333,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache helper local policy -@@ -616,7 +876,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +887,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26309,7 +26346,7 @@ index 3136c6a..248682c 100644 ######################################## # -@@ -654,28 +918,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +929,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -26353,7 +26390,7 @@ index 3136c6a..248682c 100644 ') ######################################## -@@ -685,6 +951,8 @@ optional_policy(` +@@ -685,6 +962,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -26362,7 +26399,7 @@ index 3136c6a..248682c 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +967,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +978,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -26388,7 +26425,7 @@ index 3136c6a..248682c 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1013,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1024,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -26421,7 +26458,7 @@ index 3136c6a..248682c 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1060,25 @@ optional_policy(` +@@ -769,6 +1071,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -26447,7 +26484,7 @@ index 3136c6a..248682c 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1099,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1110,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -26465,7 +26502,7 @@ index 3136c6a..248682c 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1118,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1129,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -26522,7 +26559,7 @@ index 3136c6a..248682c 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1169,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1180,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -26553,7 +26590,7 @@ index 3136c6a..248682c 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1204,20 @@ optional_policy(` +@@ -842,10 +1215,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -26574,7 +26611,7 @@ index 3136c6a..248682c 100644 ') ######################################## -@@ -891,11 +1263,49 @@ optional_policy(` +@@ -891,11 +1274,49 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -27777,10 +27814,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..e841806 +index 0000000..1441c62 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,174 @@ +@@ -0,0 +1,172 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -27788,6 +27825,8 @@ index 0000000..e841806 +# Declarations +# + ++attribute boinc_domain; ++ +type boinc_t; +type boinc_exec_t; +init_daemon_domain(boinc_t, boinc_exec_t) 
@@ -27814,6 +27853,37 @@ index 0000000..e841806 +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) + ++####################################### ++# ++# boinc domain local policy ++# ++ ++allow boinc_domain self:fifo_file rw_fifo_file_perms; ++allow boinc_domain self:sem create_sem_perms; ++ ++# needs read /proc/interrupts ++kernel_read_system_state(boinc_domain) ++ ++corecmd_exec_bin(boinc_domain) ++corecmd_exec_shell(boinc_domain) ++ ++dev_read_rand(boinc_domain) ++dev_read_urand(boinc_domain) ++dev_read_sysfs(boinc_domain) ++ ++domain_read_all_domains_state(boinc_domain) ++ ++files_read_etc_files(boinc_domain) ++files_read_etc_runtime_files(boinc_domain) ++files_read_usr_files(boinc_domain) ++ ++miscfiles_read_fonts(boinc_domain) ++miscfiles_read_localization(boinc_domain) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(boinc_domain) ++') ++ +######################################## +# +# boinc local policy @@ -27822,10 +27892,8 @@ index 0000000..e841806 +allow boinc_t self:capability { kill }; +allow boinc_t self:process { setsched sigkill }; + -+allow boinc_t self:fifo_file rw_fifo_file_perms; +allow boinc_t self:unix_stream_socket create_stream_socket_perms; +allow boinc_t self:tcp_socket create_stream_socket_perms; -+allow boinc_t self:sem create_sem_perms; +allow boinc_t self:shm create_shm_perms; + +manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) @@ -27843,15 +27911,9 @@ index 0000000..e841806 +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) + -+# needs read /proc/interrupts -+kernel_read_system_state(boinc_t) -+ +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) + -+corecmd_exec_bin(boinc_t) -+corecmd_exec_shell(boinc_t) -+ +corenet_all_recvfrom_unlabeled(boinc_t) +corenet_all_recvfrom_netlabel(boinc_t) +corenet_tcp_sendrecv_generic_if(boinc_t) 
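Review bot: The boinc.te hunk moves the shared rules onto the new `boinc_domain` attribute, but no hunk in this commit adds `typeattribute boinc_t boinc_domain;` or `typeattribute boinc_project_t boinc_domain;`, and the `type boinc_t;` declaration shown as context in the previous hunk is unchanged. Unless the assignment lives in a part of boinc.te this commit does not touch, the attribute has no members, and boinc_t and boinc_project_t lose kernel_read_system_state, corecmd_exec_bin/shell, dev_read_rand/urand/sysfs, files_read_etc_files and the rest of the block. The two typeattribute lines belong directly after the respective type declarations.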
@@ -27868,18 +27930,8 @@ index 0000000..e841806 +corenet_tcp_connect_http_port(boinc_t) +corenet_tcp_connect_http_cache_port(boinc_t) + -+dev_list_sysfs(boinc_t) -+dev_read_rand(boinc_t) -+dev_read_urand(boinc_t) -+dev_read_sysfs(boinc_t) -+ -+domain_read_all_domains_state(boinc_t) -+ +files_dontaudit_getattr_boot_dirs(boinc_t) + -+files_read_etc_files(boinc_t) -+files_read_usr_files(boinc_t) -+ +fs_getattr_all_fs(boinc_t) + +term_getattr_all_ptys(boinc_t) @@ -27887,14 +27939,11 @@ index 0000000..e841806 + +init_read_utmp(boinc_t) + -+miscfiles_read_localization(boinc_t) -+miscfiles_read_generic_certs(boinc_t) -+ +logging_send_syslog_msg(boinc_t) + -+sysnet_dns_name_resolve(boinc_t) -+ -+mta_send_mail(boinc_t) ++optional_policy(` ++ mta_send_mail(boinc_t) ++') + +######################################## +# @@ -27928,29 +27977,15 @@ index 0000000..e841806 +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + -+kernel_read_system_state(boinc_project_t) +kernel_read_kernel_sysctls(boinc_project_t) +kernel_search_vm_sysctl(boinc_project_t) +kernel_read_network_state(boinc_project_t) + -+corecmd_exec_bin(boinc_project_t) -+corecmd_exec_shell(boinc_project_t) -+ +corenet_tcp_connect_boinc_port(boinc_project_t) + -+domain_read_all_domains_state(boinc_project_t) -+ -+dev_read_rand(boinc_project_t) -+dev_read_urand(boinc_project_t) -+dev_read_sysfs(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + -+files_read_etc_files(boinc_project_t) -+files_read_etc_runtime_files(boinc_project_t) -+files_read_usr_files(boinc_project_t) -+ -+miscfiles_read_fonts(boinc_project_t) -+miscfiles_read_localization(boinc_project_t) ++files_dontaudit_search_home(boinc_project_t) + +optional_policy(` + java_exec(boinc_project_t) @@ -40747,10 +40782,10 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') 
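Review bot: This hunk drops `miscfiles_read_generic_certs(boinc_t)` together with the lines that were moved to boinc_domain, but nothing in the new boinc_domain block re-adds it, while the `corenet_tcp_connect_http_port(boinc_t)` client rules that would use a CA bundle for HTTPS remain. If the client is meant to verify server certificates against the system store, add `miscfiles_read_generic_certs(boinc_domain)` to the shared block or restore the boinc_t line; if the removal is deliberate because boinc keeps its own CA file under boinc_var_lib_t, a comment saying so would stop the next reader from re-adding it.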
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..a666df2 100644 +index da2127e..24e20b0 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0) +@@ -5,90 +5,148 @@ policy_module(jabber, 1.8.0) # Declarations # 
@@ -40828,45 +40863,43 @@ index da2127e..a666df2 100644 -corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t) -+ + +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) +corenet_tcp_bind_jabber_client_port(jabberd_router_t) +corenet_tcp_bind_jabber_router_port(jabberd_router_t) +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) -+ + +-domain_use_interactive_fds(jabberd_t) +fs_getattr_all_fs(jabberd_router_t) --dev_read_sysfs(jabberd_t) --# For SSL --dev_read_rand(jabberd_t) +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +miscfiles_read_generic_certs(jabberd_router_t) --domain_use_interactive_fds(jabberd_t) +-fs_getattr_all_fs(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) +optional_policy(` + kerberos_use(jabberd_router_t) +') --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) +-logging_send_syslog_msg(jabberd_t) +optional_policy(` + nis_use_ypbind(jabberd_router_t) +') --fs_getattr_all_fs(jabberd_t) --fs_search_auto_mountpoints(jabberd_t) +-miscfiles_read_localization(jabberd_t) +##################################### +# +# Local policy for other jabberd components +# - --logging_send_syslog_msg(jabberd_t) ++ +manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --miscfiles_read_localization(jabberd_t) -+kernel_read_system_state(jabberd_t) - -sysnet_read_config(jabberd_t) +corenet_tcp_bind_jabber_interserver_port(jabberd_t) +corenet_tcp_connect_jabber_router_port(jabberd_t) 
@@ -40882,8 +40915,8 @@ index da2127e..a666df2 100644 optional_policy(` - seutil_sigchld_newrole(jabberd_t) + udev_read_db(jabberd_t) - ') - ++') ++ +###################################### +# +# Local policy for pyicq-t @@ -40898,8 +40931,6 @@ index da2127e..a666df2 100644 +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); + -+kernel_read_system_state(pyicqt_t) -+ +corenet_tcp_bind_jabber_router_port(pyicqt_t) +corenet_tcp_connect_jabber_router_port(pyicqt_t) + @@ -40916,14 +40947,14 @@ index da2127e..a666df2 100644 +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql - optional_policy(` -- udev_read_db(jabberd_t) ++optional_policy(` + corenet_tcp_connect_mysqld_port(pyicqt_t) ') -+ -+optional_policy(` + + optional_policy(` +- udev_read_db(jabberd_t) + sysnet_use_ldap(pyicqt_t) -+') + ') + +####################################### +# @@ -40935,6 +40966,8 @@ index da2127e..a666df2 100644 +allow jabberd_domain self:tcp_socket create_stream_socket_perms; +allow jabberd_domain self:udp_socket create_socket_perms; + ++kernel_read_system_state(jabberd_domain) ++ +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -45206,7 +45239,7 @@ index c358d8f..fec6a97 100644 allow $1 munin_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te -index f17583b..9850f4d 100644 +index f17583b..171ebec 100644 --- a/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -45301,7 +45334,7 @@ index f17583b..9850f4d 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -221,19 +231,17 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) +@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) dev_read_urand(mail_munin_plugin_t) 
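Review bot: The jabber.te hunks replace `kernel_read_system_state(jabberd_t)` and `kernel_read_system_state(pyicqt_t)` with a single `kernel_read_system_state(jabberd_domain)`, which is only equivalent if jabberd_t, jabberd_router_t and pyicqt_t all carry the jabberd_domain attribute; the typeattribute assignments are not in these hunks, so please confirm pyicqt_t in particular is a member, since it previously had the rule explicitly. The block of `-`/`+` lines in the first hunk that merely reorders the jabberd_router_t rules carries no policy change and makes the real edit harder to see; dropping it would leave a diff that is just the attribute rule.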
@@ -45311,10 +45344,19 @@ index f17583b..9850f4d 100644 - logging_read_generic_logs(mail_munin_plugin_t) - mta_read_config(mail_munin_plugin_t) - mta_send_mail(mail_munin_plugin_t) -+mta_list_queue(mail_munin_plugin_t) - mta_read_queue(mail_munin_plugin_t) +-mta_read_config(mail_munin_plugin_t) +-mta_send_mail(mail_munin_plugin_t) +-mta_read_queue(mail_munin_plugin_t) ++optional_policy(` ++ mta_read_config(mail_munin_plugin_t) ++ mta_send_mail(mail_munin_plugin_t) ++ mta_list_queue(mail_munin_plugin_t) ++ mta_read_queue(mail_munin_plugin_t) ++') ++ ++optional_policy(` ++ nscd_socket_use(mail_munin_plugin_t) ++') optional_policy(` postfix_read_config(mail_munin_plugin_t) @@ -45323,7 +45365,7 @@ index f17583b..9850f4d 100644 ') optional_policy(` -@@ -245,6 +253,8 @@ optional_policy(` +@@ -245,6 +259,8 @@ optional_policy(` # local policy for service plugins # @@ -45332,7 +45374,7 @@ index f17583b..9850f4d 100644 allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; -@@ -255,13 +265,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t) @@ -45347,7 +45389,18 @@ index f17583b..9850f4d 100644 cups_stream_connect(services_munin_plugin_t) ') -@@ -286,6 +293,10 @@ optional_policy(` +@@ -279,6 +292,10 @@ optional_policy(` + ') + + optional_policy(` ++ nscd_socket_use(services_munin_plugin_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(services_munin_plugin_t) + ') + +@@ -286,6 +303,10 @@ optional_policy(` snmp_read_snmp_var_lib_files(services_munin_plugin_t) ') 
@@ -45358,7 +45411,7 @@ index f17583b..9850f4d 100644 ################################## # # local policy for system plugins -@@ -295,13 +306,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; +@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms; rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -45375,7 +45428,7 @@ index f17583b..9850f4d 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -313,3 +323,31 @@ init_read_utmp(system_munin_plugin_t) +@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t) @@ -46263,7 +46316,7 @@ index 2324d9e..4f46ff8 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..c985b07 100644 +index 0619395..76e9108 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -46327,7 +46380,13 @@ index 0619395..c985b07 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t) +@@ -95,11 +120,12 @@ corenet_sendrecv_all_client_packets(NetworkManager_t) + corenet_rw_tun_tap_dev(NetworkManager_t) + corenet_getattr_ppp_dev(NetworkManager_t) + +-dev_read_sysfs(NetworkManager_t) ++dev_rw_sysfs(NetworkManager_t) + dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) 
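Review bot: `dev_rw_sysfs(NetworkManager_t)` replaces `dev_read_sysfs` in the networkmanager.te hunk, which grants write access to every sysfs_t file rather than just the /sys/class/net/ib*/mode attribute named in the changelog, so a compromised NetworkManager could change any writable sysfs attribute. sysfs is a single type in this policy, so a narrower rule is not available without new labeling, but the reason should sit next to the rule: `# writes /sys/class/net/ib*/mode; sysfs_t is one type, so this is rw on all of /sys`.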
@@ -60939,7 +60998,7 @@ index 8294f6f..4847b43 100644 /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0) +/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0) diff --git a/policy/modules/services/tgtd.te b/policy/modules/services/tgtd.te -index 665bf7c..d100080 100644 +index 665bf7c..a1ea37a 100644 --- a/policy/modules/services/tgtd.te +++ b/policy/modules/services/tgtd.te @@ -21,6 +21,9 @@ files_tmpfs_file(tgtd_tmpfs_t) @@ -60961,7 +61020,7 @@ index 665bf7c..d100080 100644 allow tgtd_t self:shm create_shm_perms; allow tgtd_t self:sem create_sem_perms; allow tgtd_t self:tcp_socket create_stream_socket_perms; -@@ -46,6 +49,11 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) +@@ -46,6 +49,12 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t) files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file }) @@ -60970,10 +61029,11 @@ index 665bf7c..d100080 100644 +manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t) +files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file }) + ++kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) -@@ -57,10 +65,18 @@ corenet_tcp_bind_generic_node(tgtd_t) +@@ -57,10 +66,18 @@ corenet_tcp_bind_generic_node(tgtd_t) corenet_tcp_bind_iscsi_port(tgtd_t) corenet_sendrecv_iscsi_server_packets(tgtd_t) 
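Review bot: The added `kernel_read_system_state(tgtd_t)` is not mentioned in the commit's changelog and nothing records what tgtd reads under /proc; since the interface is a fairly broad read grant on proc_t, a comment such as `# tgtd reads /proc (kernel_read_system_state); TODO record the denial that prompted this` would keep the grant auditable. The unchanged lines just above it, `manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)` and `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })`, lack the space after commas used elsewhere in the file and could be normalised while this block is being touched. The tgtd_t rule block continues beyond the hunk.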
@@ -70024,6 +70084,17 @@ index f3e1b57..d7fd7fb 100644 shorewall_read_config(iptables_t) ') +diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc +index 14d9670..8391e13 100644 +--- a/policy/modules/system/iscsi.fc ++++ b/policy/modules/system/iscsi.fc +@@ -1,5 +1,6 @@ + /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) + /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) + + /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te index ddbd8be..ac8e814 100644 --- a/policy/modules/system/iscsi.te diff --git a/selinux-policy.spec b/selinux-policy.spec index f7c9893..e6f1750 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 66%{?dist} +Release: 67%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Dec 15 2011 Miroslav Grepl 3.10.0-67 +- Add httpd_can_connect_ldap() interface +- NetworkManager needs to write to /sys/class/net/ib*/mode +- Dont audit writes to leaked file descriptors or redirected output for nacl +- Add label for /var/lib/iscan/interpreter +- Add labeling for /sbin/iscsiuio +- Allow all jabberd domain to read system state +- Allow munin services plugins to use NSCD services +- More fixes for boinc + * Tue Dec 7 2011 Miroslav Grepl 3.10.0-66 - Add fixes for xguest package
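Review bot: `/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)` reuses the daemon's entry type, so iscsiuio will run with the full iscsid_t permission set rather than a domain of its own; that mirrors the `/sbin/brcm_iscsiuio` entry above it and is presumably intended, but it is worth confirming that nothing granted to iscsid_t is excessive for the userspace I/O helper. A short comment above the two helper entries, e.g. `# iscsiuio helpers run in the iscsid_t domain`, would record that decision. The iscsi.te header lines that follow are context only, so the domain's actual rules are not visible in this hunk.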
