From e04c70e3ba19d4e04b58086c689985d7c4584fb1 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 12 2009 14:49:10 +0000 Subject: - Fix sysnet/net_conf_t --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 169123d..1c7d9c8 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -793,6 +793,13 @@ mplayer = module # gpg = module +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +gpsd = module + # Layer: admin # Module: mrtg # diff --git a/modules-mls.conf b/modules-mls.conf index 8e8dcd0..e70ca60 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -255,6 +255,13 @@ dmidecode = base # gpg = module +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +gpsd = module + # Layer: apps # Module: loadkeys # diff --git a/modules-targeted.conf b/modules-targeted.conf index eaf1456..220193d 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -477,6 +477,13 @@ games = module # getty = base +# Layer: services +# Module: gpsd +# +# gpsd monitor daemon +# +gpsd = module + # Layer: apps # Module: gnome # diff --git a/policy-20080710.patch b/policy-20080710.patch index 601f4f4..d59e9d1 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -2326,7 +2326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2009-03-12 13:00:13.000000000 +0100 @@ -8,8 +8,33 @@ attribute gnomedomain; 
@@ -2357,7 +2357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te +# +type gconfd_t, gnomedomain; +application_domain(gconfd_t, gconfd_exec_t) -+role system_r types gconfd_exec_t; ++role system_r types gconfd_t; + +############################## +# 
@@ -6674,8 +6674,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te se +wm_domain_template(user,xdm) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-02-26 15:48:02.000000000 +0100 -@@ -123,12 +123,17 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2009-03-12 13:44:36.000000000 +0100 +@@ -73,10 +73,16 @@ + /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/netconsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/sysconfig/readonly-root -- gen_context(system_u:object_r:bin_t,s0) +-/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) +-/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) +-/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) +-/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0) ++ ++/etc/sysconfig/network-scripts/ifup.* gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/network-scripts/ifdown.* gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/network-scripts/net.* gen_context(system_u:object_r:bin_t,s0) ++/etc/sysconfig/network-scripts/init.* gen_context(system_u:object_r:bin_t,s0) ++ ++#/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0) ++#/etc/sysconfig/network-scripts/ifup-.* -l gen_context(system_u:object_r:bin_t,s0) ++#/etc/sysconfig/network-scripts/ifdown-.* -- gen_context(system_u:object_r:bin_t,s0) ++#/etc/sysconfig/network-scripts/ifdown-.* -l gen_context(system_u:object_r:bin_t,s0) + + /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) + /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) +@@ -123,12 
+129,17 @@ /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6693,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -176,6 +181,8 @@ +@@ -176,6 +187,8 @@ /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) @@ -6702,7 +6723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -184,10 +191,8 @@ +@@ -184,10 +197,8 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -6715,7 +6736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -202,6 +207,7 @@ +@@ -202,6 +213,7 @@ /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -6723,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -@@ -222,14 +228,15 @@ +@@ -222,14 +234,15 @@ /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
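Review bot: The four commented-out entries (`+#/etc/sysconfig/network-scripts/ifup-.* -- gen_context(system_u:object_r:bin_t,s0)` and the three that follow it) are dead configuration and should be deleted rather than carried in the patch; the removed lines are already recorded by the `-` lines just above them. The replacements drop both the hyphen and the file-type field, so `ifup.*`, `ifdown.*`, `net.*` and `init.*` now match any object class with those stems, which is presumably intended because the same commit labels the rest of `/etc/sysconfig/network-scripts(/.*)?` as net_conf_t in sysnetwork.fc, and these entries are what keep the executed helpers out of that writable type. That dependency is invisible from this file, so a short comment above the new entries, e.g. `# keep the network-scripts helpers bin_t; the directory itself is net_conf_t (see sysnetwork.fc)`, would stop the next maintainer from "simplifying" them away.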
@@ -6741,7 +6762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) -@@ -292,3 +299,14 @@ +@@ -292,3 +305,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -22010,7 +22031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2009-03-12 13:00:18.000000000 +0100 @@ -0,0 +1,235 @@ +policy_module(polkit_auth, 1.0.0) + @@ -22139,7 +22160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +optional_policy(` + dbus_system_bus_client_template(polkit_auth, polkit_auth_t) + consolekit_dbus_chat(polkit_auth_t) -+ dbus_system_domain(polkit_exec_t, polkit_t) ++ dbus_system_domain(polkit_auth_t, polkit_auth_exec_t) +') + +optional_policy(` @@ -26807,7 +26828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/setroubleshoot.te 2009-03-12 12:57:27.000000000 +0100 
@@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -26865,7 +26886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -97,22 +110,25 @@ +@@ -97,23 +110,30 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -26893,6 +26914,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) + ') ++ ++optional_policy(` ++ unconfined_signull(setroubleshoot_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.13/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/services/smartmon.te 2009-02-10 15:07:15.000000000 +0100 @@ -34546,8 +34572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setran + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2009-02-10 15:07:15.000000000 +0100 -@@ -11,15 +11,21 @@ ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.fc 2009-03-12 13:33:35.000000000 +0100 +@@ -11,15 +11,23 @@ /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) 
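Review bot: `unconfined_signull(setroubleshoot_t)` names a type that appears nowhere else in this hunk; every surrounding rule uses `setroubleshootd_t` (`domain_type(setroubleshootd_t)`, `rpm_read_db(setroubleshootd_t)`, `rpm_use_script_fds(setroubleshootd_t)`), so unless setroubleshoot_t is declared elsewhere in the module this line will fail the policy build with an undeclared-type error, and wrapping it in optional_policy() does not mask that. The line should read `unconfined_signull(setroubleshootd_t)`. The enclosing setroubleshoot.te continues outside the hunk, so the declaration could not be checked here.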
@@ -34563,13 +34589,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) + ifdef(`distro_redhat',` - /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) -+/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +-/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/networking/profiles/.*/hosts -- gen_context(system_u:object_r:net_conf_t,s0) ++/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ++ ') # -@@ -57,3 +63,5 @@ +@@ -57,3 +65,5 @@ ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') @@ -34577,7 +34607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2009-03-12 14:42:54.000000000 +0100 @@ -198,7 +198,25 @@ type dhcpc_state_t; ') 
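Review bot: The new catch-all `/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)` relabels the directory inode and everything in it, including the ifcfg-* files, as net_conf_t, which is the type that this commit's sysnet_manage_config() now grants directory write access on; every caller of that interface (dhcpc_t in this commit) therefore gains the ability to create and remove files in a directory that also holds scripts executed during network setup. The scripts stay bin_t only because of the corecommands.fc entries added in the same commit (`ifup.*`, `ifdown.*`, `net.*`, `init.*`), and whether those four stems cover every file the ifup scripts execute or source cannot be confirmed from this patch; a comment next to the new entry, e.g. `# executed helpers in this directory are bin_t, see corecommands.fc`, would at least make the coupling explicit. Separately, the inner patch now deletes and re-adds the two resolv\.conf entries with apparently identical text, which suggests only whitespace changed; if so, leaving them as context keeps the hunk down to the lines that actually change.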
@@ -34605,7 +34635,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ####################################### -@@ -553,6 +571,7 @@ +@@ -236,7 +254,7 @@ + ') + + files_search_etc($1) +- allow $1 net_conf_t:file read_file_perms; ++ read_files_pattern($1, net_conf_t, net_conf_t) + ') + + ####################################### +@@ -329,7 +347,8 @@ + type net_conf_t; + ') + +- allow $1 net_conf_t:file manage_file_perms; ++ allow $1 net_conf_t:dir list_dir_perms; ++ manage_files_pattern($1, net_conf_t, net_conf_t) + ') + + ####################################### +@@ -553,6 +572,7 @@ type net_conf_t; ') @@ -34613,7 +34662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -569,6 +588,14 @@ +@@ -569,6 +589,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -34628,7 +34677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -598,6 +625,8 @@ +@@ -598,6 +626,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -34637,7 +34686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -632,3 +661,49 @@ +@@ -632,3 +662,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') @@ -34689,7 +34738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2009-03-12 15:06:51.000000000 +0100 
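Review bot: In the inner `@@ -329,7 +347,8 @@` hunk the added `allow $1 net_conf_t:dir list_dir_perms;` is redundant, because `manage_files_pattern($1, net_conf_t, net_conf_t)` on the next line already grants rw_dir_perms on the directory type, a superset of list_dir_perms; drop the explicit line, or replace it with a comment if the intent was to document directory access. The inner `@@ -236,7 +254,7 @@` hunk switches one reader to `read_files_pattern($1, net_conf_t, net_conf_t)`, but the other net_conf_t readers further down this file (the unchanged `allow $1 net_conf_t:file read_file_perms;` lines visible as context near inner lines 589, 627 and 663) stay file-only, and now that sysnetwork.fc labels the network-scripts directory net_conf_t those callers cannot search it; they likely want the same treatment, which should be confirmed against the full interface file outside this hunk. Widening sysnet_manage_config from `manage_file_perms` on files to create/delete rights in net_conf_t directories changes what every existing caller may do, so the interface's doc comment (outside the hunk) should state that callers can now add and remove files under net_conf_t directories such as /etc/sysconfig/network-scripts.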
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -34727,6 +34776,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t) filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file) +@@ -65,7 +69,7 @@ + + # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files + # in /etc created by dhcpcd will be labelled net_conf_t. +-allow dhcpc_t net_conf_t:file manage_file_perms; ++sysnet_manage_config(dhcpc_t) + files_etc_filetrans(dhcpc_t,net_conf_t,file) + + # create temp files @@ -116,7 +120,7 @@ corecmd_exec_shell(dhcpc_t)