From e37650721d95044d380cdecbf08464a1f2a51b40 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 30 2007 21:02:59 +0000 Subject: - Allow fd passing - dontaudit rpm_rw_pipes - Allow mount to start rpc_mountd --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 0acd544..a3b71ca 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -916,7 +916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-07 14:51:05.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if 2007-10-30 06:41:29.000000000 -0400 @@ -211,6 +211,24 @@ ######################################## @@ -973,7 +973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if ') ######################################## -@@ -290,3 +329,103 @@ +@@ -290,3 +329,120 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') 
@@ -1077,6 +1077,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + dontaudit $1 rpm_t:shm rw_shm_perms; +') + ++######################################## ++## ++## dontaudit read and write an unnamed RPM pipe. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpm_dontaudit_rw_pipes',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.6.4/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-05-07 14:51:05.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/admin/rpm.te 2007-08-07 09:42:35.000000000 -0400 @@ -2388,7 +2405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-10-30 16:16:45.000000000 -0400 @@ -6,6 +6,29 @@ # Declarations # @@ -2430,7 +2447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Domains that can set their current context # (perform dynamic transitions) attribute set_curr_context; -@@ -144,3 +171,26 @@ +@@ -144,3 +171,33 @@ # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -2457,6 +2474,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + ipsec_labeled(domain) + ') +') ++ ++# Allow all domains to use fds past to them ++allow domain domain:fd use; ++optional_policy(` ++ rpm_dontaudit_rw_pipes(domain) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-10-18 17:13:23.000000000 -0400 @@ -5720,7 +5744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 @@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.70 2007/10/27 11:44:01 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.71 2007/10/30 21:02:59 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -5899,9 +5923,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-22 11:12:46.000000000 -0400 -@@ -0,0 +1,230 @@ -+# $Id: policy-20070501.patch,v 1.70 2007/10/27 11:44:01 dwalsh Exp $ ++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 +@@ -0,0 +1,231 @@ ++# $Id: policy-20070501.patch,v 1.71 2007/10/30 21:02:59 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway 
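Review bot: `allow domain domain:fd use;` drops the fd-use check between every pair of domains unconditionally, which is a far wider grant than the `rpm_dontaudit_rw_pipes(domain)` call beside it (that one only silences denials, this one grants access). Underlying object-class permissions on the descriptor's file, pipe or socket still apply, so the exposure is inherited descriptors whose object type the receiving domain is already allowed to touch; if the aim is only to stop AVC noise from inherited descriptors, a `dontaudit domain domain:fd use;` under the hide_broken_symptoms ifdef matches that intent, and if cross-domain fd passing is genuinely required the comment should name the domains that need it so the rule can be narrowed later. The comment also has a typo, `# Allow all domains to use fds passed to them`. The kernel-layer domain.te now depends on an admin-layer rpm interface; the `optional_policy` wrapper keeps the build working, though the dependency direction is inverted relative to the usual layering (the ipsec call above it already does the same, so this may be accepted practice in this tree).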
@@ -5915,6 +5939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + +type exim_t; +type exim_exec_t; ++init_daemon_domain(exim_t, exim_exec_t) +mta_mailserver(exim_t, exim_exec_t) +mta_mailserver_user_agent(exim_t) +application_executable_file(exim_exec_t) @@ -6211,7 +6236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-09 17:19:50.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-29 23:28:20.000000000 -0400 @@ -2,15 +2,22 @@ /etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) /etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0) @@ -6230,7 +6255,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +/var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) + /var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -+/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) + +/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) +/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) 
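Review bot: `init_daemon_domain(exim_t, exim_exec_t)` is inserted directly before `mta_mailserver(exim_t, exim_exec_t)`; in refpolicy trees where `mta_mailserver()` itself calls `init_daemon_domain()` the new line duplicates it (harmless, since the rules are idempotent, but it obscures which interface owns the daemon-domain declaration). If it is needed because the local `mta_mailserver()` does not do so, a one-line comment such as `# explicit: mta_mailserver() in this tree does not declare the init daemon domain` would keep the next reader from removing it. The exim.te declaration block continues past the hunk.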
@@ -6240,6 +6264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) +/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) ++/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-08-07 09:42:35.000000000 -0400 @@ -12728,7 +12753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-08 17:27:32.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/mount.te 2007-10-30 16:18:14.000000000 -0400 @@ -9,6 +9,13 @@ ifdef(`targeted_policy',` ## @@ -12819,13 +12844,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') ') -@@ -162,13 +186,8 @@ +@@ -162,13 +186,9 @@ fs_search_rpc(mount_t) - sysnet_dns_name_resolve(mount_t) - rpc_stub(mount_t) ++ rpc_domtrans_rpcd(mount_t) - optional_policy(` - nis_use_ypbind(mount_t) @@ -12833,7 +12859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -192,9 +211,6 @@ +@@ -192,9 +212,6 @@ samba_domtrans_smbmount(mount_t) ') 
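Review bot: `/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)` replaces the exact `/var/run/vbestate` entry removed in the preceding hunk (`@@ -6230,7 +6255,6 @@`), but `.*` also matches `/`, so the pattern labels regular files under any `/var/run/vbe*/…` subtree as hald_var_run_t rather than only the flat files in `/var/run` itself. If only the flat files are intended, `/var/run/vbe[^/]* -- gen_context(system_u:object_r:hald_var_run_t,s0)` is the tighter form. The entry is also appended after the `/var/log/pm(/.*)?` line instead of beside the other `/var/run/...` hald_var_run_t entries earlier in the file, which makes it easy to miss when auditing the runtime-file labels.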
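Review bot: `rpc_domtrans_rpcd(mount_t)` in the `@@ -12819,13 +12844,14 @@` hunk is added unconditionally, while the other cross-module transition in the same region, `samba_domtrans_smbmount(mount_t)`, sits inside an `optional_policy` block; unless the rpc module is part of the base set for this build, the unwrapped call makes mount's policy fail to link without rpc loaded. Wrapping it in an `optional_policy` block like the samba call keeps the link working either way. It also replaces the removed `rpc_stub(mount_t)`, which granted nothing, with a real domain transition from mount_t into the rpcd domain, so a comment naming the trigger (mount starting rpc.mountd, per the commit subject) would help the next reviewer; the enclosing region of mount.te continues outside the hunk.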
@@ -12843,7 +12869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ######################################## # -@@ -204,4 +220,30 @@ +@@ -204,4 +221,30 @@ ifdef(`targeted_policy',` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -12995,7 +13021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.6.4/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-09-10 14:35:42.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/selinuxutil.te 2007-10-30 06:40:52.000000000 -0400 @@ -1,10 +1,8 @@ policy_module(selinuxutil,1.5.0) @@ -13209,7 +13235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu libs_use_ld_so(semanage_t) libs_use_shared_libs(semanage_t) -@@ -621,6 +640,15 @@ +@@ -621,6 +640,16 @@ userdom_search_sysadm_home_dirs(semanage_t) @@ -13220,12 +13246,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + +optional_policy(` + rpm_dontaudit_rw_tmp_files(semanage_t) ++ rpm_dontaudit_rw_pipes(semanage_t) +') + # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -700,6 +728,8 @@ +@@ -700,6 +729,8 @@ ifdef(`hide_broken_symptoms',` # cjp: cover up stray file descriptors. optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 30d55ae..c2eb514 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 50%{?dist} +Release: 51%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
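Review bot: `rpm_dontaudit_rw_pipes(semanage_t)` in the `@@ -13220,12 +13246,13 @@` hunk is redundant with the `rpm_dontaudit_rw_pipes(domain)` call this same commit adds to domain.te (hunk `@@ -2457,6 +2474,13 @@`), assuming semanage_t carries the `domain` attribute as process types normally do, since the dontaudit on the attribute already covers it. Either drop this line or, if the domain-wide call is meant to be temporary, mark it with `# also covered by the domain-wide rpm_dontaudit_rw_pipes in domain.te` so the two do not drift apart when one is removed. The enclosing `optional_policy` block starts inside the hunk at `rpm_dontaudit_rw_tmp_files(semanage_t)` and the rest of selinuxutil.te continues outside it.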
@@ -361,6 +361,11 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Tue Oct 30 2007 Dan Walsh 2.6.4-51 +- Allow fd passing +- dontaudit rpm_rw_pipes +- Allow mount to start rpc_mountd + * Mon Oct 22 2007 Dan Walsh 2.6.4-50 - Fixes for exim to run from cron - Fix /var/run/ppp* spec