From ef836a986197adc37a35872b4df38d6290622f94 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Dec 22 2010 21:12:41 +0000
Subject: - New labels for ghc http content
- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
- pm-suspend now creates log file for append access so we remove devicekit_wri
- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
- Fixes for greylist_milter policy
---
diff --git a/policy-F15.patch b/policy-F15.patch
index cc26057..b540d76 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -5109,10 +5109,10 @@ index 0000000..4f9cb05
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..aedbcbe
+index 0000000..ae1d09b
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,315 @@
+@@ -0,0 +1,316 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -5343,6 +5343,7 @@ index 0000000..aedbcbe
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
++dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
+
@@ -7846,7 +7847,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..93e0ee8 100644
+index 34c9d01..d858795 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -7887,7 +7888,11 @@ index 34c9d01..93e0ee8 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,6 +324,7 @@ ifdef(`distro_redhat', `
+@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/share/doc/ghc/html/libraries/gen_contents_index -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
@@ -8003,7 +8008,7 @@ index b06df19..c0763c2 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index edefaf3..e00278f 100644
+index edefaf3..7548158 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8094,7 +8099,7 @@ index edefaf3..e00278f 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -125,30 +147,34 @@ network_port(iscsi, tcp,3260,s0)
+@@ -125,30 +147,35 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -8116,6 +8121,7 @@ index edefaf3..e00278f 100644
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
++network_port(movaz_ssc, tcp,5252,s0)
+network_port(mpd, tcp,6600,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
-network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
@@ -8133,7 +8139,7 @@ index edefaf3..e00278f 100644
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
-@@ -156,12 +182,20 @@ network_port(pegasus_http, tcp,5988,s0)
+@@ -156,12 +183,20 @@ network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
@@ -8154,7 +8160,7 @@ index edefaf3..e00278f 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -176,43 +210,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -176,43 +211,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -14200,7 +14206,7 @@ index c3a1903..b0e48c6 100644
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..3bfac20 100644
+index 9e39aa5..7ba3b11 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -14220,17 +14226,19 @@ index 9e39aa5..3bfac20 100644
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -43,8 +42,7 @@ ifdef(`distro_suse', `
+@@ -43,8 +42,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/drupal(6)?(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -74,7 +72,8 @@ ifdef(`distro_suse', `
+@@ -74,7 +74,8 @@ ifdef(`distro_suse', `
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -14240,7 +14248,7 @@ index 9e39aa5..3bfac20 100644
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -86,7 +85,6 @@ ifdef(`distro_suse', `
+@@ -86,7 +87,6 @@ ifdef(`distro_suse', `
/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
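Review bot: The new `/usr/share/doc/ghc/html(/.*)?` entry is inserted after `/usr/share/drupal(6)?(/.*)?` and is followed by an added empty line (the bare `++`), which breaks the alphabetical order this `/usr/share` block keeps (doc sorts before drupal) and leaves a blank inside the list; move the entry above the drupal line and drop the blank. This also types a whole package documentation tree as web content while the corecommands.fc hunk labels `gen_contents_index` inside it bin_t; fc_sort should still give that file bin_t because the longer `--` entry is more specific, but a comment such as `# ghc's HTML documentation is published by httpd` on the new line would record why documentation is httpd_sys_content_t at all.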
@@ -14248,7 +14256,7 @@ index 9e39aa5..3bfac20 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -109,3 +107,22 @@ ifdef(`distro_debian', `
+@@ -109,3 +109,22 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -20208,7 +20216,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..20efe4a 100644
+index f706b99..22b862e 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -20223,29 +20231,10 @@ index f706b99..20efe4a 100644
##
#
interface(`devicekit_domtrans',`
-@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
-+######################################
-+##
-+## Allow to write the devicekit
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_write_log',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
-+ allow $1 devicekit_var_log_t:file { write };
-+')
-+
+#######################################
+##
+## Do not audit attempts to write the devicekit
+##
+##
+##
@@ -20287,7 +20276,7 @@ index f706b99..20efe4a 100644
########################################
##
## Read devicekit PID files.
-@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -20347,7 +20336,7 @@ index f706b99..20efe4a 100644
##
##
##
-@@ -165,21 +252,22 @@ interface(`devicekit_admin',`
+@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -20375,7 +20364,6 @@ index f706b99..20efe4a 100644
- files_search_pids($1)
+ files_list_pids($1)
')
-+
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index f231f17..4ecd4b7 100644
--- a/policy/modules/services/devicekit.te
@@ -24961,7 +24949,7 @@ index ed1af3c..40b5f0e 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
-index 47e3612..98801a7 100644
+index 47e3612..ece07ab 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,6 +9,13 @@ policy_module(milter, 1.3.0)
@@ -25009,7 +24997,27 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root,
-@@ -52,8 +76,8 @@ mta_read_config(greylist_milter_t)
+@@ -33,11 +57,19 @@ files_type(spamass_milter_state_t)
+ allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
+ allow greylist_milter_t self:process { setsched getsched };
+
++allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
++
+ # It creates a pid file /var/run/milter-greylist.pid
+ files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
+
+ kernel_read_kernel_sysctls(greylist_milter_t)
+
++corecmd_exec_bin(greylist_milter_t)
++corecmd_exec_shell(greylist_milter_t)
++
++corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
++corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
++
+ # Allow the milter to read a GeoIP database in /usr/share
+ files_read_usr_files(greylist_milter_t)
+ # The milter runs from /var/lib/milter-greylist and maintains files there
+@@ -52,8 +84,8 @@ mta_read_config(greylist_milter_t)
########################################
#
# milter-regex local policy
@@ -25020,7 +25028,7 @@ index 47e3612..98801a7 100644
#
# It removes any existing socket (not owned by root) whilst running as root
-@@ -72,8 +96,8 @@ mta_read_config(regex_milter_t)
+@@ -72,8 +104,8 @@ mta_read_config(regex_milter_t)
########################################
#
# spamass-milter local policy
@@ -41253,7 +41261,7 @@ index 1c4b1e7..ffa4134 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..cbd62c5 100644
+index bea0ade..a0feb45 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
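Review bot: `corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)` is added without `corenet_tcp_bind_generic_node(greylist_milter_t)` or any `corenet_tcp_sendrecv_*` rule, so unless those are granted further down in greylist_milter_t's block (which continues outside this hunk) the bind on TCP 5252 is still denied on node_t and packets on the port are not permitted. The same hunk gives a daemon that parses untrusted mail `corecmd_exec_bin` and `corecmd_exec_shell`, i.e. the right to execute any bin_t or shell program; that is a large widening for a milter and should carry a comment naming the helper or AVC that motivated it, since nothing in the visible policy explains it. The port type is defined in corenetwork.te.in under its IANA name `movaz_ssc` with no comment tying it to this consumer, which is presumably milter-greylist's peer-sync port; a comment at the bind rule would close that gap. The network rules I would expect, modelled on the amavis block elsewhere in this patch, are:
```m4
allow greylist_milter_t self:tcp_socket create_stream_socket_perms;

# … unchanged: pid file, sysctl, corecmd rules …

corenet_all_recvfrom_unlabeled(greylist_milter_t)
corenet_all_recvfrom_netlabel(greylist_milter_t)
corenet_tcp_sendrecv_generic_if(greylist_milter_t)
corenet_tcp_sendrecv_generic_node(greylist_milter_t)
corenet_tcp_bind_generic_node(greylist_milter_t)
# peer sync port (TCP 5252) — confirm against milter-greylist's config
corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
```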
@@ -41580,7 +41588,7 @@ index bea0ade..cbd62c5 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1692,36 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -41594,7 +41602,7 @@ index bea0ade..cbd62c5 100644
sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
+
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib($1)
+
+ miscfiles_read_generic_certs($1)
@@ -41604,61 +41612,45 @@ index bea0ade..cbd62c5 100644
optional_policy(`
- avahi_stream_connect($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ dirsrv_stream_connect($1)
+ ')
')
optional_policy(`
- ldap_stream_connect($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect($1)
+ ')
')
optional_policy(`
-- likewise_stream_connect_lsassd($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ likewise_stream_connect_lsassd($1)
-+ ')
+ likewise_stream_connect_lsassd($1)
')
+ # can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
optional_policy(`
kerberos_use($1)
')
-@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1731,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
- ')
-
- optional_policy(`
-- samba_stream_connect_winbind($1)
-- samba_read_var_files($1)
-- samba_dontaudit_write_var_files($1)
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ nslcd_stream_connect($1)
-+ ')
+ ')
+
+ optional_policy(`
-+ sssd_stream_connect($1)
++ nslcd_stream_connect($1)
+ ')
+
+ optional_policy(`
-+ tunable_policy(`authlogin_use_sssd',`', `
-+ samba_stream_connect_winbind($1)
-+ samba_read_var_files($1)
-+ samba_dontaudit_write_var_files($1)
-+ ')
++ sssd_stream_connect($1)
')
- ')
+ optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..c2a3970 100644
+index 54d122b..069790d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
+## Allow users to login using a sssd server
+##

+##
-+gen_tunable(authlogin_use_sssd, false)
++gen_tunable(authlogin_nsswitch_use_ldap, false)
+
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -42553,7 +42545,7 @@ index ed152c4..be3bb8f 100644
+ allow $1 init_t:unix_dgram_socket sendto;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 0580e7c..28fd86c 100644
+index 0580e7c..1618f9d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -43241,7 +43233,7 @@ index 0580e7c..28fd86c 100644
+userdom_inherit_append_user_tmp_files(daemon)
+userdom_dontaudit_rw_stream(daemon)
+
-+logging_append_all_logs(daemon)
++logging_inherit_append_all_logs(daemon)
+
+optional_policy(`
+ # sudo service restart causes this
@@ -44345,7 +44337,7 @@ index 571599b..17dd196 100644
+
+/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..620e0a4 100644
+index c7cfb62..ee9809d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@@ -44416,7 +44408,7 @@ index c7cfb62..620e0a4 100644
+ attribute logfile;
+ ')
+
-+ allow $1 logfile:file { getattr append };
++ allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
@@ -44660,7 +44652,7 @@ index 58bc27f..b4f0663 100644
+ allow $1 clvmd_tmpfs_t:file rw_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 86ef2da..a251276 100644
+index 86ef2da..0676045 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
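Review bot: `nslcd_stream_connect($1)` is now added to auth_use_nsswitch unconditionally while `ldap_stream_connect`, `dirsrv_stream_connect`, `files_list_var_lib` and `miscfiles_read_generic_certs` are all gated by the new `authlogin_nsswitch_use_ldap` tunable; nslcd is the nss-pam-ldapd lookup daemon, i.e. an LDAP backend, so every caller keeps an LDAP path the boolean is meant to control, and it should sit inside the same tunable_policy block as `ldap_stream_connect`. The tunable is renamed at the end of this hunk but its description in authlogin.te still reads "Allow users to login using a sssd server", which is what `semanage boolean -l` will print for a boolean that now governs LDAP, not sssd; "Allow nsswitch lookups to contact an LDAP server (nss_ldap, nslcd, dirsrv)" describes the rules it actually gates. Note also that the old `authlogin_use_sssd` granted these rules in its false branch, so they applied by default, whereas the new boolean grants them when true and defaults to `false`, so nss_ldap users lose LDAP connectivity until they flip it; if that is intended the changelog line should say so. auth_use_nsswitch's body starts before this hunk.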
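Review bot: `logging_inherit_append_all_logs` now allows `{ getattr append ioctl lock }` on every file carrying the `logfile` attribute, and the init.te hunk above hands that to the whole `daemon` attribute, so any daemon may append to any log type (audit logs included, if they carry `logfile` as in upstream refpolicy) through a descriptor it inherits. The omission of `open` is the only thing that limits this to inherited descriptors, and nothing in the interface records that it is deliberate; add `# no open: append only through a descriptor inherited from the parent` above the allow rule so a later "fix" does not add it. The interface's doc block is outside this hunk.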
@@ -44705,8 +44697,12 @@ index 86ef2da..a251276 100644
ccs_stream_connect(clvmd_t)
')
-@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config;
- allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+@@ -167,9 +179,10 @@ optional_policy(`
+ # net_admin for multipath
+ allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
+ dontaudit lvm_t self:capability sys_tty_config;
+-allow lvm_t self:process { sigchld sigkill sigstop signull signal };
++allow lvm_t self:process { setfscreate sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
+allow lvm_t self:sem create_sem_perms;
@@ -46782,7 +46778,7 @@ index 8e71fb7..f1b155a 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..d8c6f24 100644
+index dfbe736..d1f6368 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -46944,12 +46940,11 @@ index dfbe736..d8c6f24 100644
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -325,8 +372,15 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +372,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ devicekit_dontaudit_read_pid_files(ifconfig_t)
-+ devicekit_write_log(ifconfig_t)
+')
+
+optional_policy(`
@@ -46960,7 +46955,7 @@ index dfbe736..d8c6f24 100644
')
optional_policy(`
-@@ -334,6 +388,14 @@ optional_policy(`
+@@ -334,6 +387,14 @@ optional_policy(`
')
optional_policy(`
@@ -46975,7 +46970,7 @@ index dfbe736..d8c6f24 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +417,9 @@ optional_policy(`
+@@ -355,3 +416,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
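Review bot: `setfscreate` on `lvm_t self:process` lets lvm choose the label of every object it creates via setfscreatecon(3) instead of taking the type_transition result; the kernel still requires lvm_t to hold `create` on the requested type, so the real width of this grant is whatever device and file types lvm_t can already create, which for a domain that also holds `mknod`, `sys_admin` and `sys_rawio` (visible in the context lines) is broad. Record the reason beside the rule so the permission is not copied into other domains without thought, e.g. `# lvm calls setfscreatecon() when creating device nodes (see commit message)`. The lvm_t block continues outside this hunk.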
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 99148d8..9be8f73 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Tue Dec 21 2010 Dan Walsh 3.9.12-2
+- New labels for ghc http content
+- nsplugin_config needs to read urand, lvm now calls setfscreate to create dev
+- pm-suspend now creates log file for append access so we remove devicekit_wri
+- Change authlogin_use_sssd to authlogin_nsswitch_use_ldap
+- Fixes for greylist_milter policy
+
* Tue Dec 21 2010 Miroslav Grepl 3.9.12-1
- Update to upstream
- Fixes for systemd policy