From f0922f689400d2f9190ef5c8e406ebeed954cfdb Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jan 18 2011 18:47:17 +0000 Subject: - Allow newrole to run namespace - Add puppetmaster_uses_db boolean - Add oracle ports and allow apache to connect to them if the connect_db bool - sandbox fixes --- diff --git a/policy-F13.patch b/policy-F13.patch index cdb4f4a..cbd7ab5 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -33,7 +33,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere .PP diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.19/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/global_tunables 2010-05-28 09:41:59.942610848 +0200 ++++ serefpolicy-3.7.19/policy/global_tunables 2011-01-18 18:06:48.149053065 +0100 @@ -61,15 +61,6 @@ ## @@ -50,7 +50,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref ## Allow any files/directories to be exported read/write via NFS. ##

##
-@@ -104,3 +95,18 @@ +@@ -91,6 +82,13 @@ + + ## + ##

++## Support fusefs home directories ++##

++##
++gen_tunable(use_fusefs_home_dirs,false) ++ ++## ++##

+ ## Support SAMBA home directories + ##

+ ##
+@@ -104,3 +102,18 @@ ##

## gen_tunable(user_tcp_server,false) @@ -7221,13 +7235,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.19/policy/modules/apps/sandbox.fc --- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2010-05-28 09:42:00.003610619 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-01-18 16:44:18.484041288 +0100 @@ -0,0 +1 @@ -+# No types are sandbox_exec_t ++/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-23 13:00:53.092386606 +0200 -@@ -0,0 +1,338 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-01-18 17:53:26.407042087 +0100 +@@ -0,0 +1,332 @@ + +## policy for sandbox + @@ -7312,10 +7326,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + gen_require(` + attribute sandbox_domain; + attribute sandbox_file_type; -+ attribute sandbox_x_type; + ') + -+ type $1_t, sandbox_domain, sandbox_x_type; ++ type $1_t, sandbox_domain; + application_type($1_t) + + mls_rangetrans_target($1_t) @@ -7335,7 +7348,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +######################################## +## +## Creates types and rules for a basic -+## qemu process domain. ++## sandbox process domain. +## +## +## 
@@ -7347,11 +7360,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + gen_require(` + type xserver_exec_t, sandbox_devpts_t; + type sandbox_xserver_t; ++ type sandbox_exec_t; + attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_file_type, sandbox_tmpfs_type; ++ attribute sandbox_type; + ') + -+ type $1_t, sandbox_x_domain; ++ type $1_t, sandbox_x_domain, sandbox_type; + application_type($1_t) + mcs_untrusted_proc($1_t) + @@ -7365,11 +7380,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) + manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + -+ type $1_devpts_t; -+ term_pty($1_devpts_t) -+ term_create_pty($1_t, $1_devpts_t) -+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr }; -+ + # window manager + miscfiles_setattr_fonts_cache_dirs($1_t) + allow $1_t self:capability setuid; @@ -7381,12 +7391,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) + -+ term_search_ptys($1_t) -+ allow $1_client_t sandbox_devpts_t:chr_file { rw_term_perms setattr }; -+ term_create_pty($1_client_t,sandbox_devpts_t) -+ + manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t) ++ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t) + fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file ) ++ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; 
@@ -7568,8 +7576,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-12-01 12:29:50.015042537 +0100 -@@ -0,0 +1,426 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-01-18 16:43:18.742041999 +0100 +@@ -0,0 +1,450 @@ +policy_module(sandbox,1.0.0) + +dbus_stub() @@ -7578,7 +7586,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +attribute sandbox_file_type; +attribute sandbox_web_type; +attribute sandbox_tmpfs_type; -+attribute sandbox_x_type; ++attribute sandbox_type; ++ ++type sandbox_exec_t; ++files_type(sandbox_exec_t) + +######################################## +# @@ -7643,6 +7654,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) +fs_list_inotifyfs(sandbox_xserver_t) ++fs_search_auto_mountpoints(sandbox_xserver_t) + +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) @@ -7676,7 +7688,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# sandbox local policy +# + -+## internal communication is often done using fifo and unix sockets. +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; 
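Review bot: `type sandbox_exec_t;` is declared with plain `files_type(sandbox_exec_t)` in the sandbox.te hunk, yet the sandbox.fc hunk on L16 labels `/usr/share/sandbox/start` with it, i.e. it is meant to be an executable; refpolicy's convention for entry-point executables is `application_executable_file(sandbox_exec_t)` (or `domain_entry_file()` on the domain), which also gives the type the exec_type attribute that the corecmd interfaces key on, so with `files_type()` alone nothing can be entered through that file unless rules elsewhere add it — confirm which was intended. The `gen_require` in the sandbox_x_domain_template hunk (L17) pulls in `type sandbox_exec_t;` but no visible line of that hunk uses it; presumably the transition rule sits further down the template, outside the hunk. A one-line comment at the declaration, `# entry point for sandbox X domains, labelled on /usr/share/sandbox/start`, would tie the .fc and .te pieces together for the next reader.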
@@ -7725,7 +7736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; -+dontaudit sandbox_x_domain self:process signal; ++dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; + +allow sandbox_x_domain self:shm create_shm_perms; @@ -7734,6 +7745,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + ++allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; ++term_create_pty(sandbox_x_domain,sandbox_devpts_t) ++ +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) @@ -7773,18 +7787,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) ++term_search_ptys(sandbox_x_domain) ++ ++application_dontaudit_signal(sandbox_x_domain) ++application_dontaudit_sigkill(sandbox_x_domain) + +logging_send_syslog_msg(sandbox_x_domain) +logging_dontaudit_search_logs(sandbox_x_domain) + +miscfiles_read_fonts(sandbox_x_domain) + -+tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs(sandbox_x_domain) -+') -+ -+tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(sandbox_x_domain) ++optional_policy(` ++ consolekit_dbus_chat(sandbox_x_domain) +') + +optional_policy(` 
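Review bot: `dontaudit sandbox_x_domain sandbox_x_domain:process signal;` replaces the `self` form, so signal denials between two different sandbox instances are now silenced as well as a process signalling itself; the audit trail of one sandbox reaching for another is one of the few signs of cross-instance probing, so this widens a blind spot rather than fixing a single noisy denial. If the broadening is intended, a why comment on the line, `# covers signals between distinct sandbox instances, not only self`, keeps it from being "fixed" back. The `sandbox_devpts_t` rules added in `@@ -7734,6 +7745,9 @@`, together with the removal of the per-template `$1_devpts_t` type and `term_create_pty($1_t, $1_devpts_t)` in sandbox.if (L17), put every sandbox X instance on one pty type, so separation of their terminals now rests on the MCS categories from `mcs_untrusted_proc` rather than on distinct types — a deliberate coarsening that deserves a comment next to `term_create_pty(sandbox_x_domain,sandbox_devpts_t)`.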
@@ -7816,7 +7830,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + -+#============= sandbox_x_t ============== ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_auto_mountpoints(sandbox_x_domain) ++ fs_search_nfs(sandbox_xserver_t) ++ fs_read_nfs_files(sandbox_xserver_t) ++ fs_manage_nfs_dirs(sandbox_x_domain) ++ fs_manage_nfs_files(sandbox_x_domain) ++ fs_exec_nfs_files(sandbox_x_domain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(sandbox_xserver_t) ++ fs_read_cifs_files(sandbox_xserver_t) ++ fs_manage_cifs_dirs(sandbox_x_domain) ++ fs_manage_cifs_files(sandbox_x_domain) ++ fs_exec_cifs_files(sandbox_x_domain) ++') ++ ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_search_fusefs(sandbox_xserver_t) ++ fs_read_fusefs_files(sandbox_xserver_t) ++ fs_manage_fusefs_dirs(sandbox_x_domain) ++ fs_manage_fusefs_files(sandbox_x_domain) ++ fs_exec_fusefs_files(sandbox_x_domain) ++') ++ +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + @@ -7850,7 +7888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_web_t self:process setsched; + +optional_policy(` -+ nsplugin_read_rw_files(sandbox_web_t) ++ nsplugin_read_rw_files(sandbox_web_t) +') + +######################################## @@ -7876,7 +7914,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +dev_write_sound(sandbox_web_type) +dev_read_sound(sandbox_web_type) + -+# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) +corenet_tcp_sendrecv_all_if(sandbox_web_type) 
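Review bot: The three new `tunable_policy` blocks give sandbox_x_domain `fs_manage_*_dirs`, `fs_manage_*_files` and `fs_exec_*_files` on nfs, cifs and fusefs; those interfaces act on the filesystem type (nfs_t, cifs_t, fusefs_t label whole mounts, not only $HOME), so a sandbox can now write to and execute from any such mount while the booleans are described as home-directory switches. The lines removed in the previous hunk (L19) granted only `fs_search_nfs` / `fs_search_cifs` to sandbox_x_domain, so this is a real widening rather than a relocation, and a comment such as `# nfs_t/cifs_t/fusefs_t cover entire mounts, not just home directories` would make the trade-off explicit where the grant lives. The hunk also deletes the `#============= sandbox_x_t ==============` separator, leaving `files_search_home(sandbox_x_t)` without the header that marked the start of the sandbox_x_t section; re-inserting it after the new tunable blocks keeps the file's section layout intact.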
@@ -7906,14 +7943,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) -+# Should not need other ports ++ +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + +files_dontaudit_getattr_all_dirs(sandbox_web_type) +files_dontaudit_list_mnt(sandbox_web_type) + -+#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) ++# the bug in pulseaudiot, needed by fedora13 +fs_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + @@ -7943,17 +7980,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') + +optional_policy(` -+ consolekit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` + hal_dbus_chat(sandbox_web_type) +') + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) -+# nsplugin_manage_rw(sandbox_web_type) +') + +optional_policy(` @@ -8009,7 +8041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.f # /usr diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.19/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/screen.if 2011-01-14 14:39:47.869062903 +0100 ++++ serefpolicy-3.7.19/policy/modules/apps/screen.if 2011-01-18 16:05:04.096041318 +0100 @@ -64,6 +64,9 @@ files_pid_filetrans($1_screen_t, screen_var_run_t, dir) 
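Review bot: The replacement comment `# the bug in pulseaudiot, needed by fedora13` above `fs_rw_anon_inodefs_files(sandbox_web_type)` has two typos and does not say what the bug is; `# workaround: pulseaudio on Fedora 13 needs rw on anon_inodefs files` reads cleanly and still records the reason. Since this hunk also drops the commented-out `fs_dontaudit_rw_anon_inodefs_files` variant, the comment is now the only record of why an allow rule was chosen over a dontaudit. The hunk blanks `# Should not need other ports` above the two `corenet_dontaudit_*_generic_port(sandbox_web_type)` rules; that line explained why those are dontaudits rather than allows, and keeping it costs nothing.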
@@ -8020,6 +8052,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i read_files_pattern($1_screen_t, screen_home_t, screen_home_t) read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +@@ -113,6 +116,7 @@ + dev_read_urand($1_screen_t) + + domain_use_interactive_fds($1_screen_t) ++ domain_sigchld_interactive_fds($1_screen_t) + + files_search_tmp($1_screen_t) + files_search_home($1_screen_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 09:42:00.006611051 +0200 @@ -9331,7 +9371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-03 14:29:17.539042734 +0100 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-01-17 10:37:03.828041865 +0100 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -9400,7 +9440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -124,40 +132,55 @@ +@@ -124,40 +132,56 @@ network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -9435,6 +9475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntp, udp,123,s0) +network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0) ++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) @@ -9458,7 +9499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +200,22 @@ +@@ -177,18 +201,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -9482,7 +9523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,23 +228,23 @@ +@@ -201,23 +229,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -9512,7 +9553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # -@@ -266,5 +293,5 @@ +@@ -266,5 +294,5 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. 
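Review bot: The new `network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)` mixes `tcp, 1521` / `udp, 1521` spacing with the `tcp,2483,s0` form used by every neighbouring entry, and some tuples have no separating space at all; `network_port(oracle, tcp,1521,s0, udp,1521,s0, tcp,2483,s0, udp,2483,s0, tcp,2484,s0, udp,2484,s0)` matches the file's `proto,port,level` layout. Whether the m4 macro tolerates the stray spaces I cannot tell from here, so the consistency point stands either way. The line is inserted between `ntop` and `ocsp` although the surrounding declarations (ocsp, openvpn, pegasus_http …) are kept in alphabetical order, so it belongs after `network_port(openvpn, …)`.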
@@ -9583,7 +9624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.19/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2010-10-18 15:39:59.101902148 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/devices.if 2011-01-18 17:18:36.853041461 +0100 @@ -407,7 +407,7 @@ ######################################## @@ -9771,7 +9812,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Delete all block device files. ## ## -@@ -2042,6 +2177,24 @@ +@@ -1823,6 +1958,24 @@ + read_chr_files_pattern($1, device_t, kmsg_device_t) + ') + ++####################################### ++## ++## Do not audit attempts to read the kernel messages ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_kmsg',` ++ gen_require(` ++ type kmsg_device_t; ++ ') ++ ++ dontaudit $1 kmsg_device_t:chr_file read; ++') ++ + ######################################## + ## + ## Write to the kernel messages device +@@ -2042,6 +2195,24 @@ ######################################## ## @@ -9796,7 +9862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Read the lvm comtrol device. ## ## -@@ -2597,6 +2750,7 @@ +@@ -2597,6 +2768,7 @@ type mtrr_device_t; ') @@ -9804,7 +9870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device dontaudit $1 mtrr_device_t:chr_file write; ') -@@ -2875,24 +3029,6 @@ +@@ -2875,24 +3047,6 @@ ######################################## ## 
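Review bot: The new `dev_dontaudit_read_kmsg` interface opens with a `####…` rule shorter than the 40-column `########################################` that the interface directly after it in the same hunk uses; the same short rule appears on `fs_exec_fusefs_files` (L26) and `kernel_rw_unlabeled_socket` (L28). Aligning all three to the file's width keeps interface headers greppable and is a one-character change each. The interface body `dontaudit $1 kmsg_device_t:chr_file read;` matches its summary, so no further change is needed there.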
@@ -9829,7 +9895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3440,6 +3576,24 @@ +@@ -3440,6 +3594,24 @@ ######################################## ## @@ -9854,7 +9920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Get the attributes of sysfs directories. ## ## -@@ -3733,6 +3887,42 @@ +@@ -3733,6 +3905,42 @@ ######################################## ## @@ -9897,7 +9963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## -@@ -3905,6 +4095,24 @@ +@@ -3905,6 +4113,24 @@ ######################################## ## @@ -11450,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy +/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.19/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2010-09-16 17:07:16.826386994 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/filesystem.if 2011-01-18 17:41:41.159293424 +0100 @@ -559,6 +559,24 @@ ######################################## @@ -11489,10 +11555,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') - allow $1 cifs_t:filesystem getattr; --') -- --######################################## --## ++ allow $1 cgroup_t:filesystem getattr; + ') + + ######################################## + ## -## list dirs on cgroup -## file systems. -## 
@@ -11509,11 +11576,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy - ') - - list_dirs_pattern($1, cgroup_t, cgroup_t) -+ allow $1 cgroup_t:filesystem getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Do not audit attempts to read -## dirs on a CIFS or SMB filesystem. +## list dirs on cgroup @@ -11705,7 +11771,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1831,6 +1938,25 @@ +@@ -1790,6 +1897,25 @@ + manage_files_pattern($1, fusefs_t, fusefs_t) + ') + ++###################################### ++## ++## Execute files on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_exec_fusefs_files',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir list_dir_perms; ++ exec_files_pattern($1, fusefs_t, fusefs_t) ++') ++ + ######################################## + ## + ## Do not audit attempts to create, +@@ -1831,6 +1957,25 @@ ######################################## ## @@ -11731,7 +11823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read and write hugetlbfs files. ## ## -@@ -1847,6 +1973,24 @@ +@@ -1847,6 +1992,24 @@ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -11756,7 +11848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Allow the type to associate to hugetlbfs filesystems. -@@ -1899,6 +2043,7 @@ +@@ -1899,6 +2062,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -11764,7 +11856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2295,6 +2440,25 @@ +@@ -2295,6 +2459,25 @@ ######################################## ## 
@@ -11790,7 +11882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2333,6 +2497,24 @@ +@@ -2333,6 +2516,24 @@ dontaudit $1 nfs_t:file append_file_perms; ') @@ -11815,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Do not audit attempts to read or -@@ -2349,7 +2531,7 @@ +@@ -2349,7 +2550,7 @@ type nfs_t; ') @@ -11824,7 +11916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2537,6 +2719,24 @@ +@@ -2537,6 +2738,24 @@ ######################################## ## @@ -11849,7 +11941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2745,7 +2945,7 @@ +@@ -2745,7 +2964,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -11858,7 +11950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3812,6 +4012,24 @@ +@@ -3812,6 +4031,24 @@ rw_files_pattern($1, tmpfs_t, tmpfs_t) ') @@ -11883,7 +11975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Read tmpfs link files. -@@ -3870,6 +4088,24 @@ +@@ -3870,6 +4107,24 @@ ######################################## ## @@ -11908,7 +12000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4432,6 +4668,44 @@ +@@ -4432,6 +4687,44 @@ ######################################## ## 
@@ -11953,7 +12045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## -@@ -4549,3 +4823,24 @@ +@@ -4549,3 +4842,24 @@ relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') @@ -12020,7 +12112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2010-05-28 09:42:00.038610838 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-01-18 18:03:04.576041170 +0100 @@ -534,6 +534,37 @@ ######################################## @@ -12118,7 +12210,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Do not audit attempts by caller to get the ## attributes of an unlabeled file. ## -@@ -2792,6 +2859,24 @@ +@@ -2325,6 +2392,24 @@ + allow $1 unlabeled_t:blk_file getattr; + ') + ++####################################### ++## ++## Read and write unlabeled sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_socket',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:socket rw_socket_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts by caller to get attributes for +@@ -2792,6 +2877,24 @@ ######################################## ## @@ -12143,7 +12260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2807,3 +2892,23 @@ +@@ -2807,3 +2910,23 @@ typeattribute $1 kern_unconfined; ') 
@@ -12169,7 +12286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.19/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-07 10:48:13.921042668 +0100 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.te 2011-01-18 18:00:20.345042656 +0100 @@ -46,15 +46,6 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -12211,7 +12328,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -256,7 +258,8 @@ +@@ -229,6 +231,8 @@ + # connections with invalidated labels: + allow kernel_t unlabeled_t:packet send; + ++kernel_rw_unlabeled_socket(kernel_t) ++ + # Allow unlabeled network traffic + allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; + corenet_in_generic_if(unlabeled_t) +@@ -256,7 +260,8 @@ selinux_load_policy(kernel_t) @@ -12221,7 +12347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -270,19 +273,30 @@ +@@ -270,19 +275,30 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -12252,7 +12378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel optional_policy(` hotplug_search_config(kernel_t) ') -@@ -359,6 +373,10 @@ +@@ -359,6 +375,10 @@ unconfined_domain_noaudit(kernel_t) ') 
@@ -16166,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-12-22 10:20:47.020041345 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2011-01-18 17:21:06.301042684 +0100 @@ -19,11 +19,13 @@ # Declarations # @@ -16489,14 +16615,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) + mta_signal(httpd_t) - ') - ++') ++ +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) -+') -+ + ') + +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; 
@@ -16641,7 +16767,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +892,18 @@ +@@ -667,6 +860,17 @@ + corenet_sendrecv_mssql_client_packets(httpd_sys_script_t) + corenet_tcp_connect_mssql_port(httpd_suexec_t) + corenet_sendrecv_mssql_client_packets(httpd_suexec_t) ++ ++ ++ corenet_tcp_connect_oracle_port(httpd_t) ++ corenet_sendrecv_oracle_client_packets(httpd_t) ++ corenet_tcp_connect_oracle_port(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_suexec_t) ++ corenet_sendrecv_oracle_client_packets(httpd_php_t) ++ corenet_tcp_connect_oracle_port(httpd_sys_script_t) ++ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t) ++ + ') + + optional_policy(` +@@ -699,17 +903,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -16663,7 +16807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +934,21 @@ +@@ -740,10 +945,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -16686,7 +16830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +974,12 @@ +@@ -769,6 +985,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -16699,7 +16843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -791,10 +1002,15 @@ +@@ -791,10 +1013,15 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) 
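Review bot: The eight oracle lines added before `')` interleave domains (httpd_t, httpd_t, httpd_php_t, httpd_suexec_t, httpd_suexec_t, httpd_php_t, httpd_sys_script_t, httpd_sys_script_t) whereas the mssql lines just above keep each domain's `corenet_tcp_connect_*_port` / `corenet_sendrecv_*_client_packets` pair adjacent; moving `corenet_sendrecv_oracle_client_packets(httpd_php_t)` up to follow `corenet_tcp_connect_oracle_port(httpd_php_t)` restores that pattern. Two blank lines are added before the block and one after it, against the single blank line the group above uses. The enclosing `tunable_policy` block starts outside the hunk, so that these grants are gated by the connect_db boolean named in the commit subject is inferred from the message, not visible here.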
@@ -16715,7 +16859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1019,28 @@ +@@ -803,6 +1030,28 @@ mta_send_mail(httpd_sys_script_t) ') @@ -16744,7 +16888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1068,16 @@ +@@ -830,6 +1079,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -16761,7 +16905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1090,7 @@ +@@ -842,6 +1101,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -16769,7 +16913,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1140,33 @@ +@@ -891,11 +1151,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -22399,8 +22543,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te --- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2010-12-01 11:30:49.108042385 +0100 -@@ -0,0 +1,176 @@ ++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2011-01-14 16:32:12.778042378 +0100 +@@ -0,0 +1,180 @@ +policy_module(dirsrv,1.0.0) + +######################################## 
@@ -22568,6 +22712,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs +sysnet_dns_name_resolve(dirsrv_snmp_t) + +optional_policy(` ++ kerberos_use(dirsrv_t) ++') ++ ++optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) + snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) + snmp_append_snmp_var_lib_files(dirsrv_snmp_t) @@ -26881,7 +27029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-11-15 10:41:35.381147405 +0100 ++++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2011-01-17 10:32:43.704041892 +0100 @@ -65,6 +65,7 @@ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -26890,7 +27038,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) -@@ -157,6 +158,7 @@ +@@ -86,6 +87,9 @@ + kernel_read_system_state(mysqld_t) + kernel_read_kernel_sysctls(mysqld_t) + ++corecmd_exec_bin(mysqld_t) ++corecmd_exec_shell(mysqld_t) ++ + corenet_all_recvfrom_unlabeled(mysqld_t) + corenet_all_recvfrom_netlabel(mysqld_t) + corenet_tcp_sendrecv_generic_if(mysqld_t) +@@ -157,6 +161,7 @@ allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -26898,7 +27056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -176,6 +178,7 @@ +@@ -176,6 +181,7 @@ domain_read_all_domains_state(mysqld_safe_t) 
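Review bot: `corecmd_exec_bin(mysqld_t)` and `corecmd_exec_shell(mysqld_t)` in the mysql.te hunk let the database daemon itself execute any bin_t binary and a shell, which is precisely the widening a compromised mysqld (for example through a malicious UDF or plugin) would use to step out of its confined domain; the hunk gives no reason, and nothing in the visible context shows mysqld_t having had exec rights before — the exec rules nearby (`hostname_exec(mysqld_safe_t)`) belong to the wrapper domain. If a specific server feature needs it, a comment naming it, `# needed for [feature]: mysqld spawns helper programs — TODO confirm`, and ideally a boolean in the style of the puppetmaster tunable in this same commit, would keep the default daemon profile tight. The grant sits among unconditional corenet rules, not inside a `tunable_policy` or `optional_policy` block, so it applies to every installation.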
@@ -26906,7 +27064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_dontaudit_getattr_all_dirs(mysqld_safe_t) -@@ -184,6 +187,8 @@ +@@ -184,6 +190,8 @@ hostname_exec(mysqld_safe_t) @@ -31852,8 +32010,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-11-10 09:56:12.468147284 +0100 -@@ -192,7 +192,14 @@ ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2011-01-17 10:29:24.948041219 +0100 +@@ -14,6 +14,13 @@ + ## + gen_tunable(puppet_manage_all_files, false) + ++## ++##

++## Alow Pupper master to use connect to mysql and postgresql database ++##

++##
++gen_tunable(puppetmaster_use_db, false) ++ + type puppet_t; + type puppet_exec_t; + init_daemon_domain(puppet_t, puppet_exec_t) +@@ -192,7 +199,14 @@ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) @@ -31868,7 +32040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) -@@ -218,10 +225,13 @@ +@@ -218,10 +232,25 @@ logging_send_syslog_msg(puppetmaster_t) miscfiles_read_localization(puppetmaster_t) @@ -31879,10 +32051,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp +mta_send_mail(puppetmaster_t) + ++optional_policy(` ++ tunable_policy(`puppetmaster_use_db',` ++ mysql_stream_connect(puppetmaster_t) ++ ') ++') ++ ++optional_policy(` ++ tunable_policy(`puppetmaster_use_db',` ++ postgresql_stream_connect(puppetmaster_t) ++ ') ++') ++ optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -232,3 +242,8 @@ +@@ -232,3 +261,8 @@ rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -35943,7 +36127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.19/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2010-07-21 09:36:37.293135266 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/spamassassin.te 2011-01-18 15:53:51.928042302 +0100 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
@@ -36029,7 +36213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -207,16 +253,33 @@ +@@ -207,16 +253,35 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -36060,10 +36244,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) ++ ++corecmd_exec_bin(spamc_t) corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -246,9 +309,16 @@ +@@ -246,9 +311,16 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -36080,7 +36266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -256,27 +326,40 @@ +@@ -256,27 +328,40 @@ sysnet_read_config(spamc_t) @@ -36127,7 +36313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') ######################################## -@@ -288,7 +371,7 @@ +@@ -288,7 +373,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -36136,7 +36322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -304,10 +387,17 @@ +@@ -304,10 +389,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; 
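Review bot: `corecmd_exec_bin(spamc_t)` is added without a comment naming the program the client needs to execute, and the spamc_t rule block continues outside the hunk. A one-line why-comment above it, e.g. `# spamc execs <helper: TODO name>`, would let the grant be narrowed later; if the helper is a single known binary, a `can_exec` on its own type is tighter than all of bin_t.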
@@ -36155,7 +36341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -316,10 +406,12 @@ +@@ -316,10 +408,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -36169,7 +36355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -369,22 +461,27 @@ +@@ -369,22 +463,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -36201,7 +36387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -397,16 +494,22 @@ +@@ -397,16 +496,22 @@ ') optional_policy(` @@ -36228,7 +36414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -415,10 +518,6 @@ +@@ -415,10 +520,6 @@ ') optional_policy(` @@ -36239,7 +36425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam postfix_read_config(spamd_t) ') -@@ -433,6 +532,10 @@ +@@ -433,6 +534,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -36250,7 +36436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ') optional_policy(` -@@ -445,5 +548,9 @@ +@@ -445,5 +550,9 @@ ') optional_policy(` 
@@ -40053,8 +40239,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosr interface(`zosremote_domtrans',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if --- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200 -@@ -130,3 +130,21 @@ ++++ serefpolicy-3.7.19/policy/modules/system/application.if 2011-01-18 17:37:24.656040920 +0100 +@@ -130,3 +130,76 @@ allow $1 application_domain_type:process signull; ') 
@@ -40075,7 +40261,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic + ') + + allow $1 application_domain_type:process signal; -+') ++') ++ ++####################################### ++## ++## Dontaudit signull sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_signull',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process signull; ++') ++ ++####################################### ++## ++## Dontaudit signal sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_signal',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process signal; ++') ++ ++####################################### ++## ++## Dontaudit kill signal sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_sigkill',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process sigkill; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.19/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-28 09:42:00.208611712 +0200 
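Review bot: The hunk ends with an extra `++` blank line after the last `')`, which leaves application.if ending in a blank line unlike the interfaces above it; drop that line. The three new `application_dontaudit_*` interfaces otherwise mirror the existing `application_signal` pattern, though the `#####` header rule above each of them appears one character shorter than the forty-column rule used by the surrounding interfaces — worth aligning if that is not an artifact of how the patch was rendered here.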
@@ -40968,7 +41209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-07 14:44:25.100042432 +0100 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-18 16:03:10.193041196 +0100 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) @@ -41125,7 +41366,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -299,6 +344,7 @@ +@@ -280,6 +325,7 @@ + + dev_read_rand(initrc_t) + dev_read_urand(initrc_t) ++dev_dontaudit_read_kmsg(initrc_t) + dev_write_kmsg(initrc_t) + dev_write_rand(initrc_t) + dev_write_urand(initrc_t) +@@ -299,6 +345,7 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -41133,7 +41382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -325,8 +371,10 @@ +@@ -325,8 +372,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -41145,7 +41394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -342,6 +390,8 @@ +@@ -342,6 +391,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -41154,7 +41403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) -@@ -352,6 +402,8 @@ +@@ -352,6 +403,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -41163,7 +41412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -364,6 +416,7 @@ +@@ -364,6 +417,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -41171,7 +41420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -395,15 +448,16 @@ +@@ -395,15 +449,16 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -41190,7 +41439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) -@@ -437,6 +491,10 @@ +@@ -437,6 +492,10 @@ dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) @@ -41201,7 +41450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # openrc uses tmpfs for its state data fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) -@@ -471,7 +529,7 @@ +@@ -471,7 +530,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -41210,7 +41459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -495,6 +553,12 @@ +@@ -495,6 +554,12 @@ fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) 
@@ -41223,7 +41472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) -@@ -517,6 +581,23 @@ +@@ -517,6 +582,23 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -41247,7 +41496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -528,6 +609,8 @@ +@@ -528,6 +610,8 @@ optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) @@ -41256,7 +41505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -542,6 +625,35 @@ +@@ -542,6 +626,35 @@ ') ') @@ -41292,7 +41541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +666,8 @@ +@@ -554,6 +667,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -41301,7 +41550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -578,6 +692,11 @@ +@@ -578,6 +693,11 @@ ') optional_policy(` @@ -41313,7 +41562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -594,6 +713,7 @@ +@@ -594,6 +714,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -41321,7 +41570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -695,7 +815,13 @@ +@@ -695,7 +816,13 @@ ') optional_policy(` 
@@ -41335,7 +41584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +844,10 @@ +@@ -718,6 +845,10 @@ ') optional_policy(` @@ -41346,7 +41595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -739,6 +869,10 @@ +@@ -739,6 +870,10 @@ ') optional_policy(` @@ -41357,7 +41606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -760,8 +894,6 @@ +@@ -760,8 +895,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -41366,7 +41615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -770,14 +902,21 @@ +@@ -770,14 +903,21 @@ ') optional_policy(` @@ -41388,7 +41637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +929,7 @@ +@@ -790,6 +930,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -41396,7 +41645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +938,19 @@ +@@ -798,11 +939,19 @@ ') optional_policy(` @@ -41417,7 +41666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +960,25 @@ +@@ -812,6 +961,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -41443,7 +41692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +1004,35 @@ +@@ -837,3 +1005,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -43612,8 +43861,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.19/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-08-30 20:19:44.277333391 +0200 -@@ -361,6 +361,27 @@ ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2011-01-18 15:44:52.758042314 +0100 +@@ -199,6 +199,10 @@ + role $2 types newrole_t; + + auth_run_upd_passwd(newrole_t, $2) ++ ++ optional_policy(` ++ namespace_init_run(newrole_t, $2) ++ ') + ') + + ######################################## +@@ -361,6 +365,27 @@ ######################################## ## @@ -43641,7 +43901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute run_init in the run_init domain. ## ## -@@ -514,6 +535,10 @@ +@@ -514,6 +539,10 @@ files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, setfiles_exec_t, setfiles_t) @@ -43652,7 +43912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## -@@ -545,6 +570,53 @@ +@@ -545,6 +574,53 @@ ######################################## ## @@ -43706,7 +43966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +762,7 @@ +@@ -690,6 +766,7 @@ ') files_search_etc($1) @@ -43714,7 +43974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1009,6 +1082,26 @@ +@@ -1009,6 +1086,26 @@ ######################################## ## 
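Review bot: The new `optional_policy(` namespace_init_run(newrole_t, $2) ')` sits inside a run interface whose start and documentation block lie outside the hunk (the visible `role $2 types newrole_t;` and `auth_run_upd_passwd(newrole_t, $2)` place it in the newrole run interface), and that documentation should now state that the role passed as $2 is also granted whatever domain `namespace_init_run` reaches, because callers are widening the role's reach without seeing it here. A short comment at the call site would help too: `# newrole may exec the namespace init helper; the caller's role gets that domain as well`. The `optional_policy` wrapper is presumably because the namespace module is new in the previous release, as the changelog suggests, so it looks correct to keep.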
@@ -43741,7 +44001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1020,7 +1113,7 @@ +@@ -1020,7 +1117,7 @@ ## ## ## @@ -43750,7 +44010,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1038,6 +1131,54 @@ +@@ -1038,6 +1135,54 @@ ######################################## ## @@ -43805,7 +44065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1149,3 +1290,194 @@ +@@ -1149,3 +1294,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ff2dab0..1e9b31f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 82%{?dist} +Release: 83%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,12 @@ exit 0 %endif %changelog +* Tue Jan 18 2011 Miroslav Grepl 3.7.19-83 +- Allow newrole to run namespace +- Add puppetmaster_uses_db boolean +- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on +- sandbox fixes + * Fri Jan 14 2011 Miroslav Grepl 3.7.19-82 - Add namespace policy - Update for screen policy to handle pipe in homedir