diff --git a/policy-f20-base.patch b/policy-f20-base.patch index d2395b3..99ed4bf 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -34782,7 +34782,7 @@ index b50c5fe..e55a556 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..b144ffe 100644 +index 4e94884..8de26ad 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -34941,12 +34941,7 @@ index 4e94884..b144ffe 100644 + read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) + list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Relabel the syslog pid sock_file. @@ -34961,14 +34956,15 @@ index 4e94884..b144ffe 100644 + gen_require(` + type syslogd_var_run_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') -+ + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -34983,13 +34979,43 @@ index 4e94884..b144ffe 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## -@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',` +@@ -571,6 +715,25 @@ interface(`logging_read_audit_config',` + + ######################################## + ## ++## dontaudit search of auditd log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`logging_dontaudit_search_audit_logs',` ++ gen_require(` ++ type auditd_log_t; ++ ') ++ ++ dontaudit $1 auditd_log_t:dir search_dir_perms; ++') ++ ++######################################## ++## + ## dontaudit search of auditd configuration files. + ## + ## +@@ -609,6 +772,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -35015,7 +35041,7 @@ index 4e94884..b144ffe 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +904,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -35041,7 +35067,7 @@ index 4e94884..b144ffe 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +977,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -35068,7 +35094,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1078,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -35077,7 +35103,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1104,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -35122,7 +35148,7 @@ index 4e94884..b144ffe 100644 ## Write generic log files. ## ## -@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1162,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -35147,7 +35173,7 @@ index 4e94884..b144ffe 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1259,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -35165,7 +35191,7 @@ index 4e94884..b144ffe 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1284,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -35199,7 +35225,7 @@ index 4e94884..b144ffe 100644 ') ######################################## -@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1339,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -35217,7 +35243,7 @@ index 4e94884..b144ffe 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1369,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -35226,7 +35252,7 @@ index 4e94884..b144ffe 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1380,54 @@ interface(`logging_admin',` +@@ -1085,3 +1399,54 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -48983,7 +49009,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..018d0a6 100644 +index 6e91317..8fc985f 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -49045,16 +49071,18 @@ index 6e91317..018d0a6 100644 define(`create_fifo_file_perms',`{ getattr create open }') define(`rename_fifo_file_perms',`{ getattr rename }') define(`delete_fifo_file_perms',`{ getattr unlink }') -@@ -208,7 +212,8 @@ define(`getattr_sock_file_perms',`{ getattr }') +@@ -208,8 +212,9 @@ define(`getattr_sock_file_perms',`{ getattr }') define(`setattr_sock_file_perms',`{ setattr }') define(`read_sock_file_perms',`{ getattr open read }') define(`write_sock_file_perms',`{ getattr write open append }') -define(`rw_sock_file_perms',`{ getattr open read write append }') +-define(`create_sock_file_perms',`{ getattr create open }') +define(`rw_inherited_sock_file_perms',`{ getattr read write append }') +define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }') - define(`create_sock_file_perms',`{ getattr create open }') ++define(`create_sock_file_perms',`{ getattr setattr create open }') define(`rename_sock_file_perms',`{ getattr rename }') define(`delete_sock_file_perms',`{ getattr unlink }') + define(`manage_sock_file_perms',`{ create open getattr setattr read write rename link unlink ioctl lock append }') 
@@ -225,7 +230,8 @@ define(`setattr_blk_file_perms',`{ setattr }') define(`read_blk_file_perms',`{ getattr open read lock ioctl }') define(`append_blk_file_perms',`{ getattr open append lock ioctl }') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 99dd61b..8b246ba 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -8937,7 +8937,7 @@ index 866a1e2..43b445c 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..1672ca4 100644 +index 076ffee..93ffa1d 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -9043,7 +9043,17 @@ index 076ffee..1672ca4 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) +@@ -236,6 +248,9 @@ corenet_tcp_bind_generic_node(ndc_t) + corenet_tcp_connect_rndc_port(ndc_t) + corenet_sendrecv_rndc_client_packets(ndc_t) + ++dev_read_rand(ndc_t) ++dev_read_urand(ndc_t) ++ + domain_use_interactive_fds(ndc_t) + + files_search_pids(ndc_t) +@@ -251,7 +266,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -26475,7 +26485,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..cdea6d0 100644 +index 0872e50..0cb0a7b 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -26503,9 +26513,11 @@ index 0872e50..cdea6d0 100644 files_list_var(fail2ban_t) files_dontaudit_list_tmp(fail2ban_t) -@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t) +@@ -91,23 +89,35 @@ auth_use_nsswitch(fail2ban_t) + logging_read_all_logs(fail2ban_t) logging_send_syslog_msg(fail2ban_t) ++logging_dontaudit_search_audit_logs(fail2ban_t) -miscfiles_read_localization(fail2ban_t) +mta_send_mail(fail2ban_t) 
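Review bot: The redefinition `define(`create_sock_file_perms',`{ getattr setattr create open }')` in obj_perm_sets.spt widens every interface and rule built on `create_sock_file_perms`, not only the domain that motivated it, and the changelog entry in this commit does not record the widening. Since the set is a project-wide permission vocabulary, a call site that needs `setattr` on its own sock_file would normally get an explicit `allow <domain> <type>:sock_file setattr;` rather than a global change. If the global change is intended, a comment above the define such as `# setattr included so a domain can fix the mode of a sock_file it just created; affects every create_sock_file_perms user` would make the scope visible to the next reviewer.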
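Review bot: `logging_dontaudit_search_audit_logs(fail2ban_t)` in fail2ban.te silences every directory-search denial on auditd_log_t for the daemon, so an operator who later points a jail at a log under /var/log/audit gets a silent failure instead of an AVC to diagnose. That trade is reasonable if the search is only incidental to walking /var/log, but it deserves a comment at the call site, e.g. `# walking /var/log touches /var/log/audit; fail2ban has no business reading audit logs`, and a check that no shipped jail reads audit output. The same call is added for fail2ban_client_t in the later fail2ban.te hunk of this patch, so one comment covering both would suffice.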
@@ -26541,7 +26553,7 @@ index 0872e50..cdea6d0 100644 iptables_domtrans(fail2ban_t) ') -@@ -116,6 +125,10 @@ optional_policy(` +@@ -116,6 +126,10 @@ optional_policy(` ') optional_policy(` @@ -26552,7 +26564,7 @@ index 0872e50..cdea6d0 100644 shorewall_domtrans(fail2ban_t) ') -@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +143,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -26577,9 +26589,10 @@ index 0872e50..cdea6d0 100644 + logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) - --miscfiles_read_localization(fail2ban_client_t) - +-miscfiles_read_localization(fail2ban_client_t) ++logging_dontaudit_search_audit_logs(fail2ban_client_t) + userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) + @@ -27337,10 +27350,10 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..72b7712 100644 +index c81b6e8..2cbb61f 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) +@@ -20,23 +20,28 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; @@ -27349,8 +27362,11 @@ index c81b6e8..72b7712 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,15 +30,16 @@ kernel_read_system_state(fprintd_t) + kernel_read_system_state(fprintd_t) + ++corecmd_exec_bin(fprintd_t) ++ dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) +dev_read_urand(fprintd_t) 
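Review bot: `corecmd_exec_bin(fprintd_t)` in fprintd.te lets the fingerprint daemon execute every bin_t program in its own domain, with no transition, which is a broad grant for a service that takes part in authentication decisions; the hunk and the changelog ("Allow fprintd to execute usr_t/bin_t") do not record which helper it needs. If a specific program is being run, a comment above the rule such as `# runs <helper binary> — TODO confirm; consider a dedicated exec type` would let a later reviewer tighten this. If the exec is only a side effect of a library, that is worth stating too, since it is the kind of rule that tends to be copied without its reason.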
@@ -27368,7 +27384,7 @@ index c81b6e8..72b7712 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +57,17 @@ optional_policy(` +@@ -54,8 +59,17 @@ optional_policy(` ') ') @@ -29482,10 +29498,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..36ff903 +index 0000000..e05cac4 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,201 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -29627,6 +29643,7 @@ index 0000000..36ff903 +corenet_sendrecv_all_client_packets(glusterd_t) +corenet_tcp_bind_all_unreserved_ports(glusterd_t) +corenet_tcp_connect_all_unreserved_ports(glusterd_t) ++corenet_tcp_connect_all_ephemeral_ports(glusterd_t) +corenet_tcp_connect_ssh_port(glusterd_t) + +dev_read_sysfs(glusterd_t) @@ -47378,7 +47395,7 @@ index f42896c..1e1a679 100644 +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..8f217ea 100644 +index ed81cac..837a43a 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -47530,11 +47547,13 @@ index ed81cac..8f217ea 100644 ') -####################################### --## ++###################################### + ## -## Read mta mail home files. --## --## --## ++## Dontaudit read and write an leaked file descriptors + ## + ## + ## -## Domain allowed access. -## -## @@ -47621,15 +47640,13 @@ index ed81cac..8f217ea 100644 -') - -######################################## -+###################################### - ## +-## -## Create specified objects in user home -## directories with the generic mail -## home rw type. -+## Dontaudit read and write an leaked file descriptors - ## - ## - ## +-## +-## +-## -## Domain allowed access. -## -## 
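Review bot: `corenet_tcp_connect_all_ephemeral_ports(glusterd_t)` in glusterd.te, stacked on the existing `corenet_tcp_connect_all_unreserved_ports(glusterd_t)`, gives glusterd outbound TCP to essentially any high port, and nothing in the hunk says which peer or port range needed the extra set. A comment naming the traffic, e.g. `# brick/peer connections land on ports labeled ephemeral_port_t — TODO confirm`, would justify the grant and show whether a narrower port type exists. Without it the two rules together read as an unbounded network allowance for a storage daemon.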
@@ -48318,7 +48335,7 @@ index ed81cac..8f217ea 100644 ## ## ## -@@ -1081,3 +1051,177 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,200 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -48349,6 +48366,29 @@ index ed81cac..8f217ea 100644 + +###################################### +## ++## ALlow domain to append mail content in the homedir ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_append_home',` ++ gen_require(` ++ type mail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ append_files_pattern($1, mail_home_t, mail_home_t) ++ ++ ifdef(`distro_redhat',` ++ userdom_search_admin_dir($1) ++ ') ++') ++ ++###################################### ++## +## ALlow domain to read mail content in the homedir +## +## @@ -48497,7 +48537,7 @@ index ed81cac..8f217ea 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..8ccf7ef 100644 +index afd2fad..2bd8062 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ @@ -48923,10 +48963,17 @@ index afd2fad..8ccf7ef 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -378,6 +274,10 @@ optional_policy(` +@@ -378,6 +274,17 @@ optional_policy(` ') optional_policy(` ++ mta_filetrans_home_content(mailserver_domain) ++ mta_filetrans_admin_home_content(mailserver_domain) ++ mta_read_home(mailserver_domain) ++ mta_append_home(mailserver_domain) ++') ++ ++optional_policy(` + pcp_read_lib_files(mailserver_delivery) +') + @@ -48934,7 +48981,7 @@ index afd2fad..8ccf7ef 100644 postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -387,24 +287,177 @@ optional_policy(` +@@ -387,24 +294,177 @@ optional_policy(` ######################################## # @@ -60075,7 +60122,7 @@ index 0000000..0493b99 +') diff --git a/osad.fc b/osad.fc new file mode 100644 -index 0000000..1e1eceb +index 0000000..cf911d5 --- /dev/null +++ b/osad.fc @@ -0,0 +1,7 @@ 
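Review bot: The summary line of the new `mta_append_home` interface in mta.if reads `## ALlow domain to append mail content in the homedir`; it should read `## Allow a domain to append to mail content in the home directory`. The body grants only `append_files_pattern($1, mail_home_t, mail_home_t)`, so a caller cannot create the file it appends to; that is fine if creation is granted elsewhere, but the summary could say `appends to existing mail_home_t files; does not create them` so callers do not expect dead.letter to be created by this interface alone.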
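Review bot: The new `optional_policy` block in mta.te grants `mta_read_home(mailserver_domain)` to every mail server domain, while the changelog justifies only appending to dead.letter; read of mail_home_t content in every user's home, and via the `distro_redhat` branch of these interfaces the admin home as well, is a larger grant than the append the change is documented for. If only appending is needed, dropping the `mta_read_home(mailserver_domain)` line keeps user mail content out of reach of all mailserver_domain domains; if read is genuinely required, a comment naming the file it reads would justify it. As a style point, wrapping calls to mta's own interfaces in `optional_policy(` is unusual, since those interfaces are always present in this module; the four calls could sit at the top level of the mailserver_domain section.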
@@ -60083,7 +60130,7 @@ index 0000000..1e1eceb + +/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0) + -+/var/log/osad -- gen_context(system_u:object_r:osad_log_t,s0) ++/var/log/osad.* -- gen_context(system_u:object_r:osad_log_t,s0) + +/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0) diff --git a/osad.if b/osad.if @@ -60259,10 +60306,10 @@ index 0000000..05648bd +') diff --git a/osad.te b/osad.te new file mode 100644 -index 0000000..a40fcc3 +index 0000000..310d672 --- /dev/null +++ b/osad.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,48 @@ +policy_module(osad, 1.0.0) + +######################################## @@ -60287,20 +60334,23 @@ index 0000000..a40fcc3 +# +# osad local policy +# ++ +allow osad_t self:process setpgid; + +manage_files_pattern(osad_t, osad_log_t, osad_log_t) -+logging_log_filetrans(osad_t, osad_log_t, { file }) ++logging_log_filetrans(osad_t, osad_log_t, file) + +manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t) -+files_pid_filetrans(osad_t, osad_var_run_t, { file}) ++files_pid_filetrans(osad_t, osad_var_run_t, file) + +kernel_read_system_state(osad_t) + -+auth_read_passwd(osad_t) ++corenet_tcp_connect_http_port(osad_t) + +dev_read_urand(osad_t) + ++auth_use_nsswitch(osad_t) ++ +optional_policy(` + gnome_dontaudit_search_config(osad_t) +') @@ -108162,7 +108212,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..551c4e9 100644 +index 46e4cd3..73ea90f 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) 
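Review bot: In osad.te `auth_use_nsswitch(osad_t)` replaces `auth_read_passwd(osad_t)`, and `corenet_tcp_connect_http_port(osad_t)` is added; both widen the daemon's reach (name-service client access including network lookups, and outbound HTTP) without a comment saying why. A one-line comment above each, e.g. `# resolves its server name through nsswitch` and `# polls the management server over HTTP(S) — TODO confirm port set`, would record the intent for the next reviewer. The change from `{ file }` to `file` in the two filetrans calls is a welcome cleanup and needs no comment.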
@@ -108355,15 +108405,16 @@ index 46e4cd3..551c4e9 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +161,13 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) -kernel_read_all_sysctls(zabbix_agent_t) kernel_read_system_state(zabbix_agent_t) - --corecmd_read_all_executables(zabbix_agent_t) - +-corecmd_read_all_executables(zabbix_agent_t) ++kernel_read_network_state(zabbix_agent_t) + corenet_all_recvfrom_unlabeled(zabbix_agent_t) corenet_all_recvfrom_netlabel(zabbix_agent_t) -corenet_tcp_sendrecv_generic_if(zabbix_agent_t) @@ -108374,7 +108425,7 @@ index 46e4cd3..551c4e9 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +184,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 202b049..61fcbb1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 177%{?dist} +Release: 178%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -579,6 +579,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jul 18 2014 Lukas Vrabec 3.12.1-178 +- Add logging_dontaudit_search_audit_logs() +- Clean up osad policy. Remove additional interfaces/rules +- Allow mailserver_domain domains to create mail home content with right labeling +- Dontaudit search audit logs for fail2ban +- Allow mailserver_domain domains to append dead.letter labeled as mail_home_t. +- Allow fprintd to execute usr_t/bin_t +- Allow zabbix to read system network state +- Allow ndc to read random and urandom device BZ #1110397 + * Mon Jul 14 2014 Lukas Vrabec 3.12.1-177 - Allow lircd_t to use tty_device_t for use withmythtv - Allow mysqld to bind and connect to tram port BZ #1118052