diff --git a/policy-20070703.patch b/policy-20070703.patch
index 7e140b3..4811bbe 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -3995,7 +3995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-16 13:24:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2007-11-19 14:58:40.000000000 -0500
 @@ -4,6 +4,7 @@
 /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4004,7 +4004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/(misc/)?agpgart -c gen_context(system_u:object_r:agp_device_t,s0)
 /dev/aload.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/amidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -14,22 +15,29 @@
+@@ -14,22 +15,30 @@
 /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -4031,10 +4031,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
++/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -41,6 +49,11 @@
+@@ -41,6 +50,11 @@
 /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
@@ -4046,7 +4047,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -49,6 +62,9 @@
+@@ -49,6 +63,9 @@
 /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
 /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4056,7 +4057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
 /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -65,9 +81,11 @@
+@@ -65,9 +82,11 @@
 /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4068,7 +4069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -95,11 +113,21 @@
+@@ -95,11 +114,21 @@
 /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6850,7 +6851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-11-19 15:22:07.000000000 -0500
 @@ -10,7 +10,6 @@
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -6877,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 files_read_etc_files(consolekit_t)
 # needs to read /var/lib/dbus/machine-id
-@@ -50,8 +51,15 @@
+@@ -50,8 +51,16 @@
 libs_use_ld_so(consolekit_t)
 libs_use_shared_libs(consolekit_t)
@@ -6887,13 +6888,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +# consolekit needs to be able to ptrace all logged in users
 +userdom_ptrace_all_users(consolekit_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t)
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
 +
 optional_policy(`
 dbus_system_bus_client_template(consolekit, consolekit_t)
 dbus_send_system_bus(consolekit_t)
-@@ -62,9 +70,16 @@
+@@ -62,9 +71,16 @@
 optional_policy(`
 unconfined_dbus_chat(consolekit_t)
 ')
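Review bot: The added `userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t)` in the `@@ -6887,13 +6888,14 @@` hunk silences every denied read of unprivileged users' home content for a domain that already carries `userdom_ptrace_all_users`, `hal_ptrace` and `mcs_ptrace_all`, and nothing records which consolekit operation trips the denial. A dontaudit of this breadth removes exactly the AVC messages a defender would want if consolekit were ever pointed at a home directory, so the justification should sit next to the rule, e.g. `# silences home-content read denials from <describe triggering operation>; not a required access, see <bug id placeholder>`. The surrounding consolekit_t policy block starts and ends outside the hunk.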
@@ -10196,7 +10198,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.0.8/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nscd.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nscd.if 2007-11-19 16:32:18.000000000 -0500
+@@ -77,7 +77,7 @@
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_t:fd use;
+- dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
++ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+
+ files_search_pids($1)
+ stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
 @@ -204,3 +204,22 @@
 role $2 types nscd_t;
 dontaudit nscd_t $3:chr_file rw_term_perms;
@@ -11763,7 +11774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-11-08 13:36:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2007-11-19 14:03:34.000000000 -0500
 @@ -8,6 +8,13 @@
 ##
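Review bot: In the new `+@@ -77,7 +77,7 @@` hunk of nscd.if, `getserv` is added to the dontaudit set while the allow line two lines above still grants only `{ getpwd getgrp gethost }`, so every caller of this interface now has service lookups through nscd refused silently rather than either permitted or logged. If the intent is that service lookups fall back to the local files without noise, a comment on the dontaudit line should say so; if callers actually need them, `getserv` belongs on the allow line instead: `allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };`. Silencing a permission that is also never allowed is the pattern most likely to hide a real regression later. The enclosing `interface(` definition starts outside the hunk.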
@@ -11786,7 +11797,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 role system_r types rsync_t;
 type rsync_data_t;
-@@ -57,6 +65,8 @@
+@@ -33,7 +41,7 @@
+ # Local policy
+ #
+
+-allow rsync_t self:capability sys_chroot;
++allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
+ allow rsync_t self:process signal_perms;
+ allow rsync_t self:fifo_file rw_fifo_file_perms;
+ allow rsync_t self:tcp_socket create_stream_socket_perms;
+@@ -43,7 +51,6 @@
+ # cjp: this should probably only be inetd_child_t rules?
+ # search home and kerberos also.
+ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow rsync_t self:capability { setuid setgid };
+ #end for identd
+
+ allow rsync_t rsync_data_t:dir list_dir_perms;
+@@ -57,6 +64,8 @@
 manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
 files_pid_filetrans(rsync_t,rsync_var_run_t,file)
@@ -11795,7 +11823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
-@@ -80,6 +90,8 @@
+@@ -80,6 +89,8 @@
 files_read_etc_files(rsync_t)
 files_search_home(rsync_t)
@@ -11804,7 +11832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 libs_use_ld_so(rsync_t)
 libs_use_shared_libs(rsync_t)
-@@ -89,8 +101,6 @@
+@@ -89,8 +100,6 @@
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -11813,7 +11841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 tunable_policy(`allow_rsync_anon_write',`
 miscfiles_manage_public_files(rsync_t)
 ')
-@@ -107,10 +117,8 @@
+@@ -107,10 +116,7 @@
 inetd_service_domain(rsync_t,rsync_exec_t)
 ')
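Review bot: The rewritten rule `allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };` in the `+@@ -33,7 +41,7 @@` hunk grants `dac_override` and `dac_read_search` to every rsync_t process unconditionally, while the `@@ -11824,7 +11852,6 @@` hunk below removes `dac_override` from the `rsync_export_all_ro` tunable block where it was previously opt-in. The net effect is that DAC bypass, which a boolean used to gate, becomes the default, and `dac_read_search` was not offered even under the boolean before. If these are only needed to serve modules that read other users' files, they should stay inside `tunable_policy(`rsync_export_all_ro',`` next to `auth_read_all_files_except_shadow(rsync_t)`; if the daemon needs them in the default configuration, a comment above the allow line stating that need would let the widening be reviewed on its merits. The rsync_t local policy block starts and ends outside this hunk.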
@@ -11824,7 +11852,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 -optional_policy(`
 - nscd_socket_use(rsync_t)
 +tunable_policy(`rsync_export_all_ro',`
-+ allow rsync_t self:capability dac_override;
 + fs_read_noxattr_fs_files(rsync_t)
 + auth_read_all_files_except_shadow(rsync_t)
 ')
@@ -11990,7 +12017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-11-09 12:27:28.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-11-19 10:25:59.000000000 -0500
 @@ -137,6 +137,11 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
@@ -12073,11 +12100,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
-@@ -298,6 +296,7 @@
+@@ -292,12 +290,13 @@
+
+ fs_getattr_all_fs(smbd_t)
+ fs_get_xattr_fs_quotas(smbd_t)
+-fs_search_auto_mountpoints(smbd_t)
+ fs_getattr_rpc_dirs(smbd_t)
+ fs_list_inotifyfs(smbd_t)
++fs_search_auto_mountpoints(smbd_t)
- auth_use_nsswitch(smbd_t)
+-auth_use_nsswitch(smbd_t)
 auth_domtrans_chk_passwd(smbd_t)
 +auth_domtrans_upd_passwd(smbd_t)
++auth_use_nsswitch(smbd_t)
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
@@ -12136,7 +12171,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
 kernel_read_kernel_sysctls(nmbd_t)
-@@ -462,17 +471,11 @@
+@@ -446,6 +455,7 @@
+ dev_getattr_mtrr_dev(nmbd_t)
+
+ fs_getattr_all_fs(nmbd_t)
++fs_list_inotifyfs(nmbd_t)
+ fs_search_auto_mountpoints(nmbd_t)
+
+ domain_use_interactive_fds(nmbd_t)
+@@ -462,17 +472,11 @@
 miscfiles_read_localization(nmbd_t)
@@ -12154,7 +12197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 seutil_sigchld_newrole(nmbd_t)
 ')
-@@ -506,6 +509,8 @@
+@@ -506,6 +510,8 @@
 manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
 files_list_var_lib(smbmount_t)
@@ -12163,7 +12206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_system_state(smbmount_t)
 corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +538,7 @@
+@@ -533,6 +539,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 term_list_ptys(smbmount_t)
@@ -12171,7 +12214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 corecmd_list_bin(smbmount_t)
-@@ -553,16 +559,11 @@
+@@ -553,16 +560,11 @@
 logging_search_logs(smbmount_t)
@@ -12190,7 +12233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -570,24 +571,28 @@
+@@ -570,24 +572,28 @@
 # SWAT Local policy
 #
@@ -12227,7 +12270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow swat_t smbd_var_run_t:file read;
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +602,11 @@
+@@ -597,7 +603,11 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -12240,7 +12283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -622,23 +631,24 @@
+@@ -622,23 +632,24 @@
 dev_read_urand(swat_t)
@@ -12267,7 +12310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 optional_policy(`
 cups_read_rw_config(swat_t)
 cups_stream_connect(swat_t)
-@@ -652,13 +662,16 @@
+@@ -652,13 +663,16 @@
 kerberos_use(swat_t)
 ')
@@ -12290,7 +12333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
-@@ -672,7 +685,6 @@
+@@ -672,7 +686,6 @@
 allow winbind_t self:fifo_file { read write };
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -12298,7 +12341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +721,8 @@
+@@ -709,6 +722,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -12307,7 +12350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +747,9 @@
+@@ -733,7 +748,9 @@
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
@@ -12317,7 +12360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 domain_use_interactive_fds(winbind_t)
-@@ -746,9 +762,6 @@
+@@ -746,9 +763,6 @@
 miscfiles_read_localization(winbind_t)
@@ -12327,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +771,6 @@
+@@ -758,10 +772,6 @@
 ')
 optional_policy(`
@@ -12338,7 +12381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 seutil_sigchld_newrole(winbind_t)
 ')
-@@ -784,6 +793,8 @@
+@@ -784,6 +794,8 @@
 allow winbind_helper_t samba_var_t:dir search;
 files_list_var_lib(winbind_helper_t)
@@ -12347,7 +12390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
 term_list_ptys(winbind_helper_t)
-@@ -804,6 +815,7 @@
+@@ -804,6 +816,7 @@
 optional_policy(`
 squid_read_log(winbind_helper_t)
 squid_append_log(winbind_helper_t)
@@ -12355,7 +12398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 ########################################
-@@ -828,3 +840,37 @@
+@@ -828,3 +841,37 @@
 domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 ')
 ')
@@ -13504,8 +13547,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.8/policy/modules/services/xfs.te
 --- nsaserefpolicy/policy/modules/services/xfs.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xfs.te 2007-10-29 23:59:29.000000000 -0400
-@@ -37,6 +37,15 @@
++++ serefpolicy-3.0.8/policy/modules/services/xfs.te 2007-11-19 15:03:17.000000000 -0500
+@@ -26,6 +26,7 @@
+ allow xfs_t self:process { signal_perms setpgid };
+ allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+ allow xfs_t self:unix_dgram_socket create_socket_perms;
++allow xfs_t self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+ manage_sock_files_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+@@ -37,6 +38,15 @@
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
@@ -18304,7 +18355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-17 07:03:58.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-19 15:21:25.000000000 -0500
 @@ -29,8 +29,9 @@
 ')
@@ -19412,7 +19463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Send a dbus message to all user domains.
 ##
 ##
-@@ -5559,3 +5756,379 @@
+@@ -5559,3 +5756,402 @@
 interface(`userdom_unconfined',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
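Review bot: The new `allow xfs_t self:tcp_socket create_stream_socket_perms;` in the `+@@ -26,6 +26,7 @@` hunk of xfs.te lets the font server create, bind and listen on TCP sockets, but nothing in the hunk pairs it with a comment or with the corenet port rules that would show which service it is meant to expose; the changelog entry only says "Allow xfs_t to listen to sockets". The lines just above it confine xfs to unix stream and datagram sockets, so this grant moves the daemon from a local-only to a potentially network-reachable surface and deserves a recorded reason, e.g. `# xfs serves fonts over TCP when configured to; port rules: <corenet interface placeholder>`. If the corresponding bind/listen rules exist elsewhere in xfs.te they are outside this hunk; if they do not, the line grants socket creation the daemon cannot complete and should be either finished or dropped. The xfs_t local policy block starts outside the hunk.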
@@ -19727,6 +19778,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +##
++## dontaudit Read all unprivileged users home directory
++## files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
++ gen_require(`
++ attribute user_home_dir_type, user_home_type;
++ ')
++
++ files_search_home($1)
++ dontaudit $1 user_home_type:dir list_dir_perms;
++ dontaudit $1 user_home_type:file read_file_perms;
++ dontaudit $1 user_home_type:file read_lnk_file_perms;
++')
++
++
++########################################
++##
 +## dontaudit attempts to write to user home dir files
 +##
 +##
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 96d97f1..d883e02 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -380,6 +380,13 @@ exit 0
 %endif
 %changelog
+* Fri Nov 16 2007 Dan Walsh 3.0.8-58
+- Allow nmbd to list inotifyfs_t
+- Dontaudit consolekit access to user homedir
+- dontaudit nscd getserv and shmemserv
+- Allow rsync_t dac overrides
+- Allow xfs_t to listen to sockets
+
 * Fri Nov 16 2007 Dan Walsh 3.0.8-57
 - Allow lvm to search mnt
 - Add booleans for xguest account
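Review bot: In the new `userdom_dontaudit_read_unpriv_users_home_content_files` interface the last rule `dontaudit $1 user_home_type:file read_lnk_file_perms;` names the `file` class with symlink permissions, so symlinks under home content are still audited and the line merely duplicates the `read_file_perms` rule above it; the intended line is `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. The `gen_require` block also pulls in `user_home_dir_type` although only `user_home_type` is used in the body, so `attribute user_home_type;` is sufficient. Since the rules cover every type carrying `user_home_type`, the summary "Read all unprivileged users home directory files" undersells the scope; a summary such as `## dontaudit listing and reading of all content under unprivileged users' home directories` describes what is actually silenced.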