diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index f2e22cd..c966911 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -202,6 +202,10 @@ user_ttyfile_stat = false
 #
 write_untrusted_content = false
 
+# Allow all domains to use tcp wrapper
+#
+allow_daemons_use_tcp_wrapper = false
+
 # Allow all domains to talk to ttys
 #
 allow_daemons_use_tty = false
diff --git a/policy-F13.patch b/policy-F13.patch
index 406c0ca..f022009 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -8001,8 +8001,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-01-18 15:43:18.000000000 +0000
-@@ -0,0 +1,450 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-02-17 09:39:15.596796002 +0000
+@@ -0,0 +1,458 @@
 +policy_module(sandbox,1.0.0)
 +
 +dbus_stub()
@@ -8210,6 +8210,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +miscfiles_read_localization(sandbox_x_domain)
 +miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
 +
++selinux_get_fs_mount(sandbox_x_domain)
++selinux_validate_context(sandbox_x_domain)
++selinux_compute_access_vector(sandbox_x_domain)
++selinux_compute_create_context(sandbox_x_domain)
++selinux_compute_relabel_context(sandbox_x_domain)
++selinux_compute_user_contexts(sandbox_x_domain)
++seutil_read_default_contexts(sandbox_x_domain)
++
 +term_getattr_pty_fs(sandbox_x_domain)
 +term_use_ptmx(sandbox_x_domain)
 +term_search_ptys(sandbox_x_domain)
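Review bot: The new comment line `# Allow all domains to use tcp wrapper` overstates the scope of the boolean it documents: in init.te the corresponding tunable_policy block applies corenet_tcp_connect_auth_port only to the `daemon` attribute, and the tunable's own description there reads "Allow all daemons to use tcp wrappers." Suggest matching that wording here so the two descriptions agree, e.g. `# Allow all daemons to use tcp wrappers`. The default `allow_daemons_use_tcp_wrapper = false` does agree with the `gen_tunable(allow_daemons_use_tcp_wrapper, false)` declaration in init.te.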
@@ -12608,7 +12616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.19/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-01-19 18:02:35.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/kernel.if 2011-02-17 13:45:53.359796002 +0000 @@ -534,6 +534,37 @@ ######################################## @@ -12731,7 +12739,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## ## ## Do not audit attempts by caller to get attributes for -@@ -2775,16 +2860,24 @@ +@@ -2677,6 +2762,33 @@ + + ######################################## + ## ++## Read/Write Raw IP packets from an unlabeled connection. ++## ++## ++##

++## Receive Raw IP packets from an unlabeled connection. ++##

++##

++## The corenetwork interface corenet_raw_recv_unlabeled() should ++## be used instead of this one. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_rw_unlabeled_rawip_socket',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:rawip_socket rw_socket_perms; ++') ++ ++######################################## ++## + ## Send and receive unlabeled packets. + ## + ## +@@ -2775,16 +2887,24 @@ gen_require(` type unlabeled_t; class db_database { setattr relabelfrom }; @@ -12756,7 +12798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel allow $1 unlabeled_t:db_column { setattr relabelfrom }; allow $1 unlabeled_t:db_tuple { update relabelfrom }; allow $1 unlabeled_t:db_blob { setattr relabelfrom }; -@@ -2792,6 +2885,24 @@ +@@ -2792,6 +2912,24 @@ ######################################## ## @@ -12781,7 +12823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ## Unconfined access to kernel module resources. ## ## -@@ -2807,3 +2918,23 @@ +@@ -2807,3 +2945,23 @@ typeattribute $1 kern_unconfined; ') 
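Review bot: The documentation of the new kernel_rw_unlabeled_rawip_socket interface is inconsistent with itself: the summary says "Read/Write Raw IP packets from an unlabeled connection", but the description paragraph that follows says "Receive Raw IP packets" and recommends corenet_raw_recv_unlabeled() instead, which covers receiving only — this reads as copied from the existing receive-only interface. Suggest rewording the description to "Read and write raw IP packets on an unlabeled connection." and either pointing at a corenetwork interface that grants both directions or dropping the "should be used instead" sentence rather than leaving a pointer to a narrower interface. The rule itself, `allow $1 unlabeled_t:rawip_socket rw_socket_perms;`, matches the summary; in this commit its only caller is unconfined_t in unconfineduser.te, and a short note in the description that the interface is intended for unconfined-style domains would help keep it from spreading to confined daemons.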
@@ -13040,8 +13082,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.19/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2010-05-28 07:42:00.000000000 +0000
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.7.19/policy/modules/kernel/storage.fc 2011-02-17 14:54:15.022796002 +0000
+@@ -12,6 +12,7 @@
+ /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -20,6 +21,7 @@
  /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
  /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
  /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
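Review bot: The new character-device entry `/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,s0)` uses level s0, while the block-device entry directly above it and every other fixed_disk_device_t entry in this hunk (dm-, drbd, etherd) use mls_systemhigh. On an MLS policy this leaves the DASD character devices at the low level; if that is not deliberate, the line should read `/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. If s0 is intended because these character nodes do not expose disk contents, a one-line comment above the entry saying so would stop the next reader from "fixing" it. Note also that the spec changelog describes this as a label for /dev/dasd_eer, while the pattern matches every character device named /dev/dasd*; either narrow the pattern or word the changelog accordingly.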
@@ -13049,6 +13099,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
  /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -49,6 +51,7 @@
+ /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0)
++/dev/tgt -c gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
+ /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.19/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if 2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/kernel/storage.if 2010-08-06 10:20:38.000000000 +0000
@@ -14558,8 +14616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-01-14 13:20:39.000000000 +0000
-@@ -0,0 +1,453 @@
++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-02-17 14:43:35.779796002 +0000
+@@ -0,0 +1,457 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -14634,6 +14692,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + ++kernel_rw_unlabeled_socket(unconfined_t) ++kernel_rw_unlabeled_rawip_socket(unconfined_t) ++ +files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) +files_root_filetrans_default(unconfined_t, dir) @@ -15013,6 +15074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.19/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/roles/unprivuser.te 2011-01-27 14:39:30.789455000 +0000 @@ -16293,6 +16355,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.19/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2010-04-13 18:44:37.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/amavis.te 2011-02-17 10:03:19.814796001 +0000 +@@ -170,6 +170,10 @@ + ') + + optional_policy(` ++ nslcd_stream_connect(amavis_t) ++') ++ ++optional_policy(` + postfix_read_config(amavis_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.19/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/apache.fc 2010-07-13 07:55:52.000000000 +0000 
@@ -34359,8 +34435,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.19/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2010-06-15 16:40:09.000000000 +0000
-@@ -0,0 +1,223 @@
++++ serefpolicy-3.7.19/policy/modules/services/rgmanager.te 2011-02-17 10:06:36.528796002 +0000
+@@ -0,0 +1,227 @@
 +
 +policy_module(rgmanager, 1.0.0)
 +
@@ -34497,6 +34573,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 +
 +optional_policy(`
++ dbus_system_bus_client(rgmanager_t)
++')
++
++optional_policy(`
 + fstools_domtrans(rgmanager_t)
 +')
 +
@@ -35078,8 +35158,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-02-03 10:44:54.678796002 +0000
-@@ -0,0 +1,261 @@
++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-02-17 10:04:32.623796000 +0000
+@@ -0,0 +1,265 @@
 +
 +policy_module(rhcs,1.1.0)
 +
@@ -35341,6 +35421,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +optional_policy(`
 + corosync_stream_connect(cluster_domain)
 +')
++
++optional_policy(`
++ dbus_system_bus_client(cluster_domain)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.fc serefpolicy-3.7.19/policy/modules/services/ricci.fc
 --- nsaserefpolicy/policy/modules/services/ricci.fc 2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/ricci.fc 2010-07-21 11:56:07.000000000 +0000
@@ -38773,12 +38857,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.19/policy/modules/services/tftp.if --- nsaserefpolicy/policy/modules/services/tftp.if 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-12-01 12:48:17.000000000 +0000 -@@ -16,6 +16,26 @@ ++++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2011-02-17 09:41:56.694796002 +0000 +@@ -13,9 +13,33 @@ + interface(`tftp_read_content',` + gen_require(` + type tftpdir_t; ++ type tftpdir_rw_t; ') read_files_pattern($1, tftpdir_t, tftpdir_t) + read_lnk_files_pattern($1, tftpdir_t, tftpdir_t) ++ ++ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t) +') + +######################################## @@ -38801,7 +38892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ') ######################################## -@@ -40,6 +60,36 @@ +@@ -40,6 +64,36 @@ ######################################## ## @@ -38838,7 +38929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp ## All of the rules required to administrate ## an tftp environment ## -@@ -55,9 +105,10 @@ +@@ -55,9 +109,10 @@ type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t; ') @@ -42775,7 +42866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.19/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-01-18 15:03:10.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/init.te 2011-02-17 09:49:30.499796002 +0000 @@ -1,5 +1,5 @@ -policy_module(init, 1.14.2) 
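Review bot: tftp_read_content now also grants read of tftpdir_rw_t files and symlinks (the two added read_*_pattern lines after `read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)`), but the interface's summary and description block sits above the hunk and is not updated, so callers that asked for read access to the served tree silently also get read access to the directory the tftp server is allowed to write. Suggest extending the interface description with one sentence such as "This also covers the writable tftp directory (tftpdir_rw_t)." so a caller can judge whether it wants that, and, if some callers should not see the writable area, splitting the rw_t part into a separate interface instead of widening this one. The closing `')` of tftp_read_content is inside the hunk; its documentation header is not.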
@@ -42783,12 +42874,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t gen_require(` class passwd rootok; -@@ -17,6 +17,20 @@ +@@ -17,6 +17,27 @@ ## gen_tunable(init_upstart, false) +## +##

++## Allow all daemons to use tcp wrappers. ++##

++##
++gen_tunable(allow_daemons_use_tcp_wrapper, false) ++ ++## ++##

+## Allow all daemons the ability to read/write terminals +##

+##
@@ -42804,7 +42902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # used for direct running of init scripts # by admin domains attribute direct_run_init; -@@ -26,6 +40,7 @@ +@@ -26,6 +47,7 @@ attribute init_script_domain_type; attribute init_script_file_type; attribute init_run_all_scripts_domain; @@ -42812,7 +42910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # Mark process types as daemons attribute daemon; -@@ -33,7 +48,7 @@ +@@ -33,7 +55,7 @@ # # init_t is the domain of the init process. # @@ -42821,7 +42919,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t type init_exec_t; domain_type(init_t) domain_entry_file(init_t, init_exec_t) -@@ -64,6 +79,7 @@ +@@ -64,6 +86,7 @@ # of the below init_upstart tunable # but this has a typeattribute in it corecmd_shell_entry_type(initrc_t) @@ -42829,7 +42927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -88,7 +104,7 @@ +@@ -88,7 +111,7 @@ # # Use capabilities. old rule: @@ -42838,7 +42936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -101,7 +117,9 @@ +@@ -101,7 +124,9 @@ # Re-exec itself can_exec(init_t, init_exec_t) @@ -42849,7 +42947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -121,6 +139,8 @@ +@@ -121,6 +146,8 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) @@ -42858,7 +42956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -169,6 +189,8 @@ +@@ -169,6 +196,8 @@ miscfiles_read_localization(init_t) 
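Review bot: The tunable is declared as `gen_tunable(allow_daemons_use_tcp_wrapper, false)` (singular "wrapper"), which matches booleans-targeted.conf, but the %changelog entry added to selinux-policy.spec in this same commit calls it allow_daemons_use_tcp_wrappers; one of the two should be corrected so the boolean can be found under the name the changelog advertises. The description text "Allow all daemons to use tcp wrappers." could also state what is actually granted, since the tunable_policy body later in init.te only calls corenet_tcp_connect_auth_port(daemon), e.g. "Allow all daemons to use tcp wrappers (ident lookups on the auth port)." The surrounding gen_tunable block for init_upstart and the attribute declarations are context; the tunable_policy that consumes this boolean is in a later hunk of the same file.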
@@ -42867,7 +42965,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -192,10 +214,23 @@ +@@ -192,10 +221,23 @@ ') optional_policy(` @@ -42891,7 +42989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -213,7 +248,7 @@ +@@ -213,7 +255,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -42900,7 +42998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -242,6 +277,7 @@ +@@ -242,6 +284,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -42908,7 +43006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -259,13 +295,22 @@ +@@ -259,13 +302,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -42932,7 +43030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corenet_all_recvfrom_unlabeled(initrc_t) corenet_all_recvfrom_netlabel(initrc_t) -@@ -280,6 +325,7 @@ +@@ -280,6 +332,7 @@ dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -42940,7 +43038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -299,6 +345,7 @@ +@@ -299,6 +352,7 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -42948,7 +43046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -325,8 +372,10 @@ +@@ -325,8 +379,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -42960,7 +43058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -342,6 +391,8 @@ +@@ -342,6 +398,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -42969,7 +43067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) -@@ -352,6 +403,8 @@ +@@ -352,6 +410,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -42978,7 +43076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -364,6 +417,7 @@ +@@ -364,6 +424,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -42986,7 +43084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -395,15 +449,16 @@ +@@ -395,15 +456,16 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -43005,7 +43103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain. userdom_use_user_terminals(initrc_t) -@@ -437,6 +492,10 @@ +@@ -437,6 +499,10 @@ dev_create_generic_dirs(initrc_t) dev_delete_generic_dirs(initrc_t) 
@@ -43016,7 +43114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # openrc uses tmpfs for its state data fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file }) -@@ -471,7 +530,7 @@ +@@ -471,7 +537,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -43025,7 +43123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -495,6 +554,12 @@ +@@ -495,6 +561,12 @@ fs_read_tmpfs_symlinks(initrc_t) fs_rw_tmpfs_chr_files(initrc_t) @@ -43038,7 +43136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t storage_manage_fixed_disk(initrc_t) storage_dev_filetrans_fixed_disk(initrc_t) storage_getattr_removable_dev(initrc_t) -@@ -517,6 +582,23 @@ +@@ -517,6 +589,23 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -43062,7 +43160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -528,6 +610,8 @@ +@@ -528,6 +617,8 @@ optional_policy(` sysnet_rw_dhcp_config(initrc_t) sysnet_manage_config(initrc_t) @@ -43071,7 +43169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -542,6 +626,35 @@ +@@ -542,6 +633,39 @@ ') ') @@ -43080,6 +43178,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) + ++tunable_policy(`allow_daemons_use_tcp_wrapper',` ++ corenet_tcp_connect_auth_port(daemon) ++') ++ +tunable_policy(`allow_daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) 
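Review bot: The new tunable_policy block that grants `corenet_tcp_connect_auth_port(daemon)` has no comment saying why a "tcp wrapper" boolean translates into an outbound connect to the auth port, and the neighbouring allow_daemons_use_tty block sets the file's precedent of unexplained rules. A one-line why-comment above it, `# libwrap performs RFC 1413 ident lookups, which connect to the auth port`, would let the next maintainer see that this is the only network access tcp_wrappers needs and that nothing else (e.g. listening or name resolution) is being opened up. Since the rule applies to the whole `daemon` attribute, it is worth noting in that comment that it is gated by the boolean and off by default.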
@@ -43107,7 +43209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -554,6 +667,8 @@ +@@ -554,6 +678,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -43116,7 +43218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -578,6 +693,11 @@ +@@ -578,6 +704,11 @@ ') optional_policy(` @@ -43128,7 +43230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -594,6 +714,7 @@ +@@ -594,6 +725,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -43136,7 +43238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -695,7 +816,13 @@ +@@ -695,7 +827,13 @@ ') optional_policy(` @@ -43150,7 +43252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -718,6 +845,10 @@ +@@ -718,6 +856,10 @@ ') optional_policy(` @@ -43161,7 +43263,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -739,6 +870,10 @@ +@@ -739,6 +881,10 @@ ') optional_policy(` @@ -43172,7 +43274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -760,8 +895,6 @@ +@@ -760,8 +906,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -43181,7 +43283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -770,14 +903,21 @@ +@@ -770,14 +914,21 @@ ') optional_policy(` 
@@ -43203,7 +43305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -790,6 +930,7 @@ +@@ -790,6 +941,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -43211,7 +43313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t udev_manage_pid_files(initrc_t) ') -@@ -798,11 +939,19 @@ +@@ -798,11 +950,19 @@ ') optional_policy(` @@ -43232,7 +43334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -812,6 +961,25 @@ +@@ -812,6 +972,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -43258,7 +43360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -837,3 +1005,35 @@ +@@ -837,3 +1016,35 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -46900,7 +47002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.19/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2011-01-07 09:38:30.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.te 2011-02-17 13:44:58.055796002 +0000 @@ -1,11 +1,18 @@ -policy_module(sysnetwork, 1.10.3) @@ -47031,7 +47133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -328,6 +366,8 @@ +@@ -328,9 +366,12 @@ optional_policy(` hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) 
@@ -47040,7 +47142,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -348,6 +388,7 @@ ++ ipsec_setcontext_default_spd(ifconfig_t) + ipsec_write_pid(ifconfig_t) + ') + +@@ -348,6 +389,7 @@ optional_policy(` unconfined_dontaudit_rw_pipes(ifconfig_t) @@ -47048,7 +47154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') optional_policy(` -@@ -360,3 +401,9 @@ +@@ -360,3 +402,9 @@ xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 319e060..36264c0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 92%{?dist} +Release: 93%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Thu Feb 17 2011 Miroslav Grepl 3.7.19-93 +- Allow all sandbox to read selinux poilcy config files +- Add allow_daemons_use_tcp_wrappers boolean +- Allow amavis to talk to nslcd +- Add label for /dev/tgt +- Add label for /dev/dasd_eer + * Tue Feb 15 2011 Miroslav Grepl 3.7.19-92 - allow chfn_t to check whether rssh_exec_t is executable - Make labeled ipsec work in MLS machines
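Review bot: The added `ipsec_setcontext_default_spd(ifconfig_t)` inside the ipsec optional_policy block gives the ifconfig domain a new SPD-context permission, but none of the 3.7.19-93 %changelog lines added to selinux-policy.spec in this commit mentions a sysnetwork change (the same is true of the rgmanager/rhcs dbus_system_bus_client, tftp_read_content and unconfined_t raw-IP additions); please add changelog entries so each new permission can be traced to its request. I cannot see the ipsec_setcontext_default_spd interface in this diff, so I am assuming from its name that it grants only the setcontext on the default SPD and nothing wider — worth confirming against ipsec.if. The sysnetwork.te hunk that follows at line 402 is a trailing addition whose contents are outside the visible lines of this hunk.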