From 2c41076cf541c2f1099188b3c6ecea6815e0ada4 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 18 2010 16:56:00 +0000 Subject: - Allow logrotate to transition to asterisk - Allow xdm to transition to shutdown - Allow shutdown dac_override - Allow samba sys_chroot --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 2baa5bf..0976616 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -587,7 +587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2010-01-18 18:24:22.549542536 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-03-09 15:56:02.235764426 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2010-03-18 13:28:33.608513957 +0100 @@ -108,6 +108,7 @@ init_domtrans_script(logrotate_t) @@ -596,7 +596,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(logrotate_t) # cjp: why is this needed? logging_exec_all_logs(logrotate_t) -@@ -215,5 +216,9 @@ +@@ -155,9 +156,7 @@ + ') + + optional_policy(` +- asterisk_exec(logrotate_t) +- asterisk_stream_connect(logrotate_t) +- asterisk_manage_lib_files(logrotate_t) ++ asterisk_domtrans(logrotate_t) + ') + + optional_policy(` +@@ -215,5 +214,9 @@ ') optional_policy(` 
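Review bot: Nothing at the new `asterisk_domtrans(logrotate_t)` line records why logrotate executes asterisk at all, which matters because the three direct grants it replaces (exec, stream connect, manage lib files) were the only hint. Dropping `asterisk_manage_lib_files(logrotate_t)` is the right direction for least privilege, so a one-line `# postrotate runs the asterisk CLI, presumably to reopen its logs — confirm` above the call would preserve the rationale. The interface being called is only defined by the asterisk.if hunk later in this same commit, so the two hunks must land together.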
@@ -976,7 +987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.6.32/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/shutdown.te 2010-03-11 21:21:02.264511203 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/shutdown.te 2010-03-18 13:34:32.775764351 +0100 @@ -0,0 +1,57 @@ +policy_module(shutdown,1.0.0) + @@ -1003,7 +1014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# shutdown local policy +# + -+allow shutdown_t self:capability { kill setuid sys_tty_config }; ++allow shutdown_t self:capability { dac_override kill setuid sys_tty_config }; +allow shutdown_t self:process { fork signal }; + +allow shutdown_t self:fifo_file manage_fifo_file_perms; 
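Review bot: The changed `allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };` line adds dac_override with no comment recording which file access triggered it, and the commit message only restates the grant. dac_override bypasses every DAC permission check, so if the underlying denial was a read or directory search the narrower `dac_read_search` capability is enough; if a write to a file owned by another uid is involved, keep dac_override but say so, e.g. `# dac_override: writes <file> owned by another uid — confirm against the audit denial`. This deserves the extra scrutiny because shutdown_t also becomes reachable from xdm_t via the `shutdown_domtrans(xdm_t)` hunk later in this commit.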
@@ -1142,9 +1153,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow searching for cdrom-drive dev_list_all_dev_nodes(cdrecord_t) dev_read_sysfs(cdrecord_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if +--- nsaserefpolicy/policy/modules/apps/chrome.if 2010-01-18 18:24:22.587539966 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2010-03-18 13:26:17.264514490 +0100 +@@ -18,8 +18,11 @@ + + domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t) + ps_process_pattern(chrome_sandbox_t, $1) +-') + ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit chrome_sandbox_t $1:socket_class_set { read write }; ++ ') ++') + + ######################################## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-03 10:39:47.584615400 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-18 15:08:01.040764195 +0100 @@ -23,8 +23,7 @@ # # chrome_sandbox local policy 
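Review bot: The new `dontaudit chrome_sandbox_t $1:socket_class_set { read write };` covers every socket class owned by the caller's domain, so once hide_broken_symptoms is enabled a denial that reflects a genuinely missing permission for the sandbox is suppressed along with the noise. That is the accepted trade-off for this ifdef, but the rule should name the symptom it hides so it can be revisited, e.g. `# presumably sockets inherited from $1 across the transition — confirm`. Without that it is hard to tell later whether a single class (unix_stream_socket, say) would have sufficed.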
@@ -1155,7 +1182,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:fifo_file manage_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -@@ -59,15 +58,17 @@ +@@ -45,10 +44,13 @@ + + domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + ++dev_read_sysfs(chrome_sandbox_t) + dev_read_urand(chrome_sandbox_t) + + files_read_etc_files(chrome_sandbox_t) + ++fs_dontaudit_getattr_all_fs(chrome_sandbox_t) ++ + userdom_rw_user_tmpfs_files(chrome_sandbox_t) + userdom_use_user_ptys(chrome_sandbox_t) + userdom_write_inherited_user_tmp_files(chrome_sandbox_t) +@@ -59,15 +61,17 @@ miscfiles_read_fonts(chrome_sandbox_t) optional_policy(` @@ -1239,7 +1280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-03 22:59:15.907072357 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-03-18 14:18:03.800514373 +0100 @@ -72,6 +72,24 @@ domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') 
@@ -1305,7 +1346,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -238,6 +256,24 @@ +@@ -219,6 +237,24 @@ + read_files_pattern($1, gconf_home_t, gconf_home_t) + ') + ++####################################### ++## ++## Append gconf home files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ++') ++ + ######################################## + ## + ## manage gconf home files +@@ -238,6 +274,24 @@ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') @@ -1330,7 +1396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Connect to gnome over an unix stream socket. -@@ -255,11 +291,29 @@ +@@ -255,11 +309,29 @@ # interface(`gnome_stream_connect',` gen_require(` @@ -1362,7 +1428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -274,8 +328,9 @@ +@@ -274,8 +346,9 @@ # interface(`gnome_write_inherited_config',` gen_require(` @@ -2212,7 +2278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_read_config(sandbox_net_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.6.32/policy/modules/apps/slocate.te --- nsaserefpolicy/policy/modules/apps/slocate.te 2010-01-18 18:24:22.654539968 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2010-02-15 15:04:15.236661606 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/slocate.te 2010-03-18 17:36:13.695514634 +0100 @@ -31,6 +31,7 @@ kernel_read_system_state(locate_t) 
@@ -2221,6 +2287,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(locate_t) +@@ -44,6 +45,8 @@ + files_read_etc_runtime_files(locate_t) + files_read_etc_files(locate_t) + ++fs_getattr_all_blk_files(locate_t) ++fs_getattr_all_chr_files(locate_t) + fs_getattr_all_fs(locate_t) + fs_getattr_all_files(locate_t) + fs_getattr_all_pipes(locate_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.6.32/policy/modules/apps/vmware.if --- nsaserefpolicy/policy/modules/apps/vmware.if 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/apps/vmware.if 2010-01-25 17:40:10.448685801 +0100 @@ -2470,7 +2545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Getattr the point-to-point device. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-05 10:47:05.501811848 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-03-18 14:31:45.767514531 +0100 @@ -85,6 +85,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) 
@@ -2494,14 +2569,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(festival, tcp,1314,s0) network_port(fingerd, tcp,79,s0) network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) -@@ -148,6 +150,7 @@ +@@ -148,7 +150,9 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) +network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0) network_port(nessus, tcp,1241,s0) ++network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) + network_port(ntp, udp,123,s0) +@@ -195,7 +199,7 @@ + network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) + network_port(smbd, tcp,137-139,s0, tcp,445,s0) + network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) ++network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) + type socks_port_t, port_type; dnl network_port(socks) # no defined portcon + network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) + network_port(spamd, tcp,783,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2010-01-18 18:24:22.670530409 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2010-03-15 10:19:23.322613725 +0100 
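Review bot: `network_port(netport, tcp,3129,s0, udp,3129,s0)` introduces a port type whose name says nothing about what listens there, while the squid.te hunk in this same commit binds it under the squid_use_tproxy tunable. A comment above it such as `# 3129: squid transparent-proxy (TPROXY) port, used by squid_use_tproxy` would tie the label to its only consumer. The snmp line in the same hunk now also labels TCP 161 and 162, which silently widens every existing corenet snmp_port grant from UDP to TCP; a short comment stating that this is intentional would help the next reader.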
@@ -4975,7 +5061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-15 09:29:24.349614032 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-03-18 13:31:20.256514411 +0100 @@ -67,6 +67,13 @@ ## @@ -5022,15 +5108,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -400,6 +408,7 @@ +@@ -400,7 +408,9 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) +fs_list_inotifyfs(httpd_t) fs_search_auto_mountpoints(httpd_t) ++fs_read_anon_inodefs_files(httpd_t) fs_read_iso9660_files(httpd_t) -@@ -483,8 +492,14 @@ + auth_use_nsswitch(httpd_t) +@@ -483,8 +493,14 @@ corenet_tcp_connect_pop_port(httpd_t) corenet_sendrecv_pop_client_packets(httpd_t) mta_send_mail(httpd_t) @@ -5046,7 +5134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_can_network_relay',` -@@ -588,6 +603,9 @@ +@@ -588,6 +604,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -5056,7 +5144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -612,6 +630,11 @@ +@@ -612,6 +631,11 @@ avahi_dbus_chat(httpd_t) ') ') 
@@ -5068,7 +5156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` kerberos_keytab_template(httpd, httpd_t) ') -@@ -756,8 +779,14 @@ +@@ -756,8 +780,14 @@ corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t) corenet_tcp_connect_mysqld_port(httpd_suexec_t) corenet_sendrecv_mysqld_client_packets(httpd_suexec_t) @@ -5084,7 +5172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mysql_stream_connect(httpd_php_t) -@@ -895,6 +924,9 @@ +@@ -895,6 +925,9 @@ sysnet_read_config(httpd_sys_script_t) @@ -5094,7 +5182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -906,6 +938,7 @@ +@@ -906,6 +939,7 @@ fs_manage_nfs_files(httpd_sys_script_t) fs_manage_nfs_symlinks(httpd_sys_script_t) fs_exec_nfs_files(httpd_sys_script_t) @@ -5102,7 +5190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_nfs_dirs(httpd_suexec_t) fs_manage_nfs_files(httpd_suexec_t) -@@ -945,6 +977,7 @@ +@@ -945,6 +978,7 @@ fs_manage_cifs_files(httpd_suexec_t) fs_manage_cifs_symlinks(httpd_suexec_t) fs_exec_cifs_files(httpd_suexec_t) 
@@ -5145,6 +5233,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(arpwatch_t) fs_search_auto_mountpoints(arpwatch_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if +--- nsaserefpolicy/policy/modules/services/asterisk.if 2010-01-18 18:24:22.741530430 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2010-03-18 15:26:43.834514737 +0100 +@@ -20,6 +20,25 @@ + stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t) + ') + ++##################################### ++## ++## Execute asterisk in the asterisk domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`asterisk_domtrans',` ++ gen_require(` ++ type asterisk_t, asterisk_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, asterisk_exec_t, asterisk_t) ++') ++ + ###################################### + ## + ## Execute asterisk diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.6.32/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-01-18 18:24:22.742540405 +0100 +++ serefpolicy-3.6.32/policy/modules/services/asterisk.te 2010-03-01 16:56:10.526493733 +0100 @@ -10435,7 +10552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-02 16:58:05.254606365 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-18 14:27:30.841764712 +0100 
@@ -208,7 +208,7 @@ files_read_usr_symlinks(samba_net_t) @@ -10445,6 +10562,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(samba_net_t) +@@ -231,7 +231,7 @@ + # + # smbd Local policy + # +-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_chroot sys_nice sys_resource lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; + allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow smbd_t self:process setrlimit; @@ -286,6 +286,8 @@ allow smbd_t winbind_t:process { signal signull }; @@ -10562,7 +10688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_dontaudit_manage_db(setroubleshoot_fixit_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-03-18 13:42:40.063765395 +0100 @@ -25,9 +25,9 @@ # # Local policy 
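Review bot: `sys_chroot` is added to smbd_t's capability set on the changed allow line with nothing recording the feature that needs it, and the commit message only restates the grant. A comment such as `# sys_chroot: presumably for the smb.conf 'root directory' share option — confirm` would let a later reviewer judge whether the capability is still warranted.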
@@ -10575,6 +10701,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; +@@ -72,6 +72,7 @@ + corenet_udp_bind_snmp_port(snmpd_t) + corenet_sendrecv_snmp_server_packets(snmpd_t) + corenet_tcp_connect_agentx_port(snmpd_t) ++corenet_tcp_connect_snmp_port(snmpd_t) + corenet_tcp_bind_agentx_port(snmpd_t) + corenet_udp_bind_agentx_port(snmpd_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.6.32/policy/modules/services/snort.te --- nsaserefpolicy/policy/modules/services/snort.te 2010-01-18 18:24:22.893530558 +0100 +++ serefpolicy-3.6.32/policy/modules/services/snort.te 2010-01-27 17:37:08.744613818 +0100 @@ -10637,6 +10771,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol exim_manage_spool_dirs(spamd_t) exim_manage_spool_files(spamd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.32/policy/modules/services/squid.te +--- nsaserefpolicy/policy/modules/services/squid.te 2010-01-18 18:24:22.897529880 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/squid.te 2010-03-18 14:31:45.784764437 +0100 +@@ -14,6 +14,13 @@ + ## + gen_tunable(squid_connect_any, false) + ++## ++##

++## Allow squid to run as a transparent proxy (TPROXY) ++##

++##
++gen_tunable(squid_use_tproxy, false) ++ + type squid_t; + type squid_exec_t; + init_daemon_domain(squid_t, squid_exec_t) +@@ -161,6 +168,11 @@ + corenet_sendrecv_all_packets(squid_t) + ') + ++tunable_policy(`squid_use_tproxy',` ++ allow squid_t self:capability net_admin; ++ corenet_tcp_bind_netport_port(squid_t) ++') ++ + optional_policy(` + apache_content_template(squid) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-01-18 18:24:22.898539086 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2010-02-23 16:04:29.107525602 +0100 @@ -11458,7 +11621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_generic_ptys(virt_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-11 17:11:02.481510064 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-03-18 13:45:28.425514615 +0100 @@ -51,17 +51,17 @@ # /tmp # @@ -11476,8 +11639,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0) -+/usr/bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/lxdm-binary gen_context(system_u:object_r:xdm_exec_t,s0) /usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) 
@@ -12769,7 +12932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-03-05 09:36:04.149561766 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-03-18 14:18:46.911764068 +0100 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.3) @@ -12830,10 +12993,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type xproperty_t, xproperty_type; +type seclabel_xproperty_t, xproperty_type; type clipboard_xproperty_t, xproperty_type; --type clipboard_xselection_t, xselection_type; ++ ++# X Selections ++attribute xselection_type; ++type xselection_t, xselection_type; + type clipboard_xselection_t, xselection_type; -type debug_xext_t, xextension_type; -type directhw_xext_t alias disallowed_xext_t, xextension_type; -type focus_xevent_t, xevent_type; ++#type settings_xselection_t, xselection_type; ++#type dbus_xselection_t, xselection_type; -type iceauth_t; -type iceauth_exec_t; 
@@ -12841,24 +13010,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; -application_domain(iceauth_t, iceauth_exec_t) -ubac_constrained(iceauth_t) -+# X Selections -+attribute xselection_type; -+type xselection_t, xselection_type; -+type clipboard_xselection_t, xselection_type; -+#type settings_xselection_t, xselection_type; -+#type dbus_xselection_t, xselection_type; - --type iceauth_home_t; --typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; --typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; --files_poly_member(iceauth_home_t) --userdom_user_home_content(iceauth_home_t) +# X Drawables +attribute xdrawable_type; +attribute xcolormap_type; +type root_xdrawable_t, xdrawable_type; +type root_xcolormap_t, xcolormap_type; +-type iceauth_home_t; +-typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; +-typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; +-files_poly_member(iceauth_home_t) +-userdom_user_home_content(iceauth_home_t) +- -type info_xproperty_t, xproperty_type; -type input_xevent_t, xevent_type; -type manage_xevent_t, xevent_type; @@ -13152,15 +13315,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_bin_entry_type(xdm_t) -@@ -668,6 +697,7 @@ +@@ -667,7 +696,9 @@ + ') optional_policy(` ++ gnome_append_gconf_home_files(xdm_t) gnome_read_gconf_config(xdm_t) + gnome_read_config(xdm_t) ') optional_policy(` -@@ -685,11 +715,6 @@ +@@ -685,11 +716,6 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) 
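Review bot: `gnome_append_gconf_home_files(xdm_t)` lets the display manager append to gconf_home_t files, which the gnome.if interface added earlier in this commit documents as gconf home files, i.e. user configuration. If the denial being fixed is under the display manager's own gconf data rather than users' home directories, a comment saying so would justify the rule; if it really is users' gconf files, a write from a root-running login manager into user configuration deserves a closer look and a narrower type. Either way a one-line `# xdm appends to <path> — confirm` above the call would record the intent.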
@@ -13172,7 +13337,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -705,13 +730,18 @@ +@@ -705,13 +731,18 @@ ') optional_policy(` @@ -13193,7 +13358,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # On crash gdm execs gdb to dump stack -@@ -767,6 +797,14 @@ +@@ -726,6 +757,10 @@ + ') + + optional_policy(` ++ shutdown_domtrans(xdm_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(xdm_t) + ') + +@@ -767,6 +802,14 @@ # X server local policy # @@ -13208,7 +13384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? -@@ -802,18 +840,12 @@ +@@ -802,18 +845,12 @@ allow xserver_t xauth_home_t:file read_file_perms; @@ -13228,7 +13404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -907,6 +939,7 @@ +@@ -907,6 +944,7 @@ mls_process_write_to_clearance(xserver_t) mls_file_read_to_clearance(xserver_t) mls_file_write_all_levels(xserver_t) @@ -13236,7 +13412,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -928,13 +961,14 @@ +@@ -928,13 +966,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -13252,7 +13428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -952,7 +986,7 @@ +@@ -952,7 +991,7 @@ ') ifdef(`enable_mls',` 
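Review bot: The new optional_policy block calling `shutdown_domtrans(xdm_t)` is inserted ahead of the existing `seutil_sigchld_newrole(xdm_t)` block, whereas the surrounding optional_policy blocks in xserver.te are kept in alphabetical order of their module prefix (seutil sorts before shutdown); move it after the seutil block to match. A comment is also warranted because shutdown_t gains dac_override in this same commit, so this transition makes that capability reachable from the display manager, e.g. `# presumably the greeter's shutdown/reboot action; shutdown_t carries dac_override — confirm`.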
@@ -13261,7 +13437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -961,15 +995,17 @@ +@@ -961,15 +1000,17 @@ # but typeattribute doesnt work in conditionals allow xserver_t xserver_t:x_server *; @@ -13282,7 +13458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xextension_type:x_extension *; allow xserver_t { x_domain xserver_t }:x_resource *; allow xserver_t xevent_type:{ x_event x_synthetic_event } *; -@@ -1016,6 +1052,7 @@ +@@ -1016,6 +1057,7 @@ # cjp: when xdm is configurable via tunable these # rules will be enabled only when xdm is enabled @@ -13290,7 +13466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xdm_t:process { signal getpgid }; allow xserver_t xdm_t:shm rw_shm_perms; -@@ -1027,9 +1064,9 @@ +@@ -1027,9 +1069,9 @@ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. @@ -13303,7 +13479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -1088,136 +1125,139 @@ +@@ -1088,136 +1130,139 @@ # # Hacks @@ -14134,7 +14310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-15 09:55:26.375864536 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-03-18 10:10:48.712514201 +0100 
@@ -133,7 +133,7 @@ /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -14157,7 +14333,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol HOME_DIR/.*/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -377,9 +381,6 @@ +@@ -333,6 +337,8 @@ + + /usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -377,9 +383,6 @@ /usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -14167,7 +14352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -396,10 +397,8 @@ +@@ -396,10 +399,8 @@ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libImlib2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjackserver\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
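Review bot: The new entry `/opt/altera9.1/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` hard-codes the product version in the path, so the next Quartus release silently loses the textrel_shlib_t label and presumably reproduces the denial this entry fixes. The neighbouring oracle entry uses `/usr/lib/oracle/.*/lib/...` for exactly this reason; `/opt/altera[^/]*/quartus/linux/libccl_err\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` would cover future versions without matching anything outside the altera prefix.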
@@ -14178,7 +14363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -432,9 +431,22 @@ +@@ -432,9 +433,22 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index bd60839..0b7d8dc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 103%{?dist} +Release: 104%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Mon Mar 18 2010 Miroslav Grepl 3.6.32-104 +- Allow logrotate to transition to asterisk +- Allow xdm to transition to shutdown +- Allow shutdown dac_override +- Allow samba sys_chroot + * Mon Mar 15 2010 Miroslav Grepl 3.6.32-103 - Add sosreport policy