From 3a8f668266f9888e5147a5d61dab168b5d61ef76 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 01 2010 07:27:33 +0000 Subject: - Add label for '/usr/share/sampler/tray/tray' - Fixes for abrt policy - Fixes for chrome-sandbox policy --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 7b83d7e..6ad11b0 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -1394,7 +1394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-04-13 15:01:31.593601647 +0200 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-10-01 08:33:42.677599778 +0200 @@ -23,8 +23,7 @@ # # chrome_sandbox local policy @@ -1420,9 +1420,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_rw_user_tmpfs_files(chrome_sandbox_t) userdom_use_user_ptys(chrome_sandbox_t) -@@ -59,15 +63,17 @@ +@@ -58,25 +62,30 @@ + miscfiles_read_localization(chrome_sandbox_t) miscfiles_read_fonts(chrome_sandbox_t) ++sysnet_dontaudit_read_config(chrome_sandbox_t) ++ optional_policy(` - gnome_write_inherited_config(chrome_sandbox_t) + execmem_exec(chrome_sandbox_t) 
@@ -1441,6 +1444,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_nfs_home_dirs',` +- fs_dontaudit_append_nfs_files(chrome_sandbox_t) +- fs_dontaudit_read_nfs_files(chrome_sandbox_t) +- fs_dontaudit_read_nfs_symlinks(chrome_sandbox_t) ++ fs_search_nfs(chrome_sandbox_t) ++ fs_read_inherited_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_symlinks(chrome_sandbox_t) + ') + + tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(chrome_sandbox_t) ++ fs_read_inherited_cifs_files(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +- fs_dontaudit_read_cifs_files(chrome_sandbox_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 2010-01-18 18:24:22.590539929 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2010-03-11 22:17:04.177894107 +0100 @@ -3073,7 +3090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-01-18 18:24:22.665531100 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-09-01 14:34:55.989084677 +0200 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2010-09-30 17:44:01.683349415 +0200 @@ -166,6 +166,7 @@ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) 
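Review bot: The `use_nfs_home_dirs` and `use_samba_home_dirs` branches come out asymmetric: the NFS branch drops `fs_dontaudit_append_nfs_files(chrome_sandbox_t)` with nothing in its place, while the CIFS branch keeps `fs_dontaudit_append_cifs_files(chrome_sandbox_t)`, and `fs_read_nfs_symlinks(chrome_sandbox_t)` has no CIFS counterpart. If append denials are still expected on NFS home directories the dontaudit should stay; if the difference is intended, a one-line comment in each block saying so would stop the next reader from "fixing" it back. Since the change also turns dontaudit rules into allow rules on inherited home-directory files, a comment naming the denial that motivated it (presumably an inherited descriptor from the browser) would help later audits of what chrome_sandbox_t may reach. The rest of the chrome_sandbox_t policy lies outside the hunk.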
@@ -3095,7 +3112,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPInstance -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/SAPDatabase -- gen_context(system_u:object_r:bin_t,s0) -@@ -237,6 +241,7 @@ +@@ -234,9 +238,11 @@ + /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/sampler/tray/tray -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3103,7 +3124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -244,6 +249,7 @@ +@@ -244,6 +250,7 @@ /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/turboprint/lib(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -3111,7 +3132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) -@@ -299,6 +305,7 @@ +@@ -299,6 +306,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -4436,7 +4457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.32/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2010-01-18 18:24:22.685530781 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-03-02 17:30:45.367615524 +0100 ++++ serefpolicy-3.6.32/policy/modules/kernel/domain.te 2010-09-30 17:48:05.733351004 +0200 @@ -105,8 +105,10 @@ kernel_dontaudit_search_key(domain) kernel_dontaudit_link_key(domain) @@ -4449,7 +4470,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Use trusted objects in /dev dev_rw_null(domain) -@@ -216,8 +218,10 @@ +@@ -211,13 +213,16 @@ + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) ++ abrt_stream_connect(domain) + ') + optional_policy(` rpm_use_fds(domain) rpm_read_pipes(domain) 
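Review bot: `abrt_stream_connect(domain)` grants every process type on the system a connect to abrtd's socket, and nothing in the hunk says why the whole `domain` attribute needs it rather than the domains that actually run a crash hook. If the intent is that any crashing process may report to abrtd, a comment above the call such as `# any process may have to report its own crash to abrtd` would record that; if only a few domains need it, narrowing the caller is the safer default. The call sits inside an `optional_policy` block whose opening line is outside the hunk, so the grant appears only once the abrt module is loaded, which is worth keeping in mind when checking the effective policy.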
@@ -5173,8 +5200,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # compatibility aliases for removed types: diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-01-18 18:24:22.697530142 +0100 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-03-23 13:14:01.858389781 +0100 -@@ -988,6 +988,25 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2010-10-01 08:23:48.728349711 +0200 +@@ -890,6 +890,24 @@ + dontaudit $1 cifs_t:file append_file_perms; + ') + ++####################################### ++## ++## Read inherited files on a CIFS or SMB filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_cifs_files',` ++ gen_require(` ++ type cifs_t; ++ ') ++ ++ allow $1 cifs_t:file read_inherited_file_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read or +@@ -988,6 +1006,25 @@ exec_files_pattern($1, cifs_t, cifs_t) ') @@ -5200,7 +5252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create, read, write, and delete directories -@@ -1632,6 +1651,36 @@ +@@ -1632,6 +1669,36 @@ ######################################## ## @@ -5237,7 +5289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search inotifyfs filesystem. ## ## -@@ -1668,6 +1717,24 @@ +@@ -1668,6 +1735,24 @@ ######################################## ## @@ -5262,7 +5314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## -@@ -2010,6 +2077,25 @@ +@@ -2010,6 +2095,25 @@ exec_files_pattern($1, nfs_t, nfs_t) ') 
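Review bot: The parameter description of `fs_read_inherited_cifs_files` reads `Domain to not audit.`, but the body is an `allow` rule, so the text was carried over from a dontaudit interface; it should read `## Domain allowed access.` The same wording is in `fs_read_inherited_nfs_files`, added further down in hunk `@@ -5288,7 +5340,32 @@`. Both new interfaces also open with a 39-character `#######################################` separator while the neighbouring interfaces use 40, which is cosmetic but easy to match. Audit-versus-allow wording in interface docs matters because the generated interface reference is what policy authors read to decide whether a call widens access.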
@@ -5288,7 +5340,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Append files -@@ -3186,6 +3272,24 @@ +@@ -2050,6 +2154,24 @@ + dontaudit $1 nfs_t:file append_file_perms; + ') + ++####################################### ++## ++## Read inherited files on a NFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_inherited_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ allow $1 nfs_t:file read_inherited_file_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read or +@@ -3186,6 +3308,24 @@ allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ') @@ -5313,7 +5390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Mount a tmpfs filesystem. -@@ -3496,6 +3600,24 @@ +@@ -3496,6 +3636,24 @@ ######################################## ## @@ -5338,7 +5415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic tmpfs files. ## ## -@@ -3722,7 +3844,7 @@ +@@ -3722,7 +3880,7 @@ ######################################## ## @@ -5347,7 +5424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -3730,17 +3852,17 @@ +@@ -3730,17 +3888,17 @@ ## ## # @@ -5368,7 +5445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -3748,12 +3870,12 @@ +@@ -3748,12 +3906,12 @@ ## ## # @@ -5383,7 +5460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3891,6 +4013,44 @@ +@@ -3891,6 +4049,44 @@ allow $1 filesystem_type:filesystem unmount; ') 
@@ -5428,7 +5505,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Get the attributes of all persistent -@@ -4297,6 +4457,26 @@ +@@ -4297,6 +4493,26 @@ ######################################## ## @@ -5455,7 +5532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write files on cgroup ## file systems. ## -@@ -4409,3 +4589,23 @@ +@@ -4409,3 +4625,23 @@ write_files_pattern($1, cgroup_t, cgroup_t) ') @@ -6255,7 +6332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.6.32/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-01-18 18:24:22.726539977 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-02-01 21:01:00.945160840 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.if 2010-09-30 17:49:13.511600481 +0200 @@ -35,6 +35,11 @@ ') 
@@ -6268,6 +6345,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ###################################### +@@ -214,6 +219,25 @@ + allow $1 abrt_t:process signull; + ') + ++####################################### ++## ++## Connect to abrt over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_stream_connect',` ++ gen_require(` ++ type abrt_t, abrt_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t) ++') ++ + ##################################### + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 +++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-08-17 12:15:17.471085294 +0200 @@ -18230,7 +18333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-10 13:59:49.976859557 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-10-01 08:59:22.987601967 +0200 @@ -52,6 +52,7 @@ kernel_use_fds(iptables_t) @@ -18239,7 +18342,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_sysfs(iptables_t) -@@ -71,6 +72,7 @@ +@@ -68,9 +69,11 @@ + + files_read_etc_files(iptables_t) + files_read_etc_runtime_files(iptables_t) ++files_read_usr_files(iptables_t) auth_use_nsswitch(iptables_t) 
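Review bot: The summary of `abrt_stream_connect` says `Connect to abrt over an unix stream socket.`; it should be `a unix stream socket`, and since the interface also calls `files_search_pids($1)`, adding a sentence that search access to the pid directory is included would make the description complete. The separator above the interface is 39 `#` characters where the rest of the file uses 40. The `stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)` call itself matches the usual argument order for a socket created under abrt_var_run_t.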
@@ -18247,7 +18354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(iptables_t) init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: -@@ -87,6 +89,10 @@ +@@ -87,6 +90,10 @@ userdom_use_user_terminals(iptables_t) userdom_use_all_users_fds(iptables_t) @@ -19303,8 +19410,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.32/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-01-18 18:24:22.969542320 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-02-16 16:50:00.011598570 +0100 -@@ -430,6 +430,10 @@ ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.if 2010-10-01 08:57:09.109598807 +0200 +@@ -72,7 +75,12 @@ + optional_policy(` + ntp_run(dhcpc_t, $2) + ') ++ + seutil_run_setfiles(dhcpc_t, $2) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit dhcpc_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +@@ -430,6 +438,10 @@ corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 62acc0a..cecf514 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 122%{?dist} +Release: 123%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,11 @@ exit 0 %endif %changelog +* Fri Oct 1 2010 Miroslav Grepl 3.6.32-123 +- Add label for '/usr/share/sampler/tray/tray' +- Fixes for abrt policy +- Fixes for chrome-sandbox policy + * Wed Sep 1 2010 Miroslav Grepl 3.6.32-122 - Fixes for nut policy
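Review bot: The new `dontaudit dhcpc_t $1:socket_class_set { read write };` silences read and write denials on every socket class inherited from the calling domain, not just the class that produced the noise, so a genuinely leaked descriptor (for example a netlink or TCP socket the caller failed to close) would no longer show up in the audit log when `hide_broken_symptoms` is set. If the denials came from a single class, naming that class instead of `socket_class_set` keeps the rule narrow; at minimum a comment above the `ifdef` stating which leak it hides is needed. The rule assumes `$1` is the calling domain, which agrees with the `ntp_run(dhcpc_t, $2)` and `seutil_run_setfiles(dhcpc_t, $2)` calls around it, but the interface's header is outside the hunk so that cannot be confirmed here.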