- Allow dhcpd to read kernel network state

policy-20071130.patch

@@ -7892,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-04-10 13:50:44.000000000 -0400
 @@ -851,9 +851,8 @@
  		type proc_t, proc_afs_t;
  	')
@@ -7916,7 +7916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
-+	dontaudit $1 sysctl_type:file getattr;
++	dontaudit $1 sysctl_type:file read_file_perms;
  ')
  
  ########################################
@@ -8382,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-05 07:45:49.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-04-10 13:06:52.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8538,7 +8538,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
-@@ -177,48 +159,6 @@
+@@ -151,9 +133,13 @@
+ 		# privileged users run the script:
+ 		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
+ 
++		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
++
+ 		# apache runs the script:
+ 		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ 
++		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
++
+ 		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ 		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+ 
+@@ -177,48 +163,6 @@
  		miscfiles_read_localization(httpd_$1_script_t)
  	')
  
@@ -8587,7 +8601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	optional_policy(`
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,72 +205,77 @@
+@@ -265,72 +209,77 @@
  template(`apache_per_role_template', `
  	gen_require(`
  		attribute httpdcontent, httpd_script_domains;
@@ -8718,7 +8732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -352,12 +297,11 @@
+@@ -352,12 +301,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -8735,7 +8749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -378,12 +322,12 @@
+@@ -378,12 +326,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -8752,7 +8766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -761,6 +705,7 @@
+@@ -761,6 +709,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -8760,7 +8774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -841,12 +786,16 @@
+@@ -841,12 +790,16 @@
  # sysadm_t to run scripts
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
@@ -8779,7 +8793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -932,7 +881,7 @@
+@@ -932,7 +885,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -8788,7 +8802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1023,16 +972,16 @@
+@@ -1023,16 +976,16 @@
  #
  interface(`apache_manage_all_user_content',`
  	gen_require(`
@@ -8812,7 +8826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1088,3 +1037,142 @@
+@@ -1088,3 +1041,142 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -13399,7 +13413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.3.1/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dhcp.te	2008-04-04 12:06:55.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dhcp.te	2008-04-10 11:29:00.000000000 -0400
 @@ -19,18 +19,20 @@
  type dhcpd_var_run_t;
  files_pid_file(dhcpd_var_run_t)
@@ -13423,7 +13437,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  allow dhcpd_t self:tcp_socket create_stream_socket_perms;
  allow dhcpd_t self:udp_socket create_socket_perms;
  # Allow dhcpd_t to use packet sockets
-@@ -88,6 +90,8 @@
+@@ -51,6 +53,7 @@
+ 
+ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
++kernel_read_network_state(dhcpd_t)
+ 
+ corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
+@@ -88,6 +91,8 @@
  files_read_etc_runtime_files(dhcpd_t)
  files_search_var_lib(dhcpd_t)
  
@@ -13432,7 +13454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  libs_use_ld_so(dhcpd_t)
  libs_use_shared_libs(dhcpd_t)
  
-@@ -95,7 +99,6 @@
+@@ -95,7 +100,6 @@
  
  miscfiles_read_localization(dhcpd_t)
  
@@ -13440,7 +13462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  sysnet_read_dhcp_config(dhcpd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -116,14 +119,6 @@
+@@ -116,14 +120,6 @@
  ')
  
  optional_policy(`
@@ -27809,7 +27831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.3.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-05 14:44:00.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.if	2008-04-10 10:48:18.000000000 -0400
 @@ -213,12 +213,7 @@
  ## </param>
  #
@@ -27905,7 +27927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  ########################################
-@@ -804,3 +838,127 @@
+@@ -804,3 +838,128 @@
  	logging_admin_audit($1, $2, $3)
  	logging_admin_syslog($1, $2, $3)
  ')
@@ -28013,6 +28035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +	domtrans_pattern(audisp_t,$2,$1)
 +
 +	allow audisp_t $2:file getattr;
++	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
 +')
 +
 +########################################

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 32%{?dist}
+Release: 33%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -383,6 +383,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
+- Allow dhcpd to read kernel network state
+
 * Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-32
 - Label /var/run/gdm correctly
 - Fix unconfined_u user creation