- Fix cyphesis file context

2008-11-05 20:34:06 +00:00 · 2008-11-05 20:34:06 +00:00 · 074b12f275
parent 6a09cfb688
commit 074b12f275
3 changed files with 44 additions and 27 deletions
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -1003,6 +1003,13 @@ logwatch = base
 # 
 setrans = base

+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+# 
+setroubleshoot = base
+
 # Layer: services
 # Module: openvpn
 #
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -8400,7 +8400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2008-10-08 19:00:23.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc	2008-11-05 13:22:07.000000000 -0500
@@ -36,7 +36,7 @@
 /dev/pg[0-3]		-c	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ps3d.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@ -14165,13 +14165,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
 --- nsaserefpolicy/policy/modules/services/cyphesis.fc	2008-09-03 11:05:02.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc	2008-11-04 09:54:55.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc	2008-11-05 15:12:14.000000000 -0500
@@ -1 +1,6 @@
 /usr/bin/cyphesis	--	gen_context(system_u:object_r:cyphesis_exec_t,s0)
 +
 +/var/log/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_log_t,s0)
 +
-+/var/run/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_run_t,s0)
+/var/run/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_var_run_t,s0)
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
 --- nsaserefpolicy/policy/modules/services/dbus.fc	2008-08-07 11:15:11.000000000 -0400
@ -26338,7 +26338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-10-16 17:21:16.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.te	2008-10-29 13:26:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te	2008-11-05 15:24:47.000000000 -0500
@@ -8,6 +8,14 @@
 
 ## <desc>
@ -26443,7 +26443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 xserver_common_domain_template(xdm)
 xserver_common_x_domain_template(xdm, xdm, xdm_t)
 init_system_domain(xdm_xserver_t, xserver_exec_t)
-@@ -140,8 +193,9 @@
+@@ -140,13 +193,14 @@
 # XDM Local policy
 #
 
@ -26455,6 +26455,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
+ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+-allow xdm_t self:unix_dgram_socket create_socket_perms;
+allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow xdm_t self:tcp_socket create_stream_socket_perms;
+ allow xdm_t self:udp_socket create_socket_perms;
+ allow xdm_t self:socket create_socket_perms;
@@ -154,6 +208,12 @@
 allow xdm_t self:key { search link write };
 
@ -26477,7 +26483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -176,15 +238,31 @@
+@@ -176,15 +238,32 @@
 manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -26497,6 +26503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)	
 manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file)
+manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)
 +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir })
 +# Read machine-id
@ -26511,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -198,6 +276,7 @@
+@@ -198,6 +277,7 @@
 allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
 
 allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -26519,7 +26526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # connect to xdm xserver over stream socket
 stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t)
-@@ -229,6 +308,7 @@
+@@ -229,6 +309,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -26527,7 +26534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -241,6 +321,7 @@
+@@ -241,6 +322,7 @@
 dev_getattr_mouse_dev(xdm_t)
 dev_setattr_mouse_dev(xdm_t)
 dev_rw_apm_bios(xdm_t)
@ -26535,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_setattr_apm_bios_dev(xdm_t)
 dev_rw_dri(xdm_t)
 dev_rw_agp(xdm_t)
-@@ -253,14 +334,17 @@
+@@ -253,14 +335,17 @@
 dev_setattr_video_dev(xdm_t)
 dev_getattr_scanner_dev(xdm_t)
 dev_setattr_scanner_dev(xdm_t)
@ -26555,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(xdm_t)
 files_read_var_files(xdm_t)
-@@ -271,9 +355,13 @@
+@@ -271,9 +356,13 @@
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
@ -26569,7 +26576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 storage_dontaudit_read_fixed_disk(xdm_t)
 storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -282,6 +370,7 @@
+@@ -282,6 +371,7 @@
 storage_dontaudit_raw_write_removable_device(xdm_t)
 storage_dontaudit_setattr_removable_dev(xdm_t)
 storage_dontaudit_rw_scsi_generic(xdm_t)
@ -26577,7 +26584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 term_setattr_console(xdm_t)
 term_use_unallocated_ttys(xdm_t)
-@@ -290,6 +379,7 @@
+@@ -290,6 +380,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -26585,7 +26592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
-@@ -301,21 +391,26 @@
+@@ -301,21 +392,26 @@
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
@ -26617,7 +26624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
-@@ -348,10 +443,12 @@
+@@ -348,10 +444,12 @@
 
 optional_policy(`
 	alsa_domtrans(xdm_t)
@ -26630,7 +26637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -359,6 +456,22 @@
+@@ -359,6 +457,22 @@
 ')
 
 optional_policy(`
@ -26653,7 +26660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +495,34 @@
+@@ -382,16 +496,34 @@
 ')
 
 optional_policy(`
@ -26689,7 +26696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	ifndef(`distro_redhat',`
 		allow xdm_t self:process { execheap execmem };
-@@ -411,6 +542,10 @@
+@@ -411,6 +543,10 @@
 ')
 
 optional_policy(`
@ -26700,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	xfs_stream_connect(xdm_t)
 ')
 
-@@ -427,7 +562,7 @@
+@@ -427,7 +563,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
@ -26709,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +574,15 @@
+@@ -439,6 +575,15 @@
 can_exec(xdm_xserver_t, xkb_var_lib_t)
 files_search_var_lib(xdm_xserver_t)
 
@ -26725,7 +26732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xdm_xserver_t)
 
-@@ -450,10 +594,19 @@
+@@ -450,10 +595,19 @@
 # xdm_xserver_t may no longer have any reason
 # to read ROLE_home_t - examine this in more detail
 # (xauth?)
@ -26746,7 +26753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xdm_xserver_t)
 	fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +621,19 @@
+@@ -468,8 +622,19 @@
 
 optional_policy(`
 	dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@ -26766,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 optional_policy(`
 	resmgr_stream_connect(xdm_t)
-@@ -481,8 +645,25 @@
+@@ -481,8 +646,25 @@
 ')
 
 optional_policy(`
@ -26794,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	ifndef(`distro_redhat',`
 		allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +672,6 @@
+@@ -491,7 +673,6 @@
 	ifdef(`distro_rhel4',`
 		allow xdm_xserver_t self:process { execheap execmem };
 	')
@ -26802,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 ########################################
 #
-@@ -512,6 +692,27 @@
+@@ -512,6 +693,27 @@
 allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
 
@ -26830,7 +26837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ifdef(`TODO',`
 # Need to further investigate these permissions and
 # perhaps define derived types.
-@@ -544,3 +745,70 @@
+@@ -544,3 +746,70 @@
 #
 allow pam_t xdm_t:fifo_file { getattr ioctl write };
 ') dnl end TODO
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -457,6 +457,9 @@ exit 0
 %endif

 %changelog
+* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-16
+- Fix cyphesis file context
+
 * Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-15
 - Allow hal/pm-utils to look at /var/run/video.rom
 - Add ulogd policy