trunk: 3 patches from dan.

2007-09-11 19:24:32 +00:00 · 2007-09-11 19:24:32 +00:00 · 134a799c75
commit 134a799c75
parent 8a9d6f6449
5 changed files with 169 additions and 17 deletions
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@ -1,5 +1,5 @@

-policy_module(inetd,1.4.1)
+policy_module(inetd,1.4.2)

 ########################################
 #
@ -80,16 +80,21 @@ corenet_tcp_bind_auth_port(inetd_t)
 corenet_udp_bind_comsat_port(inetd_t)
 corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
+corenet_tcp_bind_ftp_port(inetd_t)
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
 corenet_udp_bind_rsh_port(inetd_t)
+corenet_tcp_bind_rsh_port(inetd_t)
 corenet_tcp_bind_rsync_port(inetd_t)
 corenet_udp_bind_rsync_port(inetd_t)
 #corenet_tcp_bind_stunnel_port(inetd_t)
 corenet_tcp_bind_swat_port(inetd_t)
 corenet_udp_bind_swat_port(inetd_t)
+corenet_tcp_bind_telnetd_port(inetd_t)
 corenet_udp_bind_tftp_port(inetd_t)
 corenet_tcp_bind_ssh_port(inetd_t)

@ -134,6 +139,7 @@ miscfiles_read_localization(inetd_t)
 # xinetd needs MLS override privileges to work
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
+mls_socket_write_to_clearance(inetd_t)
 mls_process_set_level(inetd_t)

 sysnet_read_config(inetd_t)
@ -141,6 +147,11 @@ sysnet_read_config(inetd_t)
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)

+ifdef(`enable_mls',`
+	corenet_tcp_recvfrom_netlabel(inetd_t)
+	corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(inetd_t)
 	term_dontaudit_use_generic_ptys(inetd_t)
@ -208,6 +219,8 @@ fs_getattr_xattr_fs(inetd_child_t)

 files_read_etc_files(inetd_child_t)

+auth_use_nsswitch(inetd_child_t)
+
 libs_use_ld_so(inetd_child_t)
 libs_use_shared_libs(inetd_child_t)

@ -225,10 +238,3 @@ optional_policy(`
 	kerberos_use(inetd_child_t)
 ')

-optional_policy(`
-	nis_use_ypbind(inetd_child_t)
-')
-
-optional_policy(`
-	nscd_socket_use(inetd_child_t)
-')
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@ -14,6 +14,7 @@ ifdef(`distro_redhat', `
 /usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/libexec/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ', `
 /usr/lib/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
@ -28,6 +29,7 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+/usr/lib/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@ -41,6 +41,8 @@ template(`postfix_domain_template',`
 	allow postfix_$1_t self:unix_stream_socket connectto;

 	allow postfix_master_t postfix_$1_t:process signal;
+	#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+	allow postfix_$1_t postfix_master_t:file read;

 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
 	read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
@ -66,6 +68,7 @@ template(`postfix_domain_template',`

 	fs_search_auto_mountpoints(postfix_$1_t)
 	fs_getattr_xattr_fs(postfix_$1_t)
+	fs_rw_anon_inodefs_files(postfix_$1_t)

 	term_dontaudit_use_console(postfix_$1_t)

@ -138,10 +141,8 @@ template(`postfix_server_domain_template',`
 	corenet_tcp_connect_all_ports(postfix_$1_t)
 	corenet_sendrecv_all_client_packets(postfix_$1_t)

-	sysnet_read_config(postfix_$1_t)
-
 	optional_policy(`
-		nis_use_ypbind(postfix_$1_t)
+		auth_use_nsswitch(postfix_$1_t)
 	')
 ')

@ -273,6 +274,42 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
 	dontaudit $1 postfix_local_t:tcp_socket { read write };
 ')

+########################################
+## <summary>
+##	Allow domain to read postfix local process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_local_state',`
+	gen_require(`
+		type postfix_local_t;
+	')
+
+	read_files_pattern($1,postfix_local_t,postfix_local_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to read postfix master process state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_master_state',`
+	gen_require(`
+		type postfix_master_t;
+	')
+
+	read_files_pattern($1,postfix_master_t,postfix_master_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to use
@ -381,6 +418,25 @@ interface(`postfix_exec_master',`
 	can_exec($1,postfix_master_exec_t)
 ')

+########################################
+## <summary>
+##	Create a named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_create_pivate_sockets',`
+	gen_require(`
+		type postfix_private_t;
+	')
+
+	allow $1 postfix_private_t:dir list_dir_perms;
+	create_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute the master postfix program in the
@ -438,6 +494,25 @@ interface(`postfix_list_spool',`
 	files_search_spool($1)
 ')

+########################################
+## <summary>
+##	Read postfix mail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_read_spool_files',`
+	gen_require(`
+		type postfix_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,postfix_spool_t, postfix_spool_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute postfix user mail programs
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@ -1,5 +1,5 @@

-policy_module(postfix,1.6.1)
+policy_module(postfix,1.6.2)

 ########################################
 #
@ -83,6 +83,12 @@ files_type(postfix_public_t)
 type postfix_var_run_t;
 files_pid_file(postfix_var_run_t)

+postfix_server_domain_template(virtual)
+mta_mailserver_delivery(postfix_virtual_t)
+
+type postfix_virtual_tmp_t;
+files_tmp_file(postfix_virtual_tmp_t)
+
 ########################################
 #
 # Postfix master process local policy
@ -158,6 +164,8 @@ domain_use_interactive_fds(postfix_master_t)

 files_read_usr_files(postfix_master_t)

+term_dontaudit_search_ptys(postfix_master_t)
+
 miscfiles_read_man_pages(postfix_master_t)

 seutil_sigchld_newrole(postfix_master_t)
@ -169,6 +177,10 @@ sysnet_read_config(postfix_master_t)
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)

+optional_policy(`
+	auth_use_nsswitch(postfix_master_t)
+')
+
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(postfix_master_t)
 	term_dontaudit_use_generic_ptys(postfix_master_t)
@ -183,10 +195,18 @@ optional_policy(`
 	mailman_manage_data_files(postfix_master_t)
 ')

+optional_policy(`
+	mysql_stream_connect(postfix_master_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(postfix_master_t)
 ')

+optional_policy(`
+	sendmail_signal(postfix_master_t)
+')
+
 ###########################################################
 #
 # Partially converted rules.  THESE ARE ONLY TEMPORARY
@ -387,7 +407,7 @@ delete_files_pattern(postfix_pickup_t,postfix_spool_maildrop_t,postfix_spool_mai
 # Postfix pipe local policy
 #

-allow postfix_pipe_t self:fifo_file { read write };
+allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;

 write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)

@ -441,6 +461,11 @@ optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
 ')

+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
+optional_policy(`
+	fstools_read_pipes(postfix_postdrop_t)
+')
+
 optional_policy(`
 	ppp_use_fds(postfix_postqueue_t)
 	ppp_sigchld(postfix_postqueue_t)
@ -520,8 +545,6 @@ sysnet_dns_name_resolve(postfix_showq_t)
 # Postfix smtp delivery local policy
 #

-allow postfix_smtp_t self:netlink_route_socket r_netlink_socket_perms;
-
 # connect to master process
 stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)

@ -529,6 +552,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;

 allow postfix_smtp_t postfix_spool_t:file rw_file_perms;

+files_dontaudit_getattr_home_dir(postfix_smtp_t)
+
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
@ -552,6 +577,10 @@ corecmd_exec_bin(postfix_smtpd_t)
 files_read_usr_files(postfix_smtpd_t)
 mta_read_aliases(postfix_smtpd_t)

+optional_policy(`
+	mailman_read_data_files(postfix_smtpd_t)
+')
+
 optional_policy(`
 	postgrey_stream_connect(postfix_smtpd_t)
 ')
@ -559,3 +588,31 @@ optional_policy(`
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
 ')
+
+########################################
+#
+# Postfix virtual local policy
+#
+
+allow postfix_virtual_t self:fifo_file rw_fifo_file_perms;
+allow postfix_virtual_t self:process { setsched setrlimit };
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
+manage_dirs_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
+manage_files_pattern(postfix_virtual_t,postfix_virtual_tmp_t,postfix_virtual_tmp_t)
+files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
+
+# connect to master process
+stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t)
+
+corecmd_exec_shell(postfix_virtual_t)
+corecmd_exec_bin(postfix_virtual_t)
+
+files_read_etc_files(postfix_virtual_t)
+
+mta_read_aliases(postfix_virtual_t)
+mta_delete_spool(postfix_virtual_t)
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@ -1,5 +1,5 @@

-policy_module(locallogin,1.4.1)
+policy_module(locallogin,1.4.2)

 ########################################
 #
@ -25,6 +25,7 @@ domain_subj_id_change_exemption(sulogin_t)
 domain_role_change_exemption(sulogin_t)
 domain_interactive_fd(sulogin_t)
 init_domain(sulogin_t,sulogin_exec_t)
+init_system_domain(sulogin_t,sulogin_exec_t)
 role system_r types sulogin_t;

 ########################################
@ -138,7 +139,6 @@ userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)

 ifdef(`targeted_policy',`
-	unconfined_domain(local_login_t)
 	unconfined_shell_domtrans(local_login_t)
 ')

@ -160,6 +160,13 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_read_cifs_symlinks(local_login_t)
 ')

+optional_policy(`
+	dbus_system_bus_client_template(local_login,local_login_t)
+	dbus_send_system_bus(local_login_t)
+
+	consolekit_dbus_chat(local_login_t)
+')
+
 optional_policy(`
 	gpm_getattr_gpmctl(local_login_t)
 	gpm_setattr_gpmctl(local_login_t)
@ -186,6 +193,11 @@ optional_policy(`
 	alsa_domtrans(local_login_t)
 ')

+optional_policy(`
+	xserver_read_xdm_tmp_files(local_login_t)
+	xserver_rw_xdm_tmp_files(local_login_t)
+')
+
 #################################
 # 
 # Sulogin local policy