From 24b80bf8d9b955b01c29ead65324ee0c5934b500 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 27 Sep 2011 10:16:54 -0400
Subject: [PATCH] Make unconfined domains permissive for rawhide
Add definition for ephermeral ports
---
 ephemeral.patch | 39 +++++++++++++++++++++++++++++++++++++
 selinux-policy.spec | 11 +++++++++--
 unconfined_permissive.patch | 14 +++++++++++++
 3 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 ephemeral.patch
 create mode 100644 unconfined_permissive.patch
diff --git a/ephemeral.patch b/ephemeral.patch
new file mode 100644
index 00000000..849780a4
--- /dev/null
+++ b/ephemeral.patch
@@ -0,0 +1,39 @@
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index 3b5de31..dfd5b61 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -66,11 +66,17 @@ type port_t, port_type;
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
+-# port_t is the default type of INET port numbers.
++# unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
+ #
+ type unreserved_port_t, port_type, unreserved_port_type;
+ 
+ #
++# ephemeral_port_t is the default type of ephemeral port numbers.
++# cat /proc/sys/net/ipv4/ip_local_port_range
++#
++type ephemeral_port_t, port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -292,9 +298,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+-portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+-
++portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
++portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ ########################################
+ #
+ # Network nodes
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 29adf533..fc940c38 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
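Review bot: The last added portcon line in the second nested hunk repeats `portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)` while no udp entry exists for that range, so udp 61001-65535 is left without a portcon (presumably falling back to the port_t default from the `sid port` line) and tcp 61001-65535 is declared twice; the line should read `portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)`. Separately, ephemeral_port_t is declared with only `port_type`, unlike unreserved_port_t which also carries `unreserved_port_type`, so anything granted through that attribute no longer covers 32768-61000; if that narrowing is intended it deserves a comment next to the type declaration. The 32768-61000 split hard-codes one kernel default for ip_local_port_range, so a host that tunes that sysctl will use ports the policy labels unreserved_port_t as ephemeral ones (or the reverse), and the `# cat /proc/sys/net/ipv4/ip_local_port_range` comment could say that the portcon ranges must be kept in step with it. The `> 1024` in the new unreserved_port_t comment should be `>= 1024`, since the portcon ranges below start at 1024.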
@@ -17,12 +17,13 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34%{?dist}
+Release: 34.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
-#patch1: ephemeral.patch
+patch1: ephemeral.patch
+patch2: unconfined_permissive.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -236,6 +237,8 @@ Based off of reference policy: Checked out revision 2.20091117
 %prep
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch1 -p1
+%patch2 -p1
 
 %install
 mkdir selinux_config
@@ -467,6 +470,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Sep 26 2011 Dan Walsh 3.10.0-34.1
+- Change unconfined_domains to permissive for Rawhide
+- Add definition for the ephemeral_ports
+
 * Mon Sep 26 2011 Miroslav Grepl 3.10.0-34
 - Make mta_role() active
 - Allow asterisk to connect to jabber client port
diff --git a/unconfined_permissive.patch b/unconfined_permissive.patch
new file mode 100644
index 00000000..2071487b
--- /dev/null
+++ b/unconfined_permissive.patch
@@ -0,0 +1,14 @@
+diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
+index 683497a..6717658 100644
+--- a/policy/modules/system/unconfined.if
++++ b/policy/modules/system/unconfined.if
+@@ -136,7 +136,8 @@ interface(`unconfined_domain',`
+ attribute unconfined_services;
+ ')
+ 
+- unconfined_domain_noaudit($1)
++permissive $1;
++# unconfined_domain_noaudit($1)
+ 
+ tunable_policy(`allow_execheap',`
+ auditallow $1 self:process execheap;
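Review bot: `patch2: unconfined_permissive.patch` in the first spec hunk and the matching `%patch2 -p1` in the second are applied unconditionally, although the changelog entry in the third hunk limits the change to Rawhide; any rebuild of this spec for a released branch would therefore ship a policy whose unconfined domains are permissive. Guarding both lines with a distribution-version conditional, or at least a comment on the `patch2:` line such as `# Rawhide only: drop before branching`, would make the intent visible where the patch is enabled rather than only in the changelog. As a minor point of style, the `patch:`/`patch1:`/`patch2:` tags are lower-case while the neighbouring `Source1:` tags are capitalised; rpm accepts both, but the file is inconsistent.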
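Review bot: Replacing `unconfined_domain_noaudit($1)` with `permissive $1;` inside `unconfined_domain` affects every caller of that interface in every policy type built from this tree, and it removes whatever the `_noaudit` call granted (presumably its dontaudit rules as well as its allow rules), so every access by an unconfined domain is now recorded as a denial instead of silently allowed; that is the stated goal, but it means the main unconfined user domain alone can produce a very large audit volume, which should be mentioned somewhere in the patch. Because the change is meant to be temporary, the commented-out call needs a why-comment, e.g. `# Rawhide only: unconfined domains run permissive instead of receiving unconfined_domain_noaudit($1); restore the call before branching`. As a point of style, the two added lines sit at column 0 inside an indented interface body, and leaving the old call as a comment is less clear than removing it and relying on the patch itself to record what was replaced. The enclosing interface starts and ends outside the hunk.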