- Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0
This commit is contained in:
Miroslav Grepl
parent
d6719f6ecb
commit
3daa6c760b
114
policy-F15.patch
114
policy-F15.patch
|
|
@ -10411,10 +10411,18 @@ index 3994e57..ee146ae 100644
|
|||
+
|
||||
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
|
||||
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
|
||||
index 492bf76..87a6942 100644
|
||||
index 492bf76..a177011 100644
|
||||
--- a/policy/modules/kernel/terminal.if
|
||||
+++ b/policy/modules/kernel/terminal.if
|
||||
@@ -292,9 +292,11 @@ interface(`term_use_console',`
|
||||
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
-## <rolecap/>
|
||||
#
|
||||
interface(`term_use_console',`
|
||||
gen_require(`
|
||||
@@ -292,9 +291,11 @@ interface(`term_use_console',`
|
||||
interface(`term_dontaudit_use_console',`
|
||||
gen_require(`
|
||||
type console_device_t;
|
||||
|
|
@ -10427,7 +10435,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
|
||||
@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
|
|
@ -10436,7 +10444,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
||||
@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',`
|
||||
attribute ptynode;
|
||||
')
|
||||
|
||||
|
|
@ -10445,7 +10453,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
|
||||
@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
|
|
@ -10454,7 +10462,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
type tty_device_t;
|
||||
')
|
||||
|
||||
|
|
@ -10463,7 +10471,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
|
||||
#
|
||||
interface(`term_getattr_all_ttys',`
|
||||
gen_require(`
|
||||
|
|
@ -10477,7 +10485,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
|
||||
@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',`
|
||||
interface(`term_dontaudit_getattr_all_ttys',`
|
||||
gen_require(`
|
||||
attribute ttynode;
|
||||
|
|
@ -10490,7 +10498,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
|
||||
@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',`
|
||||
')
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
|
|
@ -10499,7 +10507,7 @@ index 492bf76..87a6942 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
||||
@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',`
|
||||
attribute ttynode;
|
||||
')
|
||||
|
||||
|
|
@ -13304,7 +13312,7 @@ index ceb2142..e31d92a 100644
|
|||
')
|
||||
|
||||
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
|
||||
index c3a1903..ec40291 100644
|
||||
index c3a1903..b0e48c6 100644
|
||||
--- a/policy/modules/services/amavis.te
|
||||
+++ b/policy/modules/services/amavis.te
|
||||
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
|
||||
|
|
@ -13325,6 +13333,14 @@ index c3a1903..ec40291 100644
|
|||
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
|
||||
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
|
||||
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
|
||||
@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
|
||||
|
||||
# find perl
|
||||
corecmd_exec_bin(amavis_t)
|
||||
+corecmd_exec_shell(amavis_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(amavis_t)
|
||||
corenet_all_recvfrom_netlabel(amavis_t)
|
||||
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
|
||||
index 9e39aa5..3bfac20 100644
|
||||
--- a/policy/modules/services/apache.fc
|
||||
|
|
@ -16148,10 +16164,10 @@ index fa62787..ffd0da5 100644
|
|||
admin_pattern($1, certmaster_etc_rw_t)
|
||||
|
||||
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
|
||||
index 73f03ff..dbfd0a6 100644
|
||||
index 73f03ff..d5c4c94 100644
|
||||
--- a/policy/modules/services/certmaster.te
|
||||
+++ b/policy/modules/services/certmaster.te
|
||||
@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
|
||||
@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
|
||||
|
||||
# log files
|
||||
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
|
||||
|
|
@ -16166,7 +16182,12 @@ index 73f03ff..dbfd0a6 100644
|
|||
|
||||
# read meminfo
|
||||
kernel_read_system_state(certmaster_t)
|
||||
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
|
||||
|
||||
-corecmd_search_bin(certmaster_t)
|
||||
-corecmd_getattr_bin_files(certmaster_t)
|
||||
+corecmd_exec_bin(certmaster_t)
|
||||
|
||||
corenet_tcp_bind_generic_node(certmaster_t)
|
||||
corenet_tcp_bind_certmaster_port(certmaster_t)
|
||||
|
||||
files_search_etc(certmaster_t)
|
||||
|
|
@ -18940,7 +18961,7 @@ index 0a1a61b..da508f4 100644
|
|||
|
||||
allow $1 ddclient_t:process { ptrace signal_perms };
|
||||
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
|
||||
index 24ba98a..0910356 100644
|
||||
index 24ba98a..41559cf 100644
|
||||
--- a/policy/modules/services/ddclient.te
|
||||
+++ b/policy/modules/services/ddclient.te
|
||||
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
|
||||
|
|
@ -18953,13 +18974,15 @@ index 24ba98a..0910356 100644
|
|||
type ddclient_var_t;
|
||||
files_type(ddclient_var_t)
|
||||
|
||||
@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
|
||||
@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
|
||||
allow ddclient_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ddclient_t self:tcp_socket create_socket_perms;
|
||||
allow ddclient_t self:udp_socket create_socket_perms;
|
||||
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ddclient_t ddclient_etc_t:file read_file_perms;
|
||||
-allow ddclient_t ddclient_etc_t:file read_file_perms;
|
||||
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
|
||||
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
|
||||
|
||||
allow ddclient_t ddclient_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
|
||||
|
|
@ -18970,7 +18993,7 @@ index 24ba98a..0910356 100644
|
|||
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
|
||||
@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
||||
@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_udp_sendrecv_generic_node(ddclient_t)
|
||||
corenet_tcp_sendrecv_all_ports(ddclient_t)
|
||||
corenet_udp_sendrecv_all_ports(ddclient_t)
|
||||
|
|
@ -18979,7 +19002,7 @@ index 24ba98a..0910356 100644
|
|||
corenet_tcp_connect_all_ports(ddclient_t)
|
||||
corenet_sendrecv_all_client_packets(ddclient_t)
|
||||
|
||||
@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
|
||||
@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
|
||||
fs_getattr_all_fs(ddclient_t)
|
||||
fs_search_auto_mountpoints(ddclient_t)
|
||||
|
||||
|
|
@ -23191,6 +23214,18 @@ index ae9d49f..65e6d81 100644
|
|||
|
||||
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
|
||||
|
||||
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
|
||||
index 49e04e5..69db026 100644
|
||||
--- a/policy/modules/services/lircd.fc
|
||||
+++ b/policy/modules/services/lircd.fc
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
|
||||
/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
|
||||
+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
|
||||
|
||||
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
|
||||
|
||||
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
|
||||
index 6a78de1..b229ba0 100644
|
||||
--- a/policy/modules/services/lircd.te
|
||||
|
|
@ -31725,6 +31760,16 @@ index 779fa44..0155ca7 100644
|
|||
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
remotelogin_signal(rlogind_t)
|
||||
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
|
||||
index 5c70c0c..6842295 100644
|
||||
--- a/policy/modules/services/rpc.fc
|
||||
+++ b/policy/modules/services/rpc.fc
|
||||
@@ -29,3 +29,5 @@
|
||||
|
||||
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
||||
+
|
||||
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
|
||||
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
|
||||
index cda37bb..484e552 100644
|
||||
--- a/policy/modules/services/rpc.if
|
||||
|
|
@ -40449,7 +40494,7 @@ index 9775375..41a244a 100644
|
|||
#
|
||||
# /var
|
||||
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
|
||||
index df3fa64..852a6ad 100644
|
||||
index df3fa64..b123b4a 100644
|
||||
--- a/policy/modules/system/init.if
|
||||
+++ b/policy/modules/system/init.if
|
||||
@@ -105,7 +105,11 @@ interface(`init_domain',`
|
||||
|
|
@ -40476,7 +40521,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
|
||||
typeattribute $1 daemon;
|
||||
@@ -205,6 +211,20 @@ interface(`init_daemon_domain',`
|
||||
@@ -205,6 +211,21 @@ interface(`init_daemon_domain',`
|
||||
role system_r types $1;
|
||||
|
||||
domtrans_pattern(initrc_t,$2,$1)
|
||||
|
|
@ -40493,11 +40538,12 @@ index df3fa64..852a6ad 100644
|
|||
+ tunable_policy(`init_systemd',`
|
||||
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
|
||||
+ allow $1 init_t:unix_dgram_socket sendto;
|
||||
+ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
|
||||
+ ')
|
||||
|
||||
# daemons started from init will
|
||||
# inherit fds from init for the console
|
||||
@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',`
|
||||
@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
|
|
@ -40506,7 +40552,7 @@ index df3fa64..852a6ad 100644
|
|||
|
||||
ifdef(`enable_mcs',`
|
||||
range_transition initrc_t $2:process $3;
|
||||
@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',`
|
||||
@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',`
|
||||
#
|
||||
interface(`init_system_domain',`
|
||||
gen_require(`
|
||||
|
|
@ -40517,7 +40563,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
|
||||
application_domain($1,$2)
|
||||
@@ -345,6 +367,19 @@ interface(`init_system_domain',`
|
||||
@@ -345,6 +368,19 @@ interface(`init_system_domain',`
|
||||
role system_r types $1;
|
||||
|
||||
domtrans_pattern(initrc_t,$2,$1)
|
||||
|
|
@ -40537,7 +40583,7 @@ index df3fa64..852a6ad 100644
|
|||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# RHEL4 systems seem to have a stray
|
||||
@@ -353,6 +388,37 @@ interface(`init_system_domain',`
|
||||
@@ -353,6 +389,37 @@ interface(`init_system_domain',`
|
||||
kernel_dontaudit_use_fds($1)
|
||||
')
|
||||
')
|
||||
|
|
@ -40575,7 +40621,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -687,19 +753,24 @@ interface(`init_telinit',`
|
||||
@@ -687,19 +754,24 @@ interface(`init_telinit',`
|
||||
type initctl_t;
|
||||
')
|
||||
|
||||
|
|
@ -40601,7 +40647,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',`
|
||||
@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',`
|
||||
#
|
||||
interface(`init_spec_domtrans_script',`
|
||||
gen_require(`
|
||||
|
|
@ -40625,7 +40671,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
')
|
||||
|
||||
@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',`
|
||||
@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',`
|
||||
#
|
||||
interface(`init_domtrans_script',`
|
||||
gen_require(`
|
||||
|
|
@ -40675,7 +40721,7 @@ index df3fa64..852a6ad 100644
|
|||
## Execute a init script in a specified domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',`
|
||||
@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',`
|
||||
interface(`init_labeled_script_domtrans',`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
|
|
@ -40688,7 +40734,7 @@ index df3fa64..852a6ad 100644
|
|||
domtrans_pattern($1, $2, initrc_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',`
|
||||
@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',`
|
||||
')
|
||||
|
||||
kernel_search_proc($1)
|
||||
|
|
@ -40702,7 +40748,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',`
|
||||
@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
|
|
@ -40730,7 +40776,7 @@ index df3fa64..852a6ad 100644
|
|||
## init scripts over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',`
|
||||
@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
|
@ -40756,7 +40802,7 @@ index df3fa64..852a6ad 100644
|
|||
## Do not audit attempts to read init script
|
||||
## status files.
|
||||
## </summary>
|
||||
@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',`
|
||||
type initrc_var_run_t;
|
||||
')
|
||||
|
||||
|
|
@ -40765,7 +40811,7 @@ index df3fa64..852a6ad 100644
|
|||
')
|
||||
|
||||
########################################
|
||||
@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',`
|
||||
')
|
||||
corenet_udp_recvfrom_labeled($1, daemon)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@
|
|||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.9
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
|
|
@ -471,6 +471,13 @@ exit 0
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
|
||||
- Allow ddclient to fix file mode bits of ddclient conf file
|
||||
- init leaks file descriptors to daemons
|
||||
- Add labels for /etc/lirc/ and
|
||||
- Allow amavis_t to exec shell
|
||||
- Add label for gssd_tmp_t for /var/tmp/nfs_0
|
||||
|
||||
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
|
||||
- Put back in lircd_etc_t so policy will install
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue