From 3daa6c760bdebe8754b2741ae7f7f43c1c80b004 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 22 Nov 2010 12:12:57 +0100 Subject: [PATCH] - Allow ddclient to fix file mode bits of ddclient conf file - init leaks file descriptors to daemons - Add labels for /etc/lirc/ and - Allow amavis_t to exec shell - Add label for gssd_tmp_t for /var/tmp/nfs_0 --- policy-F15.patch | 114 +++++++++++++++++++++++++++++++------------- selinux-policy.spec | 9 +++- 2 files changed, 88 insertions(+), 35 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index bb4daba2..6f8d4141 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -10411,10 +10411,18 @@ index 3994e57..ee146ae 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 492bf76..87a6942 100644 +index 492bf76..a177011 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if -@@ -292,9 +292,11 @@ interface(`term_use_console',` +@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',` + ## Domain allowed access. + ## + ## +-## + # + interface(`term_use_console',` + gen_require(` +@@ -292,9 +291,11 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -10427,7 +10435,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -334,7 +336,7 @@ interface(`term_relabel_console',` +@@ -334,7 +335,7 @@ interface(`term_relabel_console',` ') dev_list_all_dev_nodes($1) @@ -10436,7 +10444,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') 
@@ -10445,7 +10453,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',` ') dev_list_all_dev_nodes($1) @@ -10454,7 +10462,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -10463,7 +10471,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -10477,7 +10485,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',` +@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -10490,7 +10498,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',` +@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -10499,7 +10507,7 @@ index 492bf76..87a6942 100644 ') ######################################## -@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -13304,7 +13312,7 @@ index ceb2142..e31d92a 100644 ') diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index c3a1903..ec40291 100644 +index c3a1903..b0e48c6 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -76,7 +76,7 @@ files_search_spool(amavis_t) 
@@ -13325,6 +13333,14 @@ index c3a1903..ec40291 100644 manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t) logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir }) +@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t) + + # find perl + corecmd_exec_bin(amavis_t) ++corecmd_exec_shell(amavis_t) + + corenet_all_recvfrom_unlabeled(amavis_t) + corenet_all_recvfrom_netlabel(amavis_t) diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc index 9e39aa5..3bfac20 100644 --- a/policy/modules/services/apache.fc @@ -16148,10 +16164,10 @@ index fa62787..ffd0da5 100644 admin_pattern($1, certmaster_etc_rw_t) diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index 73f03ff..dbfd0a6 100644 +index 73f03ff..d5c4c94 100644 --- a/policy/modules/services/certmaster.te +++ b/policy/modules/services/certmaster.te -@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) +@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) # log files manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) @@ -16166,7 +16182,12 @@ index 73f03ff..dbfd0a6 100644 # read meminfo kernel_read_system_state(certmaster_t) -@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t) + +-corecmd_search_bin(certmaster_t) +-corecmd_getattr_bin_files(certmaster_t) ++corecmd_exec_bin(certmaster_t) + + corenet_tcp_bind_generic_node(certmaster_t) corenet_tcp_bind_certmaster_port(certmaster_t) files_search_etc(certmaster_t) @@ -18940,7 +18961,7 @@ index 0a1a61b..da508f4 100644 allow $1 ddclient_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te -index 24ba98a..0910356 100644 +index 24ba98a..41559cf 100644 --- a/policy/modules/services/ddclient.te 
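Review bot: `corecmd_exec_shell(amavis_t)` is inserted directly under the existing `# find perl` comment, which now reads as if it also justified the shell execution; give the new rule its own one-line rationale, e.g. `# amavisd needs a shell: <reason or bug reference>`. corecmd_exec_shell lets the domain run shell_exec_t without a domain transition, so whatever the shell runs stays in amavis_t, which is worth stating explicitly for the next reader who wonders whether a transition was intended. The amavis_t rule body continues outside the hunk.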
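Review bot: The merged certmaster hunk replaces `corecmd_search_bin(certmaster_t)` and `corecmd_getattr_bin_files(certmaster_t)` with `corecmd_exec_bin(certmaster_t)`, widening the domain from path lookup to execution of every bin_t file, yet neither the commit message nor the spec changelog mentions certmaster. Either record it (`- Allow certmaster_t to execute bin files`) or drop it from this patch if it was carried in by accident. If a specific helper is the reason, a comment naming it above the rule would let a later maintainer narrow the grant. The certmaster.te body continues outside the hunk.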
+++ b/policy/modules/services/ddclient.te @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t) @@ -18953,13 +18974,15 @@ index 24ba98a..0910356 100644 type ddclient_var_t; files_type(ddclient_var_t) -@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms; +@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms; allow ddclient_t self:fifo_file rw_fifo_file_perms; allow ddclient_t self:tcp_socket create_socket_perms; allow ddclient_t self:udp_socket create_socket_perms; +allow ddclient_t self:netlink_route_socket r_netlink_socket_perms; - allow ddclient_t ddclient_etc_t:file read_file_perms; +-allow ddclient_t ddclient_etc_t:file read_file_perms; ++read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) ++setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t) allow ddclient_t ddclient_log_t:file manage_file_perms; logging_log_filetrans(ddclient_t, ddclient_log_t, file) @@ -18970,7 +18993,7 @@ index 24ba98a..0910356 100644 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) +@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) @@ -18979,7 +19002,7 @@ index 24ba98a..0910356 100644 corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) -@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t) +@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t) fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) 
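Review bot: `setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)` grants the full `setattr` file permission, which covers ownership and timestamp changes as well as the mode bits named in the changelog, and it lets the daemon loosen the mode just as easily as tighten it on a file that presumably holds its provider credentials. If ddclient only complains about an over-permissive config rather than failing, a `dontaudit` of setattr would keep the audit log quiet without granting the write; if it genuinely must succeed, add a comment above the rule such as `# ddclient chmods its own config when the mode is too open` so the grant is not later mistaken for an error. The hunk also drops the plain `allow ... read_file_perms` in favour of `read_files_pattern`, which additionally grants search on the directory type; that is fine but worth a word in the commit message.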
@@ -23191,6 +23214,18 @@ index ae9d49f..65e6d81 100644 manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t) +diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc +index 49e04e5..69db026 100644 +--- a/policy/modules/services/lircd.fc ++++ b/policy/modules/services/lircd.fc +@@ -2,6 +2,7 @@ + + /etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0) + /etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0) ++/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0) + + /usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0) + diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te index 6a78de1..b229ba0 100644 --- a/policy/modules/services/lircd.te @@ -31725,6 +31760,16 @@ index 779fa44..0155ca7 100644 remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) +diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc +index 5c70c0c..6842295 100644 +--- a/policy/modules/services/rpc.fc ++++ b/policy/modules/services/rpc.fc +@@ -29,3 +29,5 @@ + + /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) + /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) ++ ++/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index cda37bb..484e552 100644 --- a/policy/modules/services/rpc.if @@ -40449,7 +40494,7 @@ index 9775375..41a244a 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..852a6ad 100644 +index df3fa64..b123b4a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` 
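Review bot: `/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)` pins a fixed file name inside the shared, world-writable /var/tmp, so a relabel assigns gssd_tmp_t to whatever file happens to occupy that path at the time, regardless of who created it. That is the usual limitation of an fc entry in a tmp directory; if gssd creates the file itself, a tmp filetrans rule in rpc.te (not visible here) already labels it at creation and this entry only matters for restorecon. A short comment above the entry naming the component that creates nfs_0 and why a fixed name is needed would make that trade-off visible to the next reader.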
@@ -40476,7 +40521,7 @@ index df3fa64..852a6ad 100644 ') typeattribute $1 daemon; -@@ -205,6 +211,20 @@ interface(`init_daemon_domain',` +@@ -205,6 +211,21 @@ interface(`init_daemon_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -40493,11 +40538,12 @@ index df3fa64..852a6ad 100644 + tunable_policy(`init_systemd',` + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; ++ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr }; + ') # daemons started from init will # inherit fds from init for the console -@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',` +@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',` type initrc_t; ') @@ -40506,7 +40552,7 @@ index df3fa64..852a6ad 100644 ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',` +@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -40517,7 +40563,7 @@ index df3fa64..852a6ad 100644 ') application_domain($1,$2) -@@ -345,6 +367,19 @@ interface(`init_system_domain',` +@@ -345,6 +368,19 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -40537,7 +40583,7 @@ index df3fa64..852a6ad 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +388,37 @@ interface(`init_system_domain',` +@@ -353,6 +389,37 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -40575,7 +40621,7 @@ index df3fa64..852a6ad 100644 ') ######################################## -@@ -687,19 +753,24 @@ interface(`init_telinit',` +@@ -687,19 +754,24 @@ interface(`init_telinit',` type initctl_t; ') 
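Review bot: `dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };` silences the denials caused by the leaked descriptor but carries no explanation, whereas the neighbouring `# daemons started from init will` / `# inherit fds from init for the console` comment documents the analogous console case. Add a matching comment above the new rule, e.g. `# systemd leaks its stream socket fds into daemons; silence, do not grant`, so nobody later "fixes" it into an allow. Including `ioctl` in the suppression is broader than the read/getattr a leaked fd typically triggers; if it is not actually being denied, dropping it keeps the dontaudit minimal. The enclosing interface init_daemon_domain begins in an earlier hunk.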
@@ -40601,7 +40647,7 @@ index df3fa64..852a6ad 100644 ') ') -@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',` +@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -40625,7 +40671,7 @@ index df3fa64..852a6ad 100644 ') ') -@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',` +@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -40675,7 +40721,7 @@ index df3fa64..852a6ad 100644 ## Execute a init script in a specified domain. ## ## -@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',` +@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -40688,7 +40734,7 @@ index df3fa64..852a6ad 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',` +@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -40702,7 +40748,7 @@ index df3fa64..852a6ad 100644 ') ######################################## -@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',` +@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -40730,7 +40776,7 @@ index df3fa64..852a6ad 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',` +@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -40756,7 +40802,7 @@ index df3fa64..852a6ad 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
@@ -40765,7 +40811,7 @@ index df3fa64..852a6ad 100644 ') ######################################## -@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 1c1d405b..0c5a81d5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.9 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Mon Nov 22 2010 Miroslav Grepl 3.9.9-4 +- Allow ddclient to fix file mode bits of ddclient conf file +- init leaks file descriptors to daemons +- Add labels for /etc/lirc/ and +- Allow amavis_t to exec shell +- Add label for gssd_tmp_t for /var/tmp/nfs_0 + * Thu Nov 18 2010 Dan Walsh 3.9.9-3 - Put back in lircd_etc_t so policy will install