- Allow ddclient to fix file mode bits of ddclient conf file

- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
This commit is contained in:
Miroslav Grepl 2010-11-22 12:12:57 +01:00
parent d6719f6ecb
commit 3daa6c760b
2 changed files with 88 additions and 35 deletions


@ -10411,10 +10411,18 @@ index 3994e57..ee146ae 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 492bf76..87a6942 100644
index 492bf76..a177011 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -292,9 +292,11 @@ interface(`term_use_console',`
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
interface(`term_use_console',`
gen_require(`
@@ -292,9 +291,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@ -10427,7 +10435,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -334,7 +336,7 @@ interface(`term_relabel_console',`
@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@ -10436,7 +10444,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -848,7 +850,7 @@ interface(`term_dontaudit_use_all_ptys',`
@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@ -10445,7 +10453,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1116,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@ -10454,7 +10462,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1215,7 +1217,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@ -10463,7 +10471,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1231,11 +1233,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@ -10477,7 +10485,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1252,10 +1256,12 @@ interface(`term_getattr_all_ttys',`
@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@ -10490,7 +10498,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1294,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@ -10499,7 +10507,7 @@ index 492bf76..87a6942 100644
')
########################################
@@ -1352,7 +1358,7 @@ interface(`term_dontaudit_use_all_ttys',`
@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@ -13304,7 +13312,7 @@ index ceb2142..e31d92a 100644
')
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index c3a1903..ec40291 100644
index c3a1903..b0e48c6 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -76,7 +76,7 @@ files_search_spool(amavis_t)
@ -13325,6 +13333,14 @@ index c3a1903..ec40291 100644
manage_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
logging_log_filetrans(amavis_t, amavis_var_log_t, { sock_file file dir })
@@ -105,6 +105,7 @@ kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
+corecmd_exec_shell(amavis_t)
corenet_all_recvfrom_unlabeled(amavis_t)
corenet_all_recvfrom_netlabel(amavis_t)
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 9e39aa5..3bfac20 100644
--- a/policy/modules/services/apache.fc
@ -16148,10 +16164,10 @@ index fa62787..ffd0da5 100644
admin_pattern($1, certmaster_etc_rw_t)
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
index 73f03ff..dbfd0a6 100644
index 73f03ff..d5c4c94 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -43,12 +43,12 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })
# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
@ -16166,7 +16182,12 @@ index 73f03ff..dbfd0a6 100644
# read meminfo
kernel_read_system_state(certmaster_t)
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
-corecmd_search_bin(certmaster_t)
-corecmd_getattr_bin_files(certmaster_t)
+corecmd_exec_bin(certmaster_t)
corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)
files_search_etc(certmaster_t)
@ -18940,7 +18961,7 @@ index 0a1a61b..da508f4 100644
allow $1 ddclient_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 24ba98a..0910356 100644
index 24ba98a..41559cf 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t)
@ -18953,13 +18974,15 @@ index 24ba98a..0910356 100644
type ddclient_var_t;
files_type(ddclient_var_t)
@@ -37,12 +40,16 @@ allow ddclient_t self:process signal_perms;
@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms;
allow ddclient_t self:fifo_file rw_fifo_file_perms;
allow ddclient_t self:tcp_socket create_socket_perms;
allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
allow ddclient_t ddclient_etc_t:file read_file_perms;
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
allow ddclient_t ddclient_log_t:file manage_file_perms;
logging_log_filetrans(ddclient_t, ddclient_log_t, file)
@ -18970,7 +18993,7 @@ index 24ba98a..0910356 100644
manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
@@ -74,6 +81,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
@@ -74,6 +82,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
@ -18979,7 +19002,7 @@ index 24ba98a..0910356 100644
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
@@ -89,6 +98,8 @@ files_read_usr_files(ddclient_t)
@@ -89,6 +99,8 @@ files_read_usr_files(ddclient_t)
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
@ -23191,6 +23214,18 @@ index ae9d49f..65e6d81 100644
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
diff --git a/policy/modules/services/lircd.fc b/policy/modules/services/lircd.fc
index 49e04e5..69db026 100644
--- a/policy/modules/services/lircd.fc
+++ b/policy/modules/services/lircd.fc
@@ -2,6 +2,7 @@
/etc/rc\.d/init\.d/lirc -- gen_context(system_u:object_r:lircd_initrc_exec_t,s0)
/etc/lircd\.conf -- gen_context(system_u:object_r:lircd_etc_t,s0)
+/etc/lirc(/.*)? gen_context(system_u:object_r:lircd_etc_t,s0)
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
index 6a78de1..b229ba0 100644
--- a/policy/modules/services/lircd.te
@ -31725,6 +31760,16 @@ index 779fa44..0155ca7 100644
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 5c70c0c..6842295 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -29,3 +29,5 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index cda37bb..484e552 100644
--- a/policy/modules/services/rpc.if
@ -40449,7 +40494,7 @@ index 9775375..41a244a 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index df3fa64..852a6ad 100644
index df3fa64..b123b4a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@ -40476,7 +40521,7 @@ index df3fa64..852a6ad 100644
')
typeattribute $1 daemon;
@@ -205,6 +211,20 @@ interface(`init_daemon_domain',`
@@ -205,6 +211,21 @@ interface(`init_daemon_domain',`
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@ -40493,11 +40538,12 @@ index df3fa64..852a6ad 100644
+ tunable_policy(`init_systemd',`
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
+ ')
# daemons started from init will
# inherit fds from init for the console
@@ -285,7 +305,7 @@ interface(`init_ranged_daemon_domain',`
@@ -285,7 +306,7 @@ interface(`init_ranged_daemon_domain',`
type initrc_t;
')
@ -40506,7 +40552,7 @@ index df3fa64..852a6ad 100644
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
@@ -336,8 +356,10 @@ interface(`init_ranged_daemon_domain',`
@@ -336,8 +357,10 @@ interface(`init_ranged_daemon_domain',`
#
interface(`init_system_domain',`
gen_require(`
@ -40517,7 +40563,7 @@ index df3fa64..852a6ad 100644
')
application_domain($1,$2)
@@ -345,6 +367,19 @@ interface(`init_system_domain',`
@@ -345,6 +368,19 @@ interface(`init_system_domain',`
role system_r types $1;
domtrans_pattern(initrc_t,$2,$1)
@ -40537,7 +40583,7 @@ index df3fa64..852a6ad 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
@@ -353,6 +388,37 @@ interface(`init_system_domain',`
@@ -353,6 +389,37 @@ interface(`init_system_domain',`
kernel_dontaudit_use_fds($1)
')
')
@ -40575,7 +40621,7 @@ index df3fa64..852a6ad 100644
')
########################################
@@ -687,19 +753,24 @@ interface(`init_telinit',`
@@ -687,19 +754,24 @@ interface(`init_telinit',`
type initctl_t;
')
@ -40601,7 +40647,7 @@ index df3fa64..852a6ad 100644
')
')
@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',`
@@ -772,18 +844,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@ -40625,7 +40671,7 @@ index df3fa64..852a6ad 100644
')
')
@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',`
@@ -799,23 +872,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@ -40675,7 +40721,7 @@ index df3fa64..852a6ad 100644
## Execute a init script in a specified domain.
## </summary>
## <desc>
@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',`
@@ -867,8 +962,12 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@ -40688,7 +40734,7 @@ index df3fa64..852a6ad 100644
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',`
@@ -1129,12 +1228,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@ -40702,7 +40748,7 @@ index df3fa64..852a6ad 100644
')
########################################
@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',`
@@ -1374,6 +1468,27 @@ interface(`init_dbus_send_script',`
########################################
## <summary>
## Send and receive messages from
@ -40730,7 +40776,7 @@ index df3fa64..852a6ad 100644
## init scripts over dbus.
## </summary>
## <param name="domain">
@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',`
@@ -1460,6 +1575,25 @@ interface(`init_getattr_script_status_files',`
########################################
## <summary>
@ -40756,7 +40802,7 @@ index df3fa64..852a6ad 100644
## Do not audit attempts to read init script
## status files.
## </summary>
@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',`
@@ -1673,7 +1807,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@ -40765,7 +40811,7 @@ index df3fa64..852a6ad 100644
')
########################################
@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',`
@@ -1748,3 +1882,74 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
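Review bot: The `dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };` line in the `init_daemon_domain` hunk suppresses the symptom of the fd leak named in the commit message rather than closing the inherited descriptors, so the leak stops appearing in audit logs for every daemon domain that uses this interface. Because the inner hunk header grows by exactly one line (`+211,20` to `+211,21`), I read the dontaudit as the line this commit adds and the two allow rules as existing context, which is worth confirming. It deserves a comment recording the reason so it is not mistaken for a permanent rule, e.g. `# init (systemd) leaks its stream sockets to daemons on exec; silence the read/getattr noise until the fds are closed`. Leaving `write` out of the dontaudit set is the right split, since a daemon actually writing to the leaked socket is still denied and logged. The enclosing `init_daemon_domain` interface begins and ends outside the hunk.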


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.9
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,13 @@ exit 0
%endif
%changelog
* Mon Nov 22 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-4
- Allow ddclient to fix file mode bits of ddclient conf file
- init leaks file descriptors to daemons
- Add labels for /etc/lirc/ and
- Allow amavis_t to exec shell
- Add label for gssd_tmp_t for /var/tmp/nfs_0
* Thu Nov 18 2010 Dan Walsh <dwalsh@redhat.com> 3.9.9-3
- Put back in lircd_etc_t so policy will install