- Additional fixes for cyphesis

- Fix certmaster file context - Add policy for system-config-samba
2008-11-04 15:40:31 +00:00 · 2008-11-04 15:40:31 +00:00 · 411a424e1c
parent a023a0be19
commit 411a424e1c
4 changed files with 229 additions and 32 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -1129,6 +1129,13 @@ sendmail = base
 # 
 samba = module

+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+# 
+sambagui = module
+
 # Layer: apps
 # Module: screen
 #
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -1129,6 +1129,13 @@ sendmail = base
 # 
 samba = module

+# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+# 
+sambagui = module
+
 # Layer: apps
 # Module: screen
 #
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -5466,6 +5466,84 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # qemu_unconfined local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
+--- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc	2008-11-04 09:44:32.000000000 -0500
+@@ -0,0 +1,4 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
+
+
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
+--- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if	2008-11-04 10:25:22.000000000 -0500
+@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
+--- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te	2008-11-04 10:21:56.000000000 -0500
+@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smb(sambagui_t)
+samba_domtrans_nmb(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_search_usr(sambagui_t)
+
+fs_list_inotifyfs(sambagui_t)
+
+libs_use_ld_so(sambagui_t)
+libs_use_shared_libs(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+nscd_dontaudit_search_pid(sambagui_t)
+
+optional_policy(`
+	consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+	polkit_dbus_chat(sambagui_t)
+')
+
+permissive sambagui_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2008-08-07 11:15:03.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/apps/screen.fc	2008-10-28 10:56:19.000000000 -0400
@ -6275,8 +6353,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2008-10-28 10:56:19.000000000 -0400
-@@ -79,6 +79,7 @@
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2008-11-04 09:01:51.000000000 -0500
+@@ -79,11 +79,13 @@
 network_port(auth, tcp,113,s0)
 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@ -6284,7 +6362,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(clamd, tcp,3310,s0)
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
-@@ -93,6 +94,7 @@
+ network_port(comsat, udp,512,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dbskkd, tcp,1178,s0)
+@@ -93,6 +95,7 @@
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
@ -6292,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -117,6 +119,8 @@
+@@ -117,6 +120,8 @@
 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@ -6301,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(ktalkd, udp,517,s0, udp,518,s0)
 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +130,7 @@
+@@ -126,6 +131,7 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
@ -6309,7 +6393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
-@@ -137,11 +142,13 @@
+@@ -137,11 +143,13 @@
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
@ -6323,7 +6407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(printer, tcp,515,s0)
 network_port(ptal, tcp,5703,s0)
 network_port(pxe, udp,4011,s0)
-@@ -159,9 +166,10 @@
+@@ -159,9 +167,10 @@
 network_port(rwho, udp,513,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@ -6335,7 +6419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,13 +178,16 @@
+@@ -170,13 +179,16 @@
 network_port(syslogd, udp,514,s0)
 network_port(telnetd, tcp,23,s0)
 network_port(tftp, udp,69,s0)
@ -12157,16 +12241,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
 --- nsaserefpolicy/policy/modules/services/certmaster.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc	2008-10-30 14:43:22.000000000 -0400
-@@ -0,0 +1,11 @@
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc	2008-11-04 08:52:09.000000000 -0500
+@@ -0,0 +1,9 @@
 +
 +/etc/rc\.d/init\.d/certmaster 		--   		gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
 +/usr/bin/certmaster			--		gen_context(system_u:object_r:certmaster_exec_t,s0)
 +
 +/etc/certmaster(/.*)?					gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
 +
-+/etc/pki/certmaster(/.*)? 				gen_context(system_u:object_r:certmaster_cert_t,s0)
-+
 +/var/run/certmaster.*					gen_context(system_u:object_r:certmaster_var_run_t,s0)
 +
 +/var/log/certmaster(/.*)?  				gen_context(system_u:object_r:certmaster_var_log_t,s0)
@ -12641,7 +12723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/log/ConsoleKit(/.*)?	gen_context(system_u:object_r:consolekit_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if	2008-11-04 09:40:18.000000000 -0500
@@ -38,3 +38,24 @@
 	allow $1 consolekit_t:dbus send_msg;
 	allow consolekit_t $1:dbus send_msg;
@ -14081,6 +14163,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
 ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
+--- nsaserefpolicy/policy/modules/services/cyphesis.fc	2008-09-03 11:05:02.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc	2008-11-04 09:54:55.000000000 -0500
+@@ -1 +1,6 @@
+ /usr/bin/cyphesis	--	gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)?		gen_context(system_u:object_r:cyphesis_run_t,s0)
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
 --- nsaserefpolicy/policy/modules/services/dbus.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/dbus.fc	2008-10-28 10:56:19.000000000 -0400
@ -18567,8 +18659,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.if	2008-10-28 10:56:19.000000000 -0400
-@@ -0,0 +1,213 @@
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if	2008-11-04 09:56:57.000000000 -0500
+@@ -0,0 +1,233 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@ -18782,9 +18874,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	polkit_read_lib($2)
 +')
 +
+########################################
+## <summary>
+##	Send and receive messages from
+##	polkit over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_dbus_chat',`
+	gen_require(`
+		type polkit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 polkit_t:dbus send_msg;
+	allow polkit_t $1:dbus send_msg;
+')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
 --- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te	2008-11-04 09:58:08.000000000 -0500
@@ -0,0 +1,231 @@
 +policy_module(polkit_auth, 1.0.0)
 +
@ -21515,11 +21627,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-10-28 10:56:19.000000000 -0400
-@@ -52,6 +52,25 @@
- ##	</summary>
- ## </param>
- #
+++ serefpolicy-3.5.13/policy/modules/services/samba.if	2008-11-04 10:21:25.000000000 -0500
+@@ -44,6 +44,44 @@
+ 
+ ########################################
+ ## <summary>
+##	Execute smbd net in the smbd_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
 +interface(`samba_domtrans_smb',`
 +	gen_require(`
 +		type smbd_t, smbd_exec_t;
@ -21531,7 +21651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Execute samba net in the samba_net domain.
+##	Execute nmbd net in the nmbd_t domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -21539,10 +21659,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
- interface(`samba_domtrans_net',`
- 	gen_require(`
- 		type samba_net_t, samba_net_exec_t;
-@@ -63,6 +82,25 @@
+interface(`samba_domtrans_nmb',`
+	gen_require(`
+		type nmbd_t, nmbd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+########################################
+## <summary>
+ ##	Execute samba net in the samba_net domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -63,6 +101,25 @@
 
 ########################################
 ## <summary>
@ -21568,7 +21699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute samba net in the samba_net domain, and
 ##	allow the specified role the samba_net domain.
 ## </summary>
-@@ -95,6 +133,38 @@
+@@ -95,6 +152,38 @@
 
 ########################################
 ## <summary>
@ -21607,7 +21738,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute smbmount in the smbmount domain.
 ## </summary>
 ## <param name="domain">
-@@ -331,6 +401,25 @@
+@@ -188,6 +277,28 @@
+ 
+ ########################################
+ ## <summary>
+##	Allow the specified domain to read
+##	and write samba configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+	gen_require(`
+		type samba_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+	manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
+ ##	Allow the specified domain to read samba's log files.
+ ## </summary>
+ ## <param name="domain">
+@@ -331,6 +442,25 @@
 
 ########################################
 ## <summary>
@ -21633,7 +21793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Allow the specified domain to
 ##	read and write samba /var files.
 ## </summary>
-@@ -348,6 +437,7 @@
+@@ -348,6 +478,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1, samba_var_t, samba_var_t)
@ -21641,7 +21801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -420,6 +510,7 @@
+@@ -420,6 +551,7 @@
 	')
 
 	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@ -21649,7 +21809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -503,3 +594,190 @@
+@@ -503,3 +635,208 @@
 		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
 	')
 ')
@ -21756,6 +21916,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
+##	Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+	gen_require(`
+		type samba_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
 +##	All of the rules required to administrate 
 +##	an samba environment
 +## </summary>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -457,6 +457,11 @@ exit 0
 %endif

 %changelog
+* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
+- Additional fixes for cyphesis
+- Fix certmaster file context
+- Add policy for system-config-samba
+
 * Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
 - Allow dhcpc to restart ypbind
 - Fixup labeling in /var/run