- Additional fixes for cyphesis

- Fix certmaster file context
- Add policy for system-config-samba
This commit is contained in:
Daniel J Walsh 2008-11-04 15:40:31 +00:00
parent a023a0be19
commit 411a424e1c
4 changed files with 229 additions and 32 deletions

View File

@ -1129,6 +1129,13 @@ sendmail = base
#
samba = module
# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
#
sambagui = module
# Layer: apps
# Module: screen
#

View File

@ -1129,6 +1129,13 @@ sendmail = base
#
samba = module
# Layer: apps
# Module: sambagui
#
# policy for system-config-samba
#
sambagui = module
# Layer: apps
# Module: screen
#

View File

@ -5466,6 +5466,84 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# qemu_unconfined local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500
@@ -0,0 +1,4 @@
+/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
+
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500
@@ -0,0 +1,2 @@
+## <summary>system-config-samba policy</summary>
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500
@@ -0,0 +1,60 @@
+policy_module(sambagui,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sambagui_t;
+type sambagui_exec_t;
+
+dbus_system_domain(sambagui_t, sambagui_exec_t)
+
+########################################
+#
+# system-config-samba local policy
+#
+
+allow sambagui_t self:fifo_file rw_fifo_file_perms;
+
+# handling with samba conf files
+samba_append_log(sambagui_t)
+samba_manage_config(sambagui_t)
+samba_manage_var_files(sambagui_t)
+samba_initrc_domtrans(sambagui_t)
+samba_domtrans_smb(sambagui_t)
+samba_domtrans_nmb(sambagui_t)
+
+# execut apps of system-config-samba
+corecmd_exec_shell(sambagui_t)
+corecmd_exec_bin(sambagui_t)
+
+files_read_etc_files(sambagui_t)
+files_search_var_lib(sambagui_t)
+files_search_usr(sambagui_t)
+
+fs_list_inotifyfs(sambagui_t)
+
+libs_use_ld_so(sambagui_t)
+libs_use_shared_libs(sambagui_t)
+
+# reading shadow by pdbedit
+#auth_read_shadow(sambagui_t)
+
+miscfiles_read_localization(sambagui_t)
+
+# read meminfo
+kernel_read_system_state(sambagui_t)
+
+dev_dontaudit_read_urand(sambagui_t)
+nscd_dontaudit_search_pid(sambagui_t)
+
+optional_policy(`
+ consoletype_exec(sambagui_t)
+')
+
+optional_policy(`
+ polkit_dbus_chat(sambagui_t)
+')
+
+permissive sambagui_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400
@ -6275,8 +6353,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400
@@ -79,6 +79,7 @@
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500
@@ -79,11 +79,13 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@ -6284,7 +6362,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@@ -93,6 +94,7 @@
network_port(comsat, udp,512,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
@@ -93,6 +95,7 @@
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
@ -6292,7 +6376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -117,6 +119,8 @@
@@ -117,6 +120,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@ -6301,7 +6385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -126,6 +130,7 @@
@@ -126,6 +131,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@ -6309,7 +6393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
@@ -137,11 +142,13 @@
@@ -137,11 +143,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
@ -6323,7 +6407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
@@ -159,9 +166,10 @@
@@ -159,9 +167,10 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@ -6335,7 +6419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
@@ -170,13 +178,16 @@
@@ -170,13 +179,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -12157,16 +12241,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-10-30 14:43:22.000000000 -0400
@@ -0,0 +1,11 @@
+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500
@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
+/etc/pki/certmaster(/.*)? gen_context(system_u:object_r:certmaster_cert_t,s0)
+
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
@ -12641,7 +12723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500
@@ -38,3 +38,24 @@
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
@ -14081,6 +14163,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
@@ -1 +1,6 @@
/usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
+
+/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
+
+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400
@ -18567,8 +18659,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-10-28 10:56:19.000000000 -0400
@@ -0,0 +1,213 @@
+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500
@@ -0,0 +1,233 @@
+
+## <summary>policy for polkit_auth</summary>
+
@ -18782,9 +18874,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ polkit_read_lib($2)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## polkit over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`polkit_dbus_chat',`
+ gen_require(`
+ type polkit_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 polkit_t:dbus send_msg;
+ allow polkit_t $1:dbus send_msg;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-10-28 10:56:19.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-04 09:58:08.000000000 -0500
@@ -0,0 +1,231 @@
+policy_module(polkit_auth, 1.0.0)
+
@ -21515,11 +21627,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-10-28 10:56:19.000000000 -0400
@@ -52,6 +52,25 @@
## </summary>
## </param>
#
+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 10:21:25.000000000 -0500
@@ -44,6 +44,44 @@
########################################
## <summary>
+## Execute smbd net in the smbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smb',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
@ -21531,7 +21651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
+## Execute nmbd net in the nmbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
@ -21539,10 +21659,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## </param>
+#
interface(`samba_domtrans_net',`
gen_require(`
type samba_net_t, samba_net_exec_t;
@@ -63,6 +82,25 @@
+interface(`samba_domtrans_nmb',`
+ gen_require(`
+ type nmbd_t, nmbd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
+')
+
+########################################
+## <summary>
## Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
@@ -63,6 +101,25 @@
########################################
## <summary>
@ -21568,7 +21699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
@@ -95,6 +133,38 @@
@@ -95,6 +152,38 @@
########################################
## <summary>
@ -21607,7 +21738,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
@@ -331,6 +401,25 @@
@@ -188,6 +277,28 @@
########################################
## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`samba_manage_config',`
+ gen_require(`
+ type samba_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
+ manage_files_pattern($1, samba_etc_t, samba_etc_t)
+')
+
+########################################
+## <summary>
## Allow the specified domain to read samba's log files.
## </summary>
## <param name="domain">
@@ -331,6 +442,25 @@
########################################
## <summary>
@ -21633,7 +21793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow the specified domain to
## read and write samba /var files.
## </summary>
@@ -348,6 +437,7 @@
@@ -348,6 +478,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
@ -21641,7 +21801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -420,6 +510,7 @@
@@ -420,6 +551,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@ -21649,7 +21809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -503,3 +594,190 @@
@@ -503,3 +635,208 @@
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
')
@ -21756,6 +21916,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`samba_initrc_domtrans',`
+ gen_require(`
+ type samba_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, samba_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an samba environment
+## </summary>

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
Release: 13%{?dist}
Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -457,6 +457,11 @@ exit 0
%endif
%changelog
* Tue Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-14
- Additional fixes for cyphesis
- Fix certmaster file context
- Add policy for system-config-samba
* Mon Nov 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-13
- Allow dhcpc to restart ypbind
- Fixup labeling in /var/run