- kdump leaks kdump_etc_t to ifconfig, add dontaudit

- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
Dan Walsh 2010-11-12 09:56:06 -05:00
parent 7297a334b4
commit 50dacaca09
2 changed files with 104 additions and 23 deletions


@ -371,6 +371,35 @@ index 66e486e..bfda8e9 100644
gnome_manage_config(firstboot_t)
')
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
index 4198ff5..df3f4d6 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+## <summary>
+## Dontaudit read kdump configuration file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kdump_dontaudit_read_config',`
+ gen_require(`
+ type kdump_etc_t;
+ ')
+
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
+')
+
####################################
## <summary>
## Manage kdump configuration file.
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7390b15..a46b249 100644
--- a/policy/modules/admin/logrotate.te
@ -35262,7 +35291,7 @@ index a4fbe31..a717e2d 100644
logging_list_logs($1)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index b775aaf..1e40c2a 100644
index b775aaf..7718dbb 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
@ -35281,7 +35310,7 @@ index b775aaf..1e40c2a 100644
dev_read_urand(uucpd_t)
@@ -113,13 +113,17 @@ optional_policy(`
@@ -113,13 +113,19 @@ optional_policy(`
kerberos_use(uucpd_t)
')
@ -35297,6 +35326,8 @@ index b775aaf..1e40c2a 100644
allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
+
+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
@ -39445,7 +39476,7 @@ index 1c4b1e7..ffa4134 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bea0ade..5ad363e 100644
index bea0ade..f459bae 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@ -39615,7 +39646,7 @@ index bea0ade..5ad363e 100644
+ type faillog_t;
+ ')
+
+ allow $1 faillog_t:file relable_file_perms;
+ allow $1 faillog_t:file relabel_file_perms;
+')
+
+########################################
@ -41697,7 +41728,7 @@ index 1d1c399..3ab3a47 100644
+ tgtd_manage_semaphores(iscsid_t)
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 9df8c4d..7a942fc 100644
index 9df8c4d..8d1d7fa 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
@ -41743,7 +41774,16 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -41751,7 +41791,7 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -41759,7 +41799,7 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -41775,7 +41815,7 @@ index 9df8c4d..7a942fc 100644
') dnl end distro_redhat
#
@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -42721,7 +42761,7 @@ index 9c0faab..def8d5a 100644
## loading modules.
## </summary>
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 74a4466..3120e0e 100644
index 74a4466..7243733 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,6 +18,7 @@ type insmod_t;
@ -42732,7 +42772,17 @@ index 74a4466..3120e0e 100644
role system_r types insmod_t;
# module loading config
@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
@@ -36,6 +37,9 @@ role system_r types update_modules_t;
type update_modules_tmp_t;
files_tmp_file(update_modules_tmp_t)
+type insmod_tmpfs_t;
+files_tmpfs_file(insmod_tmpfs_t)
+
########################################
#
# depmod local policy
@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
@ -42748,7 +42798,7 @@ index 74a4466..3120e0e 100644
fs_getattr_xattr_fs(depmod_t)
@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
@@ -74,6 +81,7 @@ userdom_use_user_terminals(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
@ -42756,7 +42806,7 @@ index 74a4466..3120e0e 100644
ifdef(`distro_ubuntu',`
optional_policy(`
@@ -104,7 +109,7 @@ optional_policy(`
@@ -104,11 +112,12 @@ optional_policy(`
# insmod local policy
#
@ -42765,7 +42815,22 @@ index 74a4466..3120e0e 100644
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
allow insmod_t self:rawip_socket create_socket_perms;
+allow insmod_t self:shm create_shm_perms;
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
+
kernel_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_read_network_state(insmod_t)
@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
@ -42773,7 +42838,7 @@ index 74a4466..3120e0e 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@ -42781,7 +42846,7 @@ index 74a4466..3120e0e 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@ -42797,7 +42862,7 @@ index 74a4466..3120e0e 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@ -42807,7 +42872,7 @@ index 74a4466..3120e0e 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
@@ -186,8 +196,11 @@ optional_policy(`
@@ -186,8 +203,11 @@ optional_policy(`
')
optional_policy(`
@ -42821,7 +42886,7 @@ index 74a4466..3120e0e 100644
')
optional_policy(`
@@ -235,6 +248,10 @@ optional_policy(`
@@ -235,6 +255,10 @@ optional_policy(`
')
optional_policy(`
@ -44543,7 +44608,7 @@ index 8e71fb7..350d003 100644
+ role_transition $1 dhcpc_exec_t system_r;
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..5740b79 100644
index dfbe736..e70feca 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@ -44701,10 +44766,14 @@ index dfbe736..5740b79 100644
')
optional_policy(`
@@ -334,6 +379,10 @@ optional_policy(`
@@ -334,6 +379,14 @@ optional_policy(`
')
optional_policy(`
+ kdump_dontaudit_read_config(ifconfig_t)
+')
+
+optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
@ -44712,7 +44781,7 @@ index dfbe736..5740b79 100644
nis_use_ypbind(ifconfig_t)
')
@@ -355,3 +404,9 @@ optional_policy(`
@@ -355,3 +408,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
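Review bot: The summary of the new `kdump_dontaudit_read_config` interface in kdump.if promises to dontaudit reading the kdump configuration file, but the rule uses `read_inherited_file_perms`, which in refpolicy covers reads on an already-open descriptor rather than opening the file, matching the descriptor leak the commit message describes; the summary should say so, e.g. `## Do not audit attempts to read an inherited kdump configuration file descriptor.`, so a later caller does not expect it to silence open+read denials. The caller added in sysnetwork.te, `kdump_dontaudit_read_config(ifconfig_t)`, fits that narrower meaning, though note that the dontaudit only hides the symptom and the leaked descriptor in kdump itself (presumably a missing close-on-exec) is left as is. Separately, the new modutils.te lines `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` omit the space after each comma that the surrounding rules use; `manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t, insmod_tmpfs_t, file)` match the file's style.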


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,18 @@ exit 0
%endif
%changelog
* Thu Nov 11 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-5
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
- More init fixes relabels man,faillog
- Remove maxima defs in libraries.fc
- insmod needs to be able to create tmpfs_t files
- ping needs setcap
- init executes mcelog, initrc_t needs to manage faillog.
- fix xserver_ralabel_xdm_tmp_dirs
- Allow dovecot_deliver_t to list dovecot_etc_t
- Run acroread as execmem_t
* Wed Nov 10 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-4
- Fix init to be able to relabel wtmp, tmp files