- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap - init executes mcelog, initrc_t needs to manage faillog. - fix xserver_ralabel_xdm_tmp_dirs - Allow dovecot_deliver_t to list dovecot_etc_t - Run acroread as execmem_t
This commit is contained in:
parent
7297a334b4
commit
50dacaca09
113
policy-F15.patch
113
policy-F15.patch
@ -371,6 +371,35 @@ index 66e486e..bfda8e9 100644
|
||||
gnome_manage_config(firstboot_t)
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
|
||||
index 4198ff5..df3f4d6 100644
|
||||
--- a/policy/modules/admin/kdump.if
|
||||
+++ b/policy/modules/admin/kdump.if
|
||||
@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
|
||||
allow $1 kdump_etc_t:file read_file_perms;
|
||||
')
|
||||
|
||||
+#####################################
|
||||
+## <summary>
|
||||
+## Dontaudit read kdump configuration file.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kdump_dontaudit_read_config',`
|
||||
+ gen_require(`
|
||||
+ type kdump_etc_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
|
||||
+')
|
||||
+
|
||||
####################################
|
||||
## <summary>
|
||||
## Manage kdump configuration file.
|
||||
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
|
||||
index 7390b15..a46b249 100644
|
||||
--- a/policy/modules/admin/logrotate.te
|
||||
@ -35262,7 +35291,7 @@ index a4fbe31..a717e2d 100644
|
||||
|
||||
logging_list_logs($1)
|
||||
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
|
||||
index b775aaf..1e40c2a 100644
|
||||
index b775aaf..7718dbb 100644
|
||||
--- a/policy/modules/services/uucp.te
|
||||
+++ b/policy/modules/services/uucp.te
|
||||
@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
|
||||
@ -35281,7 +35310,7 @@ index b775aaf..1e40c2a 100644
|
||||
|
||||
dev_read_urand(uucpd_t)
|
||||
|
||||
@@ -113,13 +113,17 @@ optional_policy(`
|
||||
@@ -113,13 +113,19 @@ optional_policy(`
|
||||
kerberos_use(uucpd_t)
|
||||
')
|
||||
|
||||
@ -35297,6 +35326,8 @@ index b775aaf..1e40c2a 100644
|
||||
allow uux_t self:capability { setuid setgid };
|
||||
-allow uux_t self:fifo_file write_file_perms;
|
||||
+allow uux_t self:fifo_file write_fifo_file_perms;
|
||||
+
|
||||
+domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
|
||||
|
||||
uucp_append_log(uux_t)
|
||||
uucp_manage_spool(uux_t)
|
||||
@ -39445,7 +39476,7 @@ index 1c4b1e7..ffa4134 100644
|
||||
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index bea0ade..5ad363e 100644
|
||||
index bea0ade..f459bae 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
||||
@ -39615,7 +39646,7 @@ index bea0ade..5ad363e 100644
|
||||
+ type faillog_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 faillog_t:file relable_file_perms;
|
||||
+ allow $1 faillog_t:file relabel_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
@ -41697,7 +41728,7 @@ index 1d1c399..3ab3a47 100644
|
||||
+ tgtd_manage_semaphores(iscsid_t)
|
||||
')
|
||||
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
|
||||
index 9df8c4d..7a942fc 100644
|
||||
index 9df8c4d..8d1d7fa 100644
|
||||
--- a/policy/modules/system/libraries.fc
|
||||
+++ b/policy/modules/system/libraries.fc
|
||||
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
|
||||
@ -41743,7 +41774,16 @@ index 9df8c4d..7a942fc 100644
|
||||
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
|
||||
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -41751,7 +41791,7 @@ index 9df8c4d..7a942fc 100644
|
||||
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -41759,7 +41799,7 @@ index 9df8c4d..7a942fc 100644
|
||||
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -41775,7 +41815,7 @@ index 9df8c4d..7a942fc 100644
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
|
||||
@ -42721,7 +42761,7 @@ index 9c0faab..def8d5a 100644
|
||||
## loading modules.
|
||||
## </summary>
|
||||
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
||||
index 74a4466..3120e0e 100644
|
||||
index 74a4466..7243733 100644
|
||||
--- a/policy/modules/system/modutils.te
|
||||
+++ b/policy/modules/system/modutils.te
|
||||
@@ -18,6 +18,7 @@ type insmod_t;
|
||||
@ -42732,7 +42772,17 @@ index 74a4466..3120e0e 100644
|
||||
role system_r types insmod_t;
|
||||
|
||||
# module loading config
|
||||
@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
|
||||
@@ -36,6 +37,9 @@ role system_r types update_modules_t;
|
||||
type update_modules_tmp_t;
|
||||
files_tmp_file(update_modules_tmp_t)
|
||||
|
||||
+type insmod_tmpfs_t;
|
||||
+files_tmpfs_file(insmod_tmpfs_t)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# depmod local policy
|
||||
@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t)
|
||||
|
||||
domain_use_interactive_fds(depmod_t)
|
||||
|
||||
@ -42748,7 +42798,7 @@ index 74a4466..3120e0e 100644
|
||||
|
||||
fs_getattr_xattr_fs(depmod_t)
|
||||
|
||||
@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
|
||||
@@ -74,6 +81,7 @@ userdom_use_user_terminals(depmod_t)
|
||||
# Read System.map from home directories.
|
||||
files_list_home(depmod_t)
|
||||
userdom_read_user_home_content_files(depmod_t)
|
||||
@ -42756,7 +42806,7 @@ index 74a4466..3120e0e 100644
|
||||
|
||||
ifdef(`distro_ubuntu',`
|
||||
optional_policy(`
|
||||
@@ -104,7 +109,7 @@ optional_policy(`
|
||||
@@ -104,11 +112,12 @@ optional_policy(`
|
||||
# insmod local policy
|
||||
#
|
||||
|
||||
@ -42765,7 +42815,22 @@ index 74a4466..3120e0e 100644
|
||||
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow insmod_t self:udp_socket create_socket_perms;
|
||||
@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
|
||||
allow insmod_t self:rawip_socket create_socket_perms;
|
||||
+allow insmod_t self:shm create_shm_perms;
|
||||
|
||||
# Read module config and dependency information
|
||||
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
|
||||
@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
|
||||
|
||||
can_exec(insmod_t, insmod_exec_t)
|
||||
|
||||
+manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
|
||||
+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
|
||||
+
|
||||
kernel_load_module(insmod_t)
|
||||
kernel_read_system_state(insmod_t)
|
||||
kernel_read_network_state(insmod_t)
|
||||
@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t)
|
||||
kernel_mount_debugfs(insmod_t)
|
||||
kernel_mount_kvmfs(insmod_t)
|
||||
kernel_read_debugfs(insmod_t)
|
||||
@ -42773,7 +42838,7 @@ index 74a4466..3120e0e 100644
|
||||
# Rules for /proc/sys/kernel/tainted
|
||||
kernel_read_kernel_sysctls(insmod_t)
|
||||
kernel_rw_kernel_sysctl(insmod_t)
|
||||
@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
|
||||
@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t)
|
||||
dev_read_sound(insmod_t)
|
||||
dev_write_sound(insmod_t)
|
||||
dev_rw_apm_bios(insmod_t)
|
||||
@ -42781,7 +42846,7 @@ index 74a4466..3120e0e 100644
|
||||
|
||||
domain_signal_all_domains(insmod_t)
|
||||
domain_use_interactive_fds(insmod_t)
|
||||
@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
|
||||
@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t)
|
||||
|
||||
fs_getattr_xattr_fs(insmod_t)
|
||||
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
|
||||
@ -42797,7 +42862,7 @@ index 74a4466..3120e0e 100644
|
||||
|
||||
logging_send_syslog_msg(insmod_t)
|
||||
logging_search_logs(insmod_t)
|
||||
@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
|
||||
@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t)
|
||||
|
||||
seutil_read_file_contexts(insmod_t)
|
||||
|
||||
@ -42807,7 +42872,7 @@ index 74a4466..3120e0e 100644
|
||||
userdom_dontaudit_search_user_home_dirs(insmod_t)
|
||||
|
||||
if( ! secure_mode_insmod ) {
|
||||
@@ -186,8 +196,11 @@ optional_policy(`
|
||||
@@ -186,8 +203,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -42821,7 +42886,7 @@ index 74a4466..3120e0e 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -235,6 +248,10 @@ optional_policy(`
|
||||
@@ -235,6 +255,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -44543,7 +44608,7 @@ index 8e71fb7..350d003 100644
|
||||
+ role_transition $1 dhcpc_exec_t system_r;
|
||||
')
|
||||
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
|
||||
index dfbe736..5740b79 100644
|
||||
index dfbe736..e70feca 100644
|
||||
--- a/policy/modules/system/sysnetwork.te
|
||||
+++ b/policy/modules/system/sysnetwork.te
|
||||
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
|
||||
@ -44701,10 +44766,14 @@ index dfbe736..5740b79 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -334,6 +379,10 @@ optional_policy(`
|
||||
@@ -334,6 +379,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ kdump_dontaudit_read_config(ifconfig_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ netutils_domtrans(dhcpc_t)
|
||||
+')
|
||||
+
|
||||
@ -44712,7 +44781,7 @@ index dfbe736..5740b79 100644
|
||||
nis_use_ypbind(ifconfig_t)
|
||||
')
|
||||
|
||||
@@ -355,3 +404,9 @@ optional_policy(`
|
||||
@@ -355,3 +408,9 @@ optional_policy(`
|
||||
xen_append_log(ifconfig_t)
|
||||
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
|
||||
')
|
||||
|
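Review bot: The summary of the new `kdump_dontaudit_read_config` interface says "Dontaudit read kdump configuration file", but the rule it wraps silences only `read_inherited_file_perms` (getattr/read/ioctl/lock on an already-open descriptor, no `open`), so a caller reading the name and summary would expect `read_file_perms` to be covered as well. Suggest narrowing the summary to `## Do not audit reads of an inherited kdump configuration file descriptor.` so the scope is explicit and matches the commit message ("kdump leaks kdump_etc_t to ifconfig"). Because the interface exists to hide a descriptor leaked across the exec into ifconfig_t, a one-line comment at the `kdump_dontaudit_read_config(ifconfig_t)` call in sysnetwork.te noting that the leak itself remains to be fixed in kdump (close or CLOEXEC the config file before exec) would keep the dontaudit from being mistaken for the fix. The kdump.if hunk begins inside the preceding `kdump_read_config` interface, whose start is outside this section.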
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.8
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -471,6 +471,18 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Nov 11 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-5
|
||||
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
|
||||
- uux needs to transition to uucpd_t
|
||||
- More init fixes relabels man,faillog
|
||||
- Remove maxima defs in libraries.fc
|
||||
- insmod needs to be able to create tmpfs_t files
|
||||
- ping needs setcap
|
||||
- init executes mcelog, initrc_t needs to manage faillog.
|
||||
- fix xserver_ralabel_xdm_tmp_dirs
|
||||
- Allow dovecot_deliver_t to list dovecot_etc_t
|
||||
- Run acroread as execmem_t
|
||||
|
||||
* Wed Nov 10 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-4
|
||||
- Fix init to be able to relabel wtmp, tmp files
|
||||
|
||||
|