- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t

Dan Walsh 2010-11-12 10:59:01 -05:00
parent 50dacaca09
commit 519b05a70f
2 changed files with 143 additions and 44 deletions


@ -489,6 +489,18 @@ index 75ce30f..f3347aa 100644
files_getattr_all_file_type_fs(logwatch_t)
')
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index 5a9cebf..276941d 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -7,6 +7,7 @@ policy_module(mcelog, 1.0.1)
type mcelog_t;
type mcelog_exec_t;
+init_system_domain(mcelog_t, mcelog_exec_t)
application_domain(mcelog_t, mcelog_exec_t)
cron_system_entry(mcelog_t, mcelog_exec_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 0e19d80..9d58abe 100644
--- a/policy/modules/admin/mrtg.te
@ -1996,10 +2008,10 @@ index 7fd0900..899e234 100644
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
index 0000000..278b3a3
index 0000000..4ef897d
--- /dev/null
+++ b/policy/modules/apps/execmem.fc
@@ -0,0 +1,49 @@
@@ -0,0 +1,50 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@ -2049,6 +2061,7 @@ index 0000000..278b3a3
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
index 0000000..06ed3de
@ -9391,7 +9404,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 437a42a..b9e3aa9 100644
index 437a42a..725b363 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@ -9721,7 +9734,33 @@ index 437a42a..b9e3aa9 100644
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',`
@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',`
read_lnk_files_pattern($1, removable_t, removable_t)
')
+######################################
+## <summary>
+## Read block nodes on removable filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_removable_blk_files',`
+ gen_require(`
+ type removable_t;
+ ')
+
+ allow $1 removable_t:dir list_dir_perms;
+ read_blk_files_pattern($1, removable_t, removable_t)
+')
+
########################################
## <summary>
## Read and write block nodes on removable filesystems.
@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@ -9729,7 +9768,7 @@ index 437a42a..b9e3aa9 100644
allow $1 nfs_t:dir manage_dir_perms;
')
@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',`
@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@ -9737,7 +9776,7 @@ index 437a42a..b9e3aa9 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@ -9746,7 +9785,7 @@ index 437a42a..b9e3aa9 100644
## </summary>
## <param name="domain">
## <summary>
@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',`
@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@ -9754,7 +9793,7 @@ index 437a42a..b9e3aa9 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@ -9797,7 +9836,7 @@ index 437a42a..b9e3aa9 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',`
@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@ -9806,7 +9845,7 @@ index 437a42a..b9e3aa9 100644
')
########################################
@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',`
@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@ -19945,7 +19984,7 @@ index e1d7dc5..ee51a19 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index cbe14e4..9e2f6d5 100644
index cbe14e4..e74c9fe 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -20037,12 +20076,14 @@ index cbe14e4..9e2f6d5 100644
postfix_search_spool(dovecot_auth_t)
')
@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
+
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@ -20071,7 +20112,7 @@ index cbe14e4..9e2f6d5 100644
miscfiles_read_localization(dovecot_deliver_t)
@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',`
@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@ -22451,7 +22492,7 @@ index 3525d24..e5db539 100644
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 604f67b..8c72504 100644
index 604f67b..31a6075 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@ -22517,8 +22558,31 @@ index 604f67b..8c72504 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
@@ -378,3 +376,22 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
+
+########################################
+## <summary>
+## Type transition files created in /tmp
+## to the krb5_host_rcache type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_tmp_filetrans_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
+ files_tmp_filetrans($1, krb5_host_rcache_t, file)
+')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 8edc29b..744e7d6 100644
index 8edc29b..ee97d9f 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@ -22534,6 +22598,15 @@ index 8edc29b..744e7d6 100644
## </desc>
gen_tunable(allow_kerberos, false)
@@ -40,7 +40,7 @@ files_type(krb5_conf_t)
type krb5_home_t;
userdom_user_home_content(krb5_home_t)
-type krb5_host_rcache_t;
+type krb5_host_rcache_t alias saslauthd_tmp_t;
files_tmp_file(krb5_host_rcache_t)
# types for general configuration files in /etc
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@ -32517,12 +32590,27 @@ index f1aea88..c3ffa9d 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 22184ad..687f9ae 100644
index 22184ad..d87a3f0 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr;
manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
type saslauthd_initrc_exec_t;
init_script_file(saslauthd_initrc_exec_t)
-type saslauthd_tmp_t;
-files_tmp_file(saslauthd_tmp_t)
-
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
-allow saslauthd_t saslauthd_tmp_t:dir setattr;
-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+mta_tmp_filetrans_host_rcache(saslauthd_t)
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@ -32539,7 +32627,7 @@ index 22184ad..687f9ae 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
@@ -94,6 +98,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
@ -36778,7 +36866,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 6f1e3c7..6a160b2 100644
index 6f1e3c7..ecfe665 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,23 @@
@ -36889,7 +36977,7 @@ index 6f1e3c7..6a160b2 100644
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
@ -36904,7 +36992,7 @@ index 6f1e3c7..6a160b2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index da2601a..19018ae 100644
index da2601a..4b06508 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@ -37395,7 +37483,7 @@ index da2601a..19018ae 100644
+ type xdm_tmp_t;
+ ')
+
+ allow initrc_t initrc_tmp_t:dir relabel_dir_perms;
+ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
@ -40534,7 +40622,7 @@ index df3fa64..73dc579 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a105fd..eb0cec2 100644
index 8a105fd..3f105f0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@ -40918,7 +41006,15 @@ index 8a105fd..eb0cec2 100644
selinux_get_enforce_mode(initrc_t)
@@ -394,13 +568,14 @@ logging_read_audit_config(initrc_t)
@@ -374,6 +548,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
+auth_manage_faillog(initrc_t)
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
@@ -394,13 +569,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@ -40934,7 +41030,7 @@ index 8a105fd..eb0cec2 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -473,7 +648,7 @@ ifdef(`distro_redhat',`
@@ -473,7 +649,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -40943,7 +41039,7 @@ index 8a105fd..eb0cec2 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -519,6 +694,23 @@ ifdef(`distro_redhat',`
@@ -519,6 +695,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@ -40967,7 +41063,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -526,10 +718,17 @@ ifdef(`distro_redhat',`
@@ -526,10 +719,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -40985,7 +41081,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -544,6 +743,35 @@ ifdef(`distro_suse',`
@@ -544,6 +744,35 @@ ifdef(`distro_suse',`
')
')
@ -41021,7 +41117,7 @@ index 8a105fd..eb0cec2 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -556,6 +784,8 @@ optional_policy(`
@@ -556,6 +785,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -41030,7 +41126,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -572,6 +802,7 @@ optional_policy(`
@@ -572,6 +803,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@ -41038,7 +41134,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -584,6 +815,11 @@ optional_policy(`
@@ -584,6 +816,11 @@ optional_policy(`
')
optional_policy(`
@ -41050,7 +41146,7 @@ index 8a105fd..eb0cec2 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -600,9 +836,13 @@ optional_policy(`
@@ -600,9 +837,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -41064,7 +41160,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -701,7 +941,13 @@ optional_policy(`
@@ -701,7 +942,13 @@ optional_policy(`
')
optional_policy(`
@ -41078,7 +41174,7 @@ index 8a105fd..eb0cec2 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -724,6 +970,10 @@ optional_policy(`
@@ -724,6 +971,10 @@ optional_policy(`
')
optional_policy(`
@ -41089,7 +41185,7 @@ index 8a105fd..eb0cec2 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -737,6 +987,10 @@ optional_policy(`
@@ -737,6 +988,10 @@ optional_policy(`
')
optional_policy(`
@ -41100,7 +41196,7 @@ index 8a105fd..eb0cec2 100644
quota_manage_flags(initrc_t)
')
@@ -745,6 +999,10 @@ optional_policy(`
@@ -745,6 +1000,10 @@ optional_policy(`
')
optional_policy(`
@ -41111,7 +41207,7 @@ index 8a105fd..eb0cec2 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
@@ -766,8 +1024,6 @@ optional_policy(`
@@ -766,8 +1025,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -41120,7 +41216,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -776,14 +1032,21 @@ optional_policy(`
@@ -776,14 +1033,21 @@ optional_policy(`
')
optional_policy(`
@ -41142,7 +41238,7 @@ index 8a105fd..eb0cec2 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -805,11 +1068,19 @@ optional_policy(`
@@ -805,11 +1069,19 @@ optional_policy(`
')
optional_policy(`
@ -41163,7 +41259,7 @@ index 8a105fd..eb0cec2 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -819,6 +1090,25 @@ optional_policy(`
@@ -819,6 +1091,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@ -41189,7 +41285,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
@@ -844,3 +1134,59 @@ optional_policy(`
@@ -844,3 +1135,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
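Review bot: The interface added in the policy/modules/services/kerberos.if hunk is named `mta_tmp_filetrans_host_rcache` although it is defined in the kerberos module and only wraps the kerberos type krb5_host_rcache_t; refpolicy convention prefixes an interface with its own module's name, so it should be `kerberos_tmp_filetrans_host_rcache`, with the caller in sasl.te renamed to match. In the sasl.te hunk the removed lines dropped `manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)` and the dir setattr rule, but the replacement adds only the file transition, so unless something outside the hunk (possibly the `kerberos_keytab_template(saslauthd, saslauthd_t)` call in the optional_policy block further down that file) grants saslauthd_t manage rights on krb5_host_rcache_t, the daemon can create the /tmp file but not write or unlink it. The new call also sits outside any optional_policy block while the interface lives in kerberos.if, which makes sasl hard-depend on the kerberos module; moving `mta_tmp_filetrans_host_rcache(saslauthd_t)` into the existing optional_policy block next to the keytab template call keeps that dependency optional. Since `type krb5_host_rcache_t alias saslauthd_tmp_t;` in kerberos.te now lets every domain with access to the kerberos replay caches reach saslauthd's temporary files as well, a comment on that line stating that this sharing is intended (e.g. `# saslauthd's /tmp files are Kerberos replay caches; kept as one type`) would spare the next reviewer the same question. The sasl.te and kerberos.te hunks are shown only in part here, so the surrounding rules could not be checked.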


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,9 @@ exit 0
%endif
%changelog
* Fri Nov 12 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-6
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
* Thu Nov 11 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-5
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t