From 582d2c5d2c46ac5e7a8a85bd9865aa01d324b69f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 16 Nov 2010 09:46:19 +0100 Subject: [PATCH] - Update to upstream - Dontaudit leaked sockets from userdomains to user domains - Fixes for mcelog to handle scripts - Apply patch from Ruben Kerkhof - Allow syslog to search spool dirs --- .gitignore | 1 + policy-F15.patch | 156 +++++++++++++++++++++++++++++++------------- selinux-policy.spec | 11 +++- sources | 1 + 4 files changed, 121 insertions(+), 48 deletions(-) diff --git a/.gitignore b/.gitignore index 1c223374..100fdfa4 100644 --- a/.gitignore +++ b/.gitignore @@ -229,3 +229,4 @@ serefpolicy* /serefpolicy-3.9.6.tgz /config.tgz /serefpolicy-3.9.8.tgz +/serefpolicy-3.9.9.tgz diff --git a/policy-F15.patch b/policy-F15.patch index e08515a3..73d0dcdf 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -490,10 +490,10 @@ index 75ce30f..f3347aa 100644 ') diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5a9cebf..276941d 100644 +index 5a9cebf..2e08bef 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te -@@ -7,6 +7,7 @@ policy_module(mcelog, 1.0.1) +@@ -7,9 +7,13 @@ policy_module(mcelog, 1.0.1) type mcelog_t; type mcelog_exec_t; 
@@ -501,6 +501,29 @@ index 5a9cebf..276941d 100644 application_domain(mcelog_t, mcelog_exec_t) cron_system_entry(mcelog_t, mcelog_exec_t) ++type mcelog_var_run_t; ++files_pid_file(mcelog_var_run_t) ++ + ######################################## + # + # mcelog local policy +@@ -17,10 +21,16 @@ cron_system_entry(mcelog_t, mcelog_exec_t) + + allow mcelog_t self:capability sys_admin; + ++allow mcelog_t mcelog_var_run_t:file manage_file_perms; ++allow mcelog_t mcelog_var_run_t:sock_file manage_sock_file_perms; ++allow mcelog_t mcelog_var_run_t:dir manage_dir_perms; ++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) ++ + kernel_read_system_state(mcelog_t) + + dev_read_raw_memory(mcelog_t) + dev_read_kmsg(mcelog_t) ++dev_rw_sysfs(mcelog_t) + + files_read_etc_files(mcelog_t) + diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 0e19d80..9d58abe 100644 --- a/policy/modules/admin/mrtg.te @@ -3518,7 +3541,7 @@ index 86c1768..cd76e6a 100644 /usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:java_exec_t,s0) ') diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if -index e6d84e8..f0c4777 100644 +index e6d84e8..b027189 100644 --- a/policy/modules/apps/java.if +++ b/policy/modules/apps/java.if @@ -72,7 +72,8 @@ template(`java_role_template',` @@ -3531,16 +3554,19 @@ index e6d84e8..f0c4777 100644 allow $1_java_t self:process { ptrace signal getsched execmem execstack }; -@@ -82,7 +83,7 @@ template(`java_role_template',` +@@ -82,7 +83,10 @@ template(`java_role_template',` domtrans_pattern($3, java_exec_t, $1_java_t) - corecmd_bin_domtrans($1_java_t, $3) + corecmd_bin_domtrans($1_java_t, $1_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_t $1_java_t:socket_class_set { read write }; ++ ') dev_dontaudit_append_rand($1_java_t) -@@ -179,6 +180,7 @@ interface(`java_run_unconfined',` +@@ -179,6 +183,7 @@ interface(`java_run_unconfined',` java_domtrans_unconfined($1) role $2 types unconfined_java_t; 
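Review bot: The new mcelog_var_run_t type is only reachable through `files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })`; no matching file-context entry for mcelog.fc is visible in this hunk, so a pid file or socket that already exists before the policy load, or that a relabel touches, would presumably keep its old label unless an .fc line is added elsewhere in the patch. `dev_rw_sysfs(mcelog_t)` also widens the domain from reading to writing the whole sysfs tree; if only specific nodes are written, a comment naming them would help a later least-privilege review, e.g. `# mcelog writes sysfs (TODO: note which nodes)`. The mcelog.te section continues past this hunk.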
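Review bot: The new `dontaudit $1_t $1_java_t:socket_class_set { read write };` hides the denial instead of fixing the descriptor leak, so a socket created by $1_java_t and inherited by $1_t (presumably through the `corecmd_bin_domtrans($1_java_t, $1_t)` transition just above) stays open and the access no longer shows up in the audit log. Gating it with `ifdef(`hide_broken_symptoms', ...)` is the right choice, but a one-line comment such as `# socket fds inherited across the $1_java_t -> $1_t transition; hidden, not granted` would record why the rule exists. The identical block is added to mono.if and wine.if in the next hunks. The java_role_template body continues outside this hunk.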
@@ -3783,10 +3809,10 @@ index 0000000..b7f569d +') + diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if -index 7b08e13..9c9e6c1 100644 +index 7b08e13..515a88a 100644 --- a/policy/modules/apps/mono.if +++ b/policy/modules/apps/mono.if -@@ -41,7 +41,6 @@ template(`mono_role_template',` +@@ -41,15 +41,22 @@ template(`mono_role_template',` application_type($1_mono_t) allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack }; @@ -3794,9 +3820,12 @@ index 7b08e13..9c9e6c1 100644 allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms }; domtrans_pattern($3, mono_exec_t, $1_mono_t) -@@ -49,7 +48,12 @@ template(`mono_role_template',` + fs_dontaudit_rw_tmpfs_files($1_mono_t) corecmd_bin_domtrans($1_mono_t, $1_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_t $1_mono_t:socket_class_set { read write }; ++ ') - userdom_manage_user_tmpfs_files($1_mono_t) + userdom_unpriv_usertype($1, $1_mono_t) @@ -7260,7 +7289,7 @@ index 9d24449..9782698 100644 /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if -index 0440b4c..e10101a 100644 +index 0440b4c..4b055c1 100644 --- a/policy/modules/apps/wine.if +++ b/policy/modules/apps/wine.if @@ -29,12 +29,16 @@ @@ -7298,8 +7327,13 @@ index 0440b4c..e10101a 100644 type wine_exec_t; ') -@@ -101,7 +105,7 @@ template(`wine_role_template',` +@@ -99,9 +103,12 @@ template(`wine_role_template',` + allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms }; + domtrans_pattern($3, wine_exec_t, $1_wine_t) corecmd_bin_domtrans($1_wine_t, $1_t) ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit $1_t $1_wine_t:socket_class_set { read write }; ++ ') userdom_unpriv_usertype($1, $1_wine_t) - userdom_manage_user_tmpfs_files($1_wine_t) 
@@ -7307,7 +7341,7 @@ index 0440b4c..e10101a 100644 domain_mmap_low($1_wine_t) -@@ -109,6 +113,10 @@ template(`wine_role_template',` +@@ -109,6 +116,10 @@ template(`wine_role_template',` dontaudit $1_wine_t self:memprotect mmap_zero; ') @@ -7318,7 +7352,7 @@ index 0440b4c..e10101a 100644 optional_policy(` xserver_role($1_r, $1_wine_t) ') -@@ -157,3 +165,22 @@ interface(`wine_run',` +@@ -157,3 +168,22 @@ interface(`wine_run',` wine_domtrans($1) role $2 types wine_t; ') @@ -24701,7 +24735,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..6543734 100644 +index 64268e4..ce7924b 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -24739,18 +24773,20 @@ index 64268e4..6543734 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -82,6 +71,10 @@ init_use_script_ptys(system_mail_t) +@@ -82,6 +71,12 @@ init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) ++ ++allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + +logging_append_all_logs(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +85,28 @@ optional_policy(` +@@ -92,17 +87,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) 
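Review bot: The new `allow system_mail_t mail_home_t:file manage_file_perms;` grants the full manage set, including unlink, rename and setattr, on mail_home_t files, while the neighbouring `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)` presumably only needs create plus write access to fill a newly created file. If creating and appending is all that is required, a narrower permission set would keep system_mail_t from deleting or renaming those files; if the full set is intentional, a comment such as `# system_mail_t manages the mail_home_t files it creates in the admin home dir` would document it. The system_mail_t section of mta.te continues outside this hunk.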
@@ -24780,7 +24816,7 @@ index 64268e4..6543734 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +115,8 @@ optional_policy(` +@@ -111,6 +117,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -24789,7 +24825,7 @@ index 64268e4..6543734 100644 ') optional_policy(` -@@ -124,12 +130,8 @@ optional_policy(` +@@ -124,12 +132,8 @@ optional_policy(` ') optional_policy(` @@ -24803,7 +24839,7 @@ index 64268e4..6543734 100644 ') optional_policy(` -@@ -146,6 +148,10 @@ optional_policy(` +@@ -146,6 +150,10 @@ optional_policy(` ') optional_policy(` @@ -24814,7 +24850,7 @@ index 64268e4..6543734 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +164,6 @@ optional_policy(` +@@ -158,18 +166,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -24833,7 +24869,7 @@ index 64268e4..6543734 100644 ') optional_policy(` -@@ -189,6 +183,10 @@ optional_policy(` +@@ -189,6 +185,10 @@ optional_policy(` ') optional_policy(` @@ -24844,7 +24880,7 @@ index 64268e4..6543734 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +197,7 @@ optional_policy(` +@@ -199,7 +199,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -24853,7 +24889,7 @@ index 64268e4..6543734 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +218,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) 
@@ -24863,7 +24899,7 @@ index 64268e4..6543734 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +248,16 @@ optional_policy(` +@@ -249,11 +250,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -24880,7 +24916,7 @@ index 64268e4..6543734 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +296,44 @@ optional_policy(` +@@ -292,3 +298,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -25422,7 +25458,7 @@ index 8581040..f54b3b8 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..b9ab551 100644 +index da5b33d..5416fde 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -25484,6 +25520,15 @@ index da5b33d..b9ab551 100644 allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms; +@@ -299,7 +299,7 @@ optional_policy(` + + optional_policy(` + postfix_stream_connect_master(nagios_mail_plugin_t) +- posftix_exec_postqueue(nagios_mail_plugin_t) ++ postfix_exec_postqueue(nagios_mail_plugin_t) + ') + + ###################################### @@ -323,7 +323,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; @@ -28084,7 +28129,7 @@ index 55e62d2..c114a40 100644 /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..9c13189 100644 +index 46bee12..b87375e 100644 
--- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -28169,6 +28214,15 @@ index 46bee12..9c13189 100644 # interface(`postfix_stream_connect_master',` gen_require(` +@@ -462,7 +484,7 @@ interface(`postfix_domtrans_postqueue',` + ## + ## + # +-interface(`posftix_exec_postqueue',` ++interface(`postfix_exec_postqueue',` + gen_require(` + type postfix_postqueue_exec_t; + ') @@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',` ######################################## @@ -40361,7 +40415,7 @@ index 9775375..51bde2a 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index df3fa64..73dc579 100644 +index df3fa64..852a6ad 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -40429,7 +40483,7 @@ index df3fa64..73dc579 100644 ') application_domain($1,$2) -@@ -345,6 +367,17 @@ interface(`init_system_domain',` +@@ -345,6 +367,19 @@ interface(`init_system_domain',` role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -40437,6 +40491,8 @@ index df3fa64..73dc579 100644 + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + ++ dontaudit $1 init_t:unix_stream_socket getattr; ++ + tunable_policy(`init_systemd',` + # Handle upstart/systemd direct transition to a executable + domtrans_pattern(init_t,$2,$1) @@ -40447,7 +40503,7 @@ index df3fa64..73dc579 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +386,37 @@ interface(`init_system_domain',` +@@ -353,6 +388,37 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -40485,7 +40541,7 @@ index df3fa64..73dc579 100644 ') ######################################## -@@ -687,19 +751,24 @@ interface(`init_telinit',` +@@ -687,19 +753,24 @@ interface(`init_telinit',` type initctl_t; ') 
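Review bot: Renaming `interface(`posftix_exec_postqueue',` to `interface(`postfix_exec_postqueue',` removes the misspelled name outright, so any caller this commit does not also update (only nagios.te is fixed here) would fail at policy build time with an undefined-interface error. If callers may exist outside this patch, a short deprecated wrapper `interface(`posftix_exec_postqueue',` refpolicywarn(`$0() has been renamed to postfix_exec_postqueue()') postfix_exec_postqueue($1) ')` avoids the break for one release; otherwise a search of the policy tree for the old name before merging confirms it is safe. The interface body and its summary block continue outside this hunk.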
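Review bot: The new `dontaudit $1 init_t:unix_stream_socket getattr;` in init_system_domain is unconditional, unlike the socket dontaudits this same commit adds to java.if, mono.if and wine.if, which are wrapped in `ifdef(`hide_broken_symptoms', ...)`. Every system domain will therefore lose audit visibility of getattr on init's stream sockets, which looks like another inherited-descriptor symptom; wrapping it the same way, or at least adding `# init_t socket fds inherited by system domains; getattr only`, keeps the two treatments consistent and records why the denial is hidden. The init_system_domain body starts and ends outside this hunk.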
@@ -40511,7 +40567,7 @@ index df3fa64..73dc579 100644 ') ') -@@ -772,18 +841,19 @@ interface(`init_script_file_entry_type',` +@@ -772,18 +843,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -40535,7 +40591,7 @@ index df3fa64..73dc579 100644 ') ') -@@ -799,23 +869,45 @@ interface(`init_spec_domtrans_script',` +@@ -799,23 +871,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -40585,7 +40641,7 @@ index df3fa64..73dc579 100644 ## Execute a init script in a specified domain. ## ## -@@ -867,8 +959,12 @@ interface(`init_script_file_domtrans',` +@@ -867,8 +961,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -40598,7 +40654,7 @@ index df3fa64..73dc579 100644 domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1129,12 +1225,7 @@ interface(`init_read_script_state',` +@@ -1129,12 +1227,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -40612,7 +40668,7 @@ index df3fa64..73dc579 100644 ') ######################################## -@@ -1374,6 +1465,27 @@ interface(`init_dbus_send_script',` +@@ -1374,6 +1467,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -40640,7 +40696,7 @@ index df3fa64..73dc579 100644 ## init scripts over dbus. ## ## -@@ -1460,6 +1572,25 @@ interface(`init_getattr_script_status_files',` +@@ -1460,6 +1574,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -40666,7 +40722,7 @@ index df3fa64..73dc579 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1673,7 +1804,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1673,7 +1806,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') 
@@ -40675,7 +40731,7 @@ index df3fa64..73dc579 100644 ') ######################################## -@@ -1748,3 +1879,74 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1748,3 +1881,74 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -42457,7 +42513,7 @@ index 3fb1915..26e9f79 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 362614c..c5757eb 100644 +index 571599b..17dd196 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,10 @@ @@ -42601,7 +42657,7 @@ index c7cfb62..db7ad6b 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 828156a..4762f02 100644 +index aa2b0a6..ec04f4f 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -60,6 +60,7 @@ files_type(syslog_conf_t) 
@@ -42675,23 +42731,31 @@ index 828156a..4762f02 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -369,9 +392,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -360,6 +383,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) + # create/append log files. + manage_files_pattern(syslogd_t, var_log_t, var_log_t) + rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) ++files_search_spool(syslogd_t) + + # Allow access for syslog-ng + allow syslogd_t var_log_t:dir { create setattr }; +@@ -369,8 +393,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) +manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) files_search_var_lib(syslogd_t) - ++files_search_spool(syslogd_t) ++ +manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir }) -+ + # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) - files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +441,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,6 +443,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -42699,7 +42763,7 @@ index 828156a..4762f02 100644 domain_use_interactive_fds(syslogd_t) -@@ -488,6 +518,10 @@ optional_policy(` +@@ -488,6 +520,10 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 7dc24355..b760b60e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
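Review bot: `files_search_spool(syslogd_t)` is added twice to logging.te: once after `rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)` in the -360 hunk and again after `files_search_var_lib(syslogd_t)` in the -369 hunk. Duplicate rules compile, but the second copy is redundant and will make the next rebase harder to read; drop the one after files_search_var_lib and keep the first. A comment on the kept line naming which spool subdirectory syslog has to search (the commit message only says "spool dirs") would make the rule reviewable later. The logging.te section continues past this hunk.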
@@ -20,8 +20,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.8
-Release: 7%{?dist}
+Version: 3.9.9
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 16 2010 Miroslav Grepl 3.9.9-1
+- Update to upstream
+- Dontaudit leaked sockets from userdomains to user domains
+- Fixes for mcelog to handle scripts
+- Apply patch from Ruben Kerkhof
+- Allow syslog to search spool dirs
+
 * Mon Nov 15 2010 Miroslav Grepl 3.9.8-7
 - Allow nagios plugins to read usr files
 - Allow mysqld-safe to send system log messages
diff --git a/sources b/sources
index 47fa8af5..6522089d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 409b40c8102b1617681ba17c31032e66 config.tgz
 51455f82ff27ad44c20ac9d8441d09e5 serefpolicy-3.9.8.tgz
+24888445b1086e411acfa24c592cc65a serefpolicy-3.9.9.tgz