- Add virt_content_ro_t and labeling for isos directory

2009-01-30 14:20:51 +00:00 · 2009-01-30 14:20:51 +00:00 · 618e35262f
commit 618e35262f
parent 2fbeb784fa
1 changed files with 131 additions and 36 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -3287,8 +3287,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.3/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te	2009-01-30 08:03:36.000000000 -0500
-@@ -11,21 +11,58 @@
+@@ -11,21 +11,59 @@
 application_domain(podsleuth_t, podsleuth_exec_t)
 role system_r types podsleuth_t;
@ -3326,7 +3326,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_getattr_dos_fs(podsleuth_t)
 +fs_read_dos_files(podsleuth_t)
 +fs_search_dos(podsleuth_t)
-+
+fs_getattr_tmpfs(podsleuth_t)
 +fs_list_tmpfs(podsleuth_t)
 +fs_mount_nfs(podsleuth_t)
 +fs_unmount_nfs(podsleuth_t)
 +fs_getattr_nfs(podsleuth_t)
@ -3685,7 +3686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.3/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te	2009-01-30 09:14:38.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -3695,7 +3696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <desc>
 ## <p>
 ## Allow qemu to connect fully to the network
-@@ -13,28 +15,151 @@
+@@ -13,28 +15,153 @@
 ## </desc>
 gen_tunable(qemu_full_network, false)
@ -3799,6 +3800,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +storage_raw_write_removable_device(qemu_t)
 +storage_raw_read_removable_device(qemu_t)
 +
 +userdom_search_user_home_content(qemu_t)
 +
 tunable_policy(`qemu_full_network',`
 	allow qemu_t self:udp_socket create_socket_perms;
@ -5158,7 +5161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	all protocols (TCP, UDP, etc)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.3/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te	2009-01-30 07:56:48.000000000 -0500
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -5220,7 +5223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 # act on all domains keys
-@@ -153,3 +170,39 @@
+@@ -153,3 +170,34 @@
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -5234,15 +5237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	cron_dontaudit_write_system_job_tmp_files(domain)
 +	cron_rw_pipes(domain)
 +ifdef(`hide_broken_symptoms',`
 +	cron_dontaudit_rw_tcp_sockets(domain)
 +	allow domain domain:key { link search };
 +')
 +')
 +
 +ifdef(`hide_broken_symptoms',`
 +        dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
 +')
 +
 +optional_policy(`
 +	rpm_rw_pipes(domain)
 +	rpm_dontaudit_use_script_fds(domain)
@ -17626,7 +17624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.3/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/postfix.if	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/postfix.if	2009-01-30 08:30:01.000000000 -0500
@@ -46,6 +46,7 @@
 	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@ -17647,7 +17645,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_search_etc($1)
 ')
-@@ -378,7 +378,7 @@
+@@ -232,6 +232,25 @@
 ########################################
 ## <summary>
 +##	Allow read/write postfix local pipes
 +##	TCP sockets.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`postfix_rw_local_pipes',`
 +	gen_require(`
 +		type postfix_local_t;
 +	')
 +
 +	allow $1 postfix_local_t:fifo rw_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
 ##	Allow domain to read postfix local process state
 ## </summary>
 ## <param name="domain">
@@ -378,7 +397,7 @@
 ##	</summary>
 ## </param>
 #
@ -17656,7 +17680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	gen_require(`
 		type postfix_private_t;
 	')
-@@ -389,6 +389,25 @@
+@@ -389,6 +408,25 @@
 ########################################
 ## <summary>
@ -17682,7 +17706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute the master postfix program in the
 ##	postfix_master domain.
 ## </summary>
-@@ -418,10 +437,10 @@
+@@ -418,10 +456,10 @@
 #
 interface(`postfix_search_spool',`
 	gen_require(`
@ -17695,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_search_spool($1)
 ')
-@@ -437,11 +456,30 @@
+@@ -437,11 +475,30 @@
 #
 interface(`postfix_list_spool',`
 	gen_require(`
@ -17728,7 +17752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -456,16 +494,16 @@
+@@ -456,16 +513,16 @@
 #
 interface(`postfix_read_spool_files',`
 	gen_require(`
@ -17748,7 +17772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -475,11 +513,11 @@
+@@ -475,11 +532,11 @@
 #
 interface(`postfix_manage_spool_files',`
 	gen_require(`
@ -17762,7 +17786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -500,3 +538,23 @@
+@@ -500,3 +557,23 @@
 	typeattribute $1 postfix_user_domtrans;
 ')
@ -21420,7 +21444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.3/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te	2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te	2009-01-30 08:30:30.000000000 -0500
@@ -20,6 +20,35 @@
 ## </desc>
 gen_tunable(spamd_enable_home_dirs, true)
@ -21532,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(spamc_t)
 # cjp: this should probably be removed:
-@@ -265,31 +323,34 @@
+@@ -265,31 +323,35 @@
 sysnet_read_config(spamc_t)
@ -21568,6 +21592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	nscd_socket_use(spamc_t)
 +	postfix_domtrans_postdrop(spamc_t)
 +	postfix_search_spool(spamc_t)
 +	postfix_rw_local_pipes(spamc_t)
 ')
 optional_policy(`
@ -21579,7 +21604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -301,7 +362,7 @@
+@@ -301,7 +363,7 @@
 # setuids to the user running spamc.  Comment this if you are not
 # using this ability.
@ -21588,7 +21613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
-@@ -317,10 +378,13 @@
+@@ -317,10 +379,13 @@
 allow spamd_t self:unix_stream_socket connectto;
 allow spamd_t self:tcp_socket create_stream_socket_perms;
 allow spamd_t self:udp_socket create_socket_perms;
@ -21603,7 +21628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +393,11 @@
+@@ -329,10 +394,11 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@ -21616,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +447,27 @@
+@@ -382,22 +448,27 @@
 init_dontaudit_rw_utmp(spamd_t)
@ -21648,7 +21673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_manage_cifs_files(spamd_t)
 ')
-@@ -415,6 +485,7 @@
+@@ -415,6 +486,7 @@
 optional_policy(`
 	dcc_domtrans_client(spamd_t)
@ -21656,7 +21681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dcc_stream_connect_dccifd(spamd_t)
 ')
-@@ -424,10 +495,6 @@
+@@ -424,10 +496,6 @@
 ')
 optional_policy(`
@ -21667,7 +21692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	postfix_read_config(spamd_t)
 ')
-@@ -442,6 +509,10 @@
+@@ -442,6 +510,10 @@
 optional_policy(`
 	razor_domtrans(spamd_t)
@ -22363,10 +22388,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.3/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/virt.fc	2009-01-30 09:09:00.000000000 -0500
@@ -8,5 +8,10 @@
 /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_image_ro_t,s0)
 +
 /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
 +
 +HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
 +HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_image_ro_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-01-30 09:13:05.000000000 -0500
@@ -293,6 +293,41 @@
 ########################################
 ## <summary>
 +##	Allow domain to manage virt image files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
 +interface(`virt_read_ro_t',`
 +	gen_require(`
 +		type virt_image_ro_t;
 +	')
 +
 +	virt_search_lib($1)
 +	allow $1 virt_image_ro_t:dir list_dir_perms;
 +	read_dirs_pattern($1, virt_image_ro_t, virt_image_ro_t)
 +	read_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
 +	read_lnk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
 +	rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
 +
 +	tunable_policy(`virt_use_nfs',`
 +		fs_read_nfs_dirs($1)
 +		fs_read_nfs_files($1)
 +		fs_read_nfs_symlinks($1)
 +	')
 +
 +	tunable_policy(`virt_use_samba',`
 +		fs_read_nfs_files($1)
 +		fs_read_cifs_files($1)
 +		fs_read_cifs_symlinks($1)
 +	')
 +')
 +
 +########################################
 +## <summary>
 ##	All of the rules required to administrate 
 ##	an virt environment
 ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 16:53:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-30 09:10:13.000000000 -0500
-@@ -53,7 +53,7 @@
+@@ -32,6 +32,10 @@
 type virt_image_t, virt_image_type; # customizable
 virt_image(virt_image_t)
 +# virt Image files
 +type virt_image_ro_t;
 +virt_image(virt_image_ro_t)
 +
 type virt_log_t;
 logging_log_file(virt_log_t)
@@ -53,7 +57,7 @@
 # virtd local policy
 #
@ -22375,7 +22470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow virtd_t self:process { getsched sigkill signal execmem };
 allow virtd_t self:fifo_file rw_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -96,7 +96,7 @@
+@@ -96,7 +100,7 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -22384,7 +22479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-@@ -110,11 +110,13 @@
+@@ -110,11 +114,13 @@
 files_read_usr_files(virtd_t)
 files_read_etc_files(virtd_t)
@ -22398,7 +22493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 storage_raw_write_removable_device(virtd_t)
 storage_raw_read_removable_device(virtd_t)
-@@ -129,7 +131,10 @@
+@@ -129,7 +135,10 @@
 logging_send_syslog_msg(virtd_t)
@ -22409,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -173,16 +178,17 @@
+@@ -173,16 +182,17 @@
 	iptables_domtrans(virtd_t)
 ')
@ -28084,7 +28179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-28 10:48:13.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-30 09:14:16.000000000 -0500
@@ -30,8 +30,9 @@
 	')