diff --git a/Changelog b/Changelog
index dc1ff707..9f156e66 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,5 @@
-- Patch to confine ldconfig in the targeted policy from Dan Walsh.
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
 - Man page updates from Dan Walsh.
 - Two patches from Paul Moore to for ipsec to remove redundant rules and have setkey read the config file.
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
index d2420509..0e5ed81d 100644
--- a/policy/modules/apps/games.fc
+++ b/policy/modules/apps/games.fc
@@ -4,6 +4,7 @@
 /usr/games/powermanga -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/games/vulturesclaw/vulturesclaw -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/games/vultureseye/vultureseye -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 4c462b8c..21fcecfb 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.1.3)
+policy_module(games,1.1.4)
 ########################################
 #
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 068d1383..d422ed89 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -205,6 +206,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 288e15dc..4acf62ca 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.5.4)
+policy_module(corecommands,1.5.5)
 ########################################
 #
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2b67c129..c235aa68 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.5)
+policy_module(corenetwork,1.2.6)
 ########################################
 #
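Review bot: The added `/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` repeats the `/usr/lib/bluetooth` line directly above it with only the directory changed, so the two entries will have to be kept in step by hand. If this file already uses the `/usr/lib(64)?/` multilib idiom elsewhere (not visible in this hunk), folding both into a single `/usr/lib(64)?/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` would be the more maintainable form. The system-config-selinux entry in the second hunk follows the existing per-tool pattern and is fine as written.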
@@ -108,7 +108,7 @@ network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
@@ -132,7 +132,7 @@ network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smbd, tcp,139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 6128b90f..2a6970d6 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.4.2)
+policy_module(sasl,1.4.3)
 ########################################
 #
@@ -17,6 +17,9 @@ type saslauthd_t;
 type saslauthd_exec_t;
 init_daemon_domain(saslauthd_t,saslauthd_exec_t)
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
 type saslauthd_var_run_t;
 files_pid_file(saslauthd_var_run_t)
@@ -33,6 +36,10 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 allow saslauthd_t self:tcp_socket create_socket_perms;
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,file)
+
 manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
 manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
 files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
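Review bot: After the two changed network_port lines, tcp/137, tcp/138 and udp/139 are no longer named by any declaration visible in these hunks, so unless they are declared elsewhere in corenetwork.te.in they fall back to the generic reserved-port label and any domain that reached them through the generated smbd/nmbd port interfaces will start seeing denials on those ports. The resulting split (nmbd: 137/udp and 138/udp; smbd: 139/tcp and 445/tcp) matches the NetBIOS service assignments, so the tightening itself looks right, but it is a policy-visible change that the Changelog hunk in this commit does not mention. A comment on the smbd line such as `# netbios-ns/netbios-dgm (137-138) are udp-only; tcp 137-138 deliberately left unlabeled` would record the intent for the next reader.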
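Review bot: The bare `allow saslauthd_t saslauthd_tmp_t:dir setattr;` in the second sasl.te hunk is the only directory permission the domain gets on its new tmp type: the filetrans covers `file` only and there is no manage_dirs_pattern, so a saslauthd_tmp_t directory can only exist if something outside this module creates or relabels it. That may well be deliberate, but a why-comment on that line, e.g. `# TODO(review): document why saslauthd only needs setattr on a saslauthd_tmp_t dir it does not create`, would keep a later reader from "fixing" it. If the daemon does create the directory itself, the filetrans should become `files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,{ file dir })` with a matching manage_dirs_pattern instead of the raw allow.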
@@ -95,6 +102,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
 auth_tunable_read_shadow(saslauthd_t)
 ')
+optional_policy(`
+ kerberos_read_keytab(saslauthd_t)
+')
+
 optional_policy(`
 mysql_search_db(saslauthd_t)
 mysql_stream_connect(saslauthd_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 8bf4cb5d..ef4a0a66 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.2.1)
+policy_module(modutils,1.2.2)
 gen_require(`
 bool secure_mode_insmod;
@@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
-dev_read_sysfs(insmod_t)
+dev_rw_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)
@@ -117,7 +117,8 @@ if( ! secure_mode_insmod ) {
 }
 ifdef(`targeted_policy',`
- unconfined_domain(insmod_t)
+ term_use_unallocated_ttys(insmod_t)
+ term_use_generic_ptys(insmod_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index b6523d73..99b7ffb5 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
 # udev
-/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
 /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
 /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index aa8da2e4..6fff9921 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.5.1)
+policy_module(udev,1.5.2)
 ########################################
 #
@@ -164,6 +164,8 @@ ifdef(`distro_redhat',`
 fs_relabel_tmpfs_blk_file(udev_t)
 fs_relabel_tmpfs_chr_file(udev_t)
+ term_search_ptys(udev_t)
+
 # for arping used for static IP addresses on PCMCIA ethernet
 netutils_domtrans(udev_t)
 ')
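Review bot: `dev_rw_sysfs(insmod_t)` in the modutils.te @@ -68 hunk widens insmod from reading sysfs to writing it, and the changed line carries no justification, unlike the `# for locking` comment a few lines up on files_write_kernel_modules. Since it lands in the same commit that drops unconfined_domain(insmod_t) for the targeted policy, it is presumably a denial that surfaced once insmod was confined rather than a new requirement; a comment such as `# TODO(review): note which sysfs attributes insmod/modprobe need to write` on that line would let a later reviewer judge whether a narrower interface would do.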
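Review bot: In the modutils.te @@ -117 hunk the targeted-policy block replaces unconfined_domain(insmod_t) with the allow forms `term_use_unallocated_ttys(insmod_t)` and `term_use_generic_ptys(insmod_t)`, whereas the parallel udev.te change in this commit (its @@ -171 hunk) keeps the dontaudit forms `term_dontaudit_use_unallocated_ttys`/`term_dontaudit_use_generic_ptys` next to the removed unconfined_domain(udev_t). If insmod merely inherits an open terminal descriptor, the dontaudit variants would be consistent with udev and would avoid granting terminal access to a domain that loads kernel modules; if it genuinely needs the terminal (e.g. when run interactively), a one-line comment above the two calls saying so would explain the asymmetry.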
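Review bot: Adding `--` to `/dev/\.udev(/.*)?` in udev.fc narrows the match to regular files, so the /dev/.udev directory and any subdirectories stop receiving udev_tbl_t and take whatever other /dev rule matches them; for a tree pattern this is a relabel of the directories, not just a tightening like the `--` on the two single-file lines below it. If that is intended (udev_t presumably gets its directory permissions under another type, which this diff does not show), a comment such as `# only regular files under /dev/.udev are udev_tbl_t; directories keep the /dev default` would make it explicit; otherwise the `--` should be dropped and udev.te given dir permissions on udev_tbl_t.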
@@ -171,8 +173,6 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys(udev_t)
 term_dontaudit_use_generic_ptys(udev_t)
-
- unconfined_domain(udev_t)
 ')
 optional_policy(`