rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow avahi to access inotify

Browse Source 
- Remove a lot of bogus security_t:filesystem avcs
This commit is contained in:
Daniel J Walsh 2007-06-27 18:12:03 +00:00
parent 1afb424363
commit 7f44213c00
2 changed files with 100 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
policy-20070525.patch
View File

@ -6602,7 +6602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-06-19 16:23:35.000000000 -0400 --- nsaserefpolicy/policy/modules/services/samba.te 2007-06-19 16:23:35.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/samba.te 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/samba.te 2007-06-27 11:39:37.000000000 -0400
@@ -189,6 +189,8 @@ @@ -189,6 +189,8 @@
miscfiles_read_localization(samba_net_t) miscfiles_read_localization(samba_net_t)
@ -6678,6 +6678,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t) domain_use_interactive_fds(winbind_t)
@@ -767,6 +782,7 @@
#
# Winbind helper local policy
#
+corecmd_exec_bin(winbind_t)
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-29 14:10:57.000000000 -0400 --- nsaserefpolicy/policy/modules/services/sasl.te 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/sasl.te 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/services/sasl.te 2007-06-19 17:06:27.000000000 -0400
@ -7442,7 +7450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if 2007-06-21 10:33:53.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/system/authlogin.if 2007-06-27 10:19:29.000000000 -0400
@@ -27,7 +27,8 @@ @@ -27,7 +27,8 @@
domain_type($1_chkpwd_t) domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@ -8318,7 +8326,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
# Sulogin local policy # Sulogin local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-29 14:10:58.000000000 -0400 --- nsaserefpolicy/policy/modules/system/logging.fc 2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.fc 2007-06-20 07:06:30.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/system/logging.fc 2007-06-27 10:17:24.000000000 -0400
@@ -1,6 +1,6 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
@@ -43,3 +43,5 @@ @@ -43,3 +43,5 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
@ -8327,7 +8343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/logging.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.if 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/system/logging.if 2007-06-27 10:20:58.000000000 -0400
@@ -33,8 +33,13 @@ @@ -33,8 +33,13 @@
## </param> ## </param>
# #
@ -8343,10 +8359,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
') ')
######################################## ########################################
@@ -238,6 +243,25 @@ @@ -238,6 +243,63 @@
######################################## ########################################
## <summary> ## <summary>
+## Manage the syslogd configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_syslog_config',`
+ gen_require(`
+ type syslogd_etc_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1,syslog_conf_t,syslog_conf_t)
+')
+
+#######################################
+## <summary>
+## Automatic transition from etc to syslog_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_etc_filetrans_syslog_conf',`
+ gen_require(`
+ type syslog_conf_t;
+ ')
+
+ files_etc_filetrans($1,syslog_conf_t,file)
+')
+
+########################################
+## <summary>
+## Execute klogd in the klog domain. +## Execute klogd in the klog domain.
+## </summary> +## </summary>
+## <param name="domain"> +## <param name="domain">
@ -8369,7 +8423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Create an object in the log directory, with a private ## Create an object in the log directory, with a private
## type using a type transition. ## type using a type transition.
## </summary> ## </summary>
@@ -317,6 +341,25 @@ @@ -317,6 +379,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -8395,7 +8449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
## Allows the domain to open a file in the ## Allows the domain to open a file in the
## log directory, but does not allow the listing ## log directory, but does not allow the listing
## of the contents of the log directory. ## of the contents of the log directory.
@@ -451,7 +494,7 @@ @@ -451,7 +532,7 @@
files_search_var($1) files_search_var($1)
allow $1 var_log_t:dir list_dir_perms; allow $1 var_log_t:dir list_dir_perms;
@ -8404,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
') ')
######################################## ########################################
@@ -495,6 +538,8 @@ @@ -495,6 +576,8 @@
files_search_var($1) files_search_var($1)
manage_files_pattern($1,logfile,logfile) manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile)
@ -8413,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
') ')
######################################## ########################################
@@ -578,3 +623,101 @@ @@ -578,3 +661,101 @@
files_search_var($1) files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t) manage_files_pattern($1,var_log_t,var_log_t)
') ')
@ -8517,7 +8571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-06-15 14:54:33.000000000 -0400 --- nsaserefpolicy/policy/modules/system/logging.te 2007-06-15 14:54:33.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/logging.te 2007-06-20 07:06:09.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/system/logging.te 2007-06-27 10:16:37.000000000 -0400
@@ -7,10 +7,15 @@ @@ -7,10 +7,15 @@
# #
@ -8534,7 +8588,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
role system_r types auditctl_t; role system_r types auditctl_t;
type auditd_etc_t; type auditd_etc_t;
@@ -48,6 +53,9 @@ @@ -45,9 +50,15 @@
type syslogd_exec_t;
init_daemon_domain(syslogd_t,syslogd_exec_t)
+type syslog_conf_t;
+files_type(syslog_conf_t)
+
type syslogd_tmp_t; type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t) files_tmp_file(syslogd_tmp_t)
@ -8544,7 +8604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_var_run_t; type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t) files_pid_file(syslogd_var_run_t)
@@ -59,14 +67,17 @@ @@ -59,14 +70,17 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
') ')
@ -8565,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t) read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms; allow auditctl_t auditd_etc_t:dir list_dir_perms;
@@ -91,6 +102,7 @@ @@ -91,6 +105,7 @@
locallogin_dontaudit_use_fds(auditctl_t) locallogin_dontaudit_use_fds(auditctl_t)
@ -8573,7 +8633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditctl_t) logging_send_syslog_msg(auditctl_t)
######################################## ########################################
@@ -98,12 +110,11 @@ @@ -98,12 +113,11 @@
# Auditd local policy # Auditd local policy
# #
@ -8587,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow auditd_t self:fifo_file rw_file_perms; allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms; allow auditd_t auditd_etc_t:dir list_dir_perms;
@@ -141,6 +152,7 @@ @@ -141,6 +155,7 @@
init_telinit(auditd_t) init_telinit(auditd_t)
@ -8595,7 +8655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditd_t) logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t) libs_use_ld_so(auditd_t)
@@ -157,6 +169,8 @@ @@ -157,6 +172,8 @@
userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t) userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
@ -8604,7 +8664,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
optional_policy(` optional_policy(`
seutil_sigchld_newrole(auditd_t) seutil_sigchld_newrole(auditd_t)
@@ -249,6 +263,10 @@ @@ -243,12 +260,18 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
+allow syslogd_t syslog_conf_t:file read;
+
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
# create/append log files. # create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t) manage_files_pattern(syslogd_t,var_log_t,var_log_t)
@ -8615,7 +8683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# Allow access for syslog-ng # Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr }; allow syslogd_t var_log_t:dir { create setattr };
@@ -257,6 +275,9 @@ @@ -257,6 +280,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file }) files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@ -8625,7 +8693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t syslogd_var_run_t:file manage_file_perms; allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
@@ -313,6 +334,7 @@ @@ -313,6 +339,7 @@
domain_use_interactive_fds(syslogd_t) domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t) files_read_etc_files(syslogd_t)
@ -10902,9 +10970,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.t
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc
--- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/users/logadm.fc 2007-06-27 10:17:08.000000000 -0400
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +# No logadm file contexts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if
--- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/logadm.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.1/policy/modules/users/logadm.if 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/users/logadm.if 2007-06-19 17:06:27.000000000 -0400
@ -10912,8 +10980,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
+## <summary>Policy for logadm user</summary> +## <summary>Policy for logadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te
--- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/users/logadm.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.1/policy/modules/users/logadm.te 2007-06-19 17:06:27.000000000 -0400 +++ serefpolicy-3.0.1/policy/modules/users/logadm.te 2007-06-27 10:21:24.000000000 -0400
@@ -0,0 +1,35 @@ @@ -0,0 +1,37 @@
+policy_module(logadm,1.0.0) +policy_module(logadm,1.0.0)
+ +
+######################################## +########################################
@ -10925,13 +10993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.
+files_type(syslog_conf_t) +files_type(syslog_conf_t)
+ +
+userdom_base_user_template(logadm) +userdom_base_user_template(logadm)
+allow logadm_t syslog_conf_t:file manage_file_perms;
+files_etc_filetrans(logadm_t, syslog_conf_t, file)
+ +
+allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+ +
+logging_etc_filetrans_syslog_conf(logadm_t)
+logging_manage_syslog_config(logadm_t)
+logging_manage_all_logs(logadm_t) +logging_manage_all_logs(logadm_t)
+
+seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t }) +seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
+
+domain_kill_all_domains(logadm_t) +domain_kill_all_domains(logadm_t)
+seutil_read_bin_policy(logadm_t) +seutil_read_bin_policy(logadm_t)
+corecmd_exec_shell(logadm_t) +corecmd_exec_shell(logadm_t)

6
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.0.1 Version: 3.0.1
Release: 1%{?dist} Release: 2%{?dist}
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -355,6 +355,10 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Jun 26 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-2
- Allow avahi to access inotify
- Remove a lot of bogus security_t:filesystem avcs
* Fri May 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-1 * Fri May 25 2007 Dan Walsh <dwalsh@redhat.com> 3.0.1-1
- Remove ifdef strict policy from upstream - Remove ifdef strict policy from upstream