From 8cd443307d839fd9c78a5bed3e62606322e8e788 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 23 Jan 2012 16:15:05 +0100 Subject: [PATCH] - Treat Bip with bitlbee policy * Bip is an IRC proxy - Add port definition for interwise port - Add support for ipa_memcached socket - systemd_jounald needs to getattr on all processes - mdadmin fixes * uses getpw - amavisd calls getpwnam() - denyhosts calls getpwall() --- policy-F16.patch | 207 ++++++++++++++++++++++++++++++-------------- selinux-policy.spec | 15 +++- 2 files changed, 153 insertions(+), 69 deletions(-) diff --git a/policy-F16.patch b/policy-F16.patch index 2fa1838b..918a0324 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -14484,7 +14484,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..f7cc16e 100644 +index 99b71cb..58a5523 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -14610,7 +14610,7 @@ index 99b71cb..f7cc16e 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -115,11 +157,12 @@ network_port(hddtemp, tcp,7634,s0) +@@ -115,11 +157,13 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port 
@@ -14620,11 +14620,12 @@ index 99b71cb..f7cc16e 100644 network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) network_port(innd, tcp,119,s0) ++network_port(interwise, tcp,7778,s0, udp,7778,s0) +network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0) network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +173,27 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14655,7 +14656,7 @@ index 99b71cb..f7cc16e 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +203,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -14688,7 +14689,7 @@ index 99b71cb..f7cc16e 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +239,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +240,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) 
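Review bot: The new `network_port(interwise, tcp,7778,s0, udp,7778,s0)` line carries no comment, yet the only consumer this commit adds is bitlbee.te's `corenet_tcp_bind_interwise_port(bitlbee_t)`, so a reader of corenetwork.te.in cannot tell that 7778 is being labelled for the bip IRC proxy rather than for Interwise. A trailing comment in the file's existing style, `network_port(interwise, tcp,7778,s0, udp,7778,s0) # 7778 is also bip's default listen port (confirm against bip.conf)`, would record that; the http line above uses the same `#` convention. The udp half of the definition has no visible consumer; if only bip's TCP listener needs it, leaving `udp,7778,s0` out keeps the port type as narrow as the rule that uses it.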
@@ -14734,7 +14735,7 @@ index 99b71cb..f7cc16e 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +281,11 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +282,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14747,7 +14748,7 @@ index 99b71cb..f7cc16e 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14755,7 +14756,7 @@ index 99b71cb..f7cc16e 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14768,7 +14769,7 @@ index 99b71cb..f7cc16e 100644 ######################################## # -@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -25244,7 +25245,7 @@ index e31d92a..e515cb8 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; 
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..ae8c579 100644 +index deca9d3..ac92fce 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; @@ -25264,7 +25265,15 @@ index deca9d3..ae8c579 100644 domain_use_interactive_fds(amavis_t) -@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t) +@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t) + + fs_getattr_xattr_fs(amavis_t) + ++auth_use_nsswitch(amavis_t) + auth_dontaudit_read_shadow(amavis_t) + + # uses uptime which reads utmp - redhat bug 561383 +@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t) userdom_dontaudit_search_user_home_dirs(amavis_t) @@ -28230,16 +28239,23 @@ index 4deca04..7859fa1 100644 optional_policy(` diff --git a/policy/modules/services/bitlbee.fc b/policy/modules/services/bitlbee.fc -index 0197980..f8bce2c 100644 +index 0197980..909ce04 100644 --- a/policy/modules/services/bitlbee.fc +++ b/policy/modules/services/bitlbee.fc -@@ -4,3 +4,6 @@ +@@ -1,6 +1,13 @@ + /etc/rc\.d/init\.d/bitlbee -- gen_context(system_u:object_r:bitlbee_initrc_exec_t,s0) + /etc/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_conf_t,s0) + ++/usr/bin/bip -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /usr/sbin/bitlbee -- gen_context(system_u:object_r:bitlbee_exec_t,s0) /var/lib/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_t,s0) + ++/var/log/bip(/.*)? gen_context(system_u:object_r:bitlbee_log_t,s0) ++ +/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) +/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) ++/var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/policy/modules/services/bitlbee.if b/policy/modules/services/bitlbee.if index de0bd67..1df2048 100644 --- a/policy/modules/services/bitlbee.if 
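Review bot: `auth_use_nsswitch(amavis_t)` is added without a why-comment, although this file records the reason for comparable rules (`# uses uptime which reads utmp - redhat bug 561383` two lines below) and the commit message does state it. A comment above the new line, `# amavisd calls getpwnam()`, keeps that rationale with the rule; the same applies to the `auth_use_nsswitch(denyhosts_t)` hunk (`# denyhosts calls getpwall()`) and to the `auth_use_nsswitch(mdadm_t)` hunk in raid.te (`# mdadm uses getpw*()`). auth_use_nsswitch grants more than passwd lookups (name-service configuration plus optional sssd/ldap/nis client access), so the comment also tells a later reviewer which access was actually required.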
@@ -28260,13 +28276,16 @@ index de0bd67..1df2048 100644 domain_system_change_exemption($1) role_transition $2 bitlbee_initrc_exec_t system_r; diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te -index f4e7ad3..2faf42a 100644 +index f4e7ad3..6b577c2 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te -@@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t) +@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t) type bitlbee_var_t; files_type(bitlbee_var_t) ++type bitlbee_log_t; ++logging_log_file(bitlbee_log_t) ++ +type bitlbee_var_run_t; +files_type(bitlbee_var_run_t) + @@ -28277,7 +28296,7 @@ index f4e7ad3..2faf42a 100644 -allow bitlbee_t self:capability { setgid setuid }; -allow bitlbee_t self:process signal; -+allow bitlbee_t self:capability { dac_override setgid setuid sys_nice }; ++allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice }; +allow bitlbee_t self:process { setsched signal }; + +allow bitlbee_t self:fifo_file rw_fifo_file_perms; @@ -28300,6 +28319,10 @@ index f4e7ad3..2faf42a 100644 manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t) files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file) ++# log files ++manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t) ++ +manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) +manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) +manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t) @@ -28308,7 +28331,7 @@ index f4e7ad3..2faf42a 100644 kernel_read_system_state(bitlbee_t) corenet_all_recvfrom_unlabeled(bitlbee_t) -@@ -52,6 +63,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t) +@@ -52,6 +70,7 @@ corenet_udp_sendrecv_generic_if(bitlbee_t) corenet_udp_sendrecv_generic_node(bitlbee_t) corenet_tcp_sendrecv_generic_if(bitlbee_t) corenet_tcp_sendrecv_generic_node(bitlbee_t) 
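Review bot: The capability set on the new side becomes `{ dac_override kill setgid setuid sys_nice }`, so this hunk adds `kill` to bitlbee_t on top of the earlier dac_override/sys_nice, and neither the hunk nor the commit message says which program needs it. CAP_KILL is only consulted when the signalling process's UID differs from the target's, so it is worth recording which process pair triggered the denial, e.g. `# bip signals children owned by another uid` above the allow line; if the observed denial was only `self:process signal`, that is already granted on the next line and the capability can be dropped.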
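Review bot: The new `bitlbee_log_t` block grants manage_dirs/manage_files on the type but no visible `logging_log_filetrans(bitlbee_t, bitlbee_log_t, { dir file })`; bitlbee.fc labels `/var/log/bip(/.*)?`, so if bip creates that directory or its files itself they will be created as generic `var_log_t`, which nothing in this hunk lets bitlbee_t write, until a restorecon. Unless the transition is declared outside this hunk, add it after the two manage patterns; the neighbouring `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)` shows the existing pattern. The bitlbee_t rule section continues beyond the hunk.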
@@ -28316,13 +28339,15 @@ index f4e7ad3..2faf42a 100644 # Allow bitlbee to connect to jabber servers corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) -@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t) +@@ -69,6 +88,11 @@ corenet_tcp_connect_http_port(bitlbee_t) corenet_tcp_sendrecv_http_port(bitlbee_t) corenet_tcp_connect_http_cache_port(bitlbee_t) corenet_tcp_sendrecv_http_cache_port(bitlbee_t) +corenet_tcp_bind_ircd_port(bitlbee_t) +corenet_tcp_sendrecv_ircd_port(bitlbee_t) +corenet_sendrecv_ircd_server_packets(bitlbee_t) ++corenet_tcp_bind_interwise_port(bitlbee_t) ++corenet_tcp_sendrecv_interwise_port(bitlbee_t) dev_read_rand(bitlbee_t) dev_read_urand(bitlbee_t) @@ -35612,7 +35637,7 @@ index 567865f..3a57eb9 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te -index 8ba9425..b10da2c 100644 +index 8ba9425..555058a 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te @@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t) @@ -35625,7 +35650,7 @@ index 8ba9425..b10da2c 100644 allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; -@@ -53,20 +54,28 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) +@@ -53,20 +54,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -35636,6 +35661,8 @@ index 8ba9425..b10da2c 100644 files_read_etc_files(denyhosts_t) +files_read_usr_files(denyhosts_t) ++ ++auth_use_nsswitch(denyhosts_t) # /var/log/secure logging_read_generic_logs(denyhosts_t) 
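Review bot: The interwise pair added at the end of this hunk (`corenet_tcp_bind_interwise_port`, `corenet_tcp_sendrecv_interwise_port`) is missing the packet rule that the ircd triple just above it carries (`corenet_sendrecv_ircd_server_packets(bitlbee_t)`). On a system using SECMARK packet labelling, bip's listener on the interwise port could bind and accept but its traffic would be denied at the packet class; add `corenet_sendrecv_interwise_server_packets(bitlbee_t)` after the sendrecv line so both listener ports are treated alike. The bitlbee_t network block continues outside the hunk.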
@@ -45146,6 +45173,16 @@ index 98d28b4..1c1d012 100644 + + delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t) +') +diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc +index 4d69477..4079870 100644 +--- a/policy/modules/services/memcached.fc ++++ b/policy/modules/services/memcached.fc +@@ -2,4 +2,5 @@ + + /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) + ++/var/run/ipa_memcached -s gen_context(system_u:object_r:memcached_var_run_t,s0) + /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if index db4fd6f..ce07b3f 100644 --- a/policy/modules/services/memcached.if @@ -45194,7 +45231,7 @@ index db4fd6f..ce07b3f 100644 admin_pattern($1, memcached_var_run_t) ') diff --git a/policy/modules/services/memcached.te b/policy/modules/services/memcached.te -index b681608..08b1b49 100644 +index b681608..0934c95 100644 --- a/policy/modules/services/memcached.te +++ b/policy/modules/services/memcached.te @@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t) @@ -45206,6 +45243,16 @@ index b681608..08b1b49 100644 dontaudit memcached_t self:capability sys_tty_config; allow memcached_t self:process { setrlimit signal_perms }; allow memcached_t self:tcp_socket create_stream_socket_perms; +@@ -42,7 +42,8 @@ corenet_udp_bind_memcache_port(memcached_t) + + manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) + manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) +-files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir }) ++manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t) ++files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir sock_file }) + + kernel_read_kernel_sysctls(memcached_t) + kernel_read_system_state(memcached_t) 
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc index 55a3e2f..bc489e0 100644 --- a/policy/modules/services/milter.fc @@ -60717,7 +60764,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te -index 086cd5f..a181f01 100644 +index 086cd5f..6e66656 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t) @@ -60778,7 +60825,7 @@ index 086cd5f..a181f01 100644 seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) seutil_read_bin_policy(setroubleshootd_t) -@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t) +@@ -121,10 +128,23 @@ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` @@ -60797,7 +60844,12 @@ index 086cd5f..a181f01 100644 dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') -@@ -151,7 +170,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) + optional_policy(` ++ rpm_exec(setroubleshootd_t) + rpm_signull(setroubleshootd_t) + rpm_read_db(setroubleshootd_t) + rpm_dontaudit_manage_db(setroubleshootd_t) +@@ -151,7 +171,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) @@ -60809,7 +60861,7 @@ index 086cd5f..a181f01 100644 files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +187,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +188,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -75252,7 +75304,7 @@ index 831b909..118f708 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) 
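Review bot: `rpm_exec(setroubleshootd_t)` runs rpm inside the setroubleshootd_t domain with no transition, which is the narrower choice compared with a domtrans to rpm_t, but the hunk gives no hint why execution is needed when `rpm_read_db` already sits in the same optional block. The changelog line added in selinux-policy.spec explains it (querying package versions); a comment above the line, `# runs rpm to query package versions; no domtrans so rpm_t's privileges are not acquired`, keeps that with the rule. Any db-lock writes rpm attempts during a query are silently dropped by the existing `rpm_dontaudit_manage_db` two lines below, so it is worth confirming the query still returns complete output under this policy.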
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..688f59a 100644 +index b6ec597..dc551f4 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) @@ -75404,7 +75456,7 @@ index b6ec597..688f59a 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -426,10 +466,21 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -426,10 +466,22 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -75423,10 +75475,11 @@ index b6ec597..688f59a 100644 +domain_read_all_domains_state(syslogd_t) domain_use_interactive_fds(syslogd_t) +domain_read_all_domains_state(syslogd_t) ++domain_getattr_all_domains(syslogd_t) files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -447,7 +498,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and +@@ -447,7 +499,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -75436,7 +75489,7 @@ index b6ec597..688f59a 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +512,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +513,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -75444,7 +75497,7 @@ index b6ec597..688f59a 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +550,20 @@ optional_policy(` +@@ -496,11 +551,20 @@ optional_policy(` ') optional_policy(` @@ -77105,7 +77158,7 @@ index b1a85b5..db0d815 100644 ## ## 
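Review bot: On the new side `+domain_read_all_domains_state(syslogd_t)` appears twice in this hunk, once before and once after `domain_use_interactive_fds(syslogd_t)`; both lines pre-date this commit, but the new `domain_getattr_all_domains(syslogd_t)` is inserted directly after the second copy, so this is the moment to drop one of them. The getattr rule grants `process getattr` on every domain to all of syslogd_t, not only to journald, which the changelog names (as `systemd_jounald`) as the consumer; a comment above the line, `# journald needs process getattr on all domains`, would record that the rule is broader than its user. The syslogd_t rule block continues beyond the hunk.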
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index a19ecea..99c4da1 100644 +index a19ecea..486d7f2 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -77122,7 +77175,7 @@ index a19ecea..99c4da1 100644 ######################################## # -@@ -23,18 +21,19 @@ files_pid_file(mdadm_var_run_t) +@@ -23,18 +21,20 @@ files_pid_file(mdadm_var_run_t) allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; dontaudit mdadm_t self:capability sys_tty_config; @@ -77138,6 +77191,7 @@ index a19ecea..99c4da1 100644 +manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) -files_pid_filetrans(mdadm_t, mdadm_var_run_t, file) ++manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) +files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir }) +dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file }) @@ -77148,12 +77202,13 @@ index a19ecea..99c4da1 100644 kernel_rw_software_raid_state(mdadm_t) kernel_getattr_core_if(mdadm_t) -@@ -52,13 +51,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) +@@ -52,13 +52,17 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: dev_read_raw_memory(mdadm_t) +dev_read_generic_files(mdadm_t) ++domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) @@ -77166,7 +77221,7 @@ index a19ecea..99c4da1 100644 fs_dontaudit_list_tmpfs(mdadm_t) mls_file_read_all_levels(mdadm_t) -@@ -68,6 +70,7 @@ mls_file_write_all_levels(mdadm_t) +@@ -68,9 +72,12 @@ mls_file_write_all_levels(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_dev_filetrans_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) 
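Review bot: `domain_read_all_domains_state(mdadm_t)` lets mdadm read the /proc state of every domain on the system, and neither this hunk nor the changelog says what triggered it (`mdadmin fixes * uses getpw` explains the nsswitch rule in the later hunk, not this one). If the observed denial was mdadm reading its own or one specific daemon's /proc entry, a narrower rule may suffice; otherwise a comment above the line naming the denied access, e.g. `# mdadm reads /proc/<pid>/ state of <which domain> — see the audit denial`, tells the next reviewer why the broad rule is justified. The mdadm_t rule block continues outside this hunk.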
@@ -77174,7 +77229,12 @@ index a19ecea..99c4da1 100644 term_dontaudit_list_ptys(mdadm_t) -@@ -84,6 +87,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) ++auth_use_nsswitch(mdadm_t) ++ + init_dontaudit_getattr_initctl(mdadm_t) + + logging_send_syslog_msg(mdadm_t) +@@ -84,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t) mta_send_mail(mdadm_t) optional_policy(` @@ -81035,7 +81095,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..330f877 100644 +index 4b2878a..eeb5b5a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -82671,12 +82731,16 @@ index 4b2878a..330f877 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2186,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1698,14 +2184,35 @@ interface(`userdom_mmap_user_home_content_files',` + interface(`userdom_read_user_home_content_files',` + gen_require(` type user_home_dir_t, user_home_t; ++ attribute user_home_type; ') -+ list_dirs_pattern($1, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t }) - read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) ++ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) files_search_home($1) ') @@ -82704,7 +82768,7 @@ index 4b2878a..330f877 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2222,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
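Review bot: The rewrite of `userdom_read_user_home_content_files` replaces `user_home_t` with the `user_home_type` attribute in both pattern calls, which silently widens every existing caller from generic home files to every type declared as user home content; in refpolicy that includes ssh_home_t (declared via userdom_user_home_content in ssh.te, if this tree follows refpolicy there), so callers that previously could not read a user's private keys now can. The commit message does not mention this, and the interface's doc block above the hunk still describes reading user home files. If the widening is intended, update the doc block to say "all user home content types" and note it in the changelog; if not, keep `read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_t)` and use the attribute only in the list_dirs_pattern. The interface's `##` documentation starts before the hunk.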
@@ -82722,7 +82786,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -1779,6 +2288,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -82783,7 +82847,7 @@ index 4b2878a..330f877 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2373,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -82793,7 +82857,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -1827,20 +2389,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -82818,7 +82882,16 @@ index 4b2878a..330f877 100644 ######################################## ## -@@ -1941,6 +2497,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1920,7 +2477,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + allow $1 user_home_dir_t:dir search_dir_perms; + files_search_home($1) + ') +- ++/ + ######################################## + ## + ## Delete symbolic links in a user home directory. +@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -82843,7 +82916,7 @@ index 4b2878a..330f877 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2582,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
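Review bot: The hunk replaces the blank line after `userdom_manage_user_home_content_symlinks` with a bare `/` (`++/`), which looks like a stray keystroke rather than intended content; a lone slash has no meaning in an interface file and, depending on how the build treats text outside interface() definitions, may end up in the generated policy. Restore the blank line so the `########` banner of `userdom_delete_user_home_content_symlinks` is separated from the previous interface the way every other interface in the file is.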
@@ -82852,7 +82925,7 @@ index 4b2878a..330f877 100644 files_search_home($1) ') -@@ -2039,7 +2613,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2614,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -82861,7 +82934,7 @@ index 4b2878a..330f877 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2182,7 +2756,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -82870,7 +82943,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2390,7 +2964,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2965,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -82879,7 +82952,7 @@ index 4b2878a..330f877 100644 files_search_tmp($1) ') -@@ -2419,6 +2993,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +2994,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -82905,7 +82978,7 @@ index 4b2878a..330f877 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3028,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3029,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -82921,7 +82994,7 @@ index 4b2878a..330f877 100644 ## ## ## -@@ -2462,7 +3056,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3057,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -82930,7 +83003,7 @@ index 4b2878a..330f877 100644 ## ## ## -@@ -2470,14 +3064,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3065,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -82965,7 +83038,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2572,6 +3182,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +3183,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -82990,7 +83063,7 @@ index 4b2878a..330f877 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +3218,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +3219,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -83033,7 +83106,7 @@ index 4b2878a..330f877 100644 ## ## ## -@@ -2614,14 +3254,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3255,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -83071,7 +83144,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2640,8 +3299,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3300,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -83101,7 +83174,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2713,45 +3391,45 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,45 +3392,45 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -83167,7 +83240,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2772,25 +3450,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3451,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -83193,7 +83266,7 @@ index 4b2878a..330f877 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3511,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3512,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -83202,7 +83275,7 @@ index 4b2878a..330f877 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3527,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3528,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -83236,7 +83309,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -2972,7 +3615,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3616,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -83245,7 +83318,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -3027,7 +3670,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3671,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -83292,7 +83365,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -3045,7 +3726,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3727,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -83301,7 +83374,7 @@ index 4b2878a..330f877 100644 ') ######################################## -@@ -3064,6 +3745,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3746,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -83309,7 +83382,7 @@ index 4b2878a..330f877 100644 kernel_search_proc($1) ') -@@ -3142,6 +3824,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3825,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -83334,7 +83407,7 @@ index 4b2878a..330f877 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3860,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3861,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -83359,7 +83432,7 @@ index 4b2878a..330f877 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3912,1236 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3913,1236 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 865308c2..9f4b4980 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 76%{?dist} +Release: 77%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jan 23 2012 Miroslav Grepl 3.10.0-77 +- Treat Bip with bitlbee policy + * Bip is an IRC proxy +- Add port definition for interwise port +- Add support for ipa_memcached socket +- systemd_jounald needs to getattr on all processes +- mdadmin fixes + * uses getpw +- amavisd calls getpwnam() +- denyhosts calls getpwall() + * Fri Jan 20 2012 Miroslav Grepl 3.10.0-76 - Setup labeling of /var/rsa and /var/lib/rsa to allow login programs to write there - bluetooth says they do not use /tmp and want to remove the type @@ -479,7 +490,7 @@ SELinux Reference policy mls base module. - Allow postfix_smtpd_t to connect to spamd - Add boolean to allow ftp to connect to all ports > 1023 - Allow sendmain to write to inherited dovecot tmp files - +- setroubleshoot needs to be able to execute rpm to see what version of packages * Mon Jan 16 2012 Miroslav Grepl 3.10.0-75 - Merge systemd patch - systemd-tmpfiles wants to relabel /sys/devices/system/cpu/online
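Review bot: The `- setroubleshoot needs to be able to execute rpm to see what version of packages` line is appended to the 3.10.0-76 entry (Fri Jan 20) and replaces the blank line that separated it from the 3.10.0-75 entry, while the rule it describes (`rpm_exec(setroubleshootd_t)`) is added by this commit, whose entry is 3.10.0-77. Move the line into the new `* Mon Jan 23 2012` block above and put the blank separator back before `* Mon Jan 16 2012`. In the 3.10.0-77 entry, `systemd_jounald` should read `systemd_journald` and `mdadmin fixes` presumably `mdadm fixes`, matching the raid.te changes in this diff.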