- Dontaudit listing of /root directory for cron system jobs

policy-20090105.patch

@@ -1580,6 +1580,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 +/usr/bin/growisoifs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1 @@
++/usr/bin/cpufreq-selector       --      gen_context(system_u:object_r:cpufreqselector_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1,2 @@
++## <summary>cpufreq-selector policy</summary>
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te
+--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te	2009-04-02 10:05:45.000000000 -0400
+@@ -0,0 +1,47 @@
++policy_module(cpufreqselector,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type cpufreqselector_t;
++type cpufreqselector_exec_t;
++
++dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
++
++########################################
++#
++# cpufreq-selector local policy
++#
++
++allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
++allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++
++files_read_etc_files(cpufreqselector_t)
++files_read_usr_files(cpufreqselector_t)
++
++corecmd_search_bin(cpufreqselector_t)
++
++dev_rw_sysfs(cpufreqselector_t)
++
++fs_list_inotifyfs(cpufreqselector_t)
++
++libs_use_ld_so(cpufreqselector_t)
++libs_use_shared_libs(cpufreqselector_t)
++
++userdom_read_all_users_state(cpufreqselector_t)
++
++nscd_dontaudit_search_pid(cpufreqselector_t)
++
++optional_policy(`
++        consolekit_dbus_chat(cpufreqselector_t)
++')
++
++optional_policy(`
++	polkit_domtrans_auth(cpufreqselector_t)
++	polkit_read_lib(cpufreqselector_t)
++	polkit_read_reload(cpufreqselector_t)
++')
++
++permissive cpufreqselector_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.10/policy/modules/apps/git.fc
 --- nsaserefpolicy/policy/modules/apps/git.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/apps/git.fc	2009-03-30 10:09:41.000000000 -0400
@@ -9098,7 +9160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.10/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/cron.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/cron.if	2009-04-02 11:21:32.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -9187,7 +9249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		gen_require(`
-@@ -261,6 +277,7 @@
+@@ -261,10 +277,12 @@
  	allow $1 system_cronjob_t:fifo_file rw_file_perms;
  	allow $1 system_cronjob_t:process sigchld;
  
@@ -9195,7 +9257,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 crond_t:fifo_file rw_file_perms;
  	allow $1 crond_t:fd use;
  	allow $1 crond_t:process sigchld;
-@@ -343,6 +360,24 @@
+ 
++	userdom_dontaudit_list_admin_dir($1)
+ 	role system_r types $1;
+ ')
+ 
+@@ -343,6 +361,24 @@
  
  ########################################
  ## <summary>
@@ -9220,7 +9287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -361,7 +396,7 @@
+@@ -361,7 +397,7 @@
  
  ########################################
  ## <summary>
@@ -9229,7 +9296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,7 +404,7 @@
+@@ -369,7 +405,7 @@
  ##	</summary>
  ## </param>
  #
@@ -9238,7 +9305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	gen_require(`
  		type crond_t;
  	')
-@@ -416,6 +451,42 @@
+@@ -416,6 +452,42 @@
  
  ########################################
  ## <summary>
@@ -9281,7 +9348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Inherit and use a file descriptor
  ##	from system cron jobs.
  ## </summary>
-@@ -481,11 +552,14 @@
+@@ -481,11 +553,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -9297,7 +9364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -506,3 +580,101 @@
+@@ -506,3 +581,101 @@
  
  	dontaudit $1 system_cronjob_tmp_t:file append;
  ')
@@ -18450,7 +18517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.10/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/samba.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/samba.if	2009-04-01 15:42:15.000000000 -0400
 @@ -4,6 +4,45 @@
  ##	from Windows NT servers.
  ## </summary>
@@ -18850,7 +18917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.10/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/samba.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/services/samba.te	2009-04-01 15:20:37.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -19136,7 +19203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow swat_t self:udp_socket create_socket_perms;
  
 +allow swat_t self:unix_stream_socket connectto;
-+can_exec(swat_t, smbd_exec_t)
++samba_domtrans_smb(swat_t)
 +allow swat_t smbd_port_t:tcp_socket name_bind;
 +allow swat_t smbd_t:process { signal signull };
 +allow swat_t smbd_var_run_t:file { lock unlink };
@@ -23819,13 +23886,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.10/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/init.if	2009-04-01 15:00:12.000000000 -0400
-@@ -280,6 +280,27 @@
+@@ -280,6 +280,28 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
 +
 +	userdom_dontaudit_search_user_home_dirs($1)
++	userdom_dontaudit_rw_stream($1)
 +
 +	tunable_policy(`allow_daemons_use_tty',`
 +	   term_use_all_user_ttys($1)
@@ -23848,7 +23916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -546,7 +567,7 @@
+@@ -546,7 +568,7 @@
  
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
@@ -23857,7 +23925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -619,18 +640,19 @@
+@@ -619,18 +641,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -23881,7 +23949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -646,23 +668,43 @@
+@@ -646,23 +669,43 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -23929,7 +23997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute a init script in a specified domain.
  ## </summary>
  ## <desc>
-@@ -1291,6 +1333,25 @@
+@@ -1291,6 +1334,25 @@
  
  ########################################
  ## <summary>
@@ -23955,7 +24023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1521,3 +1582,51 @@
+@@ -1521,3 +1583,51 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -24009,7 +24077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/init.te	2009-04-01 15:00:25.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -24292,13 +24360,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +865,17 @@
+@@ -790,3 +865,19 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
 +
 +userdom_append_user_home_content_files(daemon)
 +userdom_write_user_tmp_files(daemon)
++userdom_dontaudit_rw_stream(daemon)
++
 +logging_append_all_logs(daemon)
 +
 +optional_policy(`
@@ -26941,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if	2009-04-01 14:58:39.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -27598,7 +27668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-03-30 10:09:41.000000000 -0400
++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if	2009-04-01 14:59:58.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -28982,7 +29052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_search_proc($1)
  ')
  
-@@ -2981,3 +3182,462 @@
+@@ -2981,3 +3182,482 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -29445,6 +29515,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 userdomain:key manage_key_perms;
 +')
 +
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write
++##	unserdomain stream.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_rw_stream',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	dontaudit $1 userdomain:unix_stream_socket rw_file_perms;
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.10/policy/modules/system/userdomain.te	2009-03-30 10:09:41.000000000 -0400

selinux-policy.spec

@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -444,6 +444,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-6
+- Dontaudit listing of /root directory for cron system jobs
+
 * Mon Mar 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-5
 - Fix missing ld.so.cache label