From 7b62a83f6b1e07c8e0283ce4dec5f7e9f3a3e8a3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 7 Dec 2010 15:10:29 +0000 Subject: [PATCH 1/3] - Fixes for lvm to work with systemd --- policy-F15.patch | 25 +++++++++++++++++++++---- selinux-policy.spec | 5 ++++- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index 9fcff4df..ae8d5e91 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -43754,7 +43754,7 @@ index aa2b0a6..304fbba 100644 ') diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..31efcb2 100644 +index 879bb1e..5ce52c0 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -28,10 +28,12 @@ ifdef(`distro_gentoo',` @@ -43770,6 +43770,14 @@ index 879bb1e..31efcb2 100644 /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) +@@ -97,5 +99,7 @@ ifdef(`distro_gentoo',` + /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) + /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) + /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) ++/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) + /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) ++/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) + /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 58bc27f..b4f0663 100644 --- a/policy/modules/system/lvm.if @@ -43797,7 +43805,7 @@ index 58bc27f..b4f0663 100644 + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..17aeb3e 100644 +index 86ef2da..a251276 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te 
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -43861,6 +43869,15 @@ index 86ef2da..17aeb3e 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +@@ -200,7 +214,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) + manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) +-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) ++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file }) + + read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) + read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) @@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) @@ -47269,7 +47286,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 35f1476..d74e327 100644 +index 35f1476..1571559 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -49473,7 +49490,7 @@ index 35f1476..d74e327 100644 + type home_cert_t; + ') + -+ userdom_search_user_home_dirs($1) ++ userdom_search_user_home_content($1) + allow $1 home_cert_t:dir list_dir_perms; + read_files_pattern($1, home_cert_t, home_cert_t) + read_lnk_files_pattern($1, home_cert_t, home_cert_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 5802923e..625f0b63 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
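Review bot: The userdomain.if hunk (`@@ -49473,7 +49490,7 @@`) swaps `userdom_search_user_home_dirs($1)` for `userdom_search_user_home_content($1)` inside the interface that reads home_cert_t, and nothing in a commit titled as an lvm/systemd fix says why; if that interface matches its refpolicy namesake it grants search on every user_home_type directory rather than on the home directory alone, which is more than reaching `~/.cert` needs. If the wider grant is required because `.cert` can sit below other home content, record that above the call, e.g. `# .cert may live below other user home content; search all of it`, otherwise restore `userdom_search_user_home_dirs($1)`. The interface's header lines are outside this hunk.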
@@ -471,6 +471,9 @@ exit 0 %endif %changelog +* Tue Dec 7 2010 Miroslav Grepl 3.9.9-8 +- Fixes for lvm to work with systemd + * Mon Dec 6 2010 Miroslav Grepl 3.9.9-7 - Fix the label for wicd log - plymouthd creates force-display-on-active-vt file From c2ad3681fa878f6d3a2569cce2d35847587974de Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 7 Dec 2010 17:51:16 +0000 Subject: [PATCH 2/3] - Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy --- modules-mls.conf | 7 +++ modules-targeted.conf | 8 +++ policy-F15.patch | 125 +++++++++++++++++++++++------------------- selinux-policy.spec | 6 +- 4 files changed, 89 insertions(+), 57 deletions(-) diff --git a/modules-mls.conf b/modules-mls.conf index 302837ac..357039ae 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -2082,3 +2082,10 @@ shorewall = base # Policy for shutdown # shutdown = module + +# Layer: kernel +# Module: unlabelednet +# +# The unlabelednet module. +# +unlabelednet = module diff --git a/modules-targeted.conf b/modules-targeted.conf index 208a1587..26f50fa2 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1762,6 +1762,14 @@ userdomain = base # unconfined = module + +# Layer: kernel +# Module: unconfined +# +# The unlabelednet module. +# +unlabelednet = module + # Layer: services # Module: ulogd # diff --git a/policy-F15.patch b/policy-F15.patch index ae8d5e91..e8e3b9b8 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -7681,7 +7681,7 @@ index 82842a0..4111a1d 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 34c9d01..4842e56 100644 +index 34c9d01..6e68bd2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -72,7 +72,9 @@ ifdef(`distro_redhat',` 
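Review bot: The header of the new modules-targeted.conf entry says `# Module: unconfined` while the entry it introduces is `unlabelednet = module`; the modules-mls.conf entry in the same commit has the right name, so this one should read `# Module: unlabelednet` (the `# Layer: kernel` line is already correct). A caveat worth a comment in either file: both entries build unlabelednet as a loadable module that is presumably installed and enabled by default, so unlabeled_t packet access is still granted on a fresh install and only goes away once an administrator disables the module, which is what the "allow disabling" in the commit message amounts to rather than a default tightening.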
@@ -7705,7 +7705,16 @@ index 34c9d01..4842e56 100644 /lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0) /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -307,6 +309,7 @@ ifdef(`distro_redhat', ` +@@ -247,6 +249,8 @@ ifdef(`distro_gentoo',` + /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0) + /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -307,6 +311,7 @@ ifdef(`distro_redhat', ` /usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -7737,7 +7746,7 @@ index 9e5c83e..953e0e8 100644 +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index b06df19..ae572ad 100644 +index b06df19..f20833d 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -86,6 +86,33 @@ interface(`corenet_rpc_port',` @@ -7774,7 +7783,7 @@ index b06df19..ae572ad 100644 ## Define type to be a network client packet type ## ## -@@ -2149,13 +2176,18 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## # interface(`corenet_tcp_recvfrom_unlabeled',` 
@@ -7789,13 +7798,8 @@ index b06df19..ae572ad 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -- kernel_sendrecv_unlabeled_association($1) -+# kernel_sendrecv_unlabeled_association($1) - ') - - ######################################## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 36ba519..7be305d 100644 +index 36ba519..e2d8b49 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -15,6 +15,7 @@ attribute rpc_port_type; @@ -8003,17 +8007,6 @@ index 36ba519..7be305d 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -262,6 +302,10 @@ network_interface(lo, lo, s0 - mls_systemhigh) - typealias netif_t alias { lo_netif_t netif_lo_t }; - ') - -+optional_policy(` -+ unlabelednet_sendrecv_packets(corenet_unlabeled_type) -+') -+ - ######################################## - # - # Unconfined access to this module diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 3b2da10..7c29e17 100644 --- a/policy/modules/kernel/devices.fc @@ -10399,7 +10392,7 @@ index 6d21b3d..255b47a 100644 # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index b4ad6d7..0937933 100644 +index b4ad6d7..67e89f0 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` 
@@ -10463,6 +10456,15 @@ index b4ad6d7..0937933 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## +@@ -2561,7 +2599,7 @@ interface(`kernel_sendrecv_unlabeled_association',` + allow $1 unlabeled_t:association { sendto recvfrom }; + + # temporary hack until labeling on packets is supported +- allow $1 unlabeled_t:packet { send recv }; ++# allow $1 unlabeled_t:packet { send recv }; + ') + + ######################################## @@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## @@ -10922,38 +10924,24 @@ index 0000000..f310b9d +# No unlabelednet file contexts. diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if new file mode 100644 -index 0000000..ba2f0b8 +index 0000000..0ce0470 --- /dev/null +++ b/policy/modules/kernel/unlabelednet.if -@@ -0,0 +1,19 @@ -+## Policy for allowing confined domains to talk use unlabeled_t packets. -+ -+######################################## -+## -+## Allow specified type to send recv unlabeled packets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unlabelednet_sendrecv_packets',` -+ gen_require(` -+ attribute unlabelednet_domain; -+ ') -+ -+ kernel_sendrecv_unlabeled_association($1) -+') +@@ -0,0 +1 @@ ++## Policy for allowing confined domains to use unlabeled_t packets diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te new file mode 100644 -index 0000000..dee5ba8 +index 0000000..571c3b9 --- /dev/null +++ b/policy/modules/kernel/unlabelednet.te -@@ -0,0 +1,3 @@ +@@ -0,0 +1,7 @@ +policy_module(unlabelednet, 1.0) + -+attribute unlabelednet_domain; ++gen_require(` ++ attribute corenet_unlabeled_type; ++') ++ ++kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index b0d5b27..a96f2e6 100644 --- a/policy/modules/roles/auditadm.te 
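Review bot: After this commit nothing visible in the patch still grants `unlabeled_t:packet { send recv }`: the kernel.if hunk comments that rule out of `kernel_sendrecv_unlabeled_association`, and the new unlabelednet.te consists of nothing but a call to that same interface, so loading the module only adds the `unlabeled_t:association { sendto recvfrom }` rule that `corenet_tcp_recvfrom_unlabeled` callers already get (the corenetwork.if.in hunk restores that call). If the module is meant to be the one switch for unlabeled packet traffic, as the commit message suggests, the packet rule has to move into it: add `type unlabeled_t;` to the gen_require block and `allow corenet_unlabeled_type unlabeled_t:packet { send recv };` after the interface call. A comment on that line noting that packet-class checks only take effect once packets are actually labelled (presumably via SECMARK, which this patch does not show) would explain why the module exists at all.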
@@ -20245,10 +20233,10 @@ index 0000000..60c81d6 +') diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te new file mode 100644 -index 0000000..c88f611 +index 0000000..b4d0dd0 --- /dev/null +++ b/policy/modules/services/dirsrv-admin.te -@@ -0,0 +1,94 @@ +@@ -0,0 +1,95 @@ +policy_module(dirsrv-admin,1.0.0) + +######################################## @@ -20318,7 +20306,8 @@ index 0000000..c88f611 + +kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t) + -+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t) ++corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t) ++corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t) +corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t) @@ -26440,7 +26429,7 @@ index 8581040..cfcdf10 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..3ce90f7 100644 +index da5b33d..8b56967 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -26494,7 +26483,17 @@ index da5b33d..3ce90f7 100644 domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) -@@ -270,7 +271,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) +@@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t) + + corenet_tcp_bind_generic_node(nrpe_t) + corenet_tcp_bind_inetd_child_port(nrpe_t) +-corenet_sendrecv_unlabeled_packets(nrpe_t) ++corenet_all_recvfrom_unlabeled(nrpe_t) ++corenet_all_recvfrom_netlabel(nrpe_t) + + dev_read_sysfs(nrpe_t) + dev_read_urand(nrpe_t) +@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) # allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; 
@@ -26502,7 +26501,7 @@ index da5b33d..3ce90f7 100644 allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms; -@@ -299,7 +299,7 @@ optional_policy(` +@@ -299,7 +300,7 @@ optional_policy(` optional_policy(` postfix_stream_connect_master(nagios_mail_plugin_t) @@ -26511,7 +26510,7 @@ index da5b33d..3ce90f7 100644 ') ###################################### -@@ -310,6 +310,9 @@ optional_policy(` +@@ -310,6 +311,9 @@ optional_policy(` # needed by ioctl() allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; @@ -26521,7 +26520,7 @@ index da5b33d..3ce90f7 100644 files_read_etc_runtime_files(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t) -@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) +@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:process { signal sigkill }; @@ -26529,7 +26528,7 @@ index da5b33d..3ce90f7 100644 allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms; -@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -30160,7 +30159,7 @@ index 2316653..77ef768 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te -index 7e84587..7a7310d 100644 +index 7e84587..febda2f 100644 --- a/policy/modules/services/prelude.te +++ b/policy/modules/services/prelude.te @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) 
@@ -30182,6 +30181,20 @@ index 7e84587..7a7310d 100644 allow prelude_lml_t self:fifo_file rw_fifo_file_perms; allow prelude_lml_t self:unix_stream_socket connectto; +@@ -236,11 +235,12 @@ kernel_read_sysctl(prelude_lml_t) + + corecmd_exec_bin(prelude_lml_t) + ++corenet_all_recvfrom_unlabeled(prelude_lml_t) ++corenet_all_recvfrom_netlabel(prelude_lml_t) + corenet_tcp_sendrecv_generic_if(prelude_lml_t) + corenet_tcp_sendrecv_generic_node(prelude_lml_t) + corenet_tcp_recvfrom_netlabel(prelude_lml_t) + corenet_tcp_recvfrom_unlabeled(prelude_lml_t) +-corenet_sendrecv_unlabeled_packets(prelude_lml_t) + corenet_tcp_connect_prelude_port(prelude_lml_t) + + dev_read_rand(prelude_lml_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te index 6f1b2c3..3f1a3fe 100644 --- a/policy/modules/services/privoxy.te diff --git a/selinux-policy.spec b/selinux-policy.spec index 625f0b63..d0fa9603 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,10 @@ exit 0 %endif %changelog +* Tue Dec 7 2010 Miroslav Grepl 3.9.9-9 +- Push fixes to allow disabling of unlabeled_t packet access +- Enable unlabelednet policy + * Tue Dec 7 2010 Miroslav Grepl 3.9.9-8 - Fixes for lvm to work with systemd From b04a855a22171845490e13fe677eee576fb83b23 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 10 Dec 2010 13:55:11 +0000 Subject: [PATCH 3/3] - Fixes for clamscan and boinc policy - Add boinc_project_t setpgid - Allow alsa to create tmp files in /tmp --- policy-F15.patch | 114 +++++++++++++++++++++++++++++++++++++------- selinux-policy.spec | 7 ++- 2 files changed, 102 insertions(+), 19 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index e8e3b9b8..06da897d 100644 --- a/policy-F15.patch +++ b/policy-F15.patch 
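Review bot: The prelude.te hunk adds `corenet_all_recvfrom_unlabeled(prelude_lml_t)` and `corenet_all_recvfrom_netlabel(prelude_lml_t)` but keeps `corenet_tcp_recvfrom_netlabel(prelude_lml_t)` and `corenet_tcp_recvfrom_unlabeled(prelude_lml_t)` on the following context lines; if the `_all_` interfaces cover TCP as their names suggest, the two TCP-specific calls are now redundant and should be removed, matching the dirsrv-admin and nrpe hunks in the same commit, which carry only the `_all_` pair. Note that this is a widening rather than a rename: prelude_lml_t previously held the unlabeled/netlabel receive rules for TCP only and presumably now gets them for every protocol those interfaces cover, which the changelog entry does not mention.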
@@ -220,18 +220,35 @@ index 90d5203..1392679 100644 ## ## diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te -index 453834c..5ff732d 100644 +index 453834c..9d83d66 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te -@@ -11,7 +11,7 @@ init_system_domain(alsa_t, alsa_exec_t) +@@ -11,7 +11,10 @@ init_system_domain(alsa_t, alsa_exec_t) role system_r types alsa_t; type alsa_etc_rw_t; -files_type(alsa_etc_rw_t) +files_config_file(alsa_etc_rw_t) ++ ++type alsa_tmp_t; ++files_tmp_file(alsa_tmp_t) type alsa_var_lib_t; files_type(alsa_var_lib_t) +@@ -39,6 +42,13 @@ files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) + + can_exec(alsa_t, alsa_exec_t) + ++manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) ++manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) ++files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) ++userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) ++userdom_dontaudit_setattr_user_tmp(alsa_t) ++ ++ + manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) + files_search_var_lib(alsa_t) diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te index f76ed8a..9a9526a 100644 --- a/policy/modules/admin/anaconda.te @@ -347,7 +364,7 @@ index a2e9cb5..b2de42c 100644 optional_policy(` apache_exec_modules(certwatch_t) diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te -index 66fee7d..9191e32 100644 +index 66fee7d..1d231b8 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -79,16 +79,18 @@ optional_policy(` @@ -355,7 +372,7 @@ index 66fee7d..9191e32 100644 optional_policy(` + devicekit_dontaudit_read_pid_files(consoletype_t) -+ devicekit_dontaudit_write_log(consoletype_t) ++ devicekit_dontaudit_rw_log(consoletype_t) +') + +optional_policy(` @@ -4165,7 +4182,7 @@ index 9a6d67d..b0c1197 100644 ## mozilla over dbus. ## 
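Review bot: `userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })` lets a system domain (`init_system_domain(alsa_t, ...)` is visible in the hunk context) create its own files inside users' tmp directories, and the `userdom_dontaudit_setattr_user_tmp(alsa_t)` after it hides the setattr attempts rather than explaining them; a why-comment is needed, e.g. `# alsactl run from a user session creates its state file in the user's tmp dir -- confirm caller`, since the changelog only says "Allow alsa to create tmp files in /tmp". The hunk also leaves two consecutive blank lines before `manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)`; drop one.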
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..9826f66 100644 +index cbf4bec..1aa992d 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.2.2) @@ -4247,7 +4264,7 @@ index cbf4bec..9826f66 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,144 @@ optional_policy(` +@@ -266,3 +291,145 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4375,6 +4392,7 @@ index cbf4bec..9826f66 100644 + nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) ++ nsplugin_user_home_filetrans(mozilla_plugin_t, file) + nsplugin_signal(mozilla_plugin_t) +') + @@ -4495,10 +4513,10 @@ index 0000000..717eb3f +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..c06e99e +index 0000000..4f9cb05 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,455 @@ +@@ -0,0 +1,480 @@ + +## policy for nsplugin + @@ -4933,7 +4951,32 @@ index 0000000..c06e99e + type nsplugin_home_t; + ') + -+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) ++ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2) ++') ++ ++####################################### ++## ++## Create objects in a user home directory ++## with an automatic type transition to ++## the nsplugin home file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`nsplugin_user_home_filetrans',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2) +') + +######################################## 
@@ -15986,10 +16029,10 @@ index 0000000..fa9b95a +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..4bc3f06 +index 0000000..3b58d07 --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,169 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -16110,7 +16153,7 @@ index 0000000..4bc3f06 +domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) +allow boinc_t boinc_project_t:process sigkill; + -+allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop }; ++allow boinc_project_t self:process { ptrace setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + +allow boinc_project_t self:fifo_file rw_fifo_file_perms; @@ -16150,6 +16193,8 @@ index 0000000..4bc3f06 +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) ++files_read_etc_runtime_files(boinc_project_t) ++files_read_usr_files(boinc_project_t) + +miscfiles_read_fonts(boinc_project_t) +miscfiles_read_localization(boinc_project_t) @@ -17119,7 +17164,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index 8c36027..532fa91 100644 +index 8c36027..28863a5 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ @@ -17226,7 +17271,11 @@ index 8c36027..532fa91 100644 ######################################## # # clamscam local policy -@@ -251,6 +266,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) +@@ -248,9 +263,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t) + corenet_tcp_sendrecv_generic_node(clamscan_t) + corenet_tcp_sendrecv_all_ports(clamscan_t) + corenet_tcp_sendrecv_clamd_port(clamscan_t) ++corenet_tcp_bind_generic_node(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) 
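Review bot: `corenet_tcp_bind_generic_node(clamscan_t)` is added with no matching port bind rule and no comment, right next to the existing `corenet_tcp_connect_clamd_port(clamscan_t)`; an implicit bind performed by connect() does not pass through the bind hook, so this only helps if clamscan calls bind() itself, and the reason should be stated, e.g. `# clamscan binds a local socket before connecting to clamd -- confirm`, or the line dropped if it was added to silence an AVC that a connect-only path should not produce. If a well-known port is involved the bind will still be denied without the corresponding `corenet_tcp_bind_<port>` call.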
@@ -17234,6 +17283,16 @@ index 8c36027..532fa91 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) +@@ -265,6 +282,9 @@ miscfiles_read_public_files(clamscan_t) + clamav_stream_connect(clamscan_t) + + mta_send_mail(clamscan_t) ++mta_read_queue(clamscan_t) ++ ++sysnet_read_config(clamscan_t) + + optional_policy(` + amavis_read_spool_files(clamscan_t) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if index c0a66a4..e438c5f 100644 --- a/policy/modules/services/clogd.if @@ -19737,7 +19796,7 @@ index 418a5a0..28d9e41 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..4b3d7f7 100644 +index f706b99..6149a45 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -19752,7 +19811,7 @@ index f706b99..4b3d7f7 100644 ## # interface(`devicekit_domtrans',` -@@ -118,6 +118,63 @@ interface(`devicekit_dbus_chat_power',` +@@ -118,6 +118,82 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') @@ -19794,6 +19853,25 @@ index f706b99..4b3d7f7 100644 + dontaudit $1 devicekit_var_log_t:file { write }; +') + ++###################################### ++## ++## Do not audit attempts to read and write the devicekit ++## log files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`devicekit_dontaudit_rw_log',` ++ gen_require(` ++ type devicekit_var_log_t; ++ ') ++ ++ dontaudit $1 devicekit_var_log_t:file rw_inherited_file_perms; ++') ++ +######################################## +## +## Allow the domain to read devicekit_power state files in /proc. 
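Review bot: `mta_read_queue(clamscan_t)` gives the scanner read access to the whole MTA queue, i.e. every message in transit, which is a broad grant for a domain that already has `mta_send_mail`; if clamscan is only handed individual queue files by the MTA (the `amavis_read_spool_files` rule below suggests a spool-based flow), state that above the call, e.g. `# MTA-invoked scans read messages directly from the queue -- confirm which MTA`, so the grant can be revisited rather than silently accumulating. The hunk also adds `sysnet_read_config(clamscan_t)` with no note on why a file scanner needs the network configuration; one line of justification would help there too.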
@@ -19816,7 +19894,7 @@ index f706b99..4b3d7f7 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +196,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +215,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -19876,7 +19954,7 @@ index f706b99..4b3d7f7 100644 ## ## ## -@@ -165,21 +252,22 @@ interface(`devicekit_admin',` +@@ -165,21 +271,22 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d0fa9603..1b911508 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.10 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Fri Dec 10 2010 Miroslav Grepl 3.9.9-10 +- Fixes for clamscan and boinc policy +- Add boinc_project_t setpgid +- Allow alsa to create tmp files in /tmp + * Tue Dec 7 2010 Miroslav Grepl 3.9.9-9 - Push fixes to allow disabling of unlabeled_t packet access - Enable unlabelednet policy