- Allow domains to search other domains keys, coverup kernel bug

2008-10-03 15:07:40 +00:00 · 2008-10-03 15:07:40 +00:00 · b42a1eddf9
parent 094ef3d610
commit b42a1eddf9
2 changed files with 152 additions and 13 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -6691,7 +6691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.9/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if	2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if	2008-10-01 16:12:47.000000000 -0400
@@ -65,7 +65,7 @@
 
 	relabelfrom_dirs_pattern($1, device_t, device_node)
@ -8448,6 +8448,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.9/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/terminal.if	2008-10-02 09:16:08.000000000 -0400
+@@ -250,9 +250,11 @@
+ interface(`term_dontaudit_use_console',`
+ 	gen_require(`
+ 		type console_device_t;
+		type tty_device_t;
+ 	')
+ 
+ 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.9/policy/modules/roles/guest.fc
 --- nsaserefpolicy/policy/modules/roles/guest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.9/policy/modules/roles/guest.fc	2008-09-25 08:33:18.000000000 -0400
@ -12154,6 +12169,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, named_var_run_t)
 ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.9/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te	2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/bind.te	2008-10-02 09:17:54.000000000 -0400
+@@ -249,6 +249,8 @@
+ sysnet_read_config(ndc_t)
+ sysnet_dns_name_resolve(ndc_t)
+ 
+term_dontaudit_use_console(ndc_t)
+
+ # for /etc/rndc.key
+ ifdef(`distro_redhat',`
+ 	allow ndc_t named_conf_t:dir search;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.9/policy/modules/services/bitlbee.fc
 --- nsaserefpolicy/policy/modules/services/bitlbee.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.9/policy/modules/services/bitlbee.fc	2008-09-25 08:33:18.000000000 -0400
@ -21324,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.9/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/services/prelude.te	2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/prelude.te	2008-10-02 09:12:58.000000000 -0400
@@ -13,18 +13,50 @@
 type prelude_spool_t;
 files_type(prelude_spool_t)
@ -21418,7 +21445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
-@@ -117,15 +161,129 @@
+@@ -117,15 +161,134 @@
 # Init script handling
 domain_use_interactive_fds(prelude_audisp_t)
 
@ -21445,6 +21472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
 +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
 +
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
 +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
 +
 +prelude_manage_spool(prelude_correlator_t)
@ -21464,6 +21492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_read_usr_files(prelude_correlator_t)
 +files_search_spool(prelude_correlator_t)
 +
+kernel_read_sysctl(prelude_correlator_t)
+
 +libs_use_ld_so(prelude_correlator_t)
 +libs_use_shared_libs(prelude_correlator_t)
 +
@ -21504,7 +21534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
 +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
 +
-+corecmd_search_bin(prelude_lml_t)
+corecmd_exec_bin(prelude_lml_t)
 +
 +corenet_tcp_sendrecv_generic_if(prelude_lml_t)
 +corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
@ -21526,6 +21556,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +fs_list_inotifyfs(prelude_lml_t)
 +
+kernel_read_sysctl(prelude_lml_t)
+
 +auth_use_nsswitch(prelude_lml_t)
 +
 +libs_use_ld_so(prelude_lml_t)
@ -21548,7 +21580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # prewikka_cgi Declarations
-@@ -134,6 +292,17 @@
+@@ -134,6 +297,17 @@
 optional_policy(`
 	apache_content_template(prewikka)
 	files_read_etc_files(httpd_prewikka_script_t)
@ -28122,6 +28154,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.9/policy/modules/services/zosremote.fc
+--- nsaserefpolicy/policy/modules/services/zosremote.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.fc	2008-10-02 09:31:06.000000000 -0400
+@@ -0,0 +1,2 @@
+
+/sbin/audispd-zos-remote	--	gen_context(system_u:object_r:zos_remote_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.9/policy/modules/services/zosremote.if
+--- nsaserefpolicy/policy/modules/services/zosremote.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.if	2008-10-02 09:36:13.000000000 -0400
+@@ -0,0 +1,52 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zos_remote_domtrans',`
+        gen_require(`
+                type zos_remote_t;
+                type zos_remote_exec_t;
+        ')
+
+        domtrans_pattern($1, zos_remote_exec_t, zos_remote_t);
+')
+
+########################################
+## <summary>
+##	Allow specified type and role to transition and
+##	run in the zos_remote_t domain. Allow specified type
+##	to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the zos_remote domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`zos_remote_run',`
+	gen_require(`
+		type zos_remote_t;
+	')
+
+	zos_remote_domtrans($1)
+	role $2 types zos_remote_t;
+	dontaudit zos_remote_t $3:chr_file rw_term_perms;
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.9/policy/modules/services/zosremote.te
+--- nsaserefpolicy/policy/modules/services/zosremote.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.te	2008-10-02 09:57:33.000000000 -0400
+@@ -0,0 +1,37 @@
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+logging_dispater_domain(zos_remote_t, zos_remote_exec_t)
+
+## use below for RHEL5 series:
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+
+role system_r types zos_remote_t;
+
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+allow zos_remote_t self:process signal;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+libs_use_ld_so(zos_remote_t)
+libs_use_shared_libs(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.9/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2008-08-07 11:15:12.000000000 -0400
 +++ serefpolicy-3.5.9/policy/modules/system/application.te	2008-09-25 08:33:18.000000000 -0400
@ -28800,7 +28935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.9/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-09-24 09:07:28.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/init.te	2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/init.te	2008-10-02 09:08:34.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -28990,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	squid_manage_logs(initrc_t)
 ')
 
-+ifndef(`targeted_policy',`
+ifdef(`enabled_mls',`
 optional_policy(`
 	# allow init scripts to su
 	su_restricted_domain_template(initrc,initrc_t,system_r)
@ -30962,7 +31097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2008-08-11 11:23:34.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te	2008-10-01 08:16:34.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te	2008-10-02 09:17:09.000000000 -0400
@@ -20,6 +20,9 @@
 init_daemon_domain(dhcpc_t,dhcpc_exec_t)
 role system_r types dhcpc_t;
@ -31102,12 +31237,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corenet_rw_tun_tap_dev(ifconfig_t)
 
-@@ -279,8 +291,12 @@
+@@ -279,8 +291,13 @@
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
 
 +selinux_dontaudit_getattr_fs(ifconfig_t)
 +
+term_dontaudit_use_console(ifconfig_t)
 term_dontaudit_use_all_user_ttys(ifconfig_t)
 term_dontaudit_use_all_user_ptys(ifconfig_t)
 +term_dontaudit_use_ptmx(ifconfig_t)
@ -31115,7 +31251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 domain_use_interactive_fds(ifconfig_t)
 
-@@ -336,6 +352,14 @@
+@@ -336,6 +353,14 @@
 ')
 
 optional_policy(`
@ -31972,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-09-29 10:56:25.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if	2008-10-01 16:13:30.000000000 -0400
@@ -28,10 +28,14 @@
 		class context contains;
 	')
@ -32543,7 +32679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# GNOME checks for usb and other devices:
 -	dev_rw_usbfs($1_t)
 +	dev_rw_usbfs($1_usertype)
-+	dev_read_generic_usb_dev($1_usertype)
+	dev_rw_generic_usb_dev($1_usertype)
 
 -	xserver_user_client_template($1,$1_t,$1_tmpfs_t)
 -	xserver_xsession_entry_type($1_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -390,6 +390,9 @@ exit 0
 %endif

 %changelog
+* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-5
+- Allow domains to search other domains keys, coverup kernel bug
+
 * Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
 - Fix labeling for oracle