- Allow domains to search other domains keys, coverup kernel bug
parent
094ef3d610
commit
b42a1eddf9
@ -6691,7 +6691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.9/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-10-01 16:12:47.000000000 -0400
|
||||
@@ -65,7 +65,7 @@
|
||||
|
||||
relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||
@ -8448,6 +8448,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
|
||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.9/policy/modules/kernel/terminal.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/kernel/terminal.if 2008-10-02 09:16:08.000000000 -0400
|
||||
@@ -250,9 +250,11 @@
|
||||
interface(`term_dontaudit_use_console',`
|
||||
gen_require(`
|
||||
type console_device_t;
|
||||
+ type tty_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
|
||||
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.9/policy/modules/roles/guest.fc
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.9/policy/modules/roles/guest.fc 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -12154,6 +12169,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ files_list_pids($1)
|
||||
+ admin_pattern($1, named_var_run_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.9/policy/modules/services/bind.te
|
||||
--- nsaserefpolicy/policy/modules/services/bind.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/bind.te 2008-10-02 09:17:54.000000000 -0400
|
||||
@@ -249,6 +249,8 @@
|
||||
sysnet_read_config(ndc_t)
|
||||
sysnet_dns_name_resolve(ndc_t)
|
||||
|
||||
+term_dontaudit_use_console(ndc_t)
|
||||
+
|
||||
# for /etc/rndc.key
|
||||
ifdef(`distro_redhat',`
|
||||
allow ndc_t named_conf_t:dir search;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.9/policy/modules/services/bitlbee.fc
|
||||
--- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/bitlbee.fc 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -21324,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.9/policy/modules/services/prelude.te
|
||||
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-10-02 09:12:58.000000000 -0400
|
||||
@@ -13,18 +13,50 @@
|
||||
type prelude_spool_t;
|
||||
files_type(prelude_spool_t)
|
||||
@ -21418,7 +21445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_rand(prelude_audisp_t)
|
||||
dev_read_urand(prelude_audisp_t)
|
||||
@@ -117,15 +161,129 @@
|
||||
@@ -117,15 +161,134 @@
|
||||
# Init script handling
|
||||
domain_use_interactive_fds(prelude_audisp_t)
|
||||
|
||||
@ -21445,6 +21472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
|
||||
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
|
||||
+
|
||||
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
|
||||
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
|
||||
+
|
||||
+prelude_manage_spool(prelude_correlator_t)
|
||||
@ -21464,6 +21492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+files_read_usr_files(prelude_correlator_t)
|
||||
+files_search_spool(prelude_correlator_t)
|
||||
+
|
||||
+kernel_read_sysctl(prelude_correlator_t)
|
||||
+
|
||||
+libs_use_ld_so(prelude_correlator_t)
|
||||
+libs_use_shared_libs(prelude_correlator_t)
|
||||
+
|
||||
@ -21504,7 +21534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
|
||||
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
|
||||
+
|
||||
+corecmd_search_bin(prelude_lml_t)
|
||||
+corecmd_exec_bin(prelude_lml_t)
|
||||
+
|
||||
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
|
||||
+corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
|
||||
@ -21526,6 +21556,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+fs_list_inotifyfs(prelude_lml_t)
|
||||
+
|
||||
+kernel_read_sysctl(prelude_lml_t)
|
||||
+
|
||||
+auth_use_nsswitch(prelude_lml_t)
|
||||
+
|
||||
+libs_use_ld_so(prelude_lml_t)
|
||||
@ -21548,7 +21580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# prewikka_cgi Declarations
|
||||
@@ -134,6 +292,17 @@
|
||||
@@ -134,6 +297,17 @@
|
||||
optional_policy(`
|
||||
apache_content_template(prewikka)
|
||||
files_read_etc_files(httpd_prewikka_script_t)
|
||||
@ -28122,6 +28154,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_kernel_sysctls(zebra_t)
|
||||
kernel_rw_net_sysctls(zebra_t)
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.9/policy/modules/services/zosremote.fc
|
||||
--- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.fc 2008-10-02 09:31:06.000000000 -0400
|
||||
@@ -0,0 +1,2 @@
|
||||
+
|
||||
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.9/policy/modules/services/zosremote.if
|
||||
--- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.if 2008-10-02 09:36:13.000000000 -0400
|
||||
@@ -0,0 +1,52 @@
|
||||
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Execute a domain transition to run audispd-zos-remote.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to transition.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`zos_remote_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type zos_remote_t;
|
||||
+ type zos_remote_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t);
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow specified type and role to transition and
|
||||
+## run in the zos_remote_t domain. Allow specified type
|
||||
+## to use zos_remote_t terminal.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="role">
|
||||
+## <summary>
|
||||
+## The role to be allowed the zos_remote domain.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="terminal">
|
||||
+## <summary>
|
||||
+## The type of the role's terminal.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`zos_remote_run',`
|
||||
+ gen_require(`
|
||||
+ type zos_remote_t;
|
||||
+ ')
|
||||
+
|
||||
+ zos_remote_domtrans($1)
|
||||
+ role $2 types zos_remote_t;
|
||||
+ dontaudit zos_remote_t $3:chr_file rw_term_perms;
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.9/policy/modules/services/zosremote.te
|
||||
--- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.te 2008-10-02 09:57:33.000000000 -0400
|
||||
@@ -0,0 +1,37 @@
|
||||
+policy_module(zosremote,1.0.0)
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
+type zos_remote_t;
|
||||
+type zos_remote_exec_t;
|
||||
+logging_dispater_domain(zos_remote_t, zos_remote_exec_t)
|
||||
+
|
||||
+## use below for RHEL5 series:
|
||||
+init_system_domain(zos_remote_t, zos_remote_exec_t)
|
||||
+
|
||||
+role system_r types zos_remote_t;
|
||||
+
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
+# zos_remote local policy
|
||||
+#
|
||||
+
|
||||
+allow zos_remote_t self:fifo_file rw_file_perms;
|
||||
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+allow zos_remote_t self:process signal;
|
||||
+
|
||||
+files_read_etc_files(zos_remote_t)
|
||||
+
|
||||
+auth_use_nsswitch(zos_remote_t);
|
||||
+
|
||||
+libs_use_ld_so(zos_remote_t)
|
||||
+libs_use_shared_libs(zos_remote_t)
|
||||
+
|
||||
+miscfiles_read_localization(zos_remote_t)
|
||||
+
|
||||
+logging_send_syslog_msg(zos_remote_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.9/policy/modules/system/application.te
|
||||
--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/application.te 2008-09-25 08:33:18.000000000 -0400
|
||||
@ -28800,7 +28935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.9/policy/modules/system/init.te
|
||||
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-09-25 08:33:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-10-02 09:08:34.000000000 -0400
|
||||
@@ -17,6 +17,20 @@
|
||||
## </desc>
|
||||
gen_tunable(init_upstart,false)
|
||||
@ -28990,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
+ifndef(`targeted_policy',`
|
||||
+ifdef(`enabled_mls',`
|
||||
optional_policy(`
|
||||
# allow init scripts to su
|
||||
su_restricted_domain_template(initrc,initrc_t,system_r)
|
||||
@ -30962,7 +31097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
|
||||
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-02 09:17:09.000000000 -0400
|
||||
@@ -20,6 +20,9 @@
|
||||
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
|
||||
role system_r types dhcpc_t;
|
||||
@ -31102,12 +31237,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_rw_tun_tap_dev(ifconfig_t)
|
||||
|
||||
@@ -279,8 +291,12 @@
|
||||
@@ -279,8 +291,13 @@
|
||||
fs_getattr_xattr_fs(ifconfig_t)
|
||||
fs_search_auto_mountpoints(ifconfig_t)
|
||||
|
||||
+selinux_dontaudit_getattr_fs(ifconfig_t)
|
||||
+
|
||||
+term_dontaudit_use_console(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ttys(ifconfig_t)
|
||||
term_dontaudit_use_all_user_ptys(ifconfig_t)
|
||||
+term_dontaudit_use_ptmx(ifconfig_t)
|
||||
@ -31115,7 +31251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(ifconfig_t)
|
||||
|
||||
@@ -336,6 +352,14 @@
|
||||
@@ -336,6 +353,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -31972,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-09-29 10:56:25.000000000 -0400
|
||||
+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-10-01 16:13:30.000000000 -0400
|
||||
@@ -28,10 +28,14 @@
|
||||
class context contains;
|
||||
')
|
||||
@ -32543,7 +32679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# GNOME checks for usb and other devices:
|
||||
- dev_rw_usbfs($1_t)
|
||||
+ dev_rw_usbfs($1_usertype)
|
||||
+ dev_read_generic_usb_dev($1_usertype)
|
||||
+ dev_rw_generic_usb_dev($1_usertype)
|
||||
|
||||
- xserver_user_client_template($1,$1_t,$1_tmpfs_t)
|
||||
- xserver_xsession_entry_type($1_t)
|
||||
|
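Review bot: `logging_dispater_domain(zos_remote_t, zos_remote_exec_t)` in the new zosremote.te (hunk `@ -28122,6 +28154,109 @@`) looks like a misspelling of the refpolicy interface `logging_dispatcher_domain`; m4 leaves an undefined macro name in place as literal text, so unless the patch defines that name somewhere outside this view the module will fail to build and zos_remote_t never receives the audisp-dispatcher domain setup that line is meant to provide, and the one-line fix is `logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)`. Two smaller points in the same file: `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon that no other interface call in the file has, and `## use below for RHEL5 series:` uses the `##` XML-doc prefix for an ordinary comment, so it should read `# use below for RHEL5 series:`. Separately, the terminal.if hunk makes `term_dontaudit_use_console` suppress denials on tty_device_t as well as console_device_t, so the interface's `<summary>` (outside the hunk) should state that callers now also dontaudit tty access, or that rule belongs in a separately named interface so callers can opt in deliberately.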
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.9
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -390,6 +390,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-5
|
||||
- Allow domains to search other domains keys, coverup kernel bug
|
||||
|
||||
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
|
||||
- Fix labeling for oracle
|
||||
|
||||
|