- Allow domains to search other domains keys, coverup kernel bug

This commit is contained in:
Daniel J Walsh 2008-10-03 15:07:40 +00:00
parent 094ef3d610
commit b42a1eddf9
2 changed files with 152 additions and 13 deletions


@ -6691,7 +6691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.9/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/devices.if 2008-10-01 16:12:47.000000000 -0400
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
@ -8448,6 +8448,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.9/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-08-07 11:15:01.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/kernel/terminal.if 2008-10-02 09:16:08.000000000 -0400
@@ -250,9 +250,11 @@
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
+ type tty_device_t;
')
dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.9/policy/modules/roles/guest.fc
--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/roles/guest.fc 2008-09-25 08:33:18.000000000 -0400
@ -12154,6 +12169,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ files_list_pids($1)
+ admin_pattern($1, named_var_run_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.9/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/bind.te 2008-10-02 09:17:54.000000000 -0400
@@ -249,6 +249,8 @@
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
+term_dontaudit_use_console(ndc_t)
+
# for /etc/rndc.key
ifdef(`distro_redhat',`
allow ndc_t named_conf_t:dir search;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.5.9/policy/modules/services/bitlbee.fc
--- nsaserefpolicy/policy/modules/services/bitlbee.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/bitlbee.fc 2008-09-25 08:33:18.000000000 -0400
@ -21324,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.9/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/services/prelude.te 2008-10-02 09:12:58.000000000 -0400
@@ -13,18 +13,50 @@
type prelude_spool_t;
files_type(prelude_spool_t)
@ -21418,7 +21445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -117,15 +161,129 @@
@@ -117,15 +161,134 @@
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
@ -21445,6 +21472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+prelude_manage_spool(prelude_correlator_t)
@ -21464,6 +21492,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+libs_use_ld_so(prelude_correlator_t)
+libs_use_shared_libs(prelude_correlator_t)
+
@ -21504,7 +21534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+corecmd_search_bin(prelude_lml_t)
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
@ -21526,6 +21556,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+fs_list_inotifyfs(prelude_lml_t)
+
+kernel_read_sysctl(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_use_ld_so(prelude_lml_t)
@ -21548,7 +21580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# prewikka_cgi Declarations
@@ -134,6 +292,17 @@
@@ -134,6 +297,17 @@
optional_policy(`
apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t)
@ -28122,6 +28154,109 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.9/policy/modules/services/zosremote.fc
--- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.fc 2008-10-02 09:31:06.000000000 -0400
@@ -0,0 +1,2 @@
+
+/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.9/policy/modules/services/zosremote.if
--- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.if 2008-10-02 09:36:13.000000000 -0400
@@ -0,0 +1,52 @@
+## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run audispd-zos-remote.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zos_remote_domtrans',`
+ gen_require(`
+ type zos_remote_t;
+ type zos_remote_exec_t;
+ ')
+
+ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t);
+')
+
+########################################
+## <summary>
+## Allow specified type and role to transition and
+## run in the zos_remote_t domain. Allow specified type
+## to use zos_remote_t terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the zos_remote domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`zos_remote_run',`
+ gen_require(`
+ type zos_remote_t;
+ ')
+
+ zos_remote_domtrans($1)
+ role $2 types zos_remote_t;
+ dontaudit zos_remote_t $3:chr_file rw_term_perms;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.9/policy/modules/services/zosremote.te
--- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.9/policy/modules/services/zosremote.te 2008-10-02 09:57:33.000000000 -0400
@@ -0,0 +1,37 @@
+policy_module(zosremote,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type zos_remote_t;
+type zos_remote_exec_t;
+logging_dispater_domain(zos_remote_t, zos_remote_exec_t)
+
+## use below for RHEL5 series:
+init_system_domain(zos_remote_t, zos_remote_exec_t)
+
+role system_r types zos_remote_t;
+
+
+########################################
+#
+# zos_remote local policy
+#
+
+allow zos_remote_t self:fifo_file rw_file_perms;
+allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
+
+allow zos_remote_t self:process signal;
+
+files_read_etc_files(zos_remote_t)
+
+auth_use_nsswitch(zos_remote_t);
+
+libs_use_ld_so(zos_remote_t)
+libs_use_shared_libs(zos_remote_t)
+
+miscfiles_read_localization(zos_remote_t)
+
+logging_send_syslog_msg(zos_remote_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.9/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/application.te 2008-09-25 08:33:18.000000000 -0400
@ -28800,7 +28935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.9/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-09-25 08:33:18.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/init.te 2008-10-02 09:08:34.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@ -28990,7 +29125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
squid_manage_logs(initrc_t)
')
+ifndef(`targeted_policy',`
+ifdef(`enabled_mls',`
optional_policy(`
# allow init scripts to su
su_restricted_domain_template(initrc,initrc_t,system_r)
@ -30962,7 +31097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.9/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-08-11 11:23:34.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-01 08:16:34.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/sysnetwork.te 2008-10-02 09:17:09.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@ -31102,12 +31237,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -279,8 +291,12 @@
@@ -279,8 +291,13 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
+selinux_dontaudit_getattr_fs(ifconfig_t)
+
+term_dontaudit_use_console(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)
+term_dontaudit_use_ptmx(ifconfig_t)
@ -31115,7 +31251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(ifconfig_t)
@@ -336,6 +352,14 @@
@@ -336,6 +353,14 @@
')
optional_policy(`
@ -31972,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.9/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-09-29 10:56:25.000000000 -0400
+++ serefpolicy-3.5.9/policy/modules/system/userdomain.if 2008-10-01 16:13:30.000000000 -0400
@@ -28,10 +28,14 @@
class context contains;
')
@ -32543,7 +32679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# GNOME checks for usb and other devices:
- dev_rw_usbfs($1_t)
+ dev_rw_usbfs($1_usertype)
+ dev_read_generic_usb_dev($1_usertype)
+ dev_rw_generic_usb_dev($1_usertype)
- xserver_user_client_template($1,$1_t,$1_tmpfs_t)
- xserver_xsession_entry_type($1_t)
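Review bot: In the new `zos_remote_run` interface (zosremote.if hunk) the summary promises to "Allow specified type to use zos_remote_t terminal", but the only rule emitted for the terminal is `dontaudit zos_remote_t $3:chr_file rw_term_perms;`, which suppresses denials rather than granting anything — either the summary should read `Do not audit zos_remote_t use of the role's terminal` or the rule should be an `allow` as in other `_run` interfaces, and the mismatch should not be left for the next reader to guess at. In zosremote.te the line `## use below for RHEL5 series:` uses the `##` prefix that the refpolicy doc tooling treats as XML documentation, so it should be a plain `#` comment (or dropped, since the `init_system_domain` call that follows is unconditional), and `auth_use_nsswitch(zos_remote_t);` together with `domtrans_pattern($1, zos_remote_exec_t, zos_remote_t);` in the .if carry trailing semicolons that refpolicy style omits on interface and pattern calls. `logging_dispater_domain(zos_remote_t, zos_remote_exec_t)` looks like a misspelling of `logging_dispatcher_domain`; unless an interface is defined under that exact name elsewhere in this patch the module will fail to build, so please confirm. `role system_r types zos_remote_t;` is presumably redundant if `init_system_domain` already declares the role, as it does in upstream refpolicy — verify against the logging/init interfaces this patch ships.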


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.9
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -390,6 +390,9 @@ exit 0
%endif
%changelog
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-5
- Allow domains to search other domains keys, coverup kernel bug
* Wed Oct 1 2008 Dan Walsh <dwalsh@redhat.com> 3.5.9-4
- Fix labeling for oracle