rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- Dontaudit to getattr on dirs for dovecot-deliver

Browse Source 
- Allow raiudusd server connect to postgresql socket
- Add kerberos support for radiusd
- Allow saslauthd to connect to ldap port
- Allow postfix to manage postfix_private_t files
- Add chronyd support for #965457
- Fix labeling for HOME_DIR/\.icedtea
- CHange squid and snmpd to be allowed also write own logs
- Fix labeling for /usr/libexec/qemu-ga
- Allow virtd_t to use virt_lock_t
- Allow also sealert to read the policy from the kernel
- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use
- Dontaudit listing of users homedir by sendmail Seems like a leak
- Allow passenger to transition to puppet master
- Allow apache to connect to mythtv
- Add definition for mythtv ports
This commit is contained in:
Miroslav Grepl 2013-05-22 14:29:22 +02:00
parent 471c1eb0e1
commit d4d3448653
3 changed files with 413 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
policy-rawhide-base.patch
View File

@ -5083,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4edc40d..2b87328 100644
index 4edc40d..999b8f1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@ -5276,7 +5276,11 @@ index 4edc40d..2b87328 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0)
@@ -185,24 +218,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
+network_port(mythtv, tcp,6543-6544,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@ -5308,7 +5312,7 @@ index 4edc40d..2b87328 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
@@ -214,38 +254,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
@@ -214,38 +255,42 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@ -5357,7 +5361,7 @@ index 4edc40d..2b87328 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
@@ -257,8 +301,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
@@ -257,8 +302,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@ -5368,7 +5372,7 @@ index 4edc40d..2b87328 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(ups, tcp,3493,s0)
@@ -268,10 +313,10 @@ network_port(varnishd, tcp,6081-6082,s0)
@@ -268,10 +314,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@ -5381,7 +5385,7 @@ index 4edc40d..2b87328 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
@@ -292,12 +337,16 @@ network_port(zope, tcp,8021,s0)
@@ -292,12 +338,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@ -5400,7 +5404,7 @@ index 4edc40d..2b87328 100644
########################################
#
@@ -330,6 +379,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
@@ -330,6 +380,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@ -5409,7 +5413,7 @@ index 4edc40d..2b87328 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
@@ -342,9 +393,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
@@ -342,9 +394,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@ -8714,7 +8718,7 @@ index c2c6e05..be423a7 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 64ff4d7..9389e60 100644
index 64ff4d7..92d80ef 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@ -11193,7 +11197,7 @@ index 64ff4d7..9389e60 100644
## </param>
## <param name="class">
## <summary>
@@ -6562,3 +7781,459 @@ interface(`files_unconfined',`
@@ -6562,3 +7781,467 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@ -11516,7 +11520,9 @@ index 64ff4d7..9389e60 100644
+ gen_require(`
+ type mnt_t;
+ type usr_t;
+ type tmp_t;
+ type var_t;
+ type var_run_t;
+ type tmp_t;
+ ')
+
@ -11527,7 +11533,12 @@ index 64ff4d7..9389e60 100644
+ files_root_filetrans($1, mnt_t, dir, "misc")
+ files_root_filetrans($1, mnt_t, dir, "net")
+ files_root_filetrans($1, usr_t, dir, "export")
+ files_root_filetrans($1, usr_t, dir, "opt")
+ files_root_filetrans($1, usr_t, dir, "emul")
+ files_root_filetrans($1, var_t, dir, "srv")
+ files_root_filetrans($1, var_run_t, dir, "run")
+ files_root_filetrans($1, tmp_t, dir, "sandbox")
+ files_root_filetrans($1, tmp_t, dir, "tmp")
+ files_root_filetrans($1, var_t, dir, "nsr")
+ files_etc_filetrans_etc_runtime($1, file, "runtime")
+ files_etc_filetrans_etc_runtime($1, dir, "blkid")
@ -11541,6 +11552,7 @@ index 64ff4d7..9389e60 100644
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+')
+
+########################################
@ -18853,7 +18865,7 @@ index 76d9f66..3063a17 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..2e18809 100644
index fe0c682..871b8fd 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@ -19373,16 +19385,35 @@ index fe0c682..2e18809 100644
## Read ssh server keys
## </summary>
## <param name="domain">
@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
- dontaudit $1 sshd_key_t:file { getattr read };
+ dontaudit $1 sshd_key_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## Append ssh home directory content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ssh_append_home_files',`
+ gen_require(`
+ type ssh_home_t;
+ ')
+
+ append_files_pattern($1, ssh_home_t, ssh_home_t)
+ userdom_search_user_home_dirs($1)
')
######################################
@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@ -31362,7 +31393,7 @@ index 4584457..e432df3 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..117a29a 100644
index 6a50270..ca097a7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@ -31671,7 +31702,7 @@ index 6a50270..117a29a 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -194,24 +300,128 @@ optional_policy(`
@@ -194,24 +300,129 @@ optional_policy(`
')
optional_policy(`
@ -31726,6 +31757,7 @@ index 6a50270..117a29a 100644
-#
+optional_policy(`
+ ssh_exec(mount_t)
+ ssh_append_home_files(mount_t)
+')
+
+optional_policy(`

599
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff

20
selinux-policy.spec
View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: 45%{?dist}
Release: 46%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -530,6 +530,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Wed May 22 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-46
- Dontaudit to getattr on dirs for dovecot-deliver
- Allow raiudusd server connect to postgresql socket
- Add kerberos support for radiusd
- Allow saslauthd to connect to ldap port
- Allow postfix to manage postfix_private_t files
- Add chronyd support for #965457
- Fix labeling for HOME_DIR/\.icedtea
- CHange squid and snmpd to be allowed also write own logs
- Fix labeling for /usr/libexec/qemu-ga
- Allow virtd_t to use virt_lock_t
- Allow also sealert to read the policy from the kernel
- qemu-ga needs to execute scripts in /usr/libexec/qemu-ga and to use /tmp content
- Dontaudit listing of users homedir by sendmail Seems like a leak
- Allow passenger to transition to puppet master
- Allow apache to connect to mythtv
- Add definition for mythtv ports
* Fri May 17 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-45
- Add additional fixes for #948073 bug
- Allow sge_execd_t to also connect to sge ports