From d611f1191af7ce7a5c626ae7dc5a940339ea043e Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 26 Sep 2008 12:38:56 +0000
Subject: [PATCH] - Upgrade to upstream

---
.cvsignore | 1 +
policy-20080710.patch | 123 ++++++++++++++++++++++++------------
sources | 2 +-
3 files changed, 74 insertions(+), 52 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index ac3c5db2..5e012d27 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -150,3 +150,4 @@ serefpolicy-3.5.5.tgz
 serefpolicy-3.5.6.tgz
 serefpolicy-3.5.7.tgz
 serefpolicy-3.5.8.tgz
+serefpolicy-3.5.9.tgz
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 1024624f..db41980a 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -431,7 +431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.5.9/policy/modules/admin/amanda.te
 --- nsaserefpolicy/policy/modules/admin/amanda.te 2008-08-14 10:07:05.000000000 -0400
-+++ serefpolicy-3.5.9/policy/modules/admin/amanda.te 2008-09-25 08:33:18.000000000 -0400
++++ serefpolicy-3.5.9/policy/modules/admin/amanda.te 2008-09-25 15:03:17.000000000 -0400
 @@ -129,6 +129,8 @@
  corenet_tcp_bind_all_nodes(amanda_t)
  corenet_udp_bind_all_nodes(amanda_t)
@@ -541,22 +541,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.9/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/admin/kismet.te 2008-09-25 08:33:18.000000000 -0400 -@@ -26,7 +26,10 @@ ++++ serefpolicy-3.5.9/policy/modules/admin/kismet.te 2008-09-25 15:06:28.000000000 -0400 +@@ -26,7 +26,11 @@ # allow kismet_t self:capability { net_admin net_raw setuid setgid }; +allow kismet_t self:fifo_file rw_file_perms; allow kismet_t self:packet_socket create_socket_perms; -+allow kismet_t self:unix_dgram_socket create_socket_perms; ++allow kismet_t self:unix_dgram_socket { create_socket_perms sendto }; +allow kismet_t self:unix_stream_socket create_stream_socket_perms; ++allow kismet_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) allow kismet_t kismet_log_t:dir setattr; -@@ -42,6 +45,8 @@ +@@ -42,6 +46,16 @@ corecmd_exec_bin(kismet_t) ++corenet_all_recvfrom_unlabeled(kismet_t) ++corenet_all_recvfrom_netlabel(kismet_t) ++corenet_tcp_sendrecv_all_if(kismet_t) ++corenet_tcp_sendrecv_all_nodes(kismet_t) ++corenet_tcp_sendrecv_all_ports(kismet_t) ++corenet_tcp_bind_all_nodes(kismet_t) ++corenet_tcp_bind_all_kismet_port(kismet_t) ++ +kernel_search_debugfs(kismet_t) + auth_use_nsswitch(kismet_t) 
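Review bot: `corenet_tcp_bind_all_kismet_port(kismet_t)` does not match the per-port interfaces that corenetwork generates from a `network_port(kismet, ...)` declaration, which are of the form `corenet_tcp_bind_kismet_port` / `corenet_tcp_sendrecv_kismet_port`, and nothing else in this patch defines a `*_bind_all_kismet_port` name; unless it exists outside the patch, m4 will leave the call unexpanded and the module will not build, so the line should read `corenet_tcp_bind_kismet_port(kismet_t)`. Separately, `corenet_tcp_sendrecv_all_ports(kismet_t)` is broader than a daemon that only serves its own client port needs; if the kismet port is the only TCP traffic expected, `corenet_tcp_sendrecv_kismet_port(kismet_t)` keeps this already privileged domain (net_admin, net_raw, packet_socket) narrower. The kismet_t local policy continues outside this hunk.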
@@ -6482,7 +6491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-09-24 09:07:27.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/kernel/corenetwork.te.in 2008-09-25 15:05:47.000000000 -0400 @@ -75,6 +75,7 @@ network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0) network_port(apcupsd, tcp,3551,s0, udp,3551,s0) @@ -6499,10 +6508,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -116,14 +118,17 @@ +@@ -116,14 +118,18 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) ++network_port(kismet, tcp,2501,s0) +network_port(kprop, tcp,754,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) @@ -6517,7 +6527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -135,11 +140,13 @@ +@@ -135,11 +141,13 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) 
@@ -6531,7 +6541,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -157,7 +164,7 @@ +@@ -157,7 +165,7 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) @@ -6540,7 +6550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) -@@ -168,13 +175,16 @@ +@@ -168,13 +176,16 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -7261,7 +7271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.9/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/kernel/domain.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/kernel/domain.te 2008-09-25 15:20:04.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -14248,7 +14258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.9/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/dbus.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/dbus.if 2008-09-25 15:21:22.000000000 -0400 
@@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -18661,7 +18671,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.9/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/services/networkmanager.te 2008-09-25 15:14:50.000000000 -0400 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -18720,7 +18730,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -133,9 +141,12 @@ +@@ -128,14 +136,18 @@ + # in /etc created by NetworkManager will be labelled net_conf_t. + sysnet_manage_config(NetworkManager_t) + sysnet_etc_filetrans_config(NetworkManager_t) ++sysnet_read_dhcp_config(NetworkManager_t) + + userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_unpriv_users_home_content_files(NetworkManager_t) @@ -18733,7 +18749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) -@@ -151,21 +162,26 @@ +@@ -151,21 +163,26 @@ ') optional_policy(` @@ -18765,7 +18781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -174,9 +190,17 @@ +@@ -174,9 +191,17 @@ ') optional_policy(` 
@@ -31056,36 +31072,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.9/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-25 08:33:18.000000000 -0400 -@@ -2,15 +2,11 @@ ++++ serefpolicy-3.5.9/policy/modules/system/unconfined.fc 2008-09-25 14:37:47.000000000 -0400 +@@ -2,15 +2,29 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) -+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) - - /usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +- +-/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - - /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -- +-/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/RealPlayer/realplay\.bin -- 
gen_context(system_u:object_r:execmem_exec_t,s0) ifdef(`distro_gentoo',` - /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +-/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ') -@@ -14,3 +10,20 @@ - ifdef(`distro_gentoo',` - /usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - ') -+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/totem.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/rhythmbox -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) + -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) 
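Review bot: The rename to `execmem_exec_t` is incomplete inside this hunk: `/usr/bin/haddock.*` and `/usr/bin/hasktags` are left on `unconfined_execmem_exec_t` right after the valgrind, ia32x_loader, RealPlayer, OpenOffice, totem, rhythmbox, sbcl and beam.smp entries were switched. Because the unconfined.te change in this patch declares `execmem_exec_t` as an alias of the old name the labels are equivalent today, but the file now mixes two spellings of one type, so the two stragglers should also read `gen_context(system_u:object_r:execmem_exec_t,s0)`. Also `/usr/bin/totem.*` labels every file under /usr/bin whose name begins with `totem`, not just the player, and the transition target is a domain that the later unconfined.te hunks grant execmem/execstack and unconfined_domain_noaudit; if only the main binary is meant, `/usr/bin/totem -- gen_context(system_u:object_r:execmem_exec_t,s0)` is the safer pattern. The file-context section continues in the next hunk.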
@@ -31097,7 +31114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.9/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/unconfined.if 2008-09-25 08:33:18.000000000 -0400 ++++ serefpolicy-3.5.9/policy/modules/system/unconfined.if 2008-09-25 14:28:00.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -31249,10 +31266,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`unconfined_execmem_domtrans',` + + gen_require(` -+ type unconfined_execmem_t, unconfined_execmem_exec_t; ++ type unconfined_execmem_t, execmem_exec_t; + ') + -+ domtrans_pattern($1, unconfined_execmem_exec_t, unconfined_execmem_t) ++ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) +') + +######################################## @@ -31428,8 +31445,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.9/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.9/policy/modules/system/unconfined.te 2008-09-25 08:33:18.000000000 -0400 -@@ -1,40 +1,80 @@ ++++ serefpolicy-3.5.9/policy/modules/system/unconfined.te 2008-09-25 14:27:15.000000000 -0400 +@@ -1,40 +1,81 @@ -policy_module(unconfined, 2.3.1) +policy_module(unconfined, 2.3.0) 
@@ -31482,26 +31499,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +role system_r types unconfined_t; type unconfined_execmem_t; - type unconfined_execmem_exec_t; - init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) +-type unconfined_execmem_exec_t; +-init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) ++type execmem_exec_t; ++init_system_domain(unconfined_execmem_t, execmem_exec_t) role unconfined_r types unconfined_execmem_t; - ++type execmem_exec_t alias unconfined_execmem_exec_t; ++ +type unconfined_notrans_t; +type unconfined_notrans_exec_t; +init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) +role unconfined_r types unconfined_notrans_t; -+ + ######################################## # # Local policy # +-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) +dontaudit unconfined_t self:dir write; + +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + - domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) ++domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) +files_create_default_dir(unconfined_t) @@ -31515,7 +31536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,28 +82,37 @@ +@@ -42,28 +83,37 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -31557,7 +31578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,12 +124,6 @@ +@@ -75,12 +125,6 @@ ') optional_policy(` 
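Review bot: The added lines declare the same type twice in this module: `type execmem_exec_t;` and, a few lines later, `type execmem_exec_t alias unconfined_execmem_exec_t;`. As far as I recall checkpolicy rejects a repeated type declaration in the same scope, and even where it is tolerated the first line is redundant; fold the alias into a single declaration, `type execmem_exec_t alias unconfined_execmem_exec_t;`, placed before `init_system_domain(unconfined_execmem_t, execmem_exec_t)`, and drop the later line. The alias itself must stay, since the `unconfined_execmem_exec_t` file-context entries and the `unconfined_execmem_domtrans` interface elsewhere in this patch still rely on the old name. The unconfined_t local policy continues outside this hunk.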
@@ -31570,7 +31591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -106,12 +149,24 @@ +@@ -106,12 +150,24 @@ ') optional_policy(` @@ -31595,7 +31616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -123,31 +178,33 @@ +@@ -123,31 +179,33 @@ ') optional_policy(` @@ -31636,7 +31657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -159,43 +216,48 @@ +@@ -159,43 +217,48 @@ ') optional_policy(` @@ -31701,7 +31722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -203,7 +265,7 @@ +@@ -203,7 +266,7 @@ ') optional_policy(` @@ -31710,7 +31731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -215,11 +277,12 @@ +@@ -215,11 +278,12 @@ ') optional_policy(` @@ -31725,7 +31746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +292,35 @@ +@@ -229,14 +293,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) diff --git a/sources b/sources index 4c951a36..5417c924 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -dcacf4cddcb4232564044e8d33c4d28e serefpolicy-3.5.8.tgz +1fc530b9656edfe96053b028274f6658 serefpolicy-3.5.9.tgz