- Eliminate rpm_t:fifo_file avcs

- Fix dbus path for helper app
2007-09-24 14:18:57 +00:00 · 2007-09-24 14:18:57 +00:00 · d83ea801ac
commit d83ea801ac
parent d9ab02548b
2 changed files with 122 additions and 51 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -835,8 +835,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-09-17 16:20:18.000000000 -0400
-@@ -210,6 +210,24 @@
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-09-24 09:34:18.000000000 -0400
+@@ -152,6 +152,24 @@
+ 
+ ########################################
+ ## <summary>
+##	dontaudit read and write an unnamed RPM pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_rw_pipes',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+ ##	Send and receive messages from
+ ##	rpm over dbus.
+ ## </summary>
+@@ -210,6 +228,24 @@
 
 ########################################
 ## <summary>
@ -861,7 +886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ##	Create, read, write, and delete RPM
 ##	script temporary files.
 ## </summary>
-@@ -224,8 +242,29 @@
+@@ -224,8 +260,29 @@
 		type rpm_script_tmp_t;
 	')
 
@ -892,7 +917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 
 ########################################
-@@ -289,3 +328,84 @@
+@@ -289,3 +346,84 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -2306,7 +2331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-21 14:41:45.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-09-24 09:59:57.000000000 -0400
@@ -36,6 +36,11 @@
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@ -2340,7 +2365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
-@@ -259,3 +265,8 @@
+@@ -259,3 +265,9 @@
 ifdef(`distro_suse',`
 /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
 ')
@ -2348,7 +2373,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
 +/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
-+/lib(64)?/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
+/lib/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
+/lib64/dbus-1/dbus-daemon-launch-helper --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.if.in	2007-09-17 16:20:18.000000000 -0400
@ -10991,8 +11017,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-22 07:07:39.000000000 -0400
-@@ -211,6 +211,13 @@
+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-09-24 09:49:24.000000000 -0400
+@@ -211,6 +211,20 @@
 			kernel_dontaudit_use_fds($1)
 		')
 	')
@ -11003,10 +11029,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +	   term_dontaudit_use_all_user_ttys($1)
 +	   term_dontaudit_use_all_user_ptys($1)
 +	 ')
+	optional_policy(`
+		tunable_policy(`allow_daemons_use_tty',`
+		   unconfined_use_terminals($1)
+		', `
+		   unconfined_dontaudit_use_terminals($1)
+		')
+	')
 ')
 
 ########################################
-@@ -540,18 +547,19 @@
+@@ -540,18 +554,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -11030,23 +11063,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 	')
 ')
 
-@@ -567,18 +575,46 @@
+@@ -567,18 +582,46 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
 -		type initrc_t, initrc_exec_t;
 +		type initrc_t;
 +		attribute initscript;
-+	')
-+
-+	files_list_etc($1)
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1,initrc_exec_t,initrc_t)
 +	domtrans_pattern($1,initscript,initrc_t)
-+
-+	ifdef(`enable_mcs',`
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
 +		range_transition $1 initscript:process s0;
-+	')
-+
-+	ifdef(`enable_mls',`
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 initscript:process s0 - mls_systemhigh;
 +	')
 +')
@ -11064,24 +11100,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +interface(`init_script_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
- 
- 	files_list_etc($1)
-	domtrans_pattern($1,initrc_exec_t,initrc_t)
+	')
+
+	files_list_etc($1)
 +	domtrans_pattern($1,$2,initrc_t)
- 
- 	ifdef(`enable_mcs',`
-		range_transition $1 initrc_exec_t:process s0;
+
+	ifdef(`enable_mcs',`
 +		range_transition $1 $2:process s0;
- 	')
- 
- 	ifdef(`enable_mls',`
-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
+
+	ifdef(`enable_mls',`
 +		range_transition $1 $2:process s0 - mls_systemhigh;
 	')
 ')
 
-@@ -609,11 +645,11 @@
+@@ -609,11 +652,11 @@
 # cjp: added for gentoo integrated run_init
 interface(`init_script_file_domtrans',`
 	gen_require(`
@ -11095,7 +11128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -684,11 +720,11 @@
+@@ -684,11 +727,11 @@
 #
 interface(`init_getattr_script_files',`
 	gen_require(`
@ -11109,7 +11142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -703,11 +739,11 @@
+@@ -703,11 +746,11 @@
 #
 interface(`init_exec_script_files',`
 	gen_require(`
@ -11123,7 +11156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -931,6 +967,7 @@
+@@ -931,6 +974,7 @@
 
 	dontaudit $1 initrc_t:unix_stream_socket connectto;
 ')
@ -11131,7 +11164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ########################################
 ## <summary>
 ##	Send messages to init scripts over dbus.
-@@ -1030,11 +1067,11 @@
+@@ -1030,11 +1074,11 @@
 #
 interface(`init_read_script_files',`
 	gen_require(`
@ -11145,7 +11178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1252,7 +1289,7 @@
+@@ -1252,7 +1296,7 @@
 		type initrc_var_run_t;
 	')
 
@ -11154,7 +11187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 ')
 
 ########################################
-@@ -1273,3 +1310,64 @@
+@@ -1273,3 +1317,64 @@
 	files_search_pids($1)
 	allow $1 initrc_var_run_t:file manage_file_perms;
 ')
@ -11221,7 +11254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-22 07:06:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-09-24 09:50:18.000000000 -0400
@@ -10,6 +10,20 @@
 # Declarations
 #
@ -11316,7 +11349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 selinux_get_enforce_mode(initrc_t)
 
-@@ -497,6 +515,43 @@
+@@ -497,6 +515,47 @@
 ')
 
 optional_policy(`
@ -11342,17 +11375,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	files_dump_core(daemon)
 +')
 +
+tunable_policy(`allow_daemons_use_tty',`
+	term_use_all_user_ttys(daemon)
+	term_use_all_user_ptys(daemon)
+', `
+	term_dontaudit_use_all_user_ttys(daemon)
+	term_dontaudit_use_all_user_ptys(daemon)
+')
+
 +optional_policy(`
 +	unconfined_dontaudit_rw_pipes(daemon)
 +
 +	tunable_policy(`allow_daemons_use_tty',`
 +		unconfined_use_terminals(daemon)
-+		term_use_all_user_ttys(daemon)
-+		term_use_all_user_ptys(daemon)
 + 	', `
 +		unconfined_dontaudit_use_terminals(daemon)
-+		term_dontaudit_use_all_user_ttys(daemon)
-+		term_dontaudit_use_all_user_ptys(daemon)
 + 	')
 +')
 + 
@ -11360,7 +11397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
 ')
-@@ -632,12 +687,6 @@
+@@ -632,12 +691,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -11373,7 +11410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -703,6 +752,9 @@
+@@ -703,6 +756,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -11383,6 +11420,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 
 optional_policy(`
+@@ -750,6 +806,10 @@
+ ')
+ 
+ optional_policy(`
+	rpm_dontaudit_rw_pipes(daemon)
+')
+
+optional_policy(`
+ 	vmware_read_system_config(initrc_t)
+ 	vmware_append_system_config(initrc_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-09-17 16:20:18.000000000 -0400
@ -12803,7 +12851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-09-20 11:55:54.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-09-24 09:36:36.000000000 -0400
@@ -76,7 +76,6 @@
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -12933,7 +12981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 auth_dontaudit_read_shadow(run_init_t)
 
 corecmd_exec_bin(run_init_t)
-@@ -423,77 +426,53 @@
+@@ -423,77 +426,54 @@
 	nscd_socket_use(run_init_t)
 ')	
 
@ -13035,12 +13083,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +
 +optional_policy(`
 +	rpm_dontaudit_rw_tmp_files(semanage_t)
+	rpm_dontaudit_rw_pipes(semanage_t)
 +')
 +
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 	# read secadm tmp files
-@@ -521,6 +500,8 @@
+@@ -521,6 +501,8 @@
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
 allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
 
@ -13049,7 +13098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +518,7 @@
+@@ -537,6 +519,7 @@
 
 fs_getattr_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
@ -13057,8 +13106,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)
 
-@@ -592,6 +574,10 @@
+@@ -590,8 +573,16 @@
+ 	fs_relabel_tmpfs_chr_file(setfiles_t)
+ ')
 
+optional_policy(`
+	rpm_dontaudit_rw_pipes(setfiles_t)
+')
+
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 +		ppp_dontaudit_use_fds(setfiles_t)
@ -13068,6 +13123,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 		udev_dontaudit_rw_dgram_sockets(setfiles_t)
 	')
 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.fc	2007-09-24 08:54:25.000000000 -0400
+@@ -54,7 +54,7 @@
+ 
+ /var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ /var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-
+/var/run/dhclient-[^/]*\.lease -- gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if	2007-09-17 16:20:18.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,10 @@ exit 0
 %endif

 %changelog
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-10
+- Eliminate rpm_t:fifo_file avcs
+- Fix dbus path for helper app
+
 * Sat Sep 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-9
 - Fix service start stop terminal avc's