- Fix up corecommands.fc to match upstream

- Make sure /lib/systemd/* is labeled init_exec_t - mount wants to setattr on all mountpoints - dovecot auth wants to read dovecot etc files - nscd daemon looks at the exe file of the comunicating daemon - openvpn wants to read utmp file - postfix apps now set sys_nice and lower limits - remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly - Also resolves nsswitch - Fix labels on /etc/hosts.* - Cleanup to make upsteam patch work - allow abrt to read etc_runtime_t
2010-11-09 17:41:15 -05:00 · 2010-11-09 17:41:15 -05:00 · ded1efb9d8
commit ded1efb9d8
parent fc9bf2f03d
2 changed files with 128 additions and 25 deletions
--- a/policy-F15.patch
+++ b/policy-F15.patch
@ -8173,7 +8173,7 @@ index 099f57f..5843cad 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..bd4c23d 100644
+index 3517db2..4dd4bef 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@ -8269,12 +8269,14 @@ index 3517db2..bd4c23d 100644
 /var/tmp/.*			<<none>>
 /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*		<<none>>
-@@ -258,3 +268,5 @@ ifndef(`distro_redhat',`
+@@ -258,3 +268,7 @@ ifndef(`distro_redhat',`
 ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 ')
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
+
+/usr/lib/debug			<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
 index 5302dac..9b828ee 100644
 --- a/policy/modules/kernel/files.if
@ -9313,7 +9315,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..54a884b 100644
+index 437a42a..b9e3aa9 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@ -9542,7 +9544,23 @@ index 437a42a..54a884b 100644
 ')
 
 ########################################
-@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2331,6 +2450,7 @@ interface(`fs_read_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
+	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	read_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2369,6 +2489,7 @@ interface(`fs_write_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
+	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir list_dir_perms;
+ 	write_files_pattern($1, nfs_t, nfs_t)
+ ')
+@@ -2395,6 +2516,25 @@ interface(`fs_exec_nfs_files',`
 
 ########################################
 ## <summary>
@ -9568,7 +9586,7 @@ index 437a42a..54a884b 100644
 ##	Append files
 ##	on a NFS filesystem.
 ## </summary>
-@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2575,24 @@ interface(`fs_dontaudit_append_nfs_files',`
 
 ########################################
 ## <summary>
@ -9593,7 +9611,7 @@ index 437a42a..54a884b 100644
 ##	Do not audit attempts to read or
 ##	write files on a NFS filesystem.
 ## </summary>
-@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2607,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
 		type nfs_t;
 	')
 
@ -9602,7 +9620,7 @@ index 437a42a..54a884b 100644
 ')
 
 ########################################
-@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2795,24 @@ interface(`fs_dontaudit_read_removable_files',`
 
 ########################################
 ## <summary>
@ -9627,7 +9645,23 @@ index 437a42a..54a884b 100644
 ##	Read removable storage symbolic links.
 ## </summary>
 ## <param name="domain">
-@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',`
+ 		type nfs_t;
+ 	')
+ 
+	fs_search_auto_mountpoints($1)
+ 	allow $1 nfs_t:dir manage_dir_perms;
+ ')
+ 
+@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',`
+ 		type nfs_t;
+ 	')
+ 
+	fs_search_auto_mountpoints($1)
+ 	manage_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
 #########################################
 ## <summary>
 ##	Create, read, write, and delete symbolic links
@ -9636,7 +9670,15 @@ index 437a42a..54a884b 100644
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',`
+ 		type nfs_t;
+ 	')
+ 
+	fs_search_auto_mountpoints($1)
+ 	manage_lnk_files_pattern($1, nfs_t, nfs_t)
+ ')
+ 
+@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
 
 ########################################
 ## <summary>
@ -9679,7 +9721,7 @@ index 437a42a..54a884b 100644
 ##	Relabel character nodes on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">
-@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',`
+@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',`
 	')
 
 	allow $1 filesystem_type:filesystem mount;
@ -9688,7 +9730,7 @@ index 437a42a..54a884b 100644
 ')
 
 ########################################
-@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
@ -14885,6 +14927,19 @@ index 4deca04..0bde225 100644
 ')
 
 optional_policy(`
+diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
+index 5f239ca..29de096 100644
+--- a/policy/modules/services/bitlbee.te
+++ b/policy/modules/services/bitlbee.te
+@@ -28,7 +28,7 @@ files_type(bitlbee_var_t)
+ #
+ 
+ allow bitlbee_t self:capability { setgid setuid };
+-allow bitlbee_t self:process signal;
+allow bitlbee_t self:process { setsched signal };
+ allow bitlbee_t self:udp_socket create_socket_perms;
+ allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+ allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..fa57a6f 100644
 --- a/policy/modules/services/bluetooth.if
@ -15908,7 +15963,7 @@ index 7a6e5ba..d664be8 100644
 	admin_pattern($1, certmonger_var_run_t)
 ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 1a65b5e..e281c74 100644
+index 1a65b5e..1bc0bc7 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t)
@ -15919,7 +15974,7 @@ index 1a65b5e..e281c74 100644
 allow certmonger_t self:process { getsched setsched sigkill };
 allow certmonger_t self:fifo_file rw_file_perms;
 allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
 
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
@ -15928,7 +15983,19 @@ index 1a65b5e..e281c74 100644
 
 manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
 manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
-@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+ 
+corecmd_exec_bin(certmonger_t)
+
+ corenet_tcp_sendrecv_generic_if(certmonger_t)
+ corenet_tcp_sendrecv_generic_node(certmonger_t)
+ corenet_tcp_sendrecv_all_ports(certmonger_t)
+ corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
+ 
+ dev_read_urand(certmonger_t)
+ 
+@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t)
 files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
 
@ -15937,7 +16004,7 @@ index 1a65b5e..e281c74 100644
 logging_send_syslog_msg(certmonger_t)
 
 miscfiles_read_localization(certmonger_t)
-@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,6 +64,16 @@ miscfiles_manage_generic_cert_files(certmonger_t)
 
 sysnet_dns_name_resolve(certmonger_t)
 
@ -15954,7 +16021,7 @@ index 1a65b5e..e281c74 100644
 optional_policy(`
 	dbus_system_bus_client(certmonger_t)
 	dbus_connect_system_bus(certmonger_t)
-@@ -68,5 +81,7 @@ optional_policy(`
+@@ -68,5 +84,7 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -29139,7 +29206,7 @@ index 2855a44..0456b11 100644
 		type puppet_tmp_t;
 	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..80c1f5d 100644
+index 64c5f95..76da005 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
@@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0)
@ -29198,7 +29265,7 @@ index 64c5f95..80c1f5d 100644
 
 corecmd_exec_bin(puppetmaster_t)
 corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +219,19 @@ domain_read_all_domains_state(puppetmaster_t)
+@@ -214,13 +219,20 @@ domain_read_all_domains_state(puppetmaster_t)
 files_read_etc_files(puppetmaster_t)
 files_search_var_lib(puppetmaster_t)
 
@ -29207,9 +29274,10 @@ index 64c5f95..80c1f5d 100644
 logging_send_syslog_msg(puppetmaster_t)
 
 miscfiles_read_localization(puppetmaster_t)
- 
-+seutil_read_file_contexts(puppetmaster_t)
+miscfiles_read_certs(puppetmaster_t)
 +
+seutil_read_file_contexts(puppetmaster_t)
+ 
 sysnet_dns_name_resolve(puppetmaster_t)
 sysnet_run_ifconfig(puppetmaster_t, system_r)
 
@ -29218,6 +29286,15 @@ index 64c5f95..80c1f5d 100644
 optional_policy(`
 	hostname_exec(puppetmaster_t)
 ')
+@@ -231,3 +243,8 @@ optional_policy(`
+ 	rpm_exec(puppetmaster_t)
+ 	rpm_read_db(puppetmaster_t)
+ ')
+
+optional_policy(`
+	usermanage_domtrans_groupadd(puppetmaster_t)
+	usermanage_domtrans_useradd(puppetmaster_t)
+')
 diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc
 index d4a7750..705196e 100644
 --- a/policy/modules/services/pyzor.fc
@ -29866,10 +29943,10 @@ index 0000000..c403abc
 +')
 diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te
 new file mode 100644
-index 0000000..43639a0
+index 0000000..d9c56d4
 --- /dev/null
 +++ b/policy/modules/services/qpidd.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,64 @@
 +policy_module(qpidd, 1.0.0)
 +
 +########################################
@ -29929,6 +30006,11 @@ index 0000000..43639a0
 +miscfiles_read_localization(qpidd_t)
 +
 +sysnet_dns_name_resolve(qpidd_t)
+
+optional_policy(`
+	corosync_stream_connect(qpidd_t)
+')
+
 diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if
 index 9a78598..8f132e7 100644
 --- a/policy/modules/services/radius.if
@ -39262,7 +39344,7 @@ index 88df85d..2fa3974 100644
 	ssh_sigchld(application_domain_type)
 	ssh_rw_stream_sockets(application_domain_type)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 1c4b1e7..2997dd7 100644
+index 1c4b1e7..8d326d4 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
@@ -10,6 +10,7 @@
@ -39273,7 +39355,7 @@ index 1c4b1e7..2997dd7 100644
 /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
 /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ifdef(`distro_suse', `
-@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', `
+@@ -27,12 +28,14 @@ ifdef(`distro_gentoo', `
 
 /var/db/shadow.*	--	gen_context(system_u:object_r:shadow_t,s0)
 
@ -39281,6 +39363,13 @@ index 1c4b1e7..2997dd7 100644
 /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 
+ /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/faillog	--	gen_context(system_u:object_r:faillog_t,s0)
+/var/log/faillock(/.*)?		gen_context(system_u:object_r:faillog_t,s0)
+ /var/log/lastlog	--	gen_context(system_u:object_r:lastlog_t,s0)
+ /var/log/syslog		--	gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/tallylog	--	gen_context(system_u:object_r:faillog_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
 index bea0ade..6f47773 100644
 --- a/policy/modules/system/authlogin.if
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -471,6 +471,20 @@ exit 0
 %endif

 %changelog
+* Tue Nov 9 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-3
+- Fix up corecommands.fc to match upstream
+- Make sure /lib/systemd/* is labeled init_exec_t
+- mount wants to setattr on all mountpoints
+- dovecot auth wants to read dovecot etc files
+- nscd daemon looks at the exe file of the comunicating daemon
+- openvpn wants to read utmp file
+- postfix apps now set sys_nice and lower limits
+- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly
+- Also resolves nsswitch
+- Fix labels on /etc/hosts.*
+- Cleanup to make upsteam patch work
+- allow abrt to read etc_runtime_t
+
 * Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
 - Add conflicts for dirsrv package