From eaaf2ab923a102961fb3b7e004c8594979ef6acb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 24 Apr 2009 17:50:36 +0000
Subject: [PATCH] - Allow initrc_t to delete dev_null - Allow readahead to configure auditing - Fix milter policy - Add /var/lib/readahead
---
 policy-20090105.patch | 48 ++++++++++++++++++++++++++++++++++---------
 selinux-policy.spec | 6 ++++--
 2 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/policy-20090105.patch b/policy-20090105.patch
index f91b1c73..2a8bd5a8 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -770,26 +770,45 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.fc serefpolicy-3.6.12/policy/modules/admin/readahead.fc --- nsaserefpolicy/policy/modules/admin/readahead.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.fc 2009-04-23 17:15:49.000000000 -0400 -@@ -1,3 +1,4 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.fc 2009-04-24 13:03:55.000000000 -0400 +@@ -1,3 +1,7 @@ /etc/readahead.d(/.*)? gen_context(system_u:object_r:readahead_etc_rw_t,s0) -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) +/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) +/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) ++ ++/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 09:02:26.000000000 -0400 -@@ -24,7 +24,7 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 13:45:16.000000000 -0400 +@@ -11,8 +11,8 @@ + init_daemon_domain(readahead_t, readahead_exec_t) + application_domain(readahead_t, readahead_exec_t) + +-type readahead_etc_rw_t; +-files_pid_file(readahead_etc_rw_t) ++type readahead_var_lib_t; ++files_type(readahead_var_lib_t) + + type readahead_var_run_t; + files_pid_file(readahead_var_run_t) +@@ -24,9 +24,11 @@ allow readahead_t self:capability { fowner dac_override dac_read_search }; dontaudit readahead_t self:capability sys_tty_config; -allow readahead_t self:process signal_perms; +allow readahead_t self:process { setsched signal_perms 
}; - manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t) +-manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t) ++files_search_var_lib(readahead_t) ++manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) ++manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) -@@ -58,6 +58,7 @@ + manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) + files_pid_filetrans(readahead_t, readahead_var_run_t, file) +@@ -58,6 +60,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -797,7 +816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +73,7 @@ +@@ -72,6 +75,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -11791,7 +11810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.12/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-23 10:31:43.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/dbus.if 2009-04-24 13:45:56.000000000 -0400 @@ -44,6 +44,7 @@ attribute session_bus_type; @@ -11993,7 +12012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + ifdef(`hide_broken_symptoms', ` + dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; -+ '); ++ ') + + userdom_dontaudit_search_admin_dir($1) +') 
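Review bot: readahead.fc still labels `/etc/readahead.d(/.*)?` as `readahead_etc_rw_t` (the unchanged first line of the inner `@@ -1,3 +1,7 @@` hunk), yet the new inner `@@ -11,8 +11,8 @@` hunk replaces the `type readahead_etc_rw_t;` / `files_pid_file(readahead_etc_rw_t)` declaration with `readahead_var_lib_t` and the `manage_files_pattern(readahead_t, readahead_etc_rw_t, readahead_etc_rw_t)` rule is dropped. Unless `readahead_etc_rw_t` is still declared somewhere outside this hunk, the file context now names an undeclared type and the module will not build, and even if it does build readahead_t has lost its access to /etc/readahead.d; either keep a declaration such as `type readahead_etc_rw_t;` with `files_config_file(readahead_etc_rw_t)` plus a read rule, or remove the `/etc/readahead.d` entry from readahead.fc in the same change. The `readahead_var_lib_t` rules add `manage_dirs_pattern`/`manage_files_pattern` but no `files_var_lib_filetrans`, so a directory readahead creates under /var/lib itself would presumably carry the parent's label rather than `readahead_var_lib_t` until relabeled — worth confirming against how the directory is created. The readahead.te hunk is a patch of a patch and the rest of the module is outside this hunk.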
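Review bot: The `ifdef(`hide_broken_symptoms', ...)` block in dbus.if only suppresses the audit record for `netlink_selinux_socket { read write }` against `system_dbusd_t`; it grants nothing, so a caller that actually needs those operations still fails, now without an AVC message to diagnose it. The corrected `')` is the right m4 closing, but the block deserves a one-line rationale above the dontaudit so the next reader knows the denial is being hidden rather than fixed, e.g. `# hide_broken_symptoms: silence, do not grant, the netlink_selinux_socket denial`. The enclosing interface starts outside the hunk.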
@@ -14836,7 +14855,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
 --- nsaserefpolicy/policy/modules/services/milter.if 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-04-24 07:22:51.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-04-24 13:45:41.000000000 -0400
+@@ -24,7 +24,7 @@
+ 
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
+ type $1_milter_data_t, milter_data_type;
+- files_type($1_milter_data_t);
++ files_type($1_milter_data_t)
+ 
+ allow $1_milter_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -77,3 +77,24 @@
 getattr_dirs_pattern($1, milter_data_type, milter_data_type)
 getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e83c6336..b32bae0d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -446,9 +446,11 @@ exit 0
 %endif
 %changelog
-* Fri Apr 24 2009 Dan Walsh 3.6.12-17
+* Fri Apr 24 2009 Dan Walsh 3.6.12-18
 - Allow initrc_t to delete dev_null
 - Allow readahead to configure auditing
+- Fix milter policy
+- Add /var/lib/readahead
 * Fri Apr 24 2009 Dan Walsh 3.6.12-16
 - Update to latest milter code from Paul Howarth