From ebce355dea018d64069a4842e46de3ccf9dab0ea Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Tue, 1 Feb 2011 18:30:35 +0000 Subject: [PATCH] - ricci_modclusterd_t needs to bind to rpc ports 500-1023 - Allow dbus to use setrlimit to increase resoueces - Mozilla_plugin is leaking to sandbox - Allow confined users to connect to lircd over unix domain stream socket whic - Allow awstats to read squid logs - seunshare needs to manage tmp_t - apcupsd cgi scripts have a new directory --- policy-F15.patch | 318 +++++++++++++++++++++++++++++++------------- selinux-policy.spec | 11 +- 2 files changed, 234 insertions(+), 95 deletions(-) diff --git a/policy-F15.patch b/policy-F15.patch index 4663488f..eac1b70a 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -2196,6 +2196,21 @@ index ebf4b26..f663276 100644 optional_policy(` dbus_system_bus_client(vpnc_t) +diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te +index 1f42250..3d36ae2 100644 +--- a/policy/modules/apps/awstats.te ++++ b/policy/modules/apps/awstats.te +@@ -70,6 +70,10 @@ optional_policy(` + nscd_dontaudit_search_pid(awstats_t) + ') + ++optional_policy(` ++ squid_read_log(awstats_t) ++') ++ + ######################################## + # + # awstats cgi script policy diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 1403835..2e9a72c 100644 --- a/policy/modules/apps/cdrecord.te @@ -4697,7 +4712,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..76caa60 100644 +index 9a6d67d..dba7755 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` 
@@ -4828,7 +4843,7 @@ index 9a6d67d..76caa60 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +295,22 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +295,40 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -4851,6 +4866,24 @@ index 9a6d67d..76caa60 100644 + allow $1 mozilla_plugin_tmpfs_t:file unlink; +') + ++######################################## ++## ++## Dontaudit read/write to a mozilla_plugin leaks ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_plugin_dontaudit_leaks',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ++') ++ diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 2a91fa8..2fad053 100644 --- a/policy/modules/apps/mozilla.te @@ -7064,10 +7097,10 @@ index 0000000..5f09eb9 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..5259647 +index 0000000..f29f417 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,451 @@ +@@ -0,0 +1,452 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -7517,6 +7550,7 @@ index 0000000..5259647 + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++ mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') + diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc @@ -7629,10 +7663,10 @@ index 1dc7a85..7455c19 100644 + ') ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..e5ef7b3 100644 +index 7590165..63db4fd 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,45 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,47 @@ policy_module(seunshare, 1.1.0) # Declarations # 
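Review bot: The new `mozilla_plugin_dontaudit_leaks` interface silences read/write denials on `mozilla_plugin_t:unix_stream_socket` rather than stopping the descriptor from being inherited, so the leak named in the commit message stays in place and later access attempts through that socket no longer produce an AVC record. Its parameter text reads `Domain allowed access.`, but the rule grants nothing; the usual wording for a dontaudit interface is `Domain to not audit.`. I would add a comment above the rule, for example `# mozilla_plugin leaks an open unix stream socket to the caller; drop once the fd is closed on exec`, so the suppression gets revisited. The same point covers the two call sites added for `sandbox_x_domain` and `seunshare_domain` further down in this patch. When investigating those domains, dontaudit rules can be switched off temporarily with `semodule -DB`.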
@@ -7668,6 +7702,7 @@ index 7590165..e5ef7b3 100644 +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) ++files_manage_generic_tmp_dirs(seunshare_domain) -auth_use_nsswitch(seunshare_t) +fs_manage_cgroup_dirs(seunshare_domain) @@ -7692,6 +7727,7 @@ index 7590165..e5ef7b3 100644 optional_policy(` - mozilla_dontaudit_manage_user_home_files(seunshare_t) + mozilla_dontaudit_manage_user_home_files(seunshare_domain) ++ mozilla_plugin_dontaudit_leaks(seunshare_domain) ') ') + @@ -16690,6 +16726,15 @@ index 08dfa0c..61f340d 100644 + userdom_read_user_home_content_files(httpd_suexec_t) + userdom_read_user_home_content_files(httpd_user_script_t) ') +diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc +index cd07b96..a87d1dd 100644 +--- a/policy/modules/services/apcupsd.fc ++++ b/policy/modules/services/apcupsd.fc +@@ -13,3 +13,4 @@ + /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) + /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) ++/var/www/cgi-bin/apcgui(/.*)? gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te index d052bf0..8478eca 100644 --- a/policy/modules/services/apcupsd.te @@ -21077,9 +21122,18 @@ index 0d5711c..bbc1a8f 100644 + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) +') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 98e5af6..3c13628 100644 +index 98e5af6..a7472fc 100644 --- a/policy/modules/services/dbus.te 
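Review bot: The entry added to apcupsd.fc, `/var/www/cgi-bin/apcgui(/.*)?`, has no file-type field, unlike the `--` entries above it, so the directory itself and everything beneath it are labeled `httpd_apcupsd_cgi_script_exec_t`. If apcgui also ships non-executable content (the hunk does not show what the directory holds), that content gets the script entrypoint label as well. If only the CGI programs need the type, a regular-files-only pattern such as `/var/www/cgi-bin/apcgui/.* -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0)` keeps the label narrower. Otherwise a one-line `#` comment stating that whole-tree labeling is intended would help.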
+++ b/policy/modules/services/dbus.te +@@ -52,7 +52,7 @@ ifdef(`enable_mls',` + + # dac_override: /var/run/dbus is owned by messagebus on Debian + # cjp: dac_override should probably go in a distro_debian +-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; ++allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; + dontaudit system_dbusd_t self:capability sys_tty_config; + allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; @@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t) @@ -34881,7 +34935,7 @@ index f7826f9..3128dd8 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..29e7311 100644 +index 33e72e8..052a1ff 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -34938,6 +34992,15 @@ index 33e72e8..29e7311 100644 unconfined_use_fds(ricci_t) ') +@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t) + corecmd_exec_bin(ricci_modcluster_t) + + corenet_tcp_bind_cluster_port(ricci_modclusterd_t) +-corenet_tcp_bind_reserved_port(ricci_modclusterd_t) ++corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t) + + domain_read_all_domains_state(ricci_modcluster_t) + @@ -241,8 +250,7 @@ optional_policy(` ') @@ -50195,7 +50258,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..97b04f2 100644 +index 28b88de..bc98180 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
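Review bot: `sys_resource` is added to the `system_dbusd_t` capability set in dbus.te without a comment, while the two lines directly above the rule document why `dac_override` is there. The commit message gives the reason as setrlimit, but CAP_SYS_RESOURCE covers more than raising resource limits (for example exceeding disk quotas and using reserved filesystem space), so the intent should be recorded next to the rule: `# sys_resource: dbus-daemon raises its resource limits (setrlimit)`. The `self:process` rule two lines below does not list `setrlimit`; if the daemon changes a hard limit, that permission is checked as well. Confirm it is granted elsewhere in the module, which this hunk does not show.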
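Review bot: Swapping `corenet_tcp_bind_reserved_port` for `corenet_tcp_bind_all_rpc_ports` on `ricci_modclusterd_t` appears to widen what the daemon may bind. Going by the interface name it covers every port type in the rpc range, which would include ports labeled for other services and not only the generic reserved port type. The interface definition is outside this diff, so the exact set of port types should be confirmed before relying on that reading. The commit message states the need as "rpc ports 500-1023"; if the daemon picks an arbitrary reserved port for RPC, a comment on the line such as `# modclusterd binds an arbitrary reserved port for RPC` would record that the breadth is deliberate.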
@@ -50763,7 +50826,7 @@ index 28b88de..97b04f2 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +647,110 @@ template(`userdom_common_user_template',` +@@ -574,67 +647,114 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -50872,6 +50935,10 @@ index 28b88de..97b04f2 100644 optional_policy(` - locate_read_lib_files($1_t) ++ lircd_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -50879,20 +50946,20 @@ index 28b88de..97b04f2 100644 optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) -+ ') -+ -+ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,41 +766,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +770,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -50954,7 +51021,7 @@ index 28b88de..97b04f2 100644 ') ####################################### -@@ -712,13 +837,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +841,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -50963,12 +51030,12 @@ index 28b88de..97b04f2 100644 + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
@@ -50986,7 +51053,7 @@ index 28b88de..97b04f2 100644 userdom_change_password_template($1) -@@ -736,72 +874,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +878,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -51053,49 +51120,49 @@ index 28b88de..97b04f2 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) ++ ++ seutil_read_config($1_usertype) - seutil_read_config($1_t) -+ seutil_read_config($1_usertype) ++ optional_policy(` ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) - ') - - optional_policy(` -- kerberos_use($1_t) + kerberos_use($1_usertype) + kerberos_connect_524($1_usertype) ') optional_policy(` -- mta_dontaudit_read_spool_symlinks($1_t) +- kerberos_use($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` -- quota_dontaudit_getattr_db($1_t) +- mta_dontaudit_read_spool_symlinks($1_t) + quota_dontaudit_getattr_db($1_usertype) ') + optional_policy(` +- quota_dontaudit_getattr_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) + ') + optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) -+ ') -+ -+ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -51105,7 +51172,7 @@ index 28b88de..97b04f2 100644 ############################## # # Local policy -@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -51224,7 +51291,7 @@ index 28b88de..97b04f2 100644 ') ') -@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -51233,7 +51300,7 @@ index 28b88de..97b04f2 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -51314,20 +51381,20 @@ index 28b88de..97b04f2 100644 + + optional_policy(` + java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ mono_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ mount_run_fusermount($1_t, $1_r) ++ mono_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mount_run_fusermount($1_t, $1_r) ++ ') ++ ++ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -51341,7 +51408,7 @@ index 28b88de..97b04f2 100644 ') ') -@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -51350,7 +51417,7 @@ index 28b88de..97b04f2 100644 ') ############################## -@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1303,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -51360,7 +51427,7 @@ index 28b88de..97b04f2 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1320,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -51368,7 +51435,7 @@ index 28b88de..97b04f2 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1352,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -51382,7 +51449,7 @@ index 28b88de..97b04f2 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1378,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -51390,7 +51457,7 @@ index 28b88de..97b04f2 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1447,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -51399,7 +51466,7 @@ index 28b88de..97b04f2 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1476,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) 
@@ -51407,7 +51474,7 @@ index 28b88de..97b04f2 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1519,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -51445,7 +51512,7 @@ index 28b88de..97b04f2 100644 ubac_constrained($1) ') -@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1661,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -51453,7 +51520,7 @@ index 28b88de..97b04f2 100644 files_search_home($1) ') -@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1708,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -51468,7 +51535,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1731,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -51480,34 +51547,57 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1792,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') + -+######################################## -+## + ######################################## + ## +-## Create directories in the home dir root with +-## the user home directory type. +## Relabel to user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -1526,35 +1803,71 @@ interface(`userdom_relabelto_user_home_dirs',` + ## + ## + # +-interface(`userdom_home_filetrans_user_home_dir',` +interface(`userdom_relabelto_user_home_files',` -+ gen_require(` + gen_require(` +- type user_home_dir_t; + type user_home_t; -+ ') -+ + ') + +- files_home_filetrans($1, user_home_dir_t, dir) + allow $1 user_home_t:file relabelto; -+') -+######################################## -+## + ') +- + ######################################## + ## +-## Do a domain transition to the specified +-## domain when executing a program in the +-## user home directory. +## Relabel user home files. -+## + ## +-## +-##

+-## Do a domain transition to the specified +-## domain when executing a program in the +-## user home directory. +-##

+-##

+-## No interprocess communication (signals, pipes, +-## etc.) is provided by this interface since +-## the domains are not owned by this module. +-##

+-##
+-## +## -+## + ## +-## Domain allowed to transition. +## Domain allowed access. +## +## @@ -51520,10 +51610,50 @@ index 28b88de..97b04f2 100644 + allow $1 user_home_t:file relabel_file_perms; +') + - ######################################## - ## - ## Create directories in the home dir root with -@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ++######################################## ++## ++## Create directories in the home dir root with ++## the user home directory type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_home_filetrans_user_home_dir',` ++ gen_require(` ++ type user_home_dir_t; ++ ') ++ ++ files_home_filetrans($1, user_home_dir_t, dir) ++') ++ ++######################################## ++## ++## Do a domain transition to the specified ++## domain when executing a program in the ++## user home directory. ++## ++## ++##

++## Do a domain transition to the specified ++## domain when executing a program in the ++## user home directory. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##
++## ++## ++## Domain allowed to transition. + ## + ## + ## +@@ -1589,6 +1902,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -51532,7 +51662,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1918,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -51547,7 +51677,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1966,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -51573,7 +51703,7 @@ index 28b88de..97b04f2 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2036,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -51606,7 +51736,7 @@ index 28b88de..97b04f2 100644 ## Do not audit attempts to read user home files. ##
## -@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2072,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -51624,7 +51754,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2169,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -51634,7 +51764,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2185,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -51659,7 +51789,7 @@ index 28b88de..97b04f2 100644 ######################################## ## -@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2534,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -51668,7 +51798,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2787,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -51684,7 +51814,7 @@ index 28b88de..97b04f2 100644 ## ## ## -@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2815,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -51711,7 +51841,7 @@ index 28b88de..97b04f2 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3148,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -51720,7 +51850,7 @@ index 28b88de..97b04f2 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3164,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -51736,7 +51866,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3252,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -51745,7 +51875,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3307,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -51792,7 +51922,7 @@ index 28b88de..97b04f2 100644 ') ######################################## -@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3382,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -51800,7 +51930,7 @@ index 28b88de..97b04f2 100644 kernel_search_proc($1) ') -@@ -3139,3 +3509,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3513,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 6a4792b8..a3d9d270 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.13 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -472,6 +472,15 @@ exit 0 %endif %changelog +* Tue Feb 1 2011 Miroslav Grepl 3.9.13-7 +- ricci_modclusterd_t needs to bind to rpc ports 500-1023 +- Allow dbus to use setrlimit to increase resoueces +- Mozilla_plugin is leaking to sandbox +- Allow confined users to connect to lircd over unix domain stream socket which allow to use remote control +- Allow awstats to read squid logs +- seunshare needs to manage tmp_t +- apcupsd cgi scripts have a new directory + * Thu Jan 27 2011 Miroslav Grepl 3.9.13-6 - Fix xserver_dontaudit_read_xdm_pid - Change oracle_port_t to oracledb_port_t to prevent conflict with satellite