From ef4ca2d5e7efcf103af67e08d884b30c4ae33e4f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 28 Jan 2010 15:29:47 +0000 Subject: [PATCH] - Fix rpm_dontaudit_leaks --- policy-F13.patch | 96 +++++++++++++++++++++++++----------------------- 1 file changed, 50 insertions(+), 46 deletions(-) diff --git a/policy-F13.patch b/policy-F13.patch index f9025c14..255c5a4c 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -626,7 +626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-22 10:22:49.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-28 10:15:39.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -699,16 +699,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + dontaudit $1 rpm_t:shm rw_shm_perms; + + dontaudit $1 rpm_script_t:fd use; -+ dontaudit $1 rpm_script_t:fifo_file { read write }; ++ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; + + dontaudit $1 rpm_var_run_t:file write; + -+ dontaudit $1 rpm_tmp_t:file { read write }; ++ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; -+ dontaudit $1 rpm_tmpfs_t:file { read write }; -+ dontaudit $1 rpm_script_tmp_t:file { read write }; -+ dontaudit $1 rpm_var_lib_t:file { read write }; -+ dontaudit $1 rpm_var_cache_t:file { read write }; ++ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms; ++ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms; +') + +######################################## @@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib/nfs/rpc_pipefs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-21 13:49:10.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-28 08:42:36.000000000 -0500 @@ -932,10 +932,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -20815,7 +20815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-25 12:24:39.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-28 09:30:05.000000000 -0500 @@ -36,11 +36,12 @@ # policykit local policy # @@ -20869,7 +20869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli +') + +optional_policy(` -+ gnome_dontaudit_search_config(policykit_t) ++ gnome_read_config(policykit_t) +') ######################################## @@ -27017,7 +27017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-18 15:18:03.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-28 08:44:25.000000000 -0500 @@ -3,12 +3,21 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -27079,7 +27079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +94,37 @@ +@@ -89,17 +94,40 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -27120,6 +27120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500 +++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500 @@ -27586,7 +27589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-25 12:06:19.000000000 -0500 ++++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-28 08:43:20.000000000 -0500 @@ -36,6 +36,13 @@ ## @@ -27749,7 +27752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -250,30 +274,48 @@ +@@ -250,30 +274,49 @@ fs_manage_cifs_files(iceauth_t) ') @@ -27796,13 +27799,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +files_read_usr_files(xauth_t) files_search_pids(xauth_t) +files_dontaudit_getattr_all_dirs(xauth_t) ++files_var_lib_filetrans(xauth_t, xauth_home_t, file) -fs_getattr_xattr_fs(xauth_t) +fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) # cjp: why? -@@ -283,6 +325,14 @@ +@@ -283,6 +326,14 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -27817,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_xdm_tmp_files(xauth_t) -@@ -294,6 +344,15 @@ +@@ -294,6 +345,15 @@ fs_manage_cifs_files(xauth_t) ') @@ -27833,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +364,31 @@ +@@ -305,20 +365,31 @@ # XDM Local policy # @@ -27868,7 +27872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -334,22 +404,40 @@ +@@ -334,22 +405,40 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -27912,7 +27916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -363,6 +451,7 @@ +@@ -363,6 +452,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -27920,7 +27924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,10 +460,14 @@ +@@ -371,10 +461,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -27936,7 +27940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -394,11 +487,13 @@ +@@ -394,11 +488,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -27950,7 +27954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +501,7 @@ +@@ -406,6 +502,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -27958,7 +27962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +510,21 @@ +@@ -414,18 +511,21 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -27983,7 +27987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +535,15 @@ +@@ -436,9 +536,15 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -27999,7 +28003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,6 +552,7 @@ +@@ -447,6 +553,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28007,7 +28011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -455,6 +561,7 @@ +@@ -455,6 +562,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28015,7 +28019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +572,12 @@ +@@ -465,10 +573,12 @@ logging_read_generic_logs(xdm_t) @@ -28030,7 +28034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +586,11 @@ +@@ -477,6 +587,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -28042,7 +28046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +623,12 @@ +@@ -509,10 +624,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28055,7 +28059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +636,49 @@ +@@ -520,12 +637,49 @@ ') optional_policy(` @@ -28105,7 +28109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,9 +696,42 @@ +@@ -543,9 +697,42 @@ ') optional_policy(` @@ -28148,7 +28152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -555,8 +741,9 @@ +@@ -555,8 +742,9 @@ ') optional_policy(` @@ -28160,7 +28164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +752,6 @@ +@@ -565,7 +753,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28168,7 +28172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +762,10 @@ +@@ -576,6 +763,10 @@ ') optional_policy(` @@ -28179,7 +28183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +790,9 @@ +@@ -600,10 +791,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -28191,7 +28195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +804,18 @@ +@@ -615,6 +805,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28210,7 +28214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +835,19 @@ +@@ -634,12 +836,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28232,7 +28236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +881,6 @@ +@@ -673,7 +882,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -28240,7 +28244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +890,12 @@ +@@ -683,9 +891,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28254,7 +28258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +910,12 @@ +@@ -700,8 +911,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28267,7 +28271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,6 +937,7 @@ +@@ -723,6 +938,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28275,7 +28279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser modutils_domtrans_insmod(xserver_t) -@@ -779,12 +994,20 @@ +@@ -779,12 +995,20 @@ ') optional_policy(` @@ -28297,7 +28301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1034,7 @@ +@@ -811,7 +1035,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -28306,7 +28310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1055,14 @@ +@@ -832,9 +1056,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28321,7 +28325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1077,14 @@ +@@ -849,11 +1078,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -28338,7 +28342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -1000,17 +1231,32 @@ +@@ -1000,17 +1232,32 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;