- Lots of random fixes

Daniel J Walsh 2010-06-09 21:31:42 +00:00
parent b39ccca147
commit f651bb6fdc
2 changed files with 176 additions and 25 deletions


@ -556,6 +556,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-3.8.3/policy/modules/admin/logwatch.fc
--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/logwatch.fc 2010-06-09 16:17:01.000000000 -0400
@@ -1,7 +1,9 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
+/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.8.3/policy/modules/admin/mcelog.te
--- nsaserefpolicy/policy/modules/admin/mcelog.te 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/admin/mcelog.te 2010-06-08 11:32:10.000000000 -0400
@ -6810,7 +6823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.3/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/kernel/devices.if 2010-06-09 16:40:03.000000000 -0400
@@ -606,6 +606,24 @@
########################################
@ -6904,11 +6917,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
@@ -4166,6 +4238,7 @@
@@ -4161,11 +4233,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
- type vhost_device_t;
+ type device_t, vhost_device_t;
')
list_dirs_pattern($1, vhost_device_t, vhost_device_t)
rw_files_pattern($1, vhost_device_t, vhost_device_t)
+ read_lnk_files_pattern($1, vhost_device_t, vhost_device_t)
- list_dirs_pattern($1, vhost_device_t, vhost_device_t)
- rw_files_pattern($1, vhost_device_t, vhost_device_t)
+ rw_chr_files_pattern($1, device_t, vhost_device_t)
')
########################################
@ -10715,7 +10734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.8.3/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/abrt.te 2010-06-09 15:57:41.000000000 -0400
@@ -70,16 +70,19 @@
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@ -11102,7 +11121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.3/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/apache.if 2010-06-09 16:00:04.000000000 -0400
@@ -13,17 +13,13 @@
#
template(`apache_content_template',`
@ -12096,6 +12115,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.8.3/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/bitlbee.te 2010-06-09 16:59:35.000000000 -0400
@@ -28,6 +28,7 @@
# Local policy
#
#
+allow bitlbee_t self:capability { setgid setuid };
allow bitlbee_t self:udp_socket create_socket_perms;
allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
@@ -81,6 +82,10 @@
libs_legacy_use_shared_libs(bitlbee_t)
+auth_use_nsswitch(bitlbee_t)
+
+logging_send_syslog_msg(bitlbee_t)
+
miscfiles_read_localization(bitlbee_t)
sysnet_dns_name_resolve(bitlbee_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.8.3/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2010-01-07 14:53:53.000000000 -0500
+++ serefpolicy-3.8.3/policy/modules/services/bluetooth.if 2010-06-08 11:32:10.000000000 -0400
@ -14348,7 +14389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.8.3/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/ftp.te 2010-06-09 15:55:42.000000000 -0400
@@ -41,6 +41,13 @@
## <desc>
@ -14394,7 +14435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
#
-allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid setgid setuid sys_chroot sys_admin sys_nice sys_resource };
+allow ftpd_t self:capability { chown fowner fsetid ipc_lock setgid setuid sys_chroot sys_admin sys_nice sys_resource };
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
@ -15296,7 +15337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.8.3/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/hal.te 2010-06-08 15:41:48.000000000 -0400
@@ -55,6 +55,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -15324,7 +15365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
@@ -212,10 +216,12 @@
@@ -212,10 +216,13 @@
seutil_read_default_contexts(hald_t)
seutil_read_file_contexts(hald_t)
@ -15335,10 +15376,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
+sysnet_read_config(hald_t)
sysnet_read_dhcp_config(hald_t)
+sysnet_read_dhcpc_pid(hald_t)
+sysnet_signal_dhcpc(hald_t)
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -269,6 +275,10 @@
@@ -269,6 +276,10 @@
')
optional_policy(`
@ -15349,7 +15391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
gpm_dontaudit_getattr_gpmctl(hald_t)
')
@@ -319,6 +329,10 @@
@@ -319,6 +330,10 @@
')
optional_policy(`
@ -15360,7 +15402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
udev_domtrans(hald_t)
udev_read_db(hald_t)
')
@@ -339,6 +353,10 @@
@@ -339,6 +354,10 @@
virt_manage_images(hald_t)
')
@ -15371,7 +15413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
########################################
#
# Hal acl local policy
@@ -359,6 +377,7 @@
@@ -359,6 +378,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@ -15379,7 +15421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
corecmd_exec_bin(hald_acl_t)
@@ -471,6 +490,10 @@
@@ -471,6 +491,10 @@
miscfiles_read_localization(hald_keymap_t)
@ -15401,6 +15443,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddt
# read hddtemp db file
files_read_usr_files(hddtemp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.8.3/policy/modules/services/icecast.te
--- nsaserefpolicy/policy/modules/services/icecast.te 2010-03-23 10:55:15.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/icecast.te 2010-06-09 16:01:05.000000000 -0400
@@ -38,6 +38,8 @@
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+kernel_read_system_state(icecast_t)
+
corenet_tcp_bind_soundd_port(icecast_t)
# Init script handling
@@ -52,5 +54,9 @@
sysnet_dns_name_resolve(icecast_t)
optional_policy(`
+ apache_read_sys_content(icecast_t)
+')
+
+optional_policy(`
rtkit_scheduled(icecast_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.8.3/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/inn.te 2010-06-08 11:32:10.000000000 -0400
@ -15439,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.8.3/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/kerberos.te 2010-06-08 16:40:37.000000000 -0400
@@ -127,10 +127,13 @@
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@ -15454,6 +15518,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
@@ -199,8 +202,7 @@
allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
-allow krb5kdc_t krb5kdc_principal_t:file read_file_perms;
-dontaudit krb5kdc_t krb5kdc_principal_t:file write;
+allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc
--- nsaserefpolicy/policy/modules/services/ksmtuned.fc 2010-03-29 15:04:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/ksmtuned.fc 2010-06-08 11:32:10.000000000 -0400
@ -16636,7 +16710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.8.3/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/networkmanager.te 2010-06-09 16:09:47.000000000 -0400
@@ -36,7 +36,7 @@
# networkmanager will ptrace itself if gdb is installed
@ -16705,7 +16779,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
')
optional_policy(`
@@ -264,6 +275,7 @@
@@ -203,6 +214,10 @@
')
optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
+')
+
+optional_policy(`
iptables_domtrans(NetworkManager_t)
')
@@ -264,6 +279,7 @@
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@ -19234,6 +19319,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.8.3/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/rpcbind.te 2010-06-09 16:49:41.000000000 -0400
@@ -72,3 +72,7 @@
ifdef(`hide_broken_symptoms',`
dontaudit rpcbind_t self:udp_socket listen;
')
+
+optional_policy(`
+ nis_use_ypbind(rpcbind_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.8.3/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2010-04-06 15:15:38.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/services/rpc.if 2010-06-08 11:32:10.000000000 -0400
@ -23535,7 +23631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.3/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/init.if 2010-06-09 16:31:07.000000000 -0400
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@ -24228,6 +24324,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.8.3/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-03-18 06:48:09.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.if 2010-06-09 16:06:08.000000000 -0400
@@ -20,6 +20,24 @@
########################################
## <summary>
+## Execute ipsec in the ipsec mgmt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`ipsec_domtrans_mgmt',`
+ gen_require(`
+ type ipsec_mgmt_t, ipsec_mgmt_exec_t;
+ ')
+
+ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
+')
+
+########################################
+## <summary>
## Connect to IPSEC using a unix domain stream socket.
## </summary>
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.3/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/ipsec.te 2010-06-08 11:32:10.000000000 -0400
@ -24457,6 +24581,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
+
+ allow $1 iscsid_t:sem create_sem_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.3/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/iscsi.te 2010-06-09 16:41:53.000000000 -0400
@@ -77,6 +77,8 @@
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
+dev_read_raw_memory(iscsid_t)
+dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.8.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-03-23 11:19:40.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/libraries.fc 2010-06-08 11:32:10.000000000 -0400
@ -24919,7 +25055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
domain_system_change_exemption($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.8.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-08 11:32:10.000000000 -0400
+++ serefpolicy-3.8.3/policy/modules/system/logging.te 2010-06-09 16:35:41.000000000 -0400
@@ -61,6 +61,7 @@
type syslogd_t;
type syslogd_exec_t;
@ -24960,7 +25096,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
')
########################################
@@ -268,6 +279,8 @@
@@ -252,6 +263,7 @@
# Audit remote logger local policy
#
+allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled(audisp_remote_t)
@@ -268,8 +280,12 @@
logging_send_syslog_msg(audisp_remote_t)
@ -24968,8 +25112,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
miscfiles_read_localization(audisp_remote_t)
+init_telinit(audisp_remote_t)
+
sysnet_dns_name_resolve(audisp_remote_t)
@@ -373,8 +386,10 @@
########################################
@@ -373,8 +389,10 @@
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
@ -24982,7 +25130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
@@ -492,6 +507,10 @@
@@ -492,6 +510,10 @@
')
optional_policy(`
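Review bot: `dev_write_raw_memory(iscsid_t)` in the iscsi.te hunk gives the iscsid domain write access to the raw memory device nodes, which, if the interface grants what its name says (write on memory_device_t, i.e. /dev/mem and /dev/kmem), is effectively kernel-level privilege and makes the rest of the iscsid confinement moot. If this was added to clear an AVC from iscsiadm reading the iBFT out of /dev/mem, as its firmware parser is understood to do, only `dev_read_raw_memory(iscsid_t)` should be needed; I would drop the write line and annotate the read with `# iscsiadm parses the iBFT out of /dev/mem`. If a write really was observed, the rule should carry a comment naming the exact operation that needs it, since refpolicy appears to track raw memory writers through a dedicated attribute precisely so such grants stand out in review. The same documentation gap applies to the unconditional `ipc_lock` and `sys_admin` capabilities in the ftp.te hunk, which carry no comment explaining which ftpd operation requires them.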


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -469,6 +469,9 @@ exit 0
%endif
%changelog
* Wed Jun 9 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-2
- Lots of random fixes
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 3.8.3-1
- Update to upstream