- Add conflicts for dirsrv package

Dan Walsh 2010-11-09 07:55:52 -05:00
parent 3e0b7834a6
commit fc9bf2f03d
3 changed files with 300 additions and 172 deletions


@ -510,6 +510,20 @@ dmidecode = base
#
domain = base
# Layer: services
# Module: drbd
#
# DRBD mirrors a block device over the network to another machine.
#
drbd = module
# Layer: services
# Module: ddclient
#
# Update dynamic IP address at DynDNS.org
#
ddclient = module
# Layer: services
# Module: dovecot
#


@ -7335,70 +7335,27 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 34c9d01..8b6dc89 100644
index 34c9d01..94ec653 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -122,6 +122,8 @@ ifdef(`distro_debian',`
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
+/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
#
# /lib
#
@@ -130,6 +132,7 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -146,6 +149,8 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
+/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
#
# /sbin
@@ -266,6 +271,8 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
@@ -382,3 +389,25 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
+
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -307,6 +307,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..24018ce 100644
--- a/policy/modules/kernel/corecommands.if
@ -8319,7 +8276,7 @@ index 3517db2..bd4c23d 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..5dcb9ad 100644
index 5302dac..9b828ee 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@ -8335,7 +8292,32 @@ index 5302dac..5dcb9ad 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
@@ -1410,6 +1408,24 @@ interface(`files_getattr_all_mountpoints',`
########################################
## <summary>
+## Set the attributes of all mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## Search all mount points.
## </summary>
## <param name="domain">
@@ -1446,6 +1462,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
########################################
## <summary>
@ -8396,7 +8378,7 @@ index 5302dac..5dcb9ad 100644
## List the contents of the root directory.
## </summary>
## <param name="domain">
@@ -1836,6 +1888,25 @@ interface(`files_relabelfrom_boot_files',`
@@ -1836,6 +1906,25 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@ -8422,7 +8404,7 @@ index 5302dac..5dcb9ad 100644
########################################
## <summary>
## Read and write symbolic links
@@ -2435,6 +2506,24 @@ interface(`files_delete_etc_files',`
@@ -2435,6 +2524,24 @@ interface(`files_delete_etc_files',`
########################################
## <summary>
@ -8447,7 +8429,7 @@ index 5302dac..5dcb9ad 100644
## Execute generic files in /etc.
## </summary>
## <param name="domain">
@@ -2605,6 +2694,24 @@ interface(`files_read_etc_runtime_files',`
@@ -2605,6 +2712,24 @@ interface(`files_read_etc_runtime_files',`
########################################
## <summary>
@ -8472,7 +8454,7 @@ index 5302dac..5dcb9ad 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
@@ -3086,6 +3193,7 @@ interface(`files_getattr_home_dir',`
@@ -3086,6 +3211,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
@ -8480,7 +8462,7 @@ index 5302dac..5dcb9ad 100644
')
########################################
@@ -3106,6 +3214,7 @@ interface(`files_dontaudit_getattr_home_dir',`
@@ -3106,6 +3232,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
@ -8488,7 +8470,7 @@ index 5302dac..5dcb9ad 100644
')
########################################
@@ -3347,6 +3456,24 @@ interface(`files_list_mnt',`
@@ -3347,6 +3474,24 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@ -8513,7 +8495,7 @@ index 5302dac..5dcb9ad 100644
########################################
## <summary>
## Mount a filesystem on /mnt.
@@ -3420,6 +3547,24 @@ interface(`files_read_mnt_files',`
@@ -3420,6 +3565,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
@ -8538,7 +8520,7 @@ index 5302dac..5dcb9ad 100644
########################################
## <summary>
## Create, read, write, and delete symbolic links in /mnt.
@@ -3711,6 +3856,100 @@ interface(`files_read_world_readable_sockets',`
@@ -3711,6 +3874,100 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@ -8639,7 +8621,7 @@ index 5302dac..5dcb9ad 100644
########################################
## <summary>
## Allow the specified type to associate
@@ -3896,6 +4135,32 @@ interface(`files_manage_generic_tmp_dirs',`
@@ -3896,6 +4153,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
## <summary>
@ -8672,7 +8654,7 @@ index 5302dac..5dcb9ad 100644
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
@@ -3950,6 +4215,42 @@ interface(`files_rw_generic_tmp_sockets',`
@@ -3950,6 +4233,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
@ -8715,7 +8697,7 @@ index 5302dac..5dcb9ad 100644
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
@@ -4109,6 +4410,13 @@ interface(`files_purge_tmp',`
@@ -4109,6 +4428,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@ -8729,7 +8711,7 @@ index 5302dac..5dcb9ad 100644
')
########################################
@@ -4718,6 +5026,24 @@ interface(`files_read_var_files',`
@@ -4718,6 +5044,24 @@ interface(`files_read_var_files',`
########################################
## <summary>
@ -8754,7 +8736,7 @@ index 5302dac..5dcb9ad 100644
## Read and write files in the /var directory.
## </summary>
## <param name="domain">
@@ -5053,6 +5379,24 @@ interface(`files_manage_mounttab',`
@@ -5053,6 +5397,24 @@ interface(`files_manage_mounttab',`
########################################
## <summary>
@ -8779,7 +8761,7 @@ index 5302dac..5dcb9ad 100644
## Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
@@ -5138,12 +5482,12 @@ interface(`files_getattr_generic_locks',`
@@ -5138,12 +5500,12 @@ interface(`files_getattr_generic_locks',`
## </param>
#
interface(`files_delete_generic_locks',`
@ -8796,64 +8778,103 @@ index 5302dac..5dcb9ad 100644
')
########################################
@@ -5189,6 +5533,27 @@ interface(`files_delete_all_locks',`
@@ -5189,29 +5551,28 @@ interface(`files_delete_all_locks',`
########################################
## <summary>
-## Read all lock files.
+## Relabel all lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <rolecap/>
#
-interface(`files_read_all_locks',`
+interface(`files_relabel_all_lock_dirs',`
gen_require(`
attribute lockfile;
- type var_t, var_lock_t;
+ type var_t;
')
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
')
########################################
## <summary>
-## manage all lock files.
+## Read all lock files.
## </summary>
## <param name="domain">
## <summary>
@@ -5219,15 +5580,37 @@ interface(`files_read_all_locks',`
## </summary>
## </param>
#
-interface(`files_manage_all_locks',`
+interface(`files_read_all_locks',`
gen_require(`
attribute lockfile;
type var_t, var_lock_t;
')
allow $1 { var_t var_lock_t }:dir search_dir_perms;
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
+ allow $1 lockfile:dir list_dir_perms;
+ read_files_pattern($1, lockfile, lockfile)
+ read_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
+## manage all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_all_lock_dirs',`
+interface(`files_manage_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
## Read all lock files.
## </summary>
## <param name="domain">
@@ -5317,23 +5682,60 @@ interface(`files_search_pids',`
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ manage_dirs_pattern($1, lockfile, lockfile)
+ manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
')
@@ -5317,6 +5700,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
-########################################
+######################################
## <summary>
-## Do not audit attempts to search
-## the /var/run directory.
+## <summary>
+## Add and remove entries from pid directories.
## </summary>
## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
-interface(`files_dontaudit_search_pids',`
- gen_require(`
- type var_run_t;
- ')
+## </param>
+#
+interface(`files_rw_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
- dontaudit $1 var_run_t:dir search_dir_perms;
+
+ allow $1 var_run_t:dir rw_dir_perms;
+')
+
@ -8876,27 +8897,10 @@ index 5302dac..5dcb9ad 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search
+## the /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_search_pids',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ dontaudit $1 var_run_t:dir search_dir_perms;
')
########################################
@@ -5524,6 +5926,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
## <summary>
## Do not audit attempts to search
@@ -5524,6 +5944,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
## <summary>
@ -8959,7 +8963,7 @@ index 5302dac..5dcb9ad 100644
## Read all process ID files.
## </summary>
## <param name="domain">
@@ -5541,6 +5999,44 @@ interface(`files_read_all_pids',`
@@ -5541,6 +6017,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@ -9004,7 +9008,7 @@ index 5302dac..5dcb9ad 100644
')
########################################
@@ -5826,3 +6322,247 @@ interface(`files_unconfined',`
@@ -5826,3 +6340,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@ -12353,7 +12357,7 @@ index 0b827c5..8961dba 100644
admin_pattern($1, abrt_tmp_t)
')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 98646c4..5be7dc8 100644
index 98646c4..73ae7f0 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
@ -12397,7 +12401,15 @@ index 98646c4..5be7dc8 100644
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
@@ -121,6 +130,8 @@ files_read_generic_tmp_files(abrt_t)
@@ -114,6 +123,7 @@ domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
+files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
@@ -121,6 +131,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@ -12406,7 +12418,7 @@ index 98646c4..5be7dc8 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -131,7 +142,7 @@ fs_read_nfs_files(abrt_t)
@@ -131,7 +143,7 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@ -12415,7 +12427,7 @@ index 98646c4..5be7dc8 100644
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
@@ -140,6 +152,15 @@ miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@ -12431,7 +12443,7 @@ index 98646c4..5be7dc8 100644
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
@@ -150,6 +170,11 @@ optional_policy(`
@@ -150,6 +171,11 @@ optional_policy(`
')
optional_policy(`
@ -12443,7 +12455,7 @@ index 98646c4..5be7dc8 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
@@ -178,12 +203,18 @@ optional_policy(`
@@ -178,12 +204,18 @@ optional_policy(`
')
optional_policy(`
@ -12463,7 +12475,7 @@ index 98646c4..5be7dc8 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
@@ -203,6 +234,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -203,6 +235,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@ -12471,7 +12483,7 @@ index 98646c4..5be7dc8 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
@@ -216,7 +248,8 @@ miscfiles_read_localization(abrt_helper_t)
@@ -216,7 +249,8 @@ miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@ -12481,7 +12493,7 @@ index 98646c4..5be7dc8 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
@@ -224,4 +257,18 @@ ifdef(`hide_broken_symptoms', `
@@ -224,4 +258,18 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@ -19790,7 +19802,7 @@ index e1d7dc5..ee51a19 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index cbe14e4..dd7fe41 100644
index cbe14e4..9e2f6d5 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@ -19865,7 +19877,16 @@ index cbe14e4..dd7fe41 100644
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
@@ -242,6 +252,7 @@ optional_policy(`
@@ -189,6 +199,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
+
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
@@ -242,6 +254,7 @@ optional_policy(`
')
optional_policy(`
@ -19873,7 +19894,7 @@ index cbe14e4..dd7fe41 100644
postfix_search_spool(dovecot_auth_t)
')
@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
@ -19907,7 +19928,7 @@ index cbe14e4..dd7fe41 100644
miscfiles_read_localization(dovecot_deliver_t)
@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',`
@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@ -25548,15 +25569,16 @@ index 4876cae..5f2ba87 100644
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index 85188dc..99cefb8 100644
index 85188dc..76f26dd 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,25 @@ interface(`nscd_socket_use',`
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
files_search_pids($1)
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
- dontaudit $1 nscd_var_run_t:file { getattr read };
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
+ ps_process_pattern(nscd_t, $1)
+')
+
+########################################
@ -25578,7 +25600,7 @@ index 85188dc..99cefb8 100644
')
########################################
@@ -146,11 +164,14 @@ interface(`nscd_shm_use',`
@@ -146,11 +165,14 @@ interface(`nscd_shm_use',`
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
@ -25596,7 +25618,7 @@ index 85188dc..99cefb8 100644
')
########################################
@@ -168,7 +189,7 @@ interface(`nscd_dontaudit_search_pid',`
@@ -168,7 +190,7 @@ interface(`nscd_dontaudit_search_pid',`
type nscd_var_run_t;
')
@ -25605,7 +25627,7 @@ index 85188dc..99cefb8 100644
')
########################################
@@ -224,6 +245,7 @@ interface(`nscd_unconfined',`
@@ -224,6 +246,7 @@ interface(`nscd_unconfined',`
## Role allowed access.
## </summary>
## </param>
@ -26093,7 +26115,7 @@ index 9d0a67b..9197ef0 100644
#
interface(`openct_domtrans',`
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 8b550f4..cb87bef 100644
index 8b550f4..e41ff47 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@ -26155,7 +26177,16 @@ index 8b550f4..cb87bef 100644
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -113,20 +120,20 @@ sysnet_manage_config(openvpn_t)
@@ -102,6 +109,8 @@ files_read_etc_runtime_files(openvpn_t)
auth_use_pam(openvpn_t)
+init_read_utmp(openvpn_t)
+
logging_send_syslog_msg(openvpn_t)
miscfiles_read_localization(openvpn_t)
@@ -113,20 +122,20 @@ sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
@ -26183,7 +26214,7 @@ index 8b550f4..cb87bef 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
@@ -138,3 +145,7 @@ optional_policy(`
@@ -138,3 +147,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@ -27733,10 +27764,21 @@ index 55e62d2..c114a40 100644
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 46bee12..ff521d5 100644
index 46bee12..9c13189 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -50,7 +50,7 @@ template(`postfix_domain_template',`
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
+ allow postfix_$1_t self:capability sys_nice;
dontaudit postfix_$1_t self:capability sys_tty_config;
- allow postfix_$1_t self:process { signal_perms setpgid };
+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
@ -27745,7 +27787,7 @@ index 46bee12..ff521d5 100644
allow postfix_$1_t postfix_master_t:process sigchld;
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
@ -27753,7 +27795,7 @@ index 46bee12..ff521d5 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
@@ -272,7 +273,8 @@ interface(`postfix_read_local_state',`
@@ -272,7 +274,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@ -27763,7 +27805,7 @@ index 46bee12..ff521d5 100644
')
########################################
@@ -290,7 +292,8 @@ interface(`postfix_read_master_state',`
@@ -290,7 +293,8 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@ -27773,7 +27815,7 @@ index 46bee12..ff521d5 100644
')
########################################
@@ -376,6 +379,25 @@ interface(`postfix_domtrans_master',`
@@ -376,6 +380,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@ -27799,7 +27841,7 @@ index 46bee12..ff521d5 100644
########################################
## <summary>
## Execute the master postfix program in the
@@ -404,7 +426,6 @@ interface(`postfix_exec_master',`
@@ -404,7 +427,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
## </summary>
## </param>
@ -27807,7 +27849,7 @@ index 46bee12..ff521d5 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
@@ -529,6 +550,25 @@ interface(`postfix_domtrans_smtp',`
@@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',`
########################################
## <summary>
@ -27833,7 +27875,7 @@ index 46bee12..ff521d5 100644
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
@@ -539,10 +579,10 @@ interface(`postfix_domtrans_smtp',`
@@ -539,10 +580,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@ -27846,7 +27888,7 @@ index 46bee12..ff521d5 100644
files_search_spool($1)
')
@@ -558,10 +598,10 @@ interface(`postfix_search_spool',`
@@ -558,10 +599,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@ -27859,7 +27901,7 @@ index 46bee12..ff521d5 100644
files_search_spool($1)
')
@@ -577,11 +617,11 @@ interface(`postfix_list_spool',`
@@ -577,11 +618,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@ -27873,7 +27915,7 @@ index 46bee12..ff521d5 100644
')
########################################
@@ -596,11 +636,11 @@ interface(`postfix_read_spool_files',`
@@ -596,11 +637,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@ -27887,7 +27929,7 @@ index 46bee12..ff521d5 100644
')
########################################
@@ -621,3 +661,103 @@ interface(`postfix_domtrans_user_mail_handler',`
@@ -621,3 +662,103 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@ -30293,13 +30335,47 @@ index 340a6c0..f24c52e 100644
+ ')
')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 0a76027..cdd0542 100644
index 0a76027..88ac667 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
@@ -114,7 +114,6 @@ optional_policy(`
@@ -49,6 +49,7 @@ fs_getattr_xattr_fs(remote_login_t)
fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
+term_use_all_ptys(remote_login_t)
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
@@ -77,7 +78,7 @@ files_list_mnt(remote_login_t)
# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
-sysnet_dns_name_resolve(remote_login_t)
+auth_use_nsswitch(remote_login_t)
miscfiles_read_localization(remote_login_t)
@@ -87,6 +88,7 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
+userdom_use_user_ptys(remote_login_t)
# Search for mail spool file.
mta_getattr_spool(remote_login_t)
@@ -106,15 +108,10 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(remote_login_t)
+ telnet_use_ptys(remote_login_t)
')
optional_policy(`
- nscd_socket_use(remote_login_t)
-')
-
-optional_policy(`
- unconfined_domain(remote_login_t)
unconfined_shell_domtrans(remote_login_t)
')
@ -34424,6 +34500,30 @@ index 7038b55..4e84f23 100644
type tcpd_tmp_t;
files_tmp_file(tcpd_tmp_t)
diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
index 58e7ec0..cf4cc85 100644
--- a/policy/modules/services/telnet.if
+++ b/policy/modules/services/telnet.if
@@ -1 +1,19 @@
## <summary>Telnet daemon</summary>
+
+########################################
+## <summary>
+## Read and write a telnetd domain pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`telnet_use_ptys',`
+ gen_require(`
+ type telnetd_devpts_t;
+ ')
+
+ allow $1 telnetd_devpts_t:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index f40e67b..34c4c57 100644
--- a/policy/modules/services/telnet.te
@ -42712,7 +42812,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..43cb923 100644
index fca6947..e1f7531 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@ -42762,7 +42862,7 @@ index fca6947..43cb923 100644
allow mount_t mount_loopback_t:file read_file_perms;
@@ -46,50 +68,83 @@ can_exec(mount_t, mount_exec_t)
@@ -46,50 +68,84 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@ -42814,6 +42914,7 @@ index fca6947..43cb923 100644
+# for when /etc/mtab loses its type
+files_delete_etc_files(mount_t)
files_mounton_all_mountpoints(mount_t)
+files_setattr_all_mountpoints(mount_t)
+# ntfs-3g checks whether the mountpoint is writable before mounting
+files_write_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
@ -42853,7 +42954,7 @@ index fca6947..43cb923 100644
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
@@ -100,6 +155,7 @@ storage_raw_read_fixed_disk(mount_t)
@@ -100,6 +156,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@ -42861,7 +42962,7 @@ index fca6947..43cb923 100644
term_use_all_terms(mount_t)
@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t)
@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@ -42870,7 +42971,7 @@ index fca6947..43cb923 100644
logging_send_syslog_msg(mount_t)
@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t)
@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@ -42883,7 +42984,7 @@ index fca6947..43cb923 100644
ifdef(`distro_redhat',`
optional_policy(`
@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',`
@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',`
')
')
@ -42901,7 +43002,7 @@ index fca6947..43cb923 100644
')
optional_policy(`
@@ -166,6 +237,8 @@ optional_policy(`
@@ -166,6 +238,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@ -42910,7 +43011,7 @@ index fca6947..43cb923 100644
')
optional_policy(`
@@ -173,6 +246,28 @@ optional_policy(`
@@ -173,6 +247,28 @@ optional_policy(`
')
optional_policy(`
@ -42939,7 +43040,7 @@ index fca6947..43cb923 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -180,13 +275,44 @@ optional_policy(`
@@ -180,13 +276,44 @@ optional_policy(`
')
')
@ -42984,7 +43085,7 @@ index fca6947..43cb923 100644
')
########################################
@@ -195,6 +321,42 @@ optional_policy(`
@@ -195,6 +322,42 @@ optional_policy(`
#
optional_policy(`
@ -43932,9 +44033,18 @@ index 0e48679..78b3429 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 726619b..4bb3158 100644
index 726619b..36426f7 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -13,7 +13,7 @@
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
-/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
@@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
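Review bot: The widened file-context entry `/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0)` in the sysnetwork.fc hunk also matches /etc/hosts.allow and /etc/hosts.equiv, which the old `/etc/hosts --` line did not cover. net_conf_t is the label the network-configuration domains (dhclient, NetworkManager and similar) are allowed to write, so as far as I can tell this change lets those daemons modify the TCP-wrappers allow list and the rhosts trust file, a different trust boundary from /etc/hosts or resolv.conf. If the intent was only to cover backup or package-manager variants of /etc/hosts, narrowing the expression to those suffixes is the safer fix; otherwise keep the access-control files on their previous label with an explicit entry such as `/etc/hosts\.(allow|equiv) -- gen_context(system_u:object_r:etc_t,s0)` (assuming they previously fell through to the generic /etc rule). Either way the relabel is worth a line in the changelog, since it changes which domains may write those files.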


@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -319,6 +319,7 @@ Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
%description targeted
SELinux Reference policy targeted base module.
@ -470,6 +471,9 @@ exit 0
%endif
%changelog
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-2
- Add conflicts for dirsrv package
* Fri Nov 5 2010 Dan Walsh <dwalsh@redhat.com> 3.9.8-1
- Update to upstream
- Add vlock policy