From 2a0b7fbf5b7e121d3b374be88dcad7e4b6dbe3fa Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 13 2009 22:13:45 +0000 Subject: - Fix labeling for privoxy config files --- diff --git a/policy-F12.patch b/policy-F12.patch index a2e0562..0c65e8e 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1313,8 +1313,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## The Fedora hardware profiler client diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.32/policy/modules/admin/smoltclient.te --- nsaserefpolicy/policy/modules/admin/smoltclient.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,67 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/smoltclient.te 2009-10-13 10:09:59.000000000 -0400 +@@ -0,0 +1,68 @@ +policy_module(smoltclient,1.0.0) + +######################################## @@ -1359,6 +1359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_read_sysfs(smoltclient_t) + +fs_getattr_all_fs(smoltclient_t) ++fs_getattr_all_dirs(smoltclient_t) + +files_getattr_generic_locks(smoltclient_t) +files_read_etc_files(smoltclient_t) @@ -1480,8 +1481,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.32/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-09-30 16:12:48.000000000 -0400 -@@ -197,6 +197,7 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.te 2009-10-13 18:03:31.000000000 -0400 +@@ -82,6 +82,7 @@ + selinux_compute_relabel_context(chfn_t) + selinux_compute_user_contexts(chfn_t) + ++term_use_console(chfn_t) + term_use_all_user_ttys(chfn_t) + term_use_all_user_ptys(chfn_t) + +@@ -197,6 +198,7 @@ selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -1489,7 +1498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(groupadd_t) term_use_all_user_ptys(groupadd_t) -@@ -209,6 +210,7 @@ +@@ -209,6 +211,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) files_read_etc_runtime_files(groupadd_t) @@ -1497,7 +1506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. corecmd_exec_bin(groupadd_t) -@@ -218,14 +220,11 @@ +@@ -218,14 +221,11 @@ miscfiles_read_localization(groupadd_t) @@ -1514,7 +1523,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(groupadd_t) -@@ -329,6 +328,7 @@ +@@ -288,6 +288,7 @@ + selinux_compute_relabel_context(passwd_t) + selinux_compute_user_contexts(passwd_t) + ++term_use_console(passwd_t) + term_use_all_user_ttys(passwd_t) + term_use_all_user_ptys(passwd_t) + +@@ -329,6 +330,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1522,7 +1539,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` nscd_domtrans(passwd_t) -@@ -446,6 +446,7 @@ +@@ -378,6 +380,7 @@ + fs_getattr_xattr_fs(sysadm_passwd_t) + fs_search_auto_mountpoints(sysadm_passwd_t) + ++term_use_console(sysadm_passwd_t) + term_use_all_user_ttys(sysadm_passwd_t) + term_use_all_user_ptys(sysadm_passwd_t) + +@@ -446,6 +449,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -1530,7 +1555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -465,18 +466,16 @@ +@@ -465,18 +469,16 @@ selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -1553,7 +1578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(useradd_t) init_rw_utmp(useradd_t) -@@ -494,10 +493,8 @@ +@@ -494,10 +496,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -1565,7 +1590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mta_manage_spool(useradd_t) -@@ -521,6 +518,12 @@ +@@ -521,6 +521,12 @@ ') optional_policy(` @@ -1754,8 +1779,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-02 11:00:23.000000000 -0400 -@@ -0,0 +1,57 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-13 17:35:54.000000000 -0400 +@@ -0,0 +1,61 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -1810,6 +1835,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_fonts(chrome_sandbox_t) + +optional_policy(` ++ xserver_read_home_fonts(chrome_sandbox_t) ++') ++ ++optional_policy(` + execmem_exec(chrome_sandbox_t) +') + @@ -6177,7 +6206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-10-13 11:03:54.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -6614,7 +6643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-01 17:13:44.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-13 10:09:53.000000000 -0400 @@ -1149,6 +1149,44 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -6853,7 +6882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-10-13 11:34:04.000000000 -0400 @@ -93,7 +93,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) @@ -6863,6 +6892,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type ibmasmfs_t; fs_type(ibmasmfs_t) +@@ -170,7 +170,7 @@ + # where we want to label objects with a derived type. + fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); + fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); +-fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); ++fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0); + + allow tmpfs_t noxattrfs:filesystem associate; + @@ -250,9 +250,13 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) @@ -7152,7 +7190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-09 07:40:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-13 18:05:04.000000000 -0400 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) @@ -8826,8 +8864,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-30 16:12:48.000000000 -0400 -@@ -14,142 +14,21 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-10-13 14:49:35.000000000 -0400 +@@ -14,96 +14,19 @@ userdom_unpriv_user_template(user) optional_policy(` @@ -8847,10 +8885,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - cdrecord_role(user_r, user_t) -+ sandbox_transition(user_t, user_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - cron_role(user_r, user_t) -') - @@ -8925,13 +8962,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -optional_policy(` - rssh_role(user_r, user_t) --') -- --optional_policy(` -- screen_role_template(user, user_r, user_t) --') -- --optional_policy(` ++ sandbox_transition(user_t, user_r) + ') + + optional_policy(` +@@ -111,45 +34,5 @@ + ') + + optional_policy(` - spamassassin_role(user_r, user_t) -') - @@ -16594,6 +16632,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.6.32/policy/modules/services/privoxy.fc +--- nsaserefpolicy/policy/modules/services/privoxy.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/privoxy.fc 2009-10-13 11:19:42.000000000 -0400 +@@ -1,6 +1,5 @@ + +-/etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) +-/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) ++/etc/privoxy/[^/]*\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0) + /etc/rc\.d/init\.d/privoxy -- gen_context(system_u:object_r:privoxy_initrc_exec_t,s0) + + /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.32/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/privoxy.te 2009-09-30 16:12:48.000000000 -0400 @@ -21132,7 +21181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-10-13 17:35:30.000000000 -0400 @@ -211,6 +211,7 @@ relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -22955,8 +23004,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.32/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-09-30 16:12:48.000000000 -0400 -@@ -125,9 +125,18 @@ ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.te 2009-10-13 18:05:10.000000000 -0400 +@@ -103,6 +103,7 @@ + + fs_dontaudit_getattr_xattr_fs(chkpwd_t) + ++term_dontaudit_use_console(chkpwd_t) + term_dontaudit_use_unallocated_ttys(chkpwd_t) + term_dontaudit_use_generic_ptys(chkpwd_t) + +@@ -125,9 +126,18 @@ ') optional_policy(` @@ -26705,7 +26762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.32/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-10-07 14:46:28.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.te 2009-10-13 11:04:29.000000000 -0400 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t, dhcpc_exec_t) role system_r types dhcpc_t; @@ -26762,7 +26819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_use_fds(dhcpc_t) corecmd_exec_bin(dhcpc_t) -@@ -107,11 +115,13 @@ +@@ -107,14 +115,17 @@ # for SSP: dev_read_urand(dhcpc_t) @@ -26777,7 +26834,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_home(dhcpc_t) files_search_var_lib(dhcpc_t) files_dontaudit_search_locks(dhcpc_t) -@@ -183,25 +193,23 @@ ++files_getattr_generic_locks(dhcpc_t) + + fs_getattr_all_fs(dhcpc_t) + fs_search_auto_mountpoints(dhcpc_t) +@@ -183,25 +194,23 @@ ') optional_policy(` @@ -26811,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -212,6 +220,7 @@ +@@ -212,6 +221,7 @@ optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -26819,7 +26880,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -223,6 +232,10 @@ +@@ -223,6 +233,10 @@ ') optional_policy(` @@ -26830,7 +26891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_xen_state(dhcpc_t) kernel_write_xen_state(dhcpc_t) xen_append_log(dhcpc_t) -@@ -235,7 +248,6 @@ +@@ -235,7 +249,6 @@ # allow ifconfig_t self:capability { net_raw net_admin sys_tty_config }; @@ -26838,7 +26899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; -@@ -249,6 +261,8 @@ +@@ -249,6 +262,8 @@ allow ifconfig_t self:sem create_sem_perms; allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; @@ -26847,7 +26908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # for /sbin/ip -@@ -260,7 +274,9 @@ +@@ -260,7 +275,9 @@ kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) @@ -26857,7 +26918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) -@@ -269,15 +285,23 @@ +@@ -269,15 +286,23 @@ # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -26882,7 +26943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(ifconfig_t) -@@ -294,6 +318,8 @@ +@@ -294,6 +319,8 @@ seutil_use_runinit_fds(ifconfig_t) @@ -26891,7 +26952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -330,8 +356,22 @@ +@@ -330,8 +357,22 @@ ') optional_policy(` @@ -30028,7 +30089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/xen.te 2009-10-13 16:47:27.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # @@ -30220,7 +30281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; -+allow xm_t self:process signal; ++allow xm_t self:process { getshed signal }; # internal communication is often done using fifo and unix sockets. allow xm_t self:fifo_file rw_fifo_file_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 55214ff..dc6ce79 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 25%{?dist} +Release: 26%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Tue Oct 13 2009 Dan Walsh 3.6.32-26 +- Fix labeling for privoxy config files + * Mon Oct 12 2009 Dan Walsh 3.6.32-25 - Fix alias for execmem_exec_t - Dontaudit hal leakage