From d982e7e091e15cd144e6fcae7e9df53fd43e93e0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 18 2009 12:13:36 +0000 Subject: - Fixes for podsleuth --- diff --git a/booleans-minimum.conf b/booleans-minimum.conf index 35b11a9..9abec7f 100644 --- a/booleans-minimum.conf +++ b/booleans-minimum.conf @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # @@ -56,7 +56,7 @@ allow_ypbind = false # Allow zebra to write it own configuration files # -allow_zebra_write_config = true +allow_zebra_write_config = false # Enable extra rules in the cron domainto support fcron. # @@ -96,7 +96,7 @@ httpd_enable_ftp_server = false # Allow httpd to read home directories # -httpd_enable_homedirs = true +httpd_enable_homedirs = false # Run SSI execs in system CGI script domain. # @@ -104,11 +104,11 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = true +httpd_tty_comm = false # Run CGI in the main httpd domain # -httpd_unified = true +httpd_unified = false # Allow BIND to write the master zone files.Generally this is used for dynamic DNS. # @@ -128,7 +128,7 @@ pppd_can_insmod = false # Allow reading of default_t files. # -read_default_t = true +read_default_t = false # Allow samba to export user home directories. # @@ -148,7 +148,7 @@ use_samba_home_dirs = false # Control users use of ping and traceroute # -user_ping = true +user_ping = false # allow host key based authentication # @@ -164,7 +164,7 @@ read_untrusted_content = false # Allow spamd to write to users homedirs # -spamd_enable_home_dirs = true +spamd_enable_home_dirs = false # Allow regular users direct mouse access # @@ -192,7 +192,7 @@ write_untrusted_content = false # Allow all domains to talk to ttys # -allow_daemons_use_tty = true +allow_daemons_use_tty = false # Allow login domains to polyinstatiate directories # 
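Review bot: Neither the subject line ("Fixes for podsleuth") nor the 3.6.12-7/-8 changelog entries mention that this hunk flips `allow_execstack = true` to `allow_execstack = false`, and the other hunks of this file flip ten more defaults (`allow_zebra_write_config`, `httpd_enable_homedirs`, `httpd_tty_comm`, `httpd_unified`, `read_default_t`, `user_ping`, `spamd_enable_home_dirs`, `allow_daemons_use_tty`, `samba_run_unconfined`, `allow_xserver_execmem`, `allow_postfix_local_write_mail_spool`). Defaulting executable stacks and unconfined samba to off is the safer direction, but it is a user-visible change that can break programs relying on the previous defaults, so it deserves its own changelog line, e.g. `- Default booleans in booleans-minimum.conf and booleans-targeted.conf to false`. booleans-targeted.conf receives byte-identical hunks (same blob ids 35b11a9..9abec7f), which suggests the two files are generated from one source; if so, the generator rather than both copies is presumably the place to record the new defaults.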
@@ -208,11 +208,11 @@ samba_domain_controller = false # Allow samba to export user home directories. # -samba_run_unconfined = true +samba_run_unconfined = false # Allows XServer to execute writable memory # -allow_xserver_execmem = true +allow_xserver_execmem = false # disallow guest accounts to execute files that they can create # @@ -225,7 +225,7 @@ browser_confine_xguest=false # Allow postfix locat to write to mail spool # -allow_postfix_local_write_mail_spool=true +allow_postfix_local_write_mail_spool=false # Allow common users to read/write noexattrfile systems # diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 35b11a9..9abec7f 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # @@ -56,7 +56,7 @@ allow_ypbind = false # Allow zebra to write it own configuration files # -allow_zebra_write_config = true +allow_zebra_write_config = false # Enable extra rules in the cron domainto support fcron. # @@ -96,7 +96,7 @@ httpd_enable_ftp_server = false # Allow httpd to read home directories # -httpd_enable_homedirs = true +httpd_enable_homedirs = false # Run SSI execs in system CGI script domain. # @@ -104,11 +104,11 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = true +httpd_tty_comm = false # Run CGI in the main httpd domain # -httpd_unified = true +httpd_unified = false # Allow BIND to write the master zone files.Generally this is used for dynamic DNS. # @@ -128,7 +128,7 @@ pppd_can_insmod = false # Allow reading of default_t files. # -read_default_t = true +read_default_t = false # Allow samba to export user home directories. # 
@@ -148,7 +148,7 @@ use_samba_home_dirs = false # Control users use of ping and traceroute # -user_ping = true +user_ping = false # allow host key based authentication # @@ -164,7 +164,7 @@ read_untrusted_content = false # Allow spamd to write to users homedirs # -spamd_enable_home_dirs = true +spamd_enable_home_dirs = false # Allow regular users direct mouse access # @@ -192,7 +192,7 @@ write_untrusted_content = false # Allow all domains to talk to ttys # -allow_daemons_use_tty = true +allow_daemons_use_tty = false # Allow login domains to polyinstatiate directories # @@ -208,11 +208,11 @@ samba_domain_controller = false # Allow samba to export user home directories. # -samba_run_unconfined = true +samba_run_unconfined = false # Allows XServer to execute writable memory # -allow_xserver_execmem = true +allow_xserver_execmem = false # disallow guest accounts to execute files that they can create # @@ -225,7 +225,7 @@ browser_confine_xguest=false # Allow postfix locat to write to mail spool # -allow_postfix_local_write_mail_spool=true +allow_postfix_local_write_mail_spool=false # Allow common users to read/write noexattrfile systems # diff --git a/policy-20090105.patch b/policy-20090105.patch index 126dd7f..3acc136 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -3001,8 +3001,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,292 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400 +@@ -0,0 +1,293 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -3138,6 +3138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(nsplugin_t) +miscfiles_read_fonts(nsplugin_t) ++miscfiles_dontaudit_write_fonts(nsplugin_t) + +userdom_manage_user_tmp_dirs(nsplugin_t) +userdom_manage_user_tmp_files(nsplugin_t) @@ -3462,8 +3463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te --- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-07 16:01:44.000000000 -0400 -@@ -11,21 +11,68 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te 2009-04-18 06:04:47.000000000 -0400 +@@ -11,25 +11,80 @@ application_domain(podsleuth_t, podsleuth_exec_t) role system_r types podsleuth_t; @@ -3483,7 +3484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # - -allow podsleuth_t self:process { signal getsched execheap execmem }; -+allow podsleuth_t self:capability { sys_admin sys_rawio }; ++allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio }; +allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack }; allow podsleuth_t self:fifo_file rw_file_perms; allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; 
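Review bot: The rule `allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };` gains `kill` and `dac_override` without a comment recording which denial required them; `dac_override` bypasses every ownership and mode check on the host, so if the underlying access was to a specific file type, a type-specific `allow` (or `manage_*_pattern`) on that type would be the narrower fix. The companion `userdom_signal_all_users(podsleuth_t)` added in the next hunk (@@ -3533,7 +3534,21 @@) widens the signal side in the same way, so the two probably came from the same AVC. Suggest a comment above the rule such as `# kill/dac_override: needed for <AVC placeholder - record the denial here>`, or dropping `dac_override` if the access can be expressed per type. The rest of the podsleuth_t rules lie outside this hunk.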
@@ -3533,7 +3534,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + miscfiles_read_localization(podsleuth_t) - dbus_system_bus_client(podsleuth_t) +-dbus_system_bus_client(podsleuth_t) ++userdom_signal_all_users(podsleuth_t) + +-mono_exec(podsleuth_t) ++optional_policy(` ++ dbus_system_bus_client(podsleuth_t) ++') + ++optional_policy(` + hal_dbus_chat(podsleuth_t) ++') ++ ++optional_policy(` ++ mono_exec(podsleuth_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc 2009-04-07 16:01:44.000000000 -0400 @@ -4923,7 +4938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-15 08:01:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-18 06:12:57.000000000 -0400 @@ -525,7 +525,7 @@ ') @@ -6552,7 +6567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if --- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-14 14:12:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-18 06:06:56.000000000 -0400 
@@ -0,0 +1,638 @@ +## Unconfiend user role + @@ -22979,7 +22994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400 @@ -8,19 +8,24 @@ ## @@ -23190,7 +23205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +271,78 @@ +@@ -198,5 +271,80 @@ ') optional_policy(` @@ -23226,6 +23241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_t, virt_content_t, virt_content_t) ++dontaudit svirt_t virt_content_t:file write_file_perms; ++dontaudit svirt_t virt_content_t:dir write; + +storage_raw_write_removable_device(svirt_t) +storage_raw_read_removable_device(svirt_t) @@ -25303,8 +25320,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400 -@@ -280,6 +280,29 @@ ++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-17 11:04:53.000000000 -0400 +@@ -280,6 +280,36 @@ kernel_dontaudit_use_fds($1) ') ') 
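Review bot: The two new rules `dontaudit svirt_t virt_content_t:file write_file_perms;` and `dontaudit svirt_t virt_content_t:dir write;` silence write attempts on `virt_content_t` without a comment saying why they are expected; svirt_t appears to be the confined guest domain, so suppressing these denials also hides evidence of a guest trying to modify shared content. If the writes come from a known benign open-for-read-write pattern, say so inline, e.g. `# guests open virt_content_t rw; keep denying, only silence the noise`, so a later maintainer does not turn this into an allow. The surrounding svirt_t rules continue outside the hunk.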
@@ -25330,11 +25347,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + xserver_rw_xdm_home_files($1) + ') ++ ++ optional_policy(` ++ unconfined_dontaudit_rw_pipes($1) ++ unconfined_dontaudit_rw_stream($1) ++ userdom_dontaudit_read_user_tmp_files($1) ++ ') ++ + init_rw_script_stream_sockets($1) ') ######################################## -@@ -546,7 +569,7 @@ +@@ -546,7 +576,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -25343,7 +25367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +642,19 @@ +@@ -619,18 +649,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -25367,7 +25391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +670,43 @@ +@@ -646,23 +677,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -25415,7 +25439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a init script in a specified domain. ## ## -@@ -1291,6 +1335,25 @@ +@@ -1291,6 +1342,25 @@ ######################################## ## @@ -25441,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1584,51 @@ +@@ -1521,3 +1591,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
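Review bot: The new `optional_policy` block with `unconfined_dontaudit_rw_pipes($1)`, `unconfined_dontaudit_rw_stream($1)` and `userdom_dontaudit_read_user_tmp_files($1)` suppresses denials for every domain declared through this interface, yet carries no comment; the 3.6.12-7 changelog attributes it to file descriptors leaked by Konsole, which this masks rather than closes. A one-line comment such as `# dontaudit fds leaked into daemons from the unconfined user terminal that started them` would keep the reason attached to the rule. The same three lines are added for the `daemon` attribute in init.te (hunk @@ -25741,12 +25765,14 @@); if every domain passing through this interface also carries `daemon`, one of the two copies is redundant, which is worth checking since the interface header is outside this hunk.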
@@ -25495,7 +25519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 07:33:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -25714,7 +25738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +560,31 @@ +@@ -516,6 +560,33 @@ ') ') @@ -25741,12 +25765,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + unconfined_dontaudit_rw_pipes(daemon) ++ unconfined_dontaudit_rw_stream(daemon) ++ userdom_dontaudit_read_user_tmp_files(daemon) +') + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +639,10 @@ +@@ -570,6 +641,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -25757,7 +25783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +664,10 @@ +@@ -591,6 +666,10 @@ ') optional_policy(` @@ -25768,7 +25794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,6 +724,11 @@ +@@ -647,6 +726,11 @@ ') optional_policy(` @@ -25780,7 +25806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') -@@ -655,12 +737,6 @@ +@@ -655,12 +739,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') 
@@ -25793,7 +25819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +797,9 @@ +@@ -721,6 +799,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -25803,7 +25829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +812,12 @@ +@@ -733,10 +814,12 @@ squid_manage_logs(initrc_t) ') @@ -25816,7 +25842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +835,11 @@ +@@ -754,6 +837,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -25828,7 +25854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -761,6 +847,8 @@ +@@ -761,6 +849,8 @@ # system-config-services causes avc messages that should be dontaudited unconfined_dontaudit_rw_pipes(daemon) ') @@ -25837,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mono_domtrans(initrc_t) -@@ -768,6 +856,10 @@ +@@ -768,6 +858,10 @@ ') optional_policy(` @@ -25848,7 +25874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +882,25 @@ +@@ -790,3 +884,25 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -29135,7 +29161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-16 11:03:07.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30542,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3187,482 @@ +@@ -2981,3 +3187,481 @@ allow $1 userdomain:dbus send_msg; ') @@ -31024,7 +31050,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $1 userdomain:unix_stream_socket rw_socket_perms; +') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.te 2009-04-07 16:01:44.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index a5f89f9..333b624 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 6%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -311,9 +311,9 @@ SELinux Reference policy targeted base module. %saveFileContext targeted %post targeted -set -x if [ $1 -eq 1 ]; then -%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2" +packages="unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy targeted $packages restorecon -R /root /var/log /var/run 2> /dev/null else semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null @@ -401,7 +401,7 @@ SELinux Reference policy olpc base module. %saveFileContext olpc %post olpc -%loadpolicy olpc +%loadpolicy olpc "" if [ $1 -ne 1 ]; then %relabel olpc @@ -432,7 +432,7 @@ SELinux Reference policy mls base module. %post mls semodule -n -s mls -r mailscanner 2>/dev/null -%loadpolicy mls +%loadpolicy mls "" if [ $1 != 1 ]; then %relabel mls @@ -446,6 +446,12 @@ exit 0 %endif %changelog +* Sat Apr 18 2009 Dan Walsh 3.6.12-8 +- Fixes for podsleuth + +* Fri Apr 17 2009 Dan Walsh 3.6.12-7 +- Turn off nsplugin transition +- Remove Konsole leaked file descriptors for release * Fri Apr 17 2009 Dan Walsh 3.6.12-6 - Allow cupsd_t to create link files in print_spool_t
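Review bot: `%loadpolicy targeted $packages` now passes the module list unquoted, while the olpc and mls scriptlets pass an explicit `""`; the macro body is not in this diff, so it is not visible whether it expects a single word-split argument or several, nor whether the empty string is a required placeholder. A comment at the first call site, e.g. `# %loadpolicy <store> <extra modules, space-separated, or "">`, would spare the next editor a trip to the macro definition. Removing `set -x` also drops the only tracing in this scriptlet, which looks intended for a release build but is worth stating in the changelog.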