diff --git a/policy-F15.patch b/policy-F15.patch index 214d01b..ceac83d 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -27384,7 +27384,7 @@ index f28f64b..0b19f11 100644 optional_policy(` diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..87f6bfb 100644 +index f590a1f..b895afb 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ @@ -27411,7 +27411,7 @@ index f590a1f..87f6bfb 100644 ## # interface(`fail2ban_append_log',` -@@ -138,6 +138,26 @@ interface(`fail2ban_read_pid_files',` +@@ -138,6 +138,45 @@ interface(`fail2ban_read_pid_files',` ######################################## ## @@ -27433,12 +27433,31 @@ index f590a1f..87f6bfb 100644 + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + ++###################################### ++## ++## Read and write inherited temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fail2ban_rw_inherited_tmp_files',` ++ gen_require(` ++ type fail2ban_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; ++') ++ +######################################## +## ## All of the rules required to administrate ## an fail2ban environment ## -@@ -155,8 +175,8 @@ interface(`fail2ban_read_pid_files',` +@@ -155,8 +194,8 @@ interface(`fail2ban_read_pid_files',` # interface(`fail2ban_admin',` gen_require(` @@ -27450,10 +27469,18 @@ index f590a1f..87f6bfb 100644 allow $1 fail2ban_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..84e7ce2 100644 +index 2a69e5e..d4884eb 100644 --- a/policy/modules/services/fail2ban.te 
+++ b/policy/modules/services/fail2ban.te -@@ -28,7 +28,7 @@ files_pid_file(fail2ban_var_run_t) +@@ -23,12 +23,15 @@ files_type(fail2ban_var_lib_t) + type fail2ban_var_run_t; + files_pid_file(fail2ban_var_run_t) + ++type fail2ban_tmp_t; ++files_tmp_file(fail2ban_tmp_t) ++ + ######################################## + # # fail2ban local policy # @@ -27462,7 +27489,7 @@ index 2a69e5e..84e7ce2 100644 allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +36,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; +@@ -36,7 +39,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -27471,7 +27498,19 @@ index 2a69e5e..84e7ce2 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -66,6 +66,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -50,6 +53,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) + ++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) ++files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) ++ + kernel_read_system_state(fail2ban_t) + + corecmd_exec_bin(fail2ban_t) +@@ -66,6 +74,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) @@ -27479,7 +27518,7 @@ index 2a69e5e..84e7ce2 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +95,9 @@ optional_policy(` +@@ -94,5 +103,9 @@ optional_policy(` ') optional_policy(` 
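Review bot: `exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` in the `@@ -50,6 +53,11 @@` fail2ban.te hunk grants the daemon execute on a type it can also create and write through the `manage_files_pattern` line directly above it, so fail2ban_t ends up with write-plus-execute over its own /tmp files and loses the usual confinement benefit of a daemon not being able to run what it writes. If this is needed because fail2ban runs generated scripts out of /tmp, record that next to the rule, e.g. `# fail2ban executes action scripts it writes under /tmp (<tracker-id placeholder>)`. If only the mailer handoff in mta.te motivated the change, the exec line can be dropped, since `fail2ban_rw_inherited_tmp_files` only needs the file to exist and be passed as an open descriptor. The changelog entry "fail2ban fixes related to /tmp directory" does not say which case applies.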
@@ -29462,6 +29501,19 @@ index df48e5e..6985546 100644 gen_require(` type inetd_t; ') +diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te +index c51a7b2..46c708e 100644 +--- a/policy/modules/services/inetd.te ++++ b/policy/modules/services/inetd.te +@@ -150,6 +150,8 @@ mls_fd_share_all_levels(inetd_t) + mls_socket_read_to_clearance(inetd_t) + mls_socket_write_to_clearance(inetd_t) + mls_process_set_level(inetd_t) ++#706086 ++mls_net_outbound_all_levels(inetd_t) + + sysnet_read_config(inetd_t) + diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if index ebc9e0d..2f3d8dc 100644 --- a/policy/modules/services/inn.if @@ -32779,7 +32831,7 @@ index 343cee3..4238760 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..0d7da33 100644 +index 64268e4..8b9a0a4 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -32869,7 +32921,7 @@ index 64268e4..0d7da33 100644 ') optional_policy(` -@@ -124,12 +132,8 @@ optional_policy(` +@@ -124,12 +132,9 @@ optional_policy(` ') optional_policy(` @@ -32880,10 +32932,11 @@ index 64268e4..0d7da33 100644 -optional_policy(` fail2ban_append_log(system_mail_t) + fail2ban_dontaudit_leaks(system_mail_t) ++ fail2ban_rw_inherited_tmp_files(system_mail_t) ') optional_policy(` -@@ -146,6 +150,10 @@ optional_policy(` +@@ -146,6 +151,10 @@ optional_policy(` ') optional_policy(` @@ -32894,7 +32947,7 @@ index 64268e4..0d7da33 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +166,6 @@ optional_policy(` +@@ -158,18 +167,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -32913,7 +32966,7 @@ index 64268e4..0d7da33 100644 ') optional_policy(` -@@ -189,6 +185,10 @@ optional_policy(` +@@ -189,6 +186,10 @@ optional_policy(` ') optional_policy(` 
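Review bot: The new comment `#706086` above `mls_net_outbound_all_levels(inetd_t)` in inetd.te is a bare number: it names no tracker and gives no reason for an MLS exemption that lets inetd_t send network traffic at every level. Presumably it is a bugzilla id for this distribution; spell that out and state the requirement on the same line, e.g. `# Bug 706086 (<tracker placeholder>): inetd needs outbound network access at all MLS levels`. MLS overrides are easy to copy to other domains later, so the justification is worth keeping next to the rule.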
@@ -32924,7 +32977,7 @@ index 64268e4..0d7da33 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +199,7 @@ optional_policy(` +@@ -199,7 +200,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -32933,7 +32986,7 @@ index 64268e4..0d7da33 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -32943,7 +32996,7 @@ index 64268e4..0d7da33 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +243,10 @@ optional_policy(` +@@ -242,6 +244,10 @@ optional_policy(` ') optional_policy(` @@ -32954,11 +33007,15 @@ index 64268e4..0d7da33 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,11 +254,16 @@ optional_policy(` +@@ -249,11 +255,20 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') +optional_policy(` ++ postfix_rw_master_pipes(mailserver_delivery) ++') ++ ++optional_policy(` + uucp_domtrans_uux(mailserver_delivery) +') + @@ -32971,7 +33028,7 @@ index 64268e4..0d7da33 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +302,44 @@ optional_policy(` +@@ -292,3 +307,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -38216,7 +38273,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..c65b6ce 100644 +index 64c5f95..eff13cc 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) 
@@ -38260,7 +38317,7 @@ index 64c5f95..c65b6ce 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -176,24 +183,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms; +@@ -176,24 +183,30 @@ allow puppetmaster_t self:udp_socket create_socket_perms; list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t) @@ -38276,6 +38333,7 @@ index 64c5f95..c65b6ce 100644 +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) ++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir }) +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms; @@ -38292,7 +38350,7 @@ index 64c5f95..c65b6ce 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -210,17 +222,38 @@ dev_read_rand(puppetmaster_t) +@@ -210,17 +223,38 @@ dev_read_rand(puppetmaster_t) dev_read_urand(puppetmaster_t) domain_read_all_domains_state(puppetmaster_t) @@ -38331,7 +38389,7 @@ index 64c5f95..c65b6ce 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +264,9 @@ optional_policy(` +@@ -231,3 +265,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -41301,10 +41359,10 @@ index 71ea0ea..664e68e 100644 # interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te -index a07b2f4..d78daf4 100644 +index a07b2f4..0ba4495 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te -@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t) +@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) 
@@ -41314,6 +41372,7 @@ index a07b2f4..d78daf4 100644 sysnet_dns_name_resolve(rwho_t) + ++userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc index 69a6074..73db5ba 100644 --- a/policy/modules/services/samba.fc @@ -43595,7 +43654,7 @@ index 22adaca..7cf2180 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..386918b 100644 +index 2dad3c8..4474fb6 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -43870,10 +43929,14 @@ index 2dad3c8..386918b 100644 ') optional_policy(` -@@ -284,6 +329,11 @@ optional_policy(` +@@ -284,6 +329,15 @@ optional_policy(` ') optional_policy(` ++ systemd_exec_systemctl(sshd_t) ++') ++ ++optional_policy(` + usermanage_domtrans_passwd(sshd_t) + usermanage_read_crack_db(sshd_t) +') @@ -43882,7 +43945,7 @@ index 2dad3c8..386918b 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +342,26 @@ optional_policy(` +@@ -292,26 +346,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -43928,7 +43991,7 @@ index 2dad3c8..386918b 100644 ') dnl endif TODO ######################################## -@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -43955,7 +44018,7 @@ index 2dad3c8..386918b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -44802,7 +44865,7 @@ index c2cf97e..037a1e8 100644 allow uptimed_t uptimed_etc_t:file read_file_perms; files_search_etc(uptimed_t) 
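Review bot: `systemd_exec_systemctl(sshd_t)` in the `@@ -284,6 +329,15 @@` ssh.te hunk lets the network-facing sshd_t daemon domain run systemctl in its own domain, but neither the hunk nor the changelog line "Allow ssh to execute systemctl" says what sshd invokes it for. A one-line comment above the call, `# sshd runs systemctl for <reason placeholder>`, would let a later reviewer judge whether the access is still needed, since exec rules on a daemon tend to outlive their trigger. If the need exists only at service start, it may be worth checking whether that step could run outside sshd_t instead; I cannot tell from the diff.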
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..d9dbcc2 100644 +index d4349e9..4d112ba 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -125,6 +125,8 @@ optional_policy(` @@ -44814,6 +44877,14 @@ index d4349e9..d9dbcc2 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) +@@ -147,3 +149,7 @@ optional_policy(` + optional_policy(` + nscd_socket_use(uux_t) + ') ++ ++optional_policy(` ++ postfix_rw_master_pipes(uux_t) ++') diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..064171e 100644 --- a/policy/modules/services/varnishd.te @@ -57730,7 +57801,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..1f0bf32 100644 +index 28b88de..f12b86d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -59436,7 +59507,32 @@ index 28b88de..1f0bf32 100644 ######################################## ## ## Read and write a user TTYs and PTYs. -@@ -2815,7 +3245,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2646,6 +3076,24 @@ interface(`userdom_dontaudit_use_user_terminals',` + + ######################################## + ## ++## Get attributes of user domain tty and pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_getattr_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ++') ++ ++######################################## ++## + ## Execute a shell in all user domains. This + ## is an explicit transition, requiring the + ## caller to use setexeccon(). +@@ -2815,7 +3263,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -59445,7 +59541,7 @@ index 28b88de..1f0bf32 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3261,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3279,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -59461,7 +59557,7 @@ index 28b88de..1f0bf32 100644 ') ######################################## -@@ -2917,7 +3349,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3367,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -59470,7 +59566,7 @@ index 28b88de..1f0bf32 100644 ') ######################################## -@@ -2972,7 +3404,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3422,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -59517,7 +59613,7 @@ index 28b88de..1f0bf32 100644 ') ######################################## -@@ -3009,6 +3479,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3497,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -59525,7 +59621,7 @@ index 28b88de..1f0bf32 100644 kernel_search_proc($1) ') -@@ -3087,6 +3558,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3576,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -59550,7 +59646,7 @@ index 28b88de..1f0bf32 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3628,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3646,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5113d4a..126b2a0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,11 @@ exit 0 %endif %changelog +* Mon Jun 6 2011 Miroslav Grepl 3.9.16-28 +- Allow ssh to execute systemctl +- fail2ban fixes related to /tmp directory +- Allow puppetmaster to create dirs in /var/run/puppet + * Thu Jun 2 2011 Miroslav Grepl 3.9.16-27 - Add label for /var/lock/ppp - Fixes for colord policy