From ef3a8b9fe4169e4a0c8c573ffdd977e83b97c999 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 15 2010 21:57:26 +0000 Subject: - Add sosreport policy --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 8d53b4c..c94436d 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1943,6 +1943,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # diff --git a/modules-mls.conf b/modules-mls.conf index c966444..4492967 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1816,6 +1816,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # diff --git a/modules-targeted.conf b/modules-targeted.conf index 8d53b4c..c94436d 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1943,6 +1943,13 @@ munin = module # bitlbee = module +# Layer: system +# Module: sosreport +# +# sosreport debuggin information generator +# +sosreport = module + # Layer: services # Module: soundserver # diff --git a/policy-20100106.patch b/policy-20100106.patch index 181449e..2baa5bf 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -4590,7 +4590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-11 22:33:59.863510767 +0100 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-15 18:09:26.443629787 +0100 
@@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) @@ -4633,12 +4633,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -405,7 +415,8 @@ +@@ -405,7 +415,7 @@ type unconfined_execmem_t; type nsplugin_exec_t; ') - domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) -+ #nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t) + #domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) ') @@ -4691,7 +4690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ###################################### diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-15 11:24:00.710614337 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-03-15 22:25:29.436449382 +0100 @@ -96,16 +96,19 @@ corenet_tcp_connect_ftp_port(abrt_t) corenet_tcp_connect_all_ports(abrt_t) @@ -4721,7 +4720,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_all(abrt_t) sysnet_read_config(abrt_t) -@@ -176,6 +180,16 @@ +@@ -173,9 +177,23 @@ + ') + + optional_policy(` ++ sosreport_domtrans(abrt_t) ++') ++ ++optional_policy(` sssd_stream_connect(abrt_t) ') @@ -4738,7 +4744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol permissive abrt_t; ######################################## -@@ -200,10 +214,16 @@ +@@ -200,10 +218,16 @@ files_read_etc_files(abrt_helper_t) files_dontaudit_all_non_security_leaks(abrt_helper_t) 
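Review bot: The added `optional_policy` block that calls `sosreport_domtrans(abrt_t)` in abrt.te carries no comment saying why abrt needs to run sosreport. It is a wide grant, because sosreport.te later in this patch calls `unconfined_domain_noaudit(sosreport_t)`, so abrt_t gains an exec-triggered path into an unconfined domain. A comment above the call such as `# abrt runs sosreport to collect system state for a report` (wording to be confirmed by the author) would record the intent. The `permissive abrt_t;` visible a few lines below means denials around this transition are logged but not enforced, so the transition should be tested in enforcing mode before that line is removed.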
@@ -13748,7 +13754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-15 17:17:02.854604441 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-03-15 17:34:09.965647341 +0100 @@ -165,6 +165,7 @@ type init_t; role system_r; @@ -13801,18 +13807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -701,6 +707,10 @@ - ifdef(`enable_mls',` - range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') -+ -+ ifdef(`hide_broken_symptoms', ` -+ dontaudit init_script_file_type $1:fifo_file rw_inherited_fifo_file_perms; -+ ') - ') - - ######################################## -@@ -775,8 +785,10 @@ +@@ -775,8 +781,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -13823,7 +13818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1686,3 +1698,26 @@ +@@ -1686,3 +1694,26 @@ allow $1 initrc_t:sem rw_sem_perms; ') 
@@ -14758,6 +14753,223 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(load_policy_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.6.32/policy/modules/system/sosreport.fc
+--- nsaserefpolicy/policy/modules/system/sosreport.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sosreport.fc 2010-03-15 22:24:08.238477345 +0100
+@@ -0,0 +1,2 @@
++
++/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.6.32/policy/modules/system/sosreport.if
+--- nsaserefpolicy/policy/modules/system/sosreport.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sosreport.if 2010-03-15 22:24:08.248663221 +0100
+@@ -0,0 +1,74 @@
++
++## policy for sosreport
++
++########################################
++##
++## Execute a domain transition to run sosreport.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`sosreport_domtrans',`
++ gen_require(`
++ type sosreport_t, sosreport_exec_t;
++ ')
++
++ domtrans_pattern($1, sosreport_exec_t, sosreport_t)
++')
++
++
++########################################
++##
++## Execute sosreport in the sosreport domain, and
++## allow the specified role the sosreport domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sosreport domain.
++##
++##
++#
++interface(`sosreport_run',`
++ gen_require(`
++ type sosreport_t;
++ ')
++
++ sosreport_domtrans($1)
++ role $2 types sosreport_t;
++')
++
++########################################
++##
++## Role access for sosreport
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`sosreport_role',`
++ gen_require(`
++ type sosreport_t;
++ ')
++
++ role $1 types sosreport_t;
++
++ sosreport_domtrans($2)
++
++ ps_process_pattern($2, sosreport_t)
++ allow $2 sosreport_t:process signal;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.6.32/policy/modules/system/sosreport.te
+--- nsaserefpolicy/policy/modules/system/sosreport.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/sosreport.te 2010-03-15 22:24:08.281168472 +0100
+@@ -0,0 +1,129 @@
++
++policy_module(sosreport,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sosreport_t;
++type sosreport_exec_t;
++application_domain(sosreport_t, sosreport_exec_t)
++role system_r types sosreport_t;
++
++type sosreport_tmp_t;
++files_tmp_file(sosreport_tmp_t)
++
++type sosreport_tmpfs_t;
++files_tmpfs_file(sosreport_tmpfs_t)
++
++########################################
++#
++# sosreport local policy
++#
++
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override };
++allow sosreport_t self:process { setsched signull };
++
++allow sosreport_t self:fifo_file rw_fifo_file_perms;
++allow sosreport_t self:tcp_socket create_stream_socket_perms;
++allow sosreport_t self:udp_socket create_socket_perms;
++allow sosreport_t self:unix_dgram_socket create_socket_perms;
++allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
++allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
++
++# sosreport tmp files
++manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
++
++manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
++fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)
++
++kernel_read_device_sysctls(sosreport_t)
++kernel_read_hotplug_sysctls(sosreport_t)
++kernel_read_kernel_sysctls(sosreport_t)
++kernel_read_modprobe_sysctls(sosreport_t)
++kernel_read_net_sysctls(sosreport_t)
++kernel_read_network_state(sosreport_t)
++kernel_read_rpc_sysctls(sosreport_t)
++kernel_read_software_raid_state(sosreport_t)
++kernel_read_unix_sysctls(sosreport_t)
++kernel_read_vm_sysctls(sosreport_t)
++kernel_search_debugfs(sosreport_t)
++
++corecmd_exec_all_executables(sosreport_t)
++
++dev_getattr_all_chr_files(sosreport_t)
++dev_getattr_all_blk_files(sosreport_t)
++
++dev_read_rand(sosreport_t)
++dev_read_urand(sosreport_t)
++dev_read_raw_memory(sosreport_t)
++dev_read_sysfs(sosreport_t)
++
++domain_getattr_all_domains(sosreport_t)
++domain_read_all_domains_state(sosreport_t)
++
++# for blkid.tab
++files_manage_etc_runtime_files(sosreport_t)
++files_etc_filetrans_etc_runtime(sosreport_t, file)
++
++files_exec_etc_files(sosreport_t)
++files_list_all(sosreport_t)
++files_read_config_files(sosreport_t)
++files_read_etc_files(sosreport_t)
++files_read_generic_tmp_files(sosreport_t)
++files_read_usr_files(sosreport_t)
++files_read_var_lib_files(sosreport_t)
++files_read_var_symlinks(sosreport_t)
++files_read_kernel_modules(sosreport_t)
++
++fs_getattr_all_fs(sosreport_t)
++
++# cjp: some config files do not have configfile attribute
++# sosreport needs to read various files on system
++auth_read_all_files_except_shadow(sosreport_t)
++auth_use_nsswitch(sosreport_t)
++
++init_domtrans_script(sosreport_t)
++
++libs_domtrans_ldconfig(sosreport_t)
++
++logging_read_all_logs(sosreport_t)
++logging_send_syslog_msg(sosreport_t)
++
++miscfiles_read_localization(sosreport_t)
++
++# needed by modinfo
++modutils_read_module_deps(sosreport_t)
++
++sysnet_read_config(sosreport_t)
++
++optional_policy(`
++ cups_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++ lvm_domtrans(sosreport_t)
++')
++
++optional_policy(`
++ pulseaudio_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++ rpm_exec(sosreport_t)
++ rpm_dontaudit_manage_db(sosreport_t)
++ rpm_read_db(sosreport_t)
++')
++
++optional_policy(`
++ xserver_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++ unconfined_domain_noaudit(sosreport_t)
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-01-18 18:24:22.968540028 +0100
 +++ serefpolicy-3.6.32/policy/modules/system/sysnetwork.fc 2010-03-01 16:01:07.867490672 +0100
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 26022dd..bd60839 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 102%{?dist}
+Release: 103%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
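Review bot: The last `optional_policy` block of the new sosreport.te calls `unconfined_domain_noaudit(sosreport_t)`, so on any build that includes the unconfined module the domain is not confined at all. The explicit grants above it (`sys_ptrace` and `dac_override`, `dev_read_raw_memory`, `auth_read_all_files_except_shadow`, `corecmd_exec_all_executables`) then describe intent without bounding anything. If the aim is to collect denials while the rule set is completed, `permissive sosreport_t;` (the form abrt.te already uses in this patch) keeps the domain's own rules in force for labelling and transitions and logs what is still missing. Otherwise the block should at least carry a comment such as `# FIXME: temporary, drop once sosreport_t rules are complete`. Separately, `dev_read_raw_memory` is broad enough to deserve a why-comment naming what needs it.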