From 56fa243b1970689395164f0fc850b4444d137769 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 22 2008 20:00:15 +0000
Subject: - Allow nfs to look at all filesystem directories
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index a54031c..567fd1c 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -4675,7 +4675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  ##
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-04-22 15:54:37.341464000 -0400
 @@ -55,6 +55,11 @@
  type reserved_port_t, port_type, reserved_port_type;
@@ -4688,15 +4688,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  # server_packet_t is the default type of IPv4 and IPv6 server packets.
  #
  type server_packet_t, packet_type, server_packet_type;
-@@ -67,6 +72,7 @@
+@@ -67,8 +72,10 @@
  network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
 +network_port(aol, udp,5190,s0, tcp,5190,s0, udp,5191,s0, tcp,5191,s0, udp,5192,s0, tcp,5192,s0, udp,5193,s0, tcp,5193,s0)
  network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
  network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
++network_port(audit, tcp,60,s0)
  network_port(auth, tcp,113,s0)
-@@ -93,27 +99,34 @@
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
+@@ -93,27 +100,34 @@
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -4735,7 +4738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(nessus, tcp,1241,s0)
  network_port(netsupport, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -122,10 +135,12 @@
+@@ -122,10 +136,12 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
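Review bot: The new `++network_port(audit, tcp,60,s0)` line carries no comment saying which service owns port 60, while the neighbouring http_cache and http lines in this same hunk document their non-obvious ports inline (`# 8118 is for privoxy`, `#8443 is mod_nss default port`). Port 60 is presumably the auditd/audisp-remote remote-logging port; if so, a trailing `# auditd remote logging (audisp-remote)` would let a later reviewer confirm the port number is intended rather than a typo. The renumbered inner headers `+@@ -67,8 +72,10 @@` and `+@@ -93,27 +100,34 @@` are consistent with the single added line.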
@@ -4748,7 +4751,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -137,16 +152,16 @@
+@@ -137,16 +153,16 @@
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -4768,7 +4771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +175,20 @@
+@@ -160,13 +176,20 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
@@ -5390,7 +5393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if	2008-04-21 16:41:56.920656000 -0400
 @@ -343,8 +343,7 @@
  ########################################
@@ -5673,7 +5676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ## Read all tmp files.
  ##
  ##
-@@ -3323,6 +3439,42 @@
+@@ -3323,6 +3439,60 @@
  ########################################
  ##
@@ -5695,6 +5698,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 +########################################
 +##
++## dontaudit write of /usr files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_write_usr_files',`
++	gen_require(`
++		type usr_t;
++	')
++
++	dontaudit $1 usr_t:file write;
++')
++
++########################################
++##
 +## Create, read, write, and delete files in the /usr directory.
 +##
 +##
@@ -5716,7 +5737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ## Get the attributes of files in /usr.
  ##
  ##
-@@ -3381,7 +3533,7 @@
+@@ -3381,7 +3551,7 @@
  ########################################
  ##
@@ -5725,7 +5746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##
  ##
  ##
-@@ -3389,17 +3541,17 @@
+@@ -3389,17 +3559,17 @@
  ##
  ##
  #
@@ -5746,7 +5767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##
  ##
  ##
-@@ -3407,12 +3559,12 @@
+@@ -3407,12 +3577,12 @@
  ##
  ##
  #
@@ -5761,7 +5782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  ########################################
-@@ -4043,7 +4195,7 @@
+@@ -4043,7 +4213,7 @@
  		type var_t, var_lock_t;
  	')
@@ -5770,7 +5791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  ########################################
-@@ -4285,6 +4437,25 @@
+@@ -4285,6 +4455,25 @@
  ########################################
  ##
@@ -5796,7 +5817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ## Do not audit attempts to write to daemon runtime data files.
  ##
  ##
-@@ -4560,6 +4731,8 @@
+@@ -4560,6 +4749,8 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
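Review bot: The summary of the new `files_dontaudit_write_usr_files` interface, `++## dontaudit write of /usr files`, does not follow the wording the rest of this file uses for dontaudit interfaces — a context line later in this same physical line reads `## Do not audit attempts to write to daemon runtime data files.` — so the generated interface documentation will read inconsistently; `## Do not audit attempts to write files in /usr.` would match. The same applies to the `miscfiles_dontaudit_write_locale` interface added in the miscfiles.if hunk at the end of this excerpt, whose summary `## dontaudit_attempts to write locale files` also carries a stray underscore. Note also that the /usr interface silences only `usr_t:file write` while the locale one silences both `dir` and `file` writes; if the /usr denials being hidden include directory writes this interface will not quiet them, and either way a one-line comment naming the domain and denial that motivated the dontaudit would help when it is revisited.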
@@ -5805,7 +5826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  	# Need sys_admin capability for mounting
  	allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4755,11 @@
+@@ -4582,6 +4773,11 @@
  	# Default type for mountpoints
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
@@ -5817,7 +5838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  ########################################
-@@ -4619,3 +4797,28 @@
+@@ -4619,3 +4815,28 @@
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -10635,7 +10656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 +/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-04-21 16:05:47.948344000 -0400
 @@ -1,5 +1,5 @@
 -policy_module(fail2ban,1.0.0)
@@ -10663,7 +10684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
  kernel_read_system_state(fail2ban_t)
-@@ -46,15 +47,25 @@
+@@ -46,15 +47,26 @@
  domain_use_interactive_fds(fail2ban_t)
  files_read_etc_files(fail2ban_t)
@@ -10673,6 +10694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 +files_search_var_lib(fail2ban_t)
 +
 +fs_list_inotifyfs(fail2ban_t)
++fs_getattr_all_fs(fail2ban_t)
 +
 +auth_use_nsswitch(fail2ban_t)
 +corenet_tcp_connect_whois_port(fail2ban_t)
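Review bot: `++fs_getattr_all_fs(fail2ban_t)` grants getattr on every filesystem type, which is broader than the adjacent `fs_list_inotifyfs` line suggests fail2ban needs; if the denial that prompted it was for a single filesystem type (for example a statfs on the volume holding the logs it watches), the matching single-filesystem getattr interface (e.g. `fs_getattr_xattr_fs`) would keep the grant minimal. If the broad form is intended, a short comment on the line such as `# statfs on whichever filesystem holds the monitored logs` would record why, since nothing in the hunk explains it. The commit subject mentions nfs, but no nfs hunk appears in this excerpt, so that part of the change presumably lies outside what is shown here.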
@@ -10690,7 +10712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
-@@ -64,5 +75,11 @@
+@@ -64,5 +76,11 @@
  ')
  optional_policy(`
@@ -21110,7 +21132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if	2008-04-21 16:59:26.254295000 -0400
 @@ -57,6 +57,26 @@
  ##
  ##
@@ -21147,6 +21169,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
  	delete_dirs_pattern($1,man_t,man_t)
  	delete_files_pattern($1,man_t,man_t)
  	delete_lnk_files_pattern($1,man_t,man_t)
+@@ -467,3 +489,23 @@
+ 	manage_lnk_files_pattern($1,locale_t,locale_t)
+ ')
+ 
++########################################
++##
++## dontaudit_attempts to write locale files
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_dontaudit_write_locale',`
++	gen_require(`
++		type locale_t;
++	')
++
++	dontaudit $1 locale_t:dir write;
++	dontaudit $1 locale_t:file write;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.0.8/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/modutils.if	2008-04-04 16:11:03.000000000 -0400