From 025c1c8a9828d3d53f23f9b3464273812dd98645 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 05 2010 13:48:58 +0000 Subject: - Allow denyhosts sys_tty_config capability - Fixes for chrony policy - Allow ksmtuned to use terminals - Allow lircd to write to generic usb devices --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 11e9862..dab1f84 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -851,8 +851,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2010-01-18 18:24:22.567540216 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-02-26 16:58:42.643856793 +0100 -@@ -189,22 +189,23 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2010-05-05 14:53:13.095879968 +0200 +@@ -14,12 +14,14 @@ + gen_require(` + type rpm_t, rpm_exec_t; + type debuginfo_exec_t; ++ attribute rpm_transition_domain; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) + domtrans_pattern($1, debuginfo_exec_t, rpm_t) ++ typeattribute $1 rpm_transition_domain; + ') + + ######################################## +@@ -189,22 +191,23 @@ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t; ') @@ -886,7 +901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -273,6 +274,26 @@ +@@ -273,6 +276,26 @@ ##################################### ## ## Allow the specified domain to append @@ -913,7 +928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## to rpm log files. ## ## -@@ -599,8 +620,10 @@ +@@ -599,8 +622,10 @@ interface(`rpm_transition_script',` gen_require(` type rpm_script_t; 
@@ -924,7 +939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 rpm_script_t:process transition; allow $1 rpm_script_t:fd use; -@@ -627,3 +650,20 @@ +@@ -627,3 +652,20 @@ allow $1 rpm_t:process signull; ') @@ -1655,7 +1670,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2010-01-18 18:24:22.607530707 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2010-03-03 10:39:47.588611900 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/java.if 2010-05-05 14:55:46.648641964 +0200 @@ -196,7 +196,6 @@ files_execmod_all_files($1_java_t) @@ -1666,7 +1681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2010-01-18 18:24:22.608531393 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2010-03-03 10:39:47.589622916 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/java.te 2010-05-05 14:55:01.693628197 +0200 @@ -131,7 +131,6 @@ ') @@ -5878,7 +5893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-18 18:24:22.722530039 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-03-30 09:03:46.339860958 +0200 ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-05-05 15:46:53.873628549 +0200 
@@ -39,6 +39,8 @@ type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) 
@@ -6862,20 +6877,55 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.6.32/policy/modules/services/chronyd.if +--- nsaserefpolicy/policy/modules/services/chronyd.if 2010-01-18 18:24:22.754542770 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/chronyd.if 2010-05-05 13:39:25.638629347 +0200 +@@ -56,6 +56,28 @@ + read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) + ') + ++######################################## ++## ++## Read and write chronyd shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_rw_shm',` ++ gen_require(` ++ type chronyd_t, chronyd_tmpfs_t; ++ ') ++ ++ allow $1 chronyd_t:shm rw_shm_perms; ++ allow $1 chronyd_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) ++ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t) ++ fs_search_tmpfs($1) ++') ++ + #################################### + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.6.32/policy/modules/services/chronyd.te --- nsaserefpolicy/policy/modules/services/chronyd.te 2010-01-18 18:24:22.755539963 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-02-02 18:55:49.615067744 +0100 -@@ -12,6 +12,9 @@ ++++ serefpolicy-3.6.32/policy/modules/services/chronyd.te 2010-05-05 13:34:27.856629876 +0200 +@@ -12,6 +12,12 @@ type chronyd_initrc_exec_t; init_script_file(chronyd_initrc_exec_t) +type chronyd_keys_t; +files_type(chronyd_keys_t) + ++type chronyd_tmpfs_t; ++files_tmpfs_file(chronyd_tmpfs_t) ++ # var/lib files type chronyd_var_lib_t; 
files_type(chronyd_var_lib_t) -@@ -30,11 +33,14 @@ +@@ -30,11 +36,18 @@ # chronyd local policy # @@ -6889,10 +6939,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow chronyd_t self:shm create_shm_perms; + +allow chronyd_t chronyd_keys_t:file read_file_perms; ++ ++manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) ++manage_files_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) ++fs_tmpfs_filetrans(chronyd_t, chronyd_tmpfs_t, { dir file }) # chronyd var/lib files manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t) -@@ -64,4 +70,7 @@ +@@ -64,4 +77,7 @@ miscfiles_read_localization(chronyd_t) @@ -7173,7 +7227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-01-18 18:24:22.760530473 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-03-01 15:49:21.826741385 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2010-05-05 13:28:18.436628603 +0200 @@ -1,5 +1,135 @@ -policy_module(cobbler, 1.10.0) @@ -7267,7 +7321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ apache_list_sys_content(cobblerd_t) ++ apache_read_sys_content(cobblerd_t) +') + +optional_policy(` 
@@ -7688,8 +7742,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.6.32/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-04-13 14:45:02.622619355 +0200 -@@ -0,0 +1,73 @@ ++++ serefpolicy-3.6.32/policy/modules/services/denyhosts.te 2010-05-05 13:07:41.253629289 +0200 +@@ -0,0 +1,75 @@ + +policy_module(denyhosts, 1.0.0) + @@ -7719,6 +7773,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# DenyHosts personal policy. +# + ++# Bug #588563 ++allow denyhosts_t self:capability sys_tty_config; +allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; +allow denyhosts_t self:tcp_socket create_socket_perms; +allow denyhosts_t self:udp_socket create_socket_perms; 
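Review bot: `allow denyhosts_t self:capability sys_tty_config;` in the denyhosts.te hunk grants a capability on the strength of a bug reference alone; if the denial behind it is a terminal ioctl the daemon does not actually need, `dontaudit denyhosts_t self:capability sys_tty_config;` would silence it without widening the domain. The `# Bug #588563` comment should say what denyhosts does with the capability so the next maintainer can tell a required allow from a dontaudit candidate. The denyhosts policy_module body begins outside this hunk.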
@@ -9242,6 +9298,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0) + +/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.32/policy/modules/services/gpsd.if +--- nsaserefpolicy/policy/modules/services/gpsd.if 2010-01-18 18:24:22.792542645 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/gpsd.if 2010-05-05 13:38:54.252629406 +0200 +@@ -64,24 +64,3 @@ + read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) + fs_search_tmpfs($1) + ') +- +-######################################## +-## +-## Read/write gpsd tmpfs files. +-## +-## +-## +-## The type of the process performing this action. +-## +-## +-# +-interface(`gpsd_rw_tmpfs_files',` +- gen_require(` +- type gpsd_tmpfs_t; +- ') +- +- fs_search_tmpfs($1) +- allow $1 gpsd_tmpfs_t:dir list_dir_perms; +- rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +- read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t) +-') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.32/policy/modules/services/gpsd.te +--- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-18 18:24:22.793530130 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/gpsd.te 2010-05-05 13:35:00.486880002 +0200 +@@ -57,6 +57,10 @@ + miscfiles_read_localization(gpsd_t) + + optional_policy(` ++ chronyd_rw_shm(gpsd_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(gpsd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2010-01-18 18:24:22.794542550 +0100 +++ serefpolicy-3.6.32/policy/modules/services/hal.if 2010-04-21 14:18:06.698657484 +0200 
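Review bot: Removing the `gpsd_rw_tmpfs_files` interface from gpsd.if breaks any module that still calls it; the only caller visible on this page, `gpsd_rw_tmpfs_files(ntpd_t)` in ntp.te, is dropped in the later ntp.te hunk, but a search across the rest of the policy tree is worth doing before merge since an unseen caller would fail the build. The new `chronyd_rw_shm(gpsd_t)` call in gpsd.te sits inside `optional_policy(`…')`, so gpsd still builds when the chronyd module is absent.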
@@ -9460,6 +9558,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create a derived type for kerberos keytab +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.6.32/policy/modules/services/ksmtuned.te +--- nsaserefpolicy/policy/modules/services/ksmtuned.te 2010-01-18 18:24:22.803539923 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ksmtuned.te 2010-05-05 13:04:10.736879272 +0200 +@@ -21,13 +21,10 @@ + # + # ksmtuned local policy + # +-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; +- +-# Init script handling +-domain_use_interactive_fds(ksmtuned_t) + +-# internal communication is often done using fifo and unix sockets. ++allow ksmtuned_t self:capability { sys_ptrace sys_tty_config }; + allow ksmtuned_t self:fifo_file rw_file_perms; ++ + allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms; + + manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) +@@ -43,4 +40,6 @@ + + files_read_etc_files(ksmtuned_t) + ++term_use_all_terms(ksmtuned_t) ++ + miscfiles_read_localization(ksmtuned_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.6.32/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/services/ldap.fc 2010-02-23 14:49:51.037529698 +0100 
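Review bot: `term_use_all_terms(ksmtuned_t)` in the ksmtuned.te hunk grants read/write on every terminal type, including user ttys and ptys, which is far broader than what a tuning daemon started from an init script appears to need; the same hunk removes the narrower `domain_use_interactive_fds(ksmtuned_t)` (with its `# Init script handling` comment) that normally covers init-script output, and `term_use_unallocated_ttys(ksmtuned_t)` or `term_use_console(ksmtuned_t)` would be the next step up. If all terminals really are required, a comment stating which denial prompted it would keep the grant reviewable. The reordering of the capability and fifo_file lines in the first inner hunk has no effect on the resulting policy.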
@@ -9967,7 +10091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-01-18 18:24:22.806540025 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-02-01 20:50:49.950161278 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2010-05-05 13:42:46.172629066 +0200 @@ -1,5 +1,5 @@ -policy_module(lircd, 1.0.0) @@ -9988,6 +10112,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow lircd_t self:tcp_socket create_stream_socket_perms; # etc file +@@ -45,7 +46,7 @@ + + # /dev/lircd socket + dev_filetrans(lircd_t, lircd_var_run_t, sock_file ) +-dev_read_generic_usb_dev(lircd_t) ++dev_rw_generic_usb_dev(lircd_t) + dev_read_mouse(lircd_t) + dev_filetrans_lirc(lircd_t) + dev_rw_lirc(lircd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.32/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2010-01-18 18:24:22.808530642 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mailman.te 2010-01-22 17:16:41.576604913 +0100 
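Review bot: Replacing `dev_read_generic_usb_dev(lircd_t)` with `dev_rw_generic_usb_dev(lircd_t)` in the lircd.te hunk gives lircd write access to every device node carrying the generic USB device type, not just the IR receiver; this file already scopes the /dev/lirc nodes with `dev_filetrans_lirc(lircd_t)` and `dev_rw_lirc(lircd_t)`, so if the receiver can be labelled the same way the write grant could stay confined to it. A comment on the changed line naming the device or report that needed write access would make the widening auditable later.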
@@ -10055,8 +10188,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.32/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2010-01-18 18:24:22.812540439 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-02-21 18:58:04.580309576 +0100 -@@ -786,6 +786,25 @@ ++++ serefpolicy-3.6.32/policy/modules/services/mta.if 2010-05-05 13:09:11.543628812 +0200 +@@ -383,6 +383,9 @@ + allow mta_user_agent $1:process sigchld; + allow mta_user_agent $1:fifo_file rw_fifo_file_perms; + ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit system_mail_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +@@ -786,6 +789,25 @@ allow $1 mqueue_spool_t:dir search_dir_perms; ') @@ -10082,7 +10225,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## Read the mail queue. -@@ -902,3 +921,22 @@ +@@ -902,3 +924,22 @@ allow $1 system_mail_t:process signal; ') 
@@ -10895,6 +11038,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(ypxfr_t) corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.32/policy/modules/services/ntp.te +--- nsaserefpolicy/policy/modules/services/ntp.te 2010-01-18 18:24:22.834540025 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ntp.te 2010-05-05 13:39:16.557631066 +0200 +@@ -97,6 +97,7 @@ + dev_read_sysfs(ntpd_t) + # for SSP + dev_read_urand(ntpd_t) ++dev_rw_realtime_clock(ntpd_t) + + fs_getattr_all_fs(ntpd_t) + fs_search_auto_mountpoints(ntpd_t) +@@ -134,7 +135,6 @@ + + optional_policy(` + gpsd_rw_shm(ntpd_t) +- gpsd_rw_tmpfs_files(ntpd_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-01-18 18:24:22.836530501 +0100 +++ serefpolicy-3.6.32/policy/modules/services/nut.te 2010-03-15 12:18:24.764614391 +0100 @@ -11355,8 +11517,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.6.32/policy/modules/services/plymouthd.te --- nsaserefpolicy/policy/modules/services/plymouthd.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-03-09 16:16:21.119384494 +0100 -@@ -0,0 +1,106 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouthd.te 2010-05-05 14:14:20.776880043 +0200 +@@ -0,0 +1,108 @@ +policy_module(plymouthd, 1.0.0) + +######################################## 
@@ -11461,6 +11623,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dontaudit_write_log(plymouth_t) + hal_dontaudit_rw_pipes(plymouth_t) ++ ++ pppd_dontaudit_rw_packet_sockets(plymouth_t) +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.fc serefpolicy-3.6.32/policy/modules/services/plymouth.fc @@ -12075,6 +12239,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0) /etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0) /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.32/policy/modules/services/ppp.if +--- nsaserefpolicy/policy/modules/services/ppp.if 2010-01-18 18:24:22.859530983 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ppp.if 2010-05-05 14:14:40.154879579 +0200 +@@ -339,6 +339,26 @@ + init_labeled_script_domtrans($1, pppd_initrc_exec_t) + ') + ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## pppd packet sockets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`pppd_dontaudit_rw_packet_sockets',` ++ gen_require(` ++ type pppd_t; ++ ') ++ ++ dontaudit $1 pppd_t:packet_socket { read write }; ++') ++ + ######################################## + ## + ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100 +++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-03-26 07:52:50.814601031 +0100 
@@ -12768,7 +12962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a domain transition to run groupd. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.6.32/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 2010-01-18 18:24:22.874530726 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-03-01 09:19:23.343490629 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rhcs.te 2010-05-05 15:00:49.174628912 +0200 @@ -1,5 +1,5 @@ -policy_module(rhcs,1.0.0) @@ -12941,7 +13135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow fenced_t self:tcp_socket create_stream_socket_perms; allow fenced_t self:udp_socket create_socket_perms; -@@ -166,25 +74,17 @@ +@@ -166,27 +74,20 @@ # tmp files manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) @@ -12974,8 +13168,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corenet_tcp_connect_http_port(fenced_t) corecmd_exec_bin(fenced_t) ++corecmd_exec_shell(fenced_t) -@@ -195,19 +95,13 @@ + dev_read_sysfs(fenced_t) + dev_read_urand(fenced_t) +@@ -195,19 +96,13 @@ storage_raw_write_fixed_disk(fenced_t) storage_raw_read_removable_device(fenced_t) @@ -12996,7 +13193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`fenced_can_network_connect',` corenet_tcp_connect_all_ports(fenced_t) ') -@@ -217,10 +111,6 @@ +@@ -217,10 +112,6 @@ ') optional_policy(` @@ -13007,7 +13204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') -@@ -230,53 +120,26 @@ +@@ -230,53 +121,26 @@ # gfs_controld local policy # 
@@ -13067,7 +13264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -290,78 +153,29 @@ +@@ -290,78 +154,29 @@ allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -13148,7 +13345,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_getattr_sbin_files(qdiskd_t) corecmd_exec_shell(qdiskd_t) -@@ -391,13 +205,6 @@ +@@ -391,13 +206,6 @@ files_read_etc_files(qdiskd_t) @@ -13162,7 +13359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` netutils_domtrans_ping(qdiskd_t) ') -@@ -406,5 +213,28 @@ +@@ -406,5 +214,28 @@ udev_read_db(qdiskd_t) ') @@ -15818,7 +16015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-04-08 15:04:19.058115631 +0200 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-05-05 15:11:20.701878862 +0200 @@ -1,5 +1,5 @@ -policy_module(xserver, 3.2.3) 
@@ -15879,16 +16076,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type xproperty_t, xproperty_type; +type seclabel_xproperty_t, xproperty_type; type clipboard_xproperty_t, xproperty_type; -+ -+# X Selections -+attribute xselection_type; -+type xselection_t, xselection_type; - type clipboard_xselection_t, xselection_type; +-type clipboard_xselection_t, xselection_type; -type debug_xext_t, xextension_type; -type directhw_xext_t alias disallowed_xext_t, xextension_type; -type focus_xevent_t, xevent_type; -+#type settings_xselection_t, xselection_type; -+#type dbus_xselection_t, xselection_type; -type iceauth_t; -type iceauth_exec_t; @@ -15896,18 +16087,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -typealias iceauth_t alias { auditadm_iceauth_t secadm_iceauth_t }; -application_domain(iceauth_t, iceauth_exec_t) -ubac_constrained(iceauth_t) -+# X Drawables -+attribute xdrawable_type; -+attribute xcolormap_type; -+type root_xdrawable_t, xdrawable_type; -+type root_xcolormap_t, xcolormap_type; ++# X Selections ++attribute xselection_type; ++type xselection_t, xselection_type; ++type clipboard_xselection_t, xselection_type; ++#type settings_xselection_t, xselection_type; ++#type dbus_xselection_t, xselection_type; -type iceauth_home_t; -typealias iceauth_home_t alias { user_iceauth_home_t staff_iceauth_home_t sysadm_iceauth_home_t }; -typealias iceauth_home_t alias { auditadm_iceauth_home_t secadm_iceauth_home_t xguest_iceauth_home_t }; -files_poly_member(iceauth_home_t) -userdom_user_home_content(iceauth_home_t) -- ++# X Drawables ++attribute xdrawable_type; ++attribute xcolormap_type; ++type root_xdrawable_t, xdrawable_type; ++type root_xcolormap_t, xcolormap_type; + -type info_xproperty_t, xproperty_type; -type input_xevent_t, xevent_type; -type manage_xevent_t, xevent_type; 
@@ -16083,7 +16280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xauth_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file) -@@ -301,15 +321,19 @@ +@@ -301,15 +321,21 @@ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t) files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) @@ -16091,6 +16288,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -dev_rw_xserver_misc(xauth_t) ++kernel_read_system_state(xauth_t) ++ +domain_use_interactive_fds(xauth_t) +domain_dontaudit_leaks(xauth_t) @@ -16105,7 +16304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(xauth_t) fs_search_auto_mountpoints(xauth_t) -@@ -325,12 +349,15 @@ +@@ -325,12 +351,15 @@ ifdef(`hide_broken_symptoms', ` userdom_manage_user_home_content_files(xauth_t) userdom_manage_user_tmp_files(xauth_t) @@ -16121,7 +16320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -340,7 +367,6 @@ +@@ -340,7 +369,6 @@ ifdef(`hide_broken_symptoms', ` term_dontaudit_use_unallocated_ttys(xauth_t) dev_dontaudit_rw_dri(xauth_t) @@ -16129,7 +16328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -394,12 +420,12 @@ +@@ -394,12 +422,12 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) 
@@ -16148,7 +16347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -433,7 +459,7 @@ +@@ -433,7 +461,7 @@ manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file }) @@ -16157,7 +16356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -504,7 +530,7 @@ +@@ -504,7 +532,7 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -16166,7 +16365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) -@@ -549,8 +575,11 @@ +@@ -549,8 +577,11 @@ storage_dontaudit_rw_fuse(xdm_t) term_setattr_console(xdm_t) @@ -16178,7 +16377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) -@@ -566,7 +595,6 @@ +@@ -566,7 +597,6 @@ logging_read_generic_logs(xdm_t) @@ -16186,7 +16385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_search_man_pages(xdm_t) miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -583,6 +611,7 @@ +@@ -583,6 +613,7 @@ userdom_signal_all_users(xdm_t) userdom_stream_connect(xdm_t) userdom_manage_user_tmp_dirs(xdm_t) @@ -16194,7 +16393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_tmp_sockets(xdm_t) userdom_manage_tmpfs_role(system_r, xdm_t) -@@ -635,6 +664,7 @@ +@@ -635,6 +666,7 @@ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms; xserver_xdm_append_log(xdm_dbusd_t) 
@@ -16202,7 +16401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_bin_entry_type(xdm_t) -@@ -667,7 +697,9 @@ +@@ -667,7 +699,9 @@ ') optional_policy(` @@ -16212,7 +16411,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -685,11 +717,6 @@ +@@ -685,11 +719,6 @@ optional_policy(` # Do not audit attempts to check whether user root has email mta_dontaudit_getattr_spool_files(xdm_t) @@ -16224,7 +16423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -705,13 +732,18 @@ +@@ -705,13 +734,18 @@ ') optional_policy(` @@ -16245,7 +16444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # On crash gdm execs gdb to dump stack -@@ -726,6 +758,10 @@ +@@ -726,6 +760,10 @@ ') optional_policy(` @@ -16256,7 +16455,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -767,6 +803,14 @@ +@@ -767,6 +805,14 @@ # X server local policy # @@ -16271,7 +16470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer # sys_admin, locking shared mem? chowning IPC message queues or semaphores? -@@ -802,18 +846,12 @@ +@@ -802,18 +848,12 @@ allow xserver_t xauth_home_t:file read_file_perms; @@ -16291,7 +16490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -907,6 +945,7 @@ +@@ -907,6 +947,7 @@ mls_process_write_to_clearance(xserver_t) mls_file_read_to_clearance(xserver_t) mls_file_write_all_levels(xserver_t) 
@@ -16299,7 +16498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -928,13 +967,14 @@ +@@ -928,13 +969,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -16315,7 +16514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -952,7 +992,7 @@ +@@ -952,7 +994,7 @@ ') ifdef(`enable_mls',` @@ -16324,7 +16523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -961,15 +1001,17 @@ +@@ -961,15 +1003,17 @@ # but typeattribute doesnt work in conditionals allow xserver_t xserver_t:x_server *; @@ -16345,7 +16544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xextension_type:x_extension *; allow xserver_t { x_domain xserver_t }:x_resource *; allow xserver_t xevent_type:{ x_event x_synthetic_event } *; -@@ -1016,6 +1058,7 @@ +@@ -1016,6 +1060,7 @@ # cjp: when xdm is configurable via tunable these # rules will be enabled only when xdm is enabled @@ -16353,7 +16552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t xdm_t:process { signal getpgid }; allow xserver_t xdm_t:shm rw_shm_perms; -@@ -1027,9 +1070,9 @@ +@@ -1027,9 +1072,9 @@ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t) # Label pid and temporary files with derived types. @@ -16366,7 +16565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -1088,136 +1131,139 @@ +@@ -1088,136 +1133,139 @@ # # Hacks 
@@ -16945,7 +17144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-03-23 13:26:01.477640912 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-05-05 13:58:31.862629041 +0200 @@ -40,6 +40,7 @@ attribute init_script_domain_type; attribute init_script_file_type; @@ -17046,7 +17245,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_daemons_use_tty',` term_use_unallocated_ttys(daemon) -@@ -868,10 +889,12 @@ +@@ -795,6 +816,10 @@ + ') + + optional_policy(` ++ pulseaudio_stream_connect(initrc_t) ++') ++ ++optional_policy(` + quota_manage_flags(initrc_t) + ') + +@@ -868,10 +893,12 @@ # Cron jobs used to start and stop services optional_policy(` cron_rw_pipes(daemon) @@ -17059,7 +17269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -885,6 +908,9 @@ +@@ -885,6 +912,9 @@ # Allow SELinux aware applications to request rpm_script_t execution rpm_transition_script(initrc_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a2ba15d..53a4307 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 113%{?dist} +Release: 114%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
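Review bot: `pulseaudio_stream_connect(initrc_t)` in the init.te hunk at `@@ -795,6 +816,10 @@` lets every init script connect to pulseaudio's stream socket, which is unusual for a system-level domain and suggests one specific script is talking to a per-user audio daemon; a comment naming that script and the denial behind it would help decide whether the rule belongs in initrc_t or in the affected service's own domain. Wrapping it in `optional_policy(`…')` correctly keeps the rule inert when the pulseaudio module is not loaded.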
@@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Wed May 5 2010 Miroslav Grepl 3.6.32-114 +- Allow denyhosts sys_tty_config capability +- Fixes for chrony policy +- Allow ksmtuned to use terminals +- Allow lircd to write to generic usb devices + * Thu Apr 22 2010 Miroslav Grepl 3.6.32-113 - Allow pulseaudio to read udev process state. - Dontaudit hal leaks