From 071fdd8b9c7b303bab41f5dba55d0df334cf58fd Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 08 2007 21:07:44 +0000 Subject: - Add policy.xml --- diff --git a/policy-20070501.patch b/policy-20070501.patch index 4ed26b1..c520940 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -2054,7 +2054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-11 15:52:36.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:37:43.000000000 -0500 @@ -48,6 +48,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -2093,7 +2093,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon network_port(lmtp, tcp,24,s0, udp,24,s0) network_port(mail, tcp,2000,s0) -@@ -152,13 +158,18 @@ +@@ -114,6 +120,7 @@ + network_port(openvpn, tcp,1194,s0, udp,1194,s0) + network_port(pegasus_http, tcp,5988,s0) + network_port(pegasus_https, tcp,5989,s0) ++network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) + network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) + network_port(portmap, udp,111,s0, tcp,111,s0) + network_port(postgresql, tcp,5432,s0) +@@ -152,13 +159,18 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) 
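Review bot: The new `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` line in the inner corenetwork.te.in hunk carries a stray space after `udp,` that no neighbouring entry uses (`tcp,5988,s0`, `udp,1194,s0`) and lists udp before tcp, unlike the adjacent `openvpn` entry. m4 drops leading whitespace in macro arguments, so this is a style point only, but for consistency with the rest of the file write it as `network_port(pgpkeyserver, tcp,11371,s0, udp,11371,s0)`. This declaration is what generates the `corenet_tcp_connect_pgpkeyserver_port()` interface that squid.te calls later in this same commit, so the two hunks have to ship together.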
@@ -5513,8 +5521,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.6.4/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-08-07 09:42:35.000000000 -0400 -@@ -17,16 +17,19 @@ ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-11-06 10:59:31.000000000 -0500 +@@ -17,21 +17,22 @@ ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) @@ -5534,6 +5542,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) +-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +- +- +- ++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0) + ++/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-2.6.4/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-07 14:51:01.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/services/dovecot.if 2007-08-07 09:42:35.000000000 -0400 @@ -5583,7 +5598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-10-09 10:28:10.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-11-06 11:00:24.000000000 -0500 
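Review bot: The added file context `/var/log/dovecot\.log.*` in dovecot.fc labels only files whose name starts with `dovecot.log`; if the daemon is also configured to write a separate info log under a different name (Dovecot has an `info_log_path` setting), that file would remain `var_log_t` and the dovecot_t write rules added elsewhere in this commit would not cover it, so this is worth checking against the shipped dovecot.conf. Removing and re-adding the `/var/spool/dovecot(/.*)?` line is a pure reorder with the same result, so no objection there.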
@@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -5597,7 +5612,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove type dovecot_cert_t; files_type(dovecot_cert_t) -@@ -46,8 +52,6 @@ +@@ -31,6 +37,9 @@ + type dovecot_var_lib_t; + files_type(dovecot_var_lib_t) + ++type dovecot_var_log_t; ++logging_log_file(dovecot_var_log_t) ++ + type dovecot_var_run_t; + files_pid_file(dovecot_var_run_t) + +@@ -46,8 +55,6 @@ allow dovecot_t self:tcp_socket create_stream_socket_perms; allow dovecot_t self:unix_dgram_socket create_socket_perms; allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -5606,7 +5631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t) allow dovecot_t dovecot_cert_t:dir list_dir_perms; -@@ -67,6 +71,8 @@ +@@ -67,6 +74,8 @@ manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t) files_pid_filetrans(dovecot_t,dovecot_var_run_t,file) @@ -5615,7 +5640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -98,7 +104,7 @@ +@@ -98,7 +107,7 @@ files_dontaudit_list_default(dovecot_t) # Dovecot now has quota support and it uses getmntent() to find the mountpoints. files_read_etc_runtime_files(dovecot_t) @@ -5624,7 +5649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove init_getattr_utmp(dovecot_t) -@@ -110,9 +116,6 @@ +@@ -110,9 +119,6 @@ miscfiles_read_certs(dovecot_t) miscfiles_read_localization(dovecot_t) 
@@ -5634,7 +5659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_dontaudit_search_sysadm_home_dirs(dovecot_t) userdom_priveleged_home_dir_manager(dovecot_t) -@@ -130,10 +133,6 @@ +@@ -130,10 +136,6 @@ ') optional_policy(` @@ -5645,7 +5670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove seutil_sigchld_newrole(dovecot_t) ') -@@ -150,33 +149,39 @@ +@@ -150,33 +152,43 @@ # dovecot auth local policy # @@ -5661,6 +5686,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove allow dovecot_auth_t dovecot_passwd_t:file { getattr read }; ++# log files ++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) ++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file) ++ # Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t) files_search_var_lib(dovecot_t) @@ -5687,7 +5716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -190,12 +195,58 @@ +@@ -190,12 +202,58 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -5753,7 +5782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 @@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.73 2007/11/01 18:15:45 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.74 2007/11/08 21:07:44 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway 
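Review bot: The new `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` and `logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)` rules are inserted under the `# dovecot auth local policy #` heading, directly after the `dovecot_auth_t dovecot_passwd_t` allow rule, even though they grant access to dovecot_t; they belong with the other dovecot_t file rules (for example next to the `dovecot_var_run_t` block in the earlier hunk) so someone auditing dovecot_auth_t does not read them as part of that domain. Substantively, manage_files_pattern gives dovecot_t create/write/rename/unlink on every dovecot_var_log_t file, which is more than an append-only log needs; if the daemon only appends, `append_files_pattern` together with `create_files_pattern` is the tighter choice, and if manage is kept a one-line comment such as `# log files: dovecot_t truncates/rotates its own log, hence manage` would record why. The filetrans covers only `file`, which matches the flat-file `.fc` entry but would leave any log directory dovecot creates unlabeled. The enclosing section starts and ends outside this hunk.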
@@ -5934,7 +5963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.73 2007/11/01 18:15:45 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.74 2007/11/08 21:07:44 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -6890,8 +6919,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-10-31 07:39:32.000000000 -0400 -@@ -226,6 +226,15 @@ ++++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-11-06 10:44:21.000000000 -0500 +@@ -87,6 +87,8 @@ + # It wants to check for nscd + files_dontaudit_search_pids($1_mail_t) + ++ auth_use_nsswitch($1_mail_t) ++ + libs_use_ld_so($1_mail_t) + libs_use_shared_libs($1_mail_t) + +@@ -94,17 +96,6 @@ + + miscfiles_read_localization($1_mail_t) + +- sysnet_read_config($1_mail_t) +- sysnet_dns_name_resolve($1_mail_t) +- +- optional_policy(` +- nis_use_ypbind($1_mail_t) +- ') +- +- optional_policy(` +- nscd_socket_use($1_mail_t) +- ') +- + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) + ') +@@ -226,6 +217,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files($1_mail_t) fs_manage_cifs_symlinks($1_mail_t) @@ -6907,7 +6963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -316,6 +325,42 @@ +@@ -316,6 +316,42 @@ ######################################## ## 
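Review bot: Replacing the removed `sysnet_read_config`, `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` calls with a single `auth_use_nsswitch($1_mail_t)` is a widening rather than a one-for-one substitution: as far as I recall, that interface also grants the other name-service backends (LDAP and winbind socket access among them) that the removed rules never gave `$1_mail_t`. Since this template is instantiated for every user role, the change deserves a mention in the spec changelog, which currently lists only policy.xml and dovecot logging for 2.6.4-54/55, or at least a call-site comment like `# nsswitch bundle replaces the per-backend sysnet/nis/nscd rules`. The template body begins and ends outside this hunk.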
@@ -6950,7 +7006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -394,6 +439,7 @@ +@@ -394,6 +430,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -6958,7 +7014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) -@@ -449,11 +495,12 @@ +@@ -449,11 +486,12 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -6974,7 +7030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. allow $1 system_mail_t:fd use; allow system_mail_t $1:fd use; -@@ -847,6 +894,25 @@ +@@ -847,6 +885,25 @@ manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t) ') @@ -7002,7 +7058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Read sendmail binary. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-31 07:38:22.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-11-02 09:53:09.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
@@ -10376,8 +10432,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-09-04 13:40:38.000000000 -0400 -@@ -91,6 +91,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-11-07 10:42:09.000000000 -0500 +@@ -91,10 +91,12 @@ corenet_udp_bind_gopher_port(squid_t) corenet_tcp_bind_squid_port(squid_t) corenet_udp_bind_squid_port(squid_t) @@ -10385,7 +10441,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi corenet_tcp_connect_ftp_port(squid_t) corenet_tcp_connect_gopher_port(squid_t) corenet_tcp_connect_http_port(squid_t) -@@ -108,6 +109,8 @@ + corenet_tcp_connect_http_cache_port(squid_t) ++corenet_tcp_connect_pgpkeyserver_port(squid_t) + corenet_sendrecv_http_client_packets(squid_t) + corenet_sendrecv_ftp_client_packets(squid_t) + corenet_sendrecv_gopher_client_packets(squid_t) +@@ -108,6 +110,8 @@ fs_getattr_all_fs(squid_t) fs_search_auto_mountpoints(squid_t) @@ -10394,7 +10455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi selinux_dontaudit_getattr_dir(squid_t) -@@ -181,7 +184,11 @@ +@@ -181,7 +185,11 @@ udev_read_db(squid_t) ') 
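Review bot: `corenet_tcp_connect_pgpkeyserver_port(squid_t)` is added without a matching `corenet_sendrecv_pgpkeyserver_client_packets(squid_t)`, whereas the http, ftp and gopher ports visible in this block each pair their connect rule with a sendrecv_*_client_packets rule; adding the line next to the other sendrecv rules keeps the port consistent with them and avoids a surprise if SECMARK packet labeling is in use. The interface only exists because of the `network_port(pgpkeyserver, ...)` declaration added to corenetwork.te.in earlier in this patch, so the two hunks cannot be split across releases. A short why-comment would also help, since a caching proxy reaching keyservers is not obvious: `# squid forwards HKP (pgp keyserver, 11371) requests`.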
@@ -12193,8 +12254,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-08-07 09:42:35.000000000 -0400 -@@ -81,8 +81,9 @@ ++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-11-08 16:05:30.000000000 -0500 +@@ -81,8 +81,10 @@ /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12202,10 +12263,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ifdef(`distro_gentoo',` # despite the extensions, they are actually libs -@@ -132,13 +133,16 @@ +@@ -132,13 +134,16 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
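Review bot: The new file context `/opt/Adobe(/.*?)/nppdf\.so` puts the `?` inside the group, where it is a non-greedy quantifier rather than an optional-group marker, so the group is mandatory and at least one additional `/` is required after `/opt/Adobe`; compare the neighbouring `/opt/netbeans(.*/)?jdk.*` entry, whose `?` sits outside the parentheses. If the intent is "nppdf.so anywhere below /opt/Adobe", the idiomatic form is `/opt/Adobe(/.*)?/nppdf\.so`. Because textrel_shlib_t permits text relocations (execmod) on whatever matches, the pattern should be as narrow as the real install path allows, so spelling out the actual version/browser subdirectory is preferable to a wildcard.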
@@ -12223,7 +12285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -157,6 +161,8 @@ +@@ -157,6 +162,8 @@ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -12232,7 +12294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -254,6 +260,8 @@ +@@ -254,6 +261,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -13346,7 +13408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-2.6.4/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if 2007-08-07 09:42:35.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if 2007-11-06 16:35:34.000000000 -0500 @@ -520,6 +520,9 @@ files_search_etc($1) 
@@ -13760,7 +13822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf dbus_stub(unconfined_execmem_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-10-09 17:05:07.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-11-02 11:13:10.000000000 -0400 @@ -114,6 +114,22 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; @@ -13784,6 +13846,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### +@@ -744,7 +760,7 @@ + + fs_get_all_fs_quotas($1_t) + fs_getattr_all_fs($1_t) +- fs_getattr_all_dirs($1_t) ++ fs_search_all($1_t) + fs_search_auto_mountpoints($1_t) + fs_list_inotifyfs($1_t) + @@ -764,6 +780,8 @@ auth_search_pam_console_data($1_t) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7dda210..fefe47c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 53%{?dist} +Release: 55%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -71,6 +71,7 @@ SELinux Policy development package %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/policygentool %{_usr}/share/selinux/devel/example.* +%{_usr}/share/selinux/devel/policy.* %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp %post devel 
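Review bot: Swapping `fs_getattr_all_dirs($1_t)` for `fs_search_all($1_t)` in the userdomain template broadens every generated user domain from stat-only to search on directories of all filesystem types (search_dir_perms includes getattr in refpolicy, so nothing is lost, but search is new), and because `$1_t` is instantiated for unprivileged roles too, this should be called out in the changelog, which for 2.6.4-54/55 mentions only policy.xml and dovecot logging. If a single filesystem was the source of the denials, one of the per-filesystem `fs_search_*` interfaces, like the `fs_search_auto_mountpoints($1_t)` already called on the next line, would be the smaller change. The template body begins and ends outside this hunk.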
@@ -217,6 +218,7 @@ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/ install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 ${RPM_SOURCE_DIR}/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ echo "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp @@ -361,6 +363,12 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Tue Nov 6 2007 Dan Walsh 2.6.4-55 +- Add policy.xml + +* Tue Nov 6 2007 Dan Walsh 2.6.4-54 +- Allow dovecot to write log files + * Thu Nov 1 2007 Dan Walsh 2.6.4-53 - Allow spamd to create nfs/cifs files