From 1662e47910cc1d7b49d4924f0691496b21e4139e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 27 2009 08:49:59 +0000 Subject: - Fix qemu labeling - Fix mysqld_safe policy --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 6db72cc..2ea4afd 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -644450,7 +644450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2009-02-27 09:29:43.000000000 +0100 @@ -1,28 +1,28 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) - @@ -644498,7 +644498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,12 +49,18 @@ +@@ -47,12 +49,20 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -644511,21 +644511,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + ++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++ /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) +/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -65,11 +73,26 @@ +@@ -65,11 +75,26 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) ++ -/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) -+ +/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) @@ -650871,7 +650873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2009-02-27 09:21:55.000000000 +0100 
@@ -15,6 +15,15 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -650971,7 +650973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -184,5 +213,53 @@ +@@ -184,5 +213,55 @@ ') optional_policy(` @@ -651008,6 +651010,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + +files_read_etc_files(dovecot_deliver_t) +files_read_etc_runtime_files(dovecot_deliver_t) ++files_search_tmp(dovecot_deliver_t) ++fs_getattr_all_fs(dovecot_deliver_t) + +auth_use_nsswitch(dovecot_deliver_t) + @@ -653389,6 +653393,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kern + dbus_connect_system_bus(kerneloops_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.3.1/policy/modules/services/ktalk.te +--- nsaserefpolicy/policy/modules/services/ktalk.te 2008-02-26 14:23:10.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/ktalk.te 2009-02-27 09:39:10.000000000 +0100 +@@ -69,6 +69,7 @@ + files_read_etc_files(ktalkd_t) + + term_search_ptys(ktalkd_t) ++term_use_all_terms(ktalkd_t) + + auth_use_nsswitch(ktalkd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.3.1/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2008-02-26 14:23:10.000000000 +0100 +++ serefpolicy-3.3.1/policy/modules/services/ldap.fc 2009-02-12 22:21:57.000000000 +0100 
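Review bot: `term_use_all_terms(ktalkd_t)` in the added ktalk.te hunk grants read/write on every tty and pty type in the policy at once, and nothing in the hunk records why that breadth is needed next to the existing, much narrower `term_search_ptys(ktalkd_t)`. If the intent is only to write a talk-request announcement to a logged-in user's terminal, a one-line comment above the call, `# talkd writes talk announcements to the callee's terminal, which may be a tty or a pty`, would let the next reader judge whether a narrower terminal interface would do. The same hunk also adds `fs_getattr_all_fs(dovecot_deliver_t)` and `files_search_tmp(dovecot_deliver_t)` to dovecot.te without a comment; a short why-comment there too would help.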
@@ -654609,7 +654624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-02-13 10:52:23.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.if 2009-02-27 09:20:53.000000000 +0100 @@ -32,9 +32,11 @@ interface(`mysql_stream_connect',` gen_require(` @@ -654632,10 +654647,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq ') ######################################## -@@ -157,3 +160,93 @@ - logging_search_logs($1) - allow $1 mysqld_log_t:file { write append setattr ioctl }; +@@ -118,6 +121,25 @@ + allow $1 mysqld_db_t:dir manage_dir_perms; ') + ++###################################### ++## ++## Create, read, write, and delete MySQL database files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mysql_manage_db_files',` ++ gen_require(` ++ type mysqld_db_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1,mysqld_db_t,mysqld_db_t) ++') ++ + ######################################## + ## + ## Read and write to the MySQL database +@@ -155,5 +177,95 @@ + ') + + logging_search_logs($1) +- allow $1 mysqld_log_t:file { write append setattr ioctl }; ++ write_files_pattern($1,mysqld_log_t,mysqld_log_t) ++') + +#################################### +## 
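Review bot: Replacing `allow $1 mysqld_log_t:file { write append setattr ioctl };` with `write_files_pattern($1,mysqld_log_t,mysqld_log_t)` in `mysql_write_log` silently drops `setattr` from what the interface grants, since the pattern expands to `write_file_perms` plus directory search and, as far as I recall from refpolicy's permission sets, `write_file_perms` does not contain `setattr` (verify against the tree). A caller that relied on this interface to chmod or touch its log file would now be denied. If the drop is unintended, keep `allow $1 mysqld_log_t:file setattr;` after the pattern call; if it is intended, say so in the interface summary so the narrowing is visible. The new `mysql_manage_db_files` interface looks fine, but its summary block is rendered here without its XML tags, so I could not check the `<summary>`/`<param>` markup.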
@@ -654725,10 +654769,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + manage_all_pattern($1,mysqld_log_t) + + manage_all_pattern($1,mysqld_tmp_t) -+') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.3.1/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-02-13 10:02:36.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/mysql.te 2009-02-27 09:18:38.000000000 +0100 @@ -10,6 +10,10 @@ type mysqld_exec_t; init_daemon_domain(mysqld_t,mysqld_exec_t) @@ -654770,7 +654814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq domain_use_interactive_fds(mysqld_t) -@@ -119,3 +128,32 @@ +@@ -119,3 +128,38 @@ optional_policy(` udev_read_db(mysqld_t) ') @@ -654785,14 +654829,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq +allow mysqld_safe_t self:capability { dac_override fowner chown }; +allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; + ++append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) ++ +mysql_read_config(mysqld_safe_t) -+mysql_search_db(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) +mysql_write_log(mysqld_safe_t) + +kernel_read_system_state(mysqld_safe_t) + ++dev_list_sysfs(mysqld_safe_t) ++ +files_read_etc_files(mysqld_safe_t) ++files_read_usr_files(mysqld_safe_t) + +corecmd_exec_bin(mysqld_safe_t) + @@ -654801,6 +654849,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq + +miscfiles_read_localization(mysqld_safe_t) + ++hostname_exec(mysqld_safe_t) ++ +permissive mysqld_safe_t; + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.3.1/policy/modules/services/nagios.fc 
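Review bot: `mysql_search_db(mysqld_safe_t)` is removed and replaced by `append_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)`; the pattern grants search on mysqld_db_t directories but not on /var/lib itself, which the removed interface presumably supplied via `files_search_var_lib` (mysql.if's definition is not in this chunk). No other rule in the mysqld_safe_t block visibly grants that search, so appending to a log under the data directory would fail at the /var/lib step once the domain is enforced; `permissive mysqld_safe_t;` currently hides the denial. Suggest adding `files_search_var_lib(mysqld_safe_t)` beside the pattern call. The `hostname_exec` and db_t-append pairing suggests the host-named error log in the data directory is the reason for the append; a comment saying so, and one marking `permissive mysqld_safe_t;` as a bring-up setting to remove, would make the block self-explaining.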
@@ -661418,7 +661468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2009-02-12 22:21:57.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.if 2009-02-27 09:13:12.000000000 +0100 @@ -88,8 +88,11 @@ # bind to arbitary unused ports corenet_tcp_bind_generic_port($1_t) @@ -661432,7 +661482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_rw_rpc_named_pipes($1_t) fs_search_auto_mountpoints($1_t) -@@ -208,6 +211,24 @@ +@@ -208,6 +211,25 @@ ######################################## ## @@ -661450,6 +661500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. + ') + + domtrans_pattern($1,rpcd_exec_t,rpcd_t) ++ allow rpcd_t $1:process signal; +') + +######################################## @@ -661457,7 +661508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## Read NFS exported content. ## ## -@@ -338,3 +359,22 @@ +@@ -338,3 +360,22 @@ files_search_var_lib($1) read_files_pattern($1,var_lib_nfs_t,var_lib_nfs_t) ') @@ -662208,7 +662259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-02-26 14:23:10.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2009-02-13 10:19:03.000000000 +0100 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2009-02-27 09:28:30.000000000 +0100 @@ -17,6 +17,13 @@ ## 
@@ -662441,17 +662492,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow nmbd_t self:tcp_socket create_stream_socket_perms; allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -403,8 +469,7 @@ +@@ -401,14 +467,10 @@ + files_pid_filetrans(nmbd_t,nmbd_var_run_t,file) + read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t) ++read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) -append_files_pattern(nmbd_t,samba_log_t,samba_log_t) -allow nmbd_t samba_log_t:file unlink; +- +-read_files_pattern(nmbd_t,samba_log_t,samba_log_t) +-create_files_pattern(nmbd_t,samba_log_t,samba_log_t) +-allow nmbd_t samba_log_t:dir setattr; +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t) - read_files_pattern(nmbd_t,samba_log_t,samba_log_t) - create_files_pattern(nmbd_t,samba_log_t,samba_log_t) -@@ -439,6 +504,7 @@ + manage_files_pattern(nmbd_t,samba_var_t,samba_var_t) + +@@ -439,6 +501,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -662459,7 +662517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -522,6 +588,7 @@ +@@ -522,6 +585,7 @@ storage_raw_write_fixed_disk(smbmount_t) term_list_ptys(smbmount_t) @@ -662467,7 +662525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb corecmd_list_bin(smbmount_t) -@@ -533,41 +600,50 @@ +@@ -533,41 +597,50 @@ auth_use_nsswitch(smbmount_t) @@ -662528,7 +662586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_var_run_t:file read; manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t) -@@ -577,7 +653,9 @@ +@@ -577,7 +650,9 @@ manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t) files_pid_filetrans(swat_t,swat_var_run_t,file) 
@@ -662539,7 +662597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -602,10 +680,12 @@ +@@ -602,10 +677,12 @@ dev_read_urand(swat_t) @@ -662552,7 +662610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -614,6 +694,7 @@ +@@ -614,6 +691,7 @@ libs_use_shared_libs(swat_t) logging_send_syslog_msg(swat_t) @@ -662560,7 +662618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -631,6 +712,17 @@ +@@ -631,6 +709,17 @@ kerberos_use(swat_t) ') @@ -662578,7 +662636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # Winbind local policy -@@ -673,12 +765,15 @@ +@@ -673,12 +762,15 @@ manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t) @@ -662594,7 +662652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(winbind_t) kernel_list_proc(winbind_t) kernel_read_proc_symlinks(winbind_t) -@@ -764,8 +859,13 @@ +@@ -764,8 +856,13 @@ miscfiles_read_localization(winbind_helper_t) optional_policy(` @@ -662608,7 +662666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') ######################################## -@@ -774,19 +874,64 @@ +@@ -774,19 +871,64 @@ # optional_policy(` 
@@ -671368,18 +671426,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.fc serefpolicy-3.3.1/policy/modules/system/qemu.fc --- nsaserefpolicy/policy/modules/system/qemu.fc 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2009-02-13 09:48:32.000000000 +0100 -@@ -0,0 +1,6 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.fc 2009-02-27 09:23:38.000000000 +0100 +@@ -0,0 +1,8 @@ + +/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + -+/var/run/libvirt/qemu(/.*)? -- gen_context(system_u:object_r:qemu_var_run_t,s0) ++/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0) ++ ++/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.if serefpolicy-3.3.1/policy/modules/system/qemu.if --- nsaserefpolicy/policy/modules/system/qemu.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2009-02-13 09:47:42.000000000 +0100 -@@ -0,0 +1,341 @@ ++++ serefpolicy-3.3.1/policy/modules/system/qemu.if 2009-02-27 09:26:49.000000000 +0100 +@@ -0,0 +1,343 @@ + +## policy for qemu + @@ -671660,8 +671720,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ files_pid_filetrans($1_t, $1_var_run_t, file) ++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { file dir}) + + dev_read_sound($1_t) + dev_write_sound($1_t)
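Review bot: The new `/var/cache/libvirt(/.*)? gen_context(system_u:object_r:qemu_cache_t,s0)` entry references `qemu_cache_t`, a type not declared anywhere visible in this chunk; qemu.te is not in view, so confirm it is declared there with `files_type()`, otherwise the module fails to build. Dropping the `--` from the `/var/run/libvirt/qemu(/.*)?` entry so the directory itself is labeled matches the commit's "fix qemu labeling" title and is the right change. Note that the whole libvirt cache is labeled for qemu rather than for the libvirt daemon; if libvirtd also writes there, its policy needs matching rules, which this commit does not show.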
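Review bot: `files_pid_filetrans($1_t, $1_var_run_t, { file dir})` in the qemu.if hunk is missing the space before `}`; refpolicy writes class sets as `{ file dir }`, so `files_pid_filetrans($1_t, $1_var_run_t, { file dir })`. The same hunk adds `manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)` but the filetrans covers only file and dir, so a symlink the domain creates directly under /var/run would presumably keep the generic pid label rather than `$1_var_run_t`; if symlinks are expected there, add `lnk_file` to the class set. The enclosing template starts outside the hunk.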