From 1f2f29dbbb505adaf51d868a15f5d0f7f6fafe44 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 05 2009 21:16:36 +0000 Subject: - Allow dovecot_t getcap, setcap --- diff --git a/policy-F12.patch b/policy-F12.patch index 1cbb60f..222a193 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1402,8 +1402,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-09-30 16:12:48.000000000 -0400 -@@ -52,6 +52,10 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-10-05 11:13:57.000000000 -0400 +@@ -42,6 +42,7 @@ + cron_system_entry(tmpreaper_t, tmpreaper_exec_t) + + ifdef(`distro_redhat',` ++ userdom_list_user_home_content(tmpreaper_t) + userdom_delete_user_home_content_dirs(tmpreaper_t) + userdom_delete_user_home_content_files(tmpreaper_t) + userdom_delete_user_home_content_symlinks(tmpreaper_t) +@@ -52,6 +53,10 @@ ') optional_policy(` @@ -1616,10 +1624,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.6.32/policy/modules/apps/chrome.fc --- nsaserefpolicy/policy/modules/apps/chrome.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.fc 2009-10-02 08:22:43.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.fc 2009-10-02 11:37:05.000000000 -0400 @@ -0,0 +1,2 @@ + -+/usr/lib64/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) ++/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-10-02 08:37:09.000000000 -0400 @@ -1784,35 +1792,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-02 10:45:59.000000000 -0400 -@@ -0,0 +1,27 @@ -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-05 09:23:28.000000000 -0400 +@@ -0,0 +1,29 @@ ++/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +ifdef(`distro_gentoo',` +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib64/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/usr/lib(64)?/chromium-browser/chromium-browser gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-02 10:33:33.000000000 -0400 @@ -3457,8 +3467,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,294 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-10-05 09:30:27.000000000 -0400 +@@ -0,0 +1,295 @@ + +policy_module(nsplugin, 1.0.0) + @@ -3703,6 +3713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_fonts(nsplugin_config_t) + +userdom_search_user_home_content(nsplugin_config_t) ++userdom_read_user_home_content_symlinks(nsplugin_config_t) +userdom_read_user_home_content_files(nsplugin_config_t) +userdom_dontaudit_search_admin_dir(nsplugin_config_t) + @@ -3874,7 +3885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +application_domain(openoffice_t, openoffice_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-10-05 08:28:56.000000000 -0400 @@ -40,7 +40,7 @@ userdom_manage_tmpfs_role($1, pulseaudio_t) @@ -3886,7 +3897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te 2009-10-05 08:30:24.000000000 -0400 @@ -26,6 +26,7 @@ can_exec(pulseaudio_t, pulseaudio_exec_t) @@ -3895,7 +3906,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) -@@ -88,6 +89,10 @@ +@@ -69,6 +70,7 @@ + optional_policy(` + dbus_system_bus_client(pulseaudio_t) + dbus_session_bus_client(pulseaudio_t) ++ dbus_connect_session_bus(pulseaudio_t) + + optional_policy(` + consolekit_dbus_chat(pulseaudio_t) +@@ -88,6 +90,10 @@ ') optional_policy(` @@ -3906,7 +3925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -100,4 +105,5 @@ +@@ -100,4 +106,5 @@ optional_policy(` xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) @@ -5265,7 +5284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2009-10-05 17:13:25.000000000 -0400 @@ -65,6 +65,7 @@ type server_packet_t, packet_type, server_packet_type; @@ -5274,7 +5293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -87,17 +88,21 @@ +@@ -87,26 +88,32 @@ network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) @@ -5297,7 +5316,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) -@@ -107,6 +112,8 @@ + network_port(gpsd, tcp,2947,s0) + network_port(hddtemp, tcp,7634,s0) +-network_port(howl, tcp,5335,s0, udp,5353,s0) ++network_port(howl, tcp,5353,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy @@ -8285,8 +8307,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-02 10:45:40.000000000 -0400 -@@ -0,0 +1,397 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-05 09:44:21.000000000 -0400 +@@ -0,0 +1,401 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -8654,6 +8676,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_ptrace_all_domains(unconfined_notrans_t) + +optional_policy(` ++ policykit_role(unconfined_r, unconfined_notrans_t) ++') ++ ++optional_policy(` + gen_require(` + type mplayer_exec_t; + ') @@ -12164,7 +12190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.32/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/dbus.if 2009-10-05 08:30:03.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -12662,7 +12688,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-05 09:17:34.000000000 -0400 +@@ -56,7 +56,7 @@ + + allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; + dontaudit dovecot_t self:capability sys_tty_config; +-allow dovecot_t self:process { setrlimit signal_perms }; ++allow dovecot_t self:process { setrlimit signal_perms getcap setcap }; + allow dovecot_t self:fifo_file rw_fifo_file_perms; + allow dovecot_t self:tcp_socket create_stream_socket_perms; + allow dovecot_t self:unix_dgram_socket create_socket_perms; @@ -103,6 +103,7 @@ dev_read_urand(dovecot_t) @@ -18515,7 +18550,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-10-05 11:42:06.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -18577,7 +18612,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,72 @@ +@@ -94,23 +113,74 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -18619,6 +18654,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; +allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + ++allow setroubleshoot_fixit_t setroubleshootd_t:process signull; ++ +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +setroubleshoot_stream_connect(setroubleshoot_fixit_t) + @@ -23836,7 +23873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-10-05 09:46:44.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt @@ -24025,7 +24062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +295,96 @@ +@@ -307,10 +295,97 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -24036,6 +24073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') +/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) @@ -27255,7 +27293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-02 10:53:53.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-05 11:13:48.000000000 -0400 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 45b6296..66a33db 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -366,7 +366,7 @@ SELinux Reference policy minimum base module. %saveFileContext minimum %post minimum -packages="unconfined.pp.bz2 unconfineduser.pp.bz2" +packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2" %loadpolicy minimum $packages if [ $1 -eq 1 ]; then semanage -S minimum -i - << __eof @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Mon Oct 5 2009 Dan Walsh 3.6.32-21 +- Allow dovecot_t getcap, setcap + * Fri Oct 2 2009 Dan Walsh 3.6.32-20 - Add chrome-sandbox policy - Split out execmem policy