From 23eab7bfe4aeb97ed2119defc17f5304cbbae44b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 04 2009 18:20:22 +0000 Subject: - Fix /sbin/ip6tables-save context - Allod udev to transition to mount - Fix loading of mls policy file --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 8693697..109a867 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -655,7 +655,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_lo_if(mrtg_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.12/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-03-12 11:16:47.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/netutils.te 2009-05-04 11:25:11.000000000 -0400 +@@ -50,7 +50,7 @@ + files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) + + kernel_search_proc(netutils_t) +-kernel_read_sysctl(netutils_t) ++kernel_read_all_sysctls(netutils_t) + + corenet_all_recvfrom_unlabeled(netutils_t) + corenet_all_recvfrom_netlabel(netutils_t) @@ -152,6 +152,10 @@ ') 
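Review bot: The new `kernel_read_all_sysctls(netutils_t)` line in the netutils.te hunk widens netutils_t from reading one sysctl to reading everything under /proc/sys, and neither the commit message nor the hunk says which utility produced the denial. If the need is a network tunable, `kernel_read_net_sysctls(netutils_t)` covers it without exposing the kernel and filesystem tunables; otherwise add a comment above the call naming the trigger, e.g. `# <tool> reads /proc/sys/<key> — TODO fill in from the AVC denial`. The netutils_t block continues outside the hunk on both sides.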
@@ -4479,6 +4488,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-02 07:46:25.000000000 -0400 +@@ -13,3 +13,4 @@ + # + /var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0) + /var/run/screens?/S-[^/]+/.* <> ++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-04 11:30:29.000000000 -0400 +@@ -165,3 +165,24 @@ + nscd_socket_use($1_screen_t) + ') + ') ++ ++######################################## ++## ++## Manage screen var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`screen_manage_var_run',` ++ gen_require(` ++ type screen_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_files_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te --- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400 
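Review bot: The new `/var/run/screen(/.*)?` entry in the screen.fc hunk overlaps the two existing `/var/run/screens?/S-[^/]+` entries, so whether a session directory such as /var/run/screen/S-user ends up as screen_dir_t or screen_var_run_t depends on how fc_sort orders the two specifications; check with `matchpathcon /var/run/screen/S-x` after the build and, if screen_dir_t is meant to win, anchor the new entry so it does not cover the S-* paths. The type screen_var_run_t that the fc line and the new `screen_manage_var_run` interface both require is not declared in any hunk visible here; unless screen.te already declares it with something like `type screen_var_run_t; files_pid_file(screen_var_run_t)`, both the label and the gen_require will fail at build time. The interface body itself follows the usual manage_*_pattern shape.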
@@ -5913,7 +5958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.12/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.if 2009-05-04 11:25:35.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -6039,7 +6084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-05-01 13:41:10.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -6056,7 +6101,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # kvmFS # -@@ -120,6 +129,10 @@ +@@ -100,6 +109,7 @@ + genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) + + type proc_xen_t, proc_type; ++files_mountpoint(proc_xen_t) + genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) + + # +@@ -120,6 +130,10 @@ type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) @@ -6067,7 +6120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /proc/sys/fs directory and files type sysctl_fs_t, sysctl_type; files_mountpoint(sysctl_fs_t) -@@ -160,6 +173,7 @@ +@@ -160,6 +174,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) 
@@ -6075,7 +6128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -198,6 +212,8 @@ +@@ -198,6 +213,8 @@ allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; @@ -6084,7 +6137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; -@@ -248,7 +264,8 @@ +@@ -248,7 +265,8 @@ selinux_load_policy(kernel_t) @@ -6094,7 +6147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -262,6 +279,8 @@ +@@ -262,6 +280,8 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -6103,7 +6156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_process_set_categories(kernel_t) -@@ -269,12 +288,18 @@ +@@ -269,12 +289,18 @@ mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -6122,7 +6175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -356,7 +381,11 @@ +@@ -356,7 +382,11 @@ ') optional_policy(` @@ -6135,7 +6188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -388,3 +417,7 @@ +@@ -388,3 +418,7 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; 
@@ -6257,48 +6310,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-04-23 09:44:57.000000000 -0400 -@@ -15,156 +15,90 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-05-02 07:50:07.000000000 -0400 +@@ -15,156 +15,95 @@ # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') -- --optional_policy(` -- auth_role(staff_r, staff_t) --') -- --optional_policy(` -- auditadm_role_change(staff_r) --') +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) -optional_policy(` -- bluetooth_role(staff_r, staff_t) +- auth_role(staff_r, staff_t) -') +auth_domtrans_pam_console(staff_t) -optional_policy(` -- cdrecord_role(staff_r, staff_t) +- auditadm_role_change(staff_r) -') +libs_manage_shared_libs(staff_t) -optional_policy(` +- bluetooth_role(staff_r, staff_t) +-') +- +-optional_policy(` +- cdrecord_role(staff_r, staff_t) +-') +- +-optional_policy(` - cron_role(staff_r, staff_t) -') - -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) - - optional_policy(` +- +-optional_policy(` - ethereal_role(staff_r, staff_t) -') - @@ -6317,8 +6368,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - gnome_role(staff_r, staff_t) -') -- --optional_policy(` ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` - gpg_role(staff_r, staff_t) -') - 
@@ -6332,122 +6385,123 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -optional_policy(` - lockdev_role(staff_r, staff_t) --') -- --optional_policy(` -- lpd_role(staff_r, staff_t) --') -- --optional_policy(` -- mozilla_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- mta_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- mplayer_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- mta_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- rssh_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- razor_role(staff_r, staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- secadm_role_change(staff_r) +- rssh_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- spamassassin_role(staff_r, staff_t) +- screen_role_template(staff, staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- secadm_role_change(staff_r) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) +- ssh_role_template(staff, staff_r, 
staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- sysadm_role_change(staff_r) -- userdom_dontaudit_use_user_terminals(staff_t) +- su_role_template(staff, staff_r, staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- thunderbird_role(staff_r, staff_t) +- sudo_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- tvtime_role(staff_r, staff_t) +- sysadm_role_change(staff_r) +- userdom_dontaudit_use_user_terminals(staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` -- uml_role(staff_r, staff_t) +- thunderbird_role(staff_r, staff_t) + gnomeclock_dbus_chat(staff_t) ') optional_policy(` -- userhelper_role_template(staff, staff_r, staff_t) +- tvtime_role(staff_r, staff_t) + kerneloops_dbus_chat(staff_t) ') optional_policy(` -- vmware_role(staff_r, staff_t) +- uml_role(staff_r, staff_t) + rpm_dbus_chat(staff_usertype) ') optional_policy(` -- wireshark_role(staff_r, staff_t) +- userhelper_role_template(staff, staff_r, staff_t) ++ screen_manage_var_run(staff_t) + ') + + optional_policy(` +- vmware_role(staff_r, staff_t) + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) ') optional_policy(` -- xserver_role(staff_r, staff_t) +- wireshark_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') + +-optional_policy(` +- xserver_role(staff_r, staff_t) +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-04-23 09:44:57.000000000 -0400 
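Review bot: `screen_manage_var_run(staff_t)` in the staff.te hunk grants the staff_t domain itself create/write/unlink over every screen_var_run_t directory, file, symlink and fifo, while the same patch removes `screen_role_template(staff, staff_r, staff_t)`, which would have scoped screen access to a per-role screen domain; the hunk does not say why the blanket manage on the shared /var/run/screen tree is needed instead. If the intent is only to let screen create its socket directory, a narrower interface (or restoring the role template) is preferable; at minimum add `# screen creates its socket dir under /var/run/screen — TODO confirm denial` above the call. The remaining changes in this hunk appear to be reordering of lines already in the patch, and the staff_t block continues outside the hunk.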
@@ -12280,7 +12334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-05-02 07:48:49.000000000 -0400 @@ -0,0 +1,197 @@ + +## policy for devicekit @@ -13432,8 +13486,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if --- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-04-28 15:26:38.000000000 -0400 -@@ -0,0 +1,22 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-01 09:45:48.000000000 -0400 +@@ -0,0 +1,42 @@ + +## policy for fprintd + 
@@ -13456,6 +13510,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1,fprintd_exec_t,fprintd_t) +') + ++######################################## ++## ++## Send and receive messages from ++## fprintd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fprintd_dbus_chat',` ++ gen_require(` ++ type fprintd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 fprintd_t:dbus send_msg; ++ allow fprintd_t $1:dbus send_msg; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400 @@ -14625,7 +14699,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-05-01 13:21:26.000000000 -0400 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) 
@@ -14636,13 +14710,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # kerneloops local policy -@@ -23,8 +26,13 @@ +@@ -21,10 +24,14 @@ + allow kerneloops_t self:capability sys_nice; + allow kerneloops_t self:process { setsched getsched signal }; allow kerneloops_t self:fifo_file rw_file_perms; - allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; - +-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; ++ +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) +files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) -+ + kernel_read_ring_buffer(kerneloops_t) +fs_list_inotifyfs(kerneloops_t) @@ -14650,9 +14726,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling domain_use_interactive_fds(kerneloops_t) -@@ -46,6 +54,5 @@ - sysnet_dns_name_resolve(kerneloops_t) +@@ -38,14 +45,13 @@ + + files_read_etc_files(kerneloops_t) + ++auth_use_nsswitch(kerneloops_t) ++ + logging_send_syslog_msg(kerneloops_t) + logging_read_generic_logs(kerneloops_t) + + miscfiles_read_localization(kerneloops_t) +-sysnet_dns_name_resolve(kerneloops_t) +- optional_policy(` - dbus_system_bus_client(kerneloops_t) - dbus_connect_system_bus(kerneloops_t) @@ -20431,7 +20517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-04 12:28:35.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) 
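Review bot: The kerneloops.te hunk drops `allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;` and `sysnet_dns_name_resolve(kerneloops_t)` in favour of `auth_use_nsswitch(kerneloops_t)`; this is only equivalent if auth_use_nsswitch still pulls in sysnet_dns_name_resolve, which is where the netlink_route_socket permissions for glibc name lookups come from. Verify after the build with `sesearch -A -s kerneloops_t -c netlink_route_socket`, since a missing rule would only surface when kerneloops submits a report. Also the added `files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)` uses the no-space argument style while `manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)` on the line above uses the spaced style; pick one. The kerneloops_t block continues outside the hunk.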
@@ -20441,7 +20527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -74,21 +74,31 @@ +@@ -74,21 +74,33 @@ files_manage_mounttab(rpcd_t) @@ -20451,6 +20537,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) ++storage_getattr_fixed_disk_dev(rpcd_t) ++ +kernel_signal(rpcd_t) + selinux_dontaudit_read_fs(rpcd_t) @@ -20473,7 +20561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,8 +126,9 @@ +@@ -116,8 +128,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type @@ -20484,7 +20572,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -125,6 +136,7 @@ +@@ -125,6 +138,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -20492,7 +20580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -141,6 +153,7 @@ +@@ -141,6 +155,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -20500,7 +20588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -175,6 +188,7 @@ +@@ -175,6 +190,7 @@ corecmd_exec_bin(gssd_t) @@ -20508,7 +20596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -183,9 +197,12 @@ +@@ -183,9 +199,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) 
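Review bot: `storage_getattr_fixed_disk_dev(rpcd_t)` is added to the rpcd_t block without a comment, and neither the commit message nor the hunk says which rpc daemon stats a block device, so the next cleanup of rpc.te cannot tell whether it is still needed. Add a one-line comment above it, e.g. `# rpc.mountd stat()s the exported block device — TODO cite denial`, and if the access is only a harmless probe, consider whether a dontaudit is the better fit, as the file already does for nfsd_t with `storage_dontaudit_read_fixed_disk(nfsd_t)`. The rpcd_t block begins and ends outside this hunk.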
@@ -25914,7 +26002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-01 09:46:46.000000000 -0400 @@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -25962,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,11 +119,40 @@ +@@ -100,9 +119,42 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -25975,16 +26063,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + afs_rw_udp_sockets($1) -+ ') + ') + + optional_policy(` + dbus_system_bus_client($1) + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) - ') - ') - ++ ') ++') ++ + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) @@ -25992,6 +26080,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ fprintd_dbus_chat($1) ++ ') ++ ++ optional_policy(` + nis_authenticate($1) + ') + @@ -26000,12 +26092,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_read_user_home_content_files($1) + ') + -+') -+ + ') + ######################################## - ## - ## Use the login program as an entry point program. -@@ -197,8 +245,11 @@ +@@ -197,8 +249,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; 
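Review bot: In the auth_login_pgm_domain hunk the new `fprintd_dbus_chat($1)` sits in its own optional_policy block, while the comparable `oddjob_dbus_chat($1)` a few lines above is nested inside the block that first grants `dbus_system_bus_client($1)`; a dbus send_msg rule without the bus-client access is inert, so nest it the same way for consistency and to make the dependency on the dbus module explicit. Concretely, move the `fprintd_dbus_chat($1)` optional_policy block to sit after the oddjob block inside the dbus block. The rebalanced closing `')` lines in this hunk are hard to verify from a diff of a diff, so build the policy to confirm the interface still closes where intended. The interface body extends beyond this hunk on both sides.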
@@ -26017,7 +26107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -@@ -207,19 +258,16 @@ +@@ -207,19 +262,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -26042,7 +26132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +278,29 @@ +@@ -230,6 +282,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -26072,7 +26162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +325,7 @@ +@@ -254,6 +329,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -26080,7 +26170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -650,7 +722,7 @@ +@@ -650,7 +726,7 @@ ######################################## ## @@ -26089,7 +26179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1031,6 +1103,32 @@ +@@ -1031,6 +1107,32 @@ ######################################## ## @@ -26122,7 +26212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1395,14 @@ +@@ -1297,6 +1399,14 @@ ') optional_policy(` @@ -26137,7 +26227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1305,8 +1411,13 @@ +@@ -1305,8 +1415,13 @@ ') optional_policy(` @@ -26151,7 +26241,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1452,99 @@ +@@ -1341,3 +1456,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -27102,9 +27192,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(racoon_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400 -@@ -1,9 +1,11 @@ - /sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 18:57:54.000000000 -0400 +@@ -1,9 +1,10 @@ +-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -29523,7 +29613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-05-04 14:18:49.000000000 -0400 @@ -50,6 +50,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; 
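Review bot: The iptables.fc hunk now removes the upstream `/sbin/ip6tables.*` wildcard and keeps only the anchored `/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)`, so /sbin/ip6tables-save, -restore and -multi are no longer labelled by anything visible in this hunk; the commit message says the ip6tables-save context is being fixed, so the entries covering those names must be in the part of the inner patch not shown here. After the build, check `matchpathcon /sbin/ip6tables-save /sbin/ip6tables-restore` rather than relying on the old wildcard. If the wildcard was dropped on purpose because some ip6tables-* binary should get a different type, record that in a comment in the .fc file.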
@@ -29560,7 +29650,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -242,6 +250,10 @@ +@@ -228,6 +236,10 @@ + ') + + optional_policy(` ++ mount_domtrans(udev_t) ++') ++ ++optional_policy(` + openct_read_pid_files(udev_t) + openct_domtrans(udev_t) + ') +@@ -242,6 +254,10 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b63b10f..3615a6c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 26%{?dist} +Release: 27%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -165,11 +165,6 @@ if [ -s /etc/selinux/config ]; then \ fi \ fi -%define loadminpolicy() \ -( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \ -); \ - %define loadpolicy() \ ( cd /usr/share/selinux/%1; \ semodule -b base.pp.bz2 -i %{expand:%%moduleList %1} %2 -s %1; \ @@ -351,12 +346,12 @@ echo $packages } if [ $1 -eq 1 ]; then - packages="unconfined.pp.bz2 unconfineduser.pp.bz2" + packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2" %loadpolicy targeted $packages restorecon -R /root /var/log /var/run 2> /dev/null else semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null - packages=`get_unconfined $(semodule -l)` + packages="%{expand:%%moduleList targeted} `get_unconfined $(semodule -l)`" %loadpolicy targeted $packages %relabel targeted fi @@ -402,7 +397,8 @@ SELinux Reference policy minimum base module. %post minimum if [ $1 -eq 1 ]; then -%loadminpolicy minimum +packages="unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy minimum $packages semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root 
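Review bot: `mount_domtrans(udev_t)` in the udev.te hunk lets any udev rule that runs mount switch into the mount_t domain instead of running it as udev_t, and the hunk does not record which rule needs it. Add a comment above the call naming the trigger, e.g. `# udev rules run /bin/mount for <device class> — TODO fill in from the AVC denial`, so the transition can be revisited if that rule goes away. The optional_policy block is self-contained; the udev_t policy continues outside the hunk.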
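Review bot: In the targeted `%post` hunk, `packages="%{expand:%%moduleList targeted} unconfined.pp.bz2 unconfineduser.pp.bz2"` is handed to `%loadpolicy`, but the `loadpolicy` macro shown as context in the earlier hunk already inserts `%{expand:%%moduleList %1}` before `%2`, so the whole module list reaches `semodule -i` twice unless the macro body is changed in a part of the spec not shown here. The same doubling appears in the olpc and mls `%post` hunks further down. Either drop the `%{expand:%%moduleList ...}` prefix from the callers or remove it from the macro; the empty-argument problem that `%loadpolicy mls ""` used to cause is fixed by passing any non-empty list. The minimum `%post` now also goes through `loadpolicy`, which adds the moduleList expansion that the removed `loadminpolicy` did not load; confirm that is intended.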
@@ -435,7 +431,8 @@ SELinux Reference policy olpc base module. %saveFileContext olpc %post olpc -%loadpolicy olpc "" +packages="%{expand:%%moduleList olpc} unconfined.pp.bz2 unconfineduser.pp.bz2" +%loadpolicy olpc $packages if [ $1 -ne 1 ]; then %relabel olpc @@ -466,7 +463,8 @@ SELinux Reference policy mls base module. %post mls semodule -n -s mls -r mailscanner 2>/dev/null -%loadpolicy mls "" +packages="%{expand:%%moduleList mls}" +%loadpolicy mls $packages if [ $1 != 1 ]; then %relabel mls @@ -480,6 +478,11 @@ exit 0 %endif %changelog +* Fri May 1 2009 Dan Walsh 3.6.12-27 +- Fix /sbin/ip6tables-save context +- Allod udev to transition to mount +- Fix loading of mls policy file + * Thu Apr 30 2009 Dan Walsh 3.6.12-26 - Add shorewall policy