From 40c7a88c69235c9e2a56db9707a4c48146099ebf Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 20 2007 12:11:27 +0000 Subject: - Allow rhgb to getattr on filesystems - Allow dictd to use /var/run direcory - Fix printer labels under /usr/local/Printer and Brother - Fix /var/log/clamav labeling - Remove a lot of foolish avc's from terminal redirection\ --- diff --git a/policy-20070501.patch b/policy-20070501.patch index fd10ad8..d0b0f32 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1827,7 +1827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f /opt/vmware/workstation/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-10-18 17:18:18.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc 2007-11-14 10:47:47.000000000 -0500 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
@@ -1863,16 +1863,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
-@@ -164,6 +168,8 @@
+@@ -164,6 +168,10 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -189,6 +195,7 @@
+@@ -189,6 +197,7 @@
ifdef(`distro_redhat', `
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -1880,7 +1882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +227,7 @@
+@@ -220,6 +229,7 @@
/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
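Review bot: The new `/usr/local/Brother(/.*)?/lpd(/.*)?` and `/usr/local/Brother(/.*)?/cupswrapper(/.*)?` entries label everything under any `lpd` or `cupswrapper` path component at any depth below /usr/local/Brother as bin_t, and they carry no `--` file-class qualifier, so the vendor's data, configuration and spool files in those trees become executable-labelled for every domain that is granted corecmd exec rights, not just the wrapper scripts. The entries they replace were anchored to one fixed directory; the leading `(/.*)?` is what makes the new match unbounded. If the driver layout is known, anchor the model segment the way the Printer entries in the same hunk do, e.g. `/usr/local/Brother/[^/]*/lpd(/.*)?`, and run `restorecon -n -v /usr/local/Brother` on an installed driver to see which paths actually change type. Whether the vendor installer leaves these trees group- or world-writable is not visible here; if it does, a bin_t label on writable files deserves a second look. The later hunk at 1880 only renumbers the inner hunk header.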
@@ -1888,7 +1890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -248,6 +256,7 @@ +@@ -248,6 +258,7 @@ /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -1896,7 +1898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -256,3 +265,18 @@ +@@ -256,3 +267,18 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -2422,7 +2424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-05-07 14:51:04.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-10-30 16:16:45.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te 2007-11-16 09:43:24.000000000 -0500 @@ -6,6 +6,29 @@ # Declarations # @@ -2464,7 +2466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain # Domains that can set their current context # (perform dynamic transitions) attribute set_curr_context; -@@ -144,3 +171,33 @@ +@@ -144,3 +171,35 @@ # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -2495,9 +2497,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+# Allow all domains to use fds past to them
+allow domain domain:fd use;
+optional_policy(`
-+ rpm_dontaudit_rw_pipes(domain)
++ rpm_rw_pipes(domain)
++')
++optional_policy(`
++ unconfined_dontaudit_rw_pipes(domain)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.6.4/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-05-07 14:51:02.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/kernel/files.fc 2007-10-18 17:13:23.000000000 -0400
@@ -4623,7 +4627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
fs_getattr_xattr_fs(ndc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.6.4/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/bluetooth.te 2007-09-18 13:32:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/bluetooth.te 2007-11-14 10:31:00.000000000 -0500
@@ -139,6 +139,8 @@
dbus_system_bus_client_template(bluetooth,bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
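Review bot: Replacing `rpm_dontaudit_rw_pipes(domain)` with `rpm_rw_pipes(domain)` turns a noise-suppression rule into a real grant: every domain in the policy may now read and write rpm_t pipes instead of merely having the denial go unlogged, and it sits next to the existing `allow domain domain:fd use;`, so any confined process that inherits an rpm pipe descriptor (presumably a daemon restarted from a scriptlet) can write into whatever stream rpm has on that pipe. If the goal is only to silence terminal-redirection AVCs, the dontaudit is the right tool, as the same hunk does for unconfined with `unconfined_dontaudit_rw_pipes(domain)`. If some domains genuinely need to talk back to rpm, grant `rpm_rw_pipes()` to those domains (or at most the `daemon` attribute) and keep `rpm_dontaudit_rw_pipes(domain)` here. The rest of domain.te's declarations are outside this hunk; the bluetooth.te hunk on the same line only updates a timestamp.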
@@ -4635,16 +4639,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc
--- nsaserefpolicy/policy/modules/services/clamav.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/clamav.fc 2007-08-07 09:42:35.000000000 -0400
-@@ -9,6 +9,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/clamav.fc 2007-11-14 10:43:00.000000000 -0500
+@@ -9,8 +9,9 @@
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamd\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
+/var/run/clamav\..* gen_context(system_u:object_r:clamd_var_run_t,s0)
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
+-/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
+-/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav(/.*)? gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
+ /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/clamav.te 2007-08-13 19:28:50.000000000 -0400
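Review bot: The `/var/log/clamav(/.*)?` catch-all now types everything under /var/log/clamav as clamd_var_log_t, and only the `freshclam.*` entry that follows keeps freshclam_var_log_t, which holds because the more specific literal prefix wins in file_contexts matching, not because of the order the lines appear in. Any freshclam-written file whose name does not start with `freshclam` (a differently named or rotated log, if the logrotate config produces one) would silently pick up the clamd type and presumably become writable by clamd_t rather than freshclam_t. A one-line comment on the catch-all would stop the next edit from breaking this, e.g. `# catch-all: the freshclam.* entry below must stay more specific so freshclam keeps its own log type`, and a `restorecon -n -v /var/log/clamav` on a host with freshclam enabled would confirm nothing else changes type. The old `-d` entry only pinned the directory itself, and the new pattern covers that too.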
@@ -5139,7 +5146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-09-11 08:58:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-11-14 10:50:09.000000000 -0500
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -5157,11 +5164,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-@@ -52,3 +53,4 @@
+@@ -52,3 +53,5 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-10-05 08:56:23.000000000 -0400
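Review bot: `/usr/local/Printer/[^/]*/inf(/.*)?` (like the existing Brother `inf` entry above it) hands cupsd_t a writable configuration tree, cupsd_rw_etc_t, inside a vendor install directory under /usr/local, right beside the `lpd` and `cupswrapper` directories this same commit labels bin_t in corecommands.fc; a path such as `/usr/local/Printer/<model>/inf/lpd/x` matches both sets of patterns, and which type wins is decided by file_contexts specificity rules rather than by anything written in either file. Please check with `matchpathcon` on an installed driver that nothing under `inf` ends up bin_t and nothing under `lpd` or `cupswrapper` ends up writable by cupsd, and add a comment stating what cupsd writes there, since a writable directory next to executable-labelled vendor files is the kind of thing a later reader will want justified. The `53,4` to `53,5` header change only accounts for the added line; the first hunk on this line is a timestamp update.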
@@ -5507,6 +5515,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-2.6.4/policy/modules/services/dictd.fc
+--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dictd.fc 2007-11-14 12:27:15.000000000 -0500
+@@ -4,3 +4,4 @@
+ /usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
+
+ /var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
++/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.te serefpolicy-2.6.4/policy/modules/services/dictd.te
+--- nsaserefpolicy/policy/modules/services/dictd.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dictd.te 2007-11-14 11:34:47.000000000 -0500
+@@ -16,6 +16,9 @@
+ type dictd_var_lib_t alias var_lib_dictd_t;
+ files_type(dictd_var_lib_t)
+
++type dictd_var_run_t;
++files_pid_file(dictd_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -34,6 +37,9 @@
+ allow dictd_t dictd_var_lib_t:dir list_dir_perms;
+ allow dictd_t dictd_var_lib_t:file read_file_perms;
+
++manage_files_pattern(dictd_t,dictd_var_run_t,dictd_var_run_t)
++files_pid_filetrans(dictd_t,dictd_var_run_t,file)
++
+ kernel_read_system_state(dictd_t)
+ kernel_read_kernel_sysctls(dictd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-2.6.4/policy/modules/services/djbdns.te
--- nsaserefpolicy/policy/modules/services/djbdns.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/djbdns.te 2007-08-07 09:42:35.000000000 -0400
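Review bot: `files_pid_filetrans(dictd_t,dictd_var_run_t,file)` types every file dictd_t creates directly in /var/run as dictd_var_run_t, while the new fc entry covers only `/var/run/dictd\.pid`, so any other file the daemon writes there would carry a type that the next relabel reverts, and the mismatch would surface as an AVC only after a restorecon. If dictd only ever writes its pid file that is fine, but it is worth saying so, e.g. `# dictd only creates its pid file in /var/run; fc covers dictd.pid only` above the filetrans, or widening the fc entry if the daemon creates anything else (I cannot tell from here). The `manage_files_pattern` grant is the usual refpolicy idiom for pid files and is broader than create/write/unlink strictly needs, which is acceptable given the type is private to dictd. The rest of dictd.te's local policy is outside this hunk.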
@@ -5782,7 +5821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 @@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.76 2007/11/13 21:43:23 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.77 2007/11/20 12:11:26 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -5963,7 +6002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.76 2007/11/13 21:43:23 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.77 2007/11/20 12:11:26 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -12063,7 +12102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.6.4/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-05-07 14:51:02.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-09-04 12:06:53.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/system/init.te 2007-11-16 09:39:37.000000000 -0500 @@ -10,13 +10,20 @@ # Declarations # 
@@ -12184,6 +12223,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
+@@ -786,3 +815,8 @@
+ optional_policy(`
+ zebra_read_config(initrc_t)
+ ')
++
++optional_policy(`
++ rpm_dontaudit_rw_pipes(daemon)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-2.6.4/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/ipsec.if 2007-08-07 09:42:35.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cdcf06c..392314e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 57%{?dist}
+Release: 58%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,13 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
%endif
%changelog
+* Tue Nov 20 2007 Dan Walsh 2.6.4-58
+- Allow rhgb to getattr on filesystems
+- Allow dictd to use /var/run direcory
+- Fix printer labels under /usr/local/Printer and Brother
+- Fix /var/log/clamav labeling
+- Remove a lot of foolish avc's from terminal redirection\
+
* Tue Nov 13 2007 Dan Walsh 2.6.4-57
- Allow dovecot to communicate with postfix_private sockets
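Review bot: `rpm_dontaudit_rw_pipes(daemon)` is dead policy as committed, because the domain.te hunk in this same commit changes `rpm_dontaudit_rw_pipes(domain)` to `rpm_rw_pipes(domain)`; every daemon is also a domain, so the read/write on rpm pipes is already allowed for it, and a dontaudit only affects permissions that are denied. Either drop this block, or, if the intent is that daemons should only have the AVCs hidden while the real grant stays narrower, keep this line and restore `rpm_dontaudit_rw_pipes(domain)` in domain.te. A short comment here would help whichever way it goes, e.g. `# rpm runs init scripts with its pipes on stdin/stdout; hide, do not grant`. The preceding optional_policy blocks of init.te are outside the hunk; the spec changes on this line are a release bump and changelog and need no review.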