From 424a9a3dae3cabdadcb77a3b9e91a551bf19a762 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jun 22 2007 19:15:52 +0000
Subject:
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 7c08193..67b0bb4 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -12,7 +12,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
  .TP
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.6.4/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/flask/access_vectors	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/flask/access_vectors	2007-06-22 14:29:33.000000000 -0400
 @@ -598,6 +598,8 @@
  	shmempwd
  	shmemgrp
@@ -31,6 +31,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors
  }
  class key
+@@ -648,3 +652,9 @@
+ 	node_bind
+ 	name_connect
+ }
++
++class memprotect
++{
++	mmap_zero
++}
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/security_classes serefpolicy-2.6.4/policy/flask/security_classes
+--- nsaserefpolicy/policy/flask/security_classes	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/flask/security_classes	2007-06-22 14:34:57.000000000 -0400
+@@ -97,4 +97,6 @@
+ 
+ class dccp_socket
+ 
++class memprotect
++
+ # FLASK
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.6.4/policy/global_booleans
 --- nsaserefpolicy/policy/global_booleans	2007-05-07 14:51:05.000000000 -0400
 +++ serefpolicy-2.6.4/policy/global_booleans	2007-06-18 10:18:55.000000000 -0400
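Review bot: The new `class memprotect { mmap_zero }` in access_vectors and the matching `class memprotect` in security_classes carry no comment saying what the kernel enforces with them, while the `domain_mmap_low` description later in this patch does tie `mmap_zero` to /proc/sys/kernel/mmap_min_addr. A one-line comment above the access_vectors entry, `# mmap_zero: checked by the kernel when a process maps memory below mmap_min_addr`, would let a reader of the flask definitions find the policy that depends on it. Appending the class after dccp_socket rather than inserting it earlier is the right placement, since class identifiers follow declaration order in security_classes. The inner hunks patching both files start and end outside this view.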
@@ -629,7 +649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
  /var/lib/alternatives(/.*)?	gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.6.4/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-06-18 11:07:56.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/rpm.if	2007-06-21 09:36:31.000000000 -0400
 @@ -211,6 +211,24 @@
  ########################################
@@ -686,7 +706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
  ')
  ########################################
-@@ -290,3 +329,46 @@
+@@ -290,3 +329,65 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -717,6 +737,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 +########################################
 +##
++## allow domain to read,
++## write RPM tmp files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`rpm_rw_tmp_files',`
++	gen_require(`
++		type rpm_tmp_t;
++	')
++
++	allow $1 rpm_tmp_t:file rw_file_perms;
++')
++
++########################################
++##
 +## Do not audit attempts to read,
 +## write RPM tmp files
 +##
@@ -1611,7 +1650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.6.4/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.if	2007-06-20 07:41:47.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.if	2007-06-22 14:12:55.000000000 -0400
 @@ -64,6 +64,7 @@
  ')
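Review bot: The parameter description of the new `rpm_rw_tmp_files` interface reads `Domain to not audit.`, which was evidently carried over from the dontaudit interface that follows it in the same hunk; this interface grants access, so the line should be `++## Domain allowed access.`. The interface summary would also read better in the style of its neighbours as `++## Allow the domain to read and` / `++## write RPM tmp files`. The rpm.if section this hunk patches continues beyond the hunk on both sides.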
@@ -1620,7 +1659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  	selinux_dontaudit_read_fs($1)
  ')
-@@ -1254,3 +1255,21 @@
+@@ -1254,3 +1255,44 @@
  	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  ')
@@ -1642,9 +1681,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +
 +	allow $1 domain:association { sendto recvfrom };
 +')
++
++########################################
++##
++## Ability to mmap a low area of the address space,
++## as configured by /proc/sys/kernel/mmap_min_addr.
++## Preventing such mappings helps protect against
++## exploiting null deref bugs in the kernel.
++##
++##
++##
++## Domain allowed to mmap low memory.
++##
++##
++#
++interface(`domain_mmap_low',`
++	gen_require(`
++		attribute mmap_low_domain_type;
++	')
++
++	allow $1 self:memprotect mmap_zero;
++
++	typeattribute $1 mmap_low_domain_type;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-2.6.4/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/domain.te	2007-06-22 14:13:13.000000000 -0400
 @@ -6,6 +6,29 @@
  # Declarations
  #
@@ -1675,7 +1737,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  # Mark process types as domains
  attribute domain;
-@@ -144,3 +167,26 @@
+@@ -15,6 +38,10 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+ 
++# Domains that can mmap low memory.
++attribute mmap_low_domain_type;
++neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
++
+ # Domains that can set their current context
+ # (perform dynamic transitions)
+ attribute set_curr_context;
+@@ -144,3 +171,26 @@
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
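Review bot: The new `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;` in domain.te covers every domain, including those carrying `unconfined_domain_type`, and nothing in these hunks adds the unconfined domains to `mmap_low_domain_type`; if the unconfined interface grants a wildcard on `self` for all classes, the policy build will stop on this neverallow, so confirm that unconfined.te (outside this view) either calls `domain_mmap_low` or has no rule reaching memprotect. A short comment above the neverallow would also make the declaration self-explanatory without a trip to domain.if, e.g. `++# mmap_zero is the kernel's mmap_min_addr check; only mmap_low_domain_type may map low memory`. The `domain_mmap_low` interface documentation itself is good and names the threat it mitigates.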
@@ -3262,8 +3335,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.6.4/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.fc	2007-06-18 10:18:55.000000000 -0400
-@@ -45,3 +45,4 @@
++++ serefpolicy-2.6.4/policy/modules/services/cron.fc	2007-06-20 09:54:43.000000000 -0400
+@@ -17,6 +17,8 @@
+ /var/run/fcron\.fifo	-s	gen_context(system_u:object_r:crond_var_run_t,s0)
+ /var/run/fcron\.pid	--	gen_context(system_u:object_r:crond_var_run_t,s0)
+ 
++/var/spool/anacron(/.*)	gen_context(system_u:object_r:cron_spool_t,s0)
++
+ /var/spool/at	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/spool	-d	gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/at/[^/]*	--	<>
+@@ -45,3 +47,4 @@
  /var/spool/fcron/systab\.orig	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
  /var/spool/fcron/new\.systab	--	gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -4500,7 +4582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te	2007-06-22 14:06:28.000000000 -0400
 @@ -5,6 +5,7 @@
  #
  # Declarations
@@ -4509,7 +4591,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  ##
  ##
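Review bot: The new file-context line `/var/spool/anacron(/.*)	gen_context(system_u:object_r:cron_spool_t,s0)` uses `(/.*)` without the trailing `?`, so the pattern matches only entries inside the directory and never /var/spool/anacron itself, which is then labelled by whatever /var/spool's rule gives it; every other recursive pattern in this patch, for example `/var/lib/alternatives(/.*)?` in the rpm.fc hunk earlier, uses `(/.*)?`. Change it to `++/var/spool/anacron(/.*)?	gen_context(system_u:object_r:cron_spool_t,s0)`. The cron.fc file continues beyond both inner hunks on either side.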

-@@ -126,6 +127,7 @@
+@@ -91,6 +92,7 @@
+ kernel_read_kernel_sysctls(kadmind_t)
+ kernel_list_proc(kadmind_t)
+ kernel_read_proc_symlinks(kadmind_t)
++kernel_read_system_state(kadmind_t)
+ 
+ corenet_non_ipsec_sendrecv(kadmind_t)
+ corenet_tcp_sendrecv_all_if(kadmind_t)
+@@ -117,6 +119,9 @@
+ domain_use_interactive_fds(kadmind_t)
+ 
+ files_read_etc_files(kadmind_t)
++files_read_usr_symlinks(kadmind_t)
++files_read_usr_files(kadmind_t)
++files_read_var_files(kadmind_t)
+ 
+ libs_use_ld_so(kadmind_t)
+ libs_use_shared_libs(kadmind_t)
+@@ -126,6 +131,7 @@
  miscfiles_read_localization(kadmind_t)
  sysnet_read_config(kadmind_t)
@@ -4517,7 +4617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
  userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -227,6 +229,7 @@
+@@ -227,6 +233,7 @@
  miscfiles_read_localization(krb5kdc_t)
  sysnet_read_config(krb5kdc_t)
@@ -4525,7 +4625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
  userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -248,3 +251,36 @@
+@@ -248,3 +255,36 @@
  optional_policy(`
  	udev_read_db(krb5kdc_t)
  ')
@@ -5473,7 +5573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-06-18 10:19:49.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-06-22 09:40:25.000000000 -0400
 @@ -84,6 +84,12 @@
  type postfix_var_run_t;
  files_pid_file(postfix_var_run_t)
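Review bot: `files_read_var_files(kadmind_t)` in the `@@ -117,6 +119,9 @@` inner hunk grants kadmind read access to every file carrying the generic /var type rather than to a kadmind- or KDC-specific type, and the hunk gives no hint which file it is after; if this is working around a file that should have its own label, a narrower interface or at least a comment naming the file is preferable, e.g. `++files_read_var_files(kadmind_t)	# for <file under /var — TODO name it>; relabel if kadmind-specific`. The usr symlink/file reads and `kernel_read_system_state` are conventional daemon grants and need no comment. This outer hunk begins on the preceding page line, and the kerberos.te section continues past the `@@ -248,3 +255,36 @@` hunk whose 33 added lines are not shown here.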
@@ -5557,7 +5657,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  # connect to master process
  stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -552,9 +574,45 @@
+@@ -528,6 +550,8 @@
+ 
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+ 
++files_dontaudit_getattr_home_dir(postfix_smtp_t)
++
+ optional_policy(`
+ 	cyrus_stream_connect(postfix_smtp_t)
+ ')
+@@ -552,9 +576,45 @@
  mta_read_aliases(postfix_smtpd_t)
  optional_policy(`
@@ -7013,8 +7122,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-06-18 10:18:55.000000000 -0400
-@@ -1136,7 +1136,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-06-22 14:12:37.000000000 -0400
+@@ -83,6 +83,8 @@
+ 	manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
+ 	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
+ 
++	domain_mmap_low($1_xserver_t)
++
+ 	kernel_read_system_state($1_xserver_t)
+ 	kernel_read_device_sysctls($1_xserver_t)
+ 	kernel_read_modprobe_sysctls($1_xserver_t)
+@@ -540,6 +542,9 @@
+ 	allow $2 self:unix_dgram_socket create_socket_perms;
+ 	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+ 
++	# this should cause the .xsession-errors file to be written to /tmp
++	dontaudit xdm_t $1_home_t:file rw_file_perms;
++
+ 	# Read .Xauthority file
+ 	allow $2 $1_xauth_home_t:file { getattr read };
+ 	allow $2 $1_iceauth_home_t:file { getattr read };
+@@ -1136,7 +1141,7 @@
  	type xdm_xserver_tmp_t;
  ')
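Review bot: `dontaudit xdm_t $1_home_t:file rw_file_perms;` silences xdm_t's read/write denials on every file labelled `$1_home_t`, not only `.xsession-errors`, so real denials when xdm touches other files in the user's home will no longer reach the audit log; either the comment should say that this breadth is accepted, or `.xsession-errors` should get its own type so the rule can be narrowed. The rule also names `xdm_t` directly while the surrounding rules use `$2`, which only works if `xdm_t` is in this interface's gen_require — that block is outside the hunk. Separately, `domain_mmap_low($1_xserver_t)` carves the X server out of the new `mmap_zero` neverallow in domain.te and deserves a why-comment, e.g. `++	# the X server maps low memory — presumably for legacy video BIOS calls; confirm`. Both interface bodies start and end outside this hunk.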
@@ -8004,7 +8132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-06-19 08:52:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-06-22 09:06:18.000000000 -0400
 @@ -81,8 +81,8 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -8033,7 +8161,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -254,6 +257,8 @@
+@@ -157,6 +160,8 @@
+ /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libXcomp\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/NX/libjpeg\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/X11R6/lib/libGL\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -254,6 +259,8 @@
  /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
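Review bot: The two new NX entries use a literal `/usr/lib/NX/` while the neighbouring generic entries in this hunk use `/usr/lib(64)?/`, so on a 64-bit install that places the libraries under /usr/lib64/NX neither pattern matches and the libraries will not receive `textrel_shlib_t`; if NX installs there on x86_64, write them as `++/usr/lib(64)?/NX/libXcomp\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` and likewise for libjpeg. Every textrel_shlib_t entry also permits text relocation (execmod) on the matched files, so patterns should stay as specific as the install layout allows. The libraries.fc section continues beyond both inner hunks.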
@@ -8044,7 +8181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  # vmware
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-06-21 09:35:57.000000000 -0400
 @@ -62,7 +62,8 @@
  manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
@@ -8065,6 +8202,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  ')
  optional_policy(`
+@@ -113,4 +113,6 @@
+ 	# and executes ldconfig on it. If you dont allow this kernel installs
+ 	# blow up.
+ 	rpm_manage_script_tmp_files(ldconfig_t)
++	# smart package manager needs the following for the same reason
++	rpm_rw_tmp_files(ldconfig_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.6.4/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/locallogin.te	2007-06-18 10:18:55.000000000 -0400
@@ -9082,7 +9226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.6.4/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-06-18 11:26:44.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/udev.te	2007-06-22 11:40:29.000000000 -0400
 @@ -18,11 +18,6 @@
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
@@ -9129,20 +9273,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  files_read_etc_runtime_files(udev_t)
  files_read_etc_files(udev_t)
  files_exec_etc_files(udev_t)
-@@ -142,8 +144,12 @@
+@@ -142,8 +144,14 @@
  seutil_read_file_contexts(udev_t)
  seutil_domtrans_restorecon(udev_t)
 +sysnet_read_dhcpc_pid(udev_t)
-+sysnet_read_dhcp_config(udev_t)
++sysnet_rw_dhcp_config(udev_t)
 +sysnet_delete_dhcpc_pid(udev_t)
  sysnet_domtrans_ifconfig(udev_t)
  sysnet_domtrans_dhcpc(udev_t)
 +sysnet_signal_dhcpc(udev_t)
++sysnet_etc_filetrans_config(udev_t)
++sysnet_manage_config(udev_t)
  userdom_use_sysadm_ttys(udev_t)
  userdom_dontaudit_search_all_users_home_content(udev_t)
-@@ -194,5 +200,24 @@
+@@ -194,5 +202,24 @@
  ')
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e239c86..eee173b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,8 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif
 %changelog
+* Thu Jun 21 2007 Dan Walsh 2.6.4-22
+
 * Wed Jun 20 2007 Dan Walsh 2.6.4-21
 - Still fixing cron
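Review bot: `sysnet_manage_config(udev_t)` together with `sysnet_etc_filetrans_config(udev_t)` lets udev create, rewrite and delete the network configuration files and have new files it creates in /etc take the network-config label, a much broader grant than the read access it sits next to, yet the hunk carries no comment on which udev helper needs it; a line such as `++# udev's network hook rewrites the dhcp/network config (helper: <TODO name it>)` above the block would record the reason for the next reviewer. If `sysnet_manage_config` already covers the files that `sysnet_rw_dhcp_config` addresses, the `sysnet_rw_dhcp_config(udev_t)` line is redundant — confirm against sysnet.if, which is outside this view. The udev.te section continues past the `@@ -194,5 +202,24 @@` hunk, whose added lines are not shown here.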