From 4be3ba520d9ccdedda060c384dbe087824fabd38 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 11 2008 19:45:47 +0000 Subject: - dontaudit pam_t and dbusd writing to user_home_t --- diff --git a/policy-20071130.patch b/policy-20071130.patch index a1d2cee..d7307fb 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1645,7 +1645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.te serefpolicy-3.2.5/policy/modules/apps/ethereal.te --- nsaserefpolicy/policy/modules/apps/ethereal.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/ethereal.te 2008-01-11 13:39:25.000000000 -0500 @@ -16,6 +16,13 @@ type tethereal_tmp_t; files_tmp_file(tethereal_tmp_t) @@ -1783,7 +1783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.2.5/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/gnome.if 2008-01-11 13:39:51.000000000 -0500 @@ -33,9 +33,60 @@ ## # 
@@ -2016,8 +2016,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.2.5/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2007-12-19 05:38:08.000000000 -0500 -@@ -8,8 +8,15 @@ ++++ serefpolicy-3.2.5/policy/modules/apps/gnome.te 2008-01-11 13:40:13.000000000 -0500 +@@ -8,8 +8,19 @@ attribute gnomedomain; @@ -2036,6 +2036,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te + +type user_gconf_tmp_t; +files_tmp_file(user_gconf_tmp_t) ++ ++typealias user_gnome_home_t alias unconfined_gnome_home_t; ++typealias user_gconf_home_t alias unconfined_gconf_home_t; ++typealias user_gconf_tmp_t alias unconfined_gconf_tmp_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.2.5/policy/modules/apps/gpg.fc --- nsaserefpolicy/policy/modules/apps/gpg.fc 2007-10-12 08:56:02.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/apps/gpg.fc 2008-01-03 16:26:50.000000000 -0500 @@ -2050,7 +2054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.5/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-03 17:11:22.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/gpg.if 2008-01-11 13:40:51.000000000 -0500 @@ -38,6 +38,10 @@ gen_require(` type gpg_exec_t, gpg_helper_exec_t; 
@@ -3069,7 +3073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # /bin diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.2.5/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-03 17:10:37.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.if 2008-01-11 13:41:19.000000000 -0500 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -3510,7 +3514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2007-12-19 05:38:08.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te 2008-01-11 14:37:00.000000000 -0500 @@ -6,15 +6,15 @@ # Declarations # @@ -6014,7 +6018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto +/var/run/autofs.* gen_context(system_u:object_r:automount_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.2.5/policy/modules/services/automount.if --- nsaserefpolicy/policy/modules/services/automount.if 2007-03-26 10:39:04.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/automount.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/automount.if 2008-01-08 15:20:43.000000000 -0500 @@ -74,3 +74,21 @@ dontaudit $1 automount_tmp_t:dir getattr; 
@@ -6786,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.5/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/cups.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/cups.te 2008-01-10 16:16:06.000000000 -0500 @@ -43,14 +43,12 @@ type cupsd_var_run_t; @@ -6931,9 +6935,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -220,16 +230,19 @@ +@@ -219,17 +229,22 @@ + miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) ++sysnet_exec_ifconfig(cupsd_t) -sysnet_read_config(cupsd_t) - @@ -6944,6 +6950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Write to /var/spool/cups. lpd_manage_spool(cupsd_t) +lpd_read_config(cupsd_t) ++lpd_exec_lpr(cupsd_t) ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) @@ -6953,7 +6960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,12 +255,21 @@ +@@ -242,12 +257,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -6975,7 +6982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +285,10 @@ +@@ -263,6 +287,10 @@ ') optional_policy(` @@ -6986,7 +6993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -326,6 +352,7 @@ +@@ -326,6 +354,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) 
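Review bot: `sysnet_exec_ifconfig(cupsd_t)` (outer hunk `@@ -6931,9 +6935,11 @@`) executes ifconfig inside cupsd_t with no domain transition, so the binary runs with exactly cupsd's permissions, and nothing in the hunk records which CUPS feature needs it. A why-comment on the line, e.g. `# cupsd runs ifconfig in its own domain (no transition); needed for <feature placeholder>`, would let a later reviewer confirm the access is still required and that cupsd_t is not also being given net_admin to make it effective. `lpd_exec_lpr(cupsd_t)` in the following hunk deserves the same one-line justification. Both lines sit inside cupsd's local policy, which starts and ends outside these hunks.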
@@ -6994,7 +7001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -372,6 +399,10 @@ +@@ -372,6 +401,10 @@ ') optional_policy(` @@ -7005,7 +7012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -387,6 +418,7 @@ +@@ -387,6 +420,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -7013,7 +7020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,14 +531,12 @@ +@@ -499,14 +533,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -7032,7 +7039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,14 +567,14 @@ +@@ -537,14 +569,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -7049,7 +7056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) -@@ -565,6 +595,7 @@ +@@ -565,6 +597,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) @@ -8500,7 +8507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-12-06 13:12:03.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-04 10:12:33.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.if 2008-01-11 14:28:39.000000000 -0500 
@@ -133,6 +133,12 @@ sendmail_create_log($1_mail_t) ') @@ -8514,23 +8521,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ####################################### -@@ -217,6 +223,15 @@ - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_mail_t) +@@ -219,6 +225,11 @@ fs_manage_cifs_symlinks($1_mail_t) -+ fs_manage_cifs_files(mailserver_delivery) -+ fs_manage_cifs_symlinks(mailserver_delivery) -+ ') -+ + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_files($1_mail_t) + fs_manage_nfs_symlinks($1_mail_t) -+ fs_manage_nfs_files(mailserver_delivery) -+ fs_manage_nfs_symlinks(mailserver_delivery) - ') - ++ ') ++ optional_policy(` -@@ -305,6 +320,42 @@ + allow $1_mail_t self:capability dac_override; + +@@ -305,6 +316,42 @@ ######################################## ## @@ -8573,7 +8576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## Modified mailserver interface for ## sendmail daemon use. ## -@@ -383,11 +434,13 @@ +@@ -383,11 +430,13 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t) @@ -8587,7 +8590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -422,6 +475,7 @@ +@@ -422,6 +471,7 @@ # apache should set close-on-exec apache_dontaudit_rw_stream_sockets($1) apache_dontaudit_rw_sys_script_stream_sockets($1) @@ -8595,7 +8598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ') -@@ -438,20 +492,18 @@ +@@ -438,20 +488,18 @@ interface(`mta_send_mail',` gen_require(` attribute mta_user_agent; @@ -8622,7 +8625,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') ######################################## -@@ -586,6 +638,25 @@ +@@ -586,6 +634,25 @@ files_search_etc($1) allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') 
@@ -8648,7 +8651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### ## -@@ -837,6 +908,25 @@ +@@ -837,6 +904,25 @@ ######################################## ## @@ -8676,7 +8679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-11 14:28:19.000000000 -0500 @@ -6,6 +6,8 @@ # Declarations # @@ -8755,7 +8758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,6 +158,14 @@ +@@ -136,11 +158,30 @@ ') optional_policy(` 
@@ -8770,6 +8773,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. smartmon_read_tmp_files(system_mail_t) ') +-# should break this up among sections: ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(mailserver_delivery) ++ fs_manage_cifs_files(mailserver_delivery) ++ fs_manage_cifs_symlinks(mailserver_delivery) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(mailserver_delivery) ++ fs_manage_nfs_files(mailserver_delivery) ++ fs_manage_nfs_symlinks(mailserver_delivery) ++') + ++# should break this up among sections: + optional_policy(` + # why is mail delivered to a directory of type arpwatch_data_t? + arpwatch_search_data(mailserver_delivery) +@@ -154,3 +195,4 @@ + cron_read_system_job_tmp_files(mta_user_agent) + ') + ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc --- nsaserefpolicy/policy/modules/services/munin.fc 2007-04-30 10:41:38.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/munin.fc 2007-12-31 05:55:51.000000000 -0500 @@ -9905,7 +9930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.if 2008-01-08 16:12:40.000000000 -0500 @@ -416,7 +416,7 @@ ## ## 
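Review bot: The new `use_samba_home_dirs`/`use_nfs_home_dirs` blocks give the whole `mailserver_delivery` attribute `fs_manage_cifs_dirs/files/symlinks` and the NFS equivalents, and those interfaces cover every object of type cifs_t/nfs_t, not only home directories, so with the tunable enabled any delivery agent may create, rewrite or delete content on any CIFS or NFS mount. That is the usual refpolicy shape for these tunables, but the breadth should be stated next to the rules, e.g. `# nfs_t/cifs_t cover all NFS/CIFS mounts, not just home dirs; every delivery agent gets this`. The `++` at the end of the inner `@@ -154,3 +195,4 @@` hunk adds a trailing blank line to mta.te; the same stray blank is added to postfix.te (`@@ -584,3 +618,4 @@`) and spamassassin.fc (`@@ -9,8 +9,11 @@`).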
@@ -9944,7 +9969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2007-12-31 14:18:01.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/postfix.te 2008-01-11 14:27:52.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -10098,6 +10123,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy +@@ -584,3 +618,4 @@ + # For reading spamassasin + mta_read_config(postfix_virtual_t) + mta_manage_spool(postfix_virtual_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc --- nsaserefpolicy/policy/modules/services/postgresql.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc 2007-12-19 05:38:09.000000000 -0500 
@@ -10201,6 +10231,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 #
 # postgresql Local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.2.5/policy/modules/services/postgrey.te
+--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/postgrey.te 2008-01-08 16:15:30.000000000 -0500
+@@ -24,7 +24,7 @@
+ # Local policy
+ #
+ 
+-allow postgrey_t self:capability { chown setgid setuid };
++allow postgrey_t self:capability { chown dac_override setgid setuid };
+ dontaudit postgrey_t self:capability sys_tty_config;
+ allow postgrey_t self:process signal_perms;
+ allow postgrey_t self:tcp_socket create_stream_socket_perms;
+@@ -85,6 +85,11 @@
+ ')
+ 
+ optional_policy(`
++ postfix_read_config(postgrey_t)
++ postfix_read_spool_files(postgrey_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(postgrey_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc 2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/ppp.fc 2007-12-19 05:38:09.000000000 -0500
@@ -11632,13 +11686,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2007-12-19 05:38:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-09 09:00:58.000000000 -0500
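Review bot: `dac_override` added to postgrey_t's self capabilities (inner hunk `@@ -24,7 +24,7 @@`) lets the daemon ignore owner/group/mode checks on every file its type may otherwise reach, and the hunk does not say which access failed without it. Capability additions made to clear a single denial are usually better resolved by fixing the ownership or mode of the directory involved, and if the failing access is read or search only, `dac_read_search` is the narrower capability. Please record the reason on the line, e.g. `# dac_override: needed for <access placeholder> on <path placeholder>; confirm DAC ownership cannot be fixed instead`. The new `optional_policy` block with `postfix_read_config`/`postfix_read_spool_files` is fine as written.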
@@ -1,4 +1,4 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0) /usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0) /usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0) +@@ -9,8 +9,11 @@ + + /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) + ++/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++ + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + + /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-03 12:06:11.000000000 -0500 @@ -12085,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-03 12:54:53.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-09 09:00:24.000000000 -0500 @@ -21,8 +21,9 @@ gen_tunable(spamd_enable_home_dirs,true) 
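Review bot: The new file-context line `/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)` (inner hunk `@@ -9,8 +9,11 @@`, outer hunk starting on the previous line) matches only the live log file, so rotated copies such as spamd.log.1 fall back to the generic var_log_t on the next relabel. If rotation is expected, refpolicy's usual form is `/var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)`, which keeps the whole family under spamd_log_t. If rotated copies are deliberately left as var_log_t, a short comment saying so would stop the next maintainer from "fixing" it.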
@@ -12097,7 +12163,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam type spamd_t; type spamd_exec_t; -@@ -42,7 +43,17 @@ +@@ -31,6 +32,9 @@ + type spamd_spool_t; + files_type(spamd_spool_t) + ++type spamd_log_t; ++logging_log_file(spamd_log_t) ++ + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) + +@@ -42,7 +46,17 @@ files_pid_file(spamd_var_run_t) type spamassassin_exec_t; @@ -12116,7 +12192,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam ######################################## # -@@ -81,10 +92,11 @@ +@@ -71,6 +85,9 @@ + allow spamd_t self:udp_socket create_socket_perms; + allow spamd_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) ++logging_log_filetrans(spamd_t,spamd_log_t,file) ++ + manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) + manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) + files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) +@@ -81,10 +98,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -12129,7 +12215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -149,11 +161,31 @@ +@@ -149,11 +167,31 @@ userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) @@ -12161,7 +12247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -171,6 +203,7 @@ +@@ -171,6 +209,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -12169,7 +12255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') -@@ -212,3 +245,206 @@ +@@ -212,3 +251,206 @@ optional_policy(` udev_read_db(spamd_t) ') 
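Review bot: `manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)` (inner hunk `@@ -71,6 +85,9 @@`) gives spamd_t create, write, unlink, rename and setattr on its own log type, which is more than a daemon that only appends to its log needs and would let a compromised spamd truncate or remove its own log. If spamd only ever opens spamd.log for append, the narrower pair `create_files_pattern(spamd_t,spamd_log_t,spamd_log_t)` and `append_files_pattern(spamd_t,spamd_log_t,spamd_log_t)` alongside the existing `logging_log_filetrans` preserves the log's integrity; if it genuinely rewrites the file, a comment saying so would justify the manage grant. The new line also uses spaces after commas while the neighbouring `manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t)` rules do not; one style should be used.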
@@ -14139,7 +14225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2007-12-19 05:38:09.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-11 14:30:57.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -14160,18 +14246,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -121,6 +127,10 @@ +@@ -121,6 +127,11 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) +userdom_unlink_unpriv_users_tmp_files(pam_t) -+userdom_read_unpriv_users_home_content_files(pam_t) ++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) ++userdom_dontaudit_write_user_home_content_files(user, pam_t) +userdom_append_unpriv_users_home_content_files(pam_t) optional_policy(` locallogin_use_fds(pam_t) -@@ -279,8 +289,10 @@ +@@ -279,8 +290,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -14183,7 +14270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -329,11 +341,6 @@ +@@ -329,11 +342,6 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index fb26e1d..2d8e2d4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
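Review bot: `userdom_dontaudit_write_user_home_content_files(user, pam_t)` (inner hunk `@@ -121,6 +127,11 @@`, outer hunk `@@ -14160,18 +14246,19 @@`) is scoped to the `user` role prefix, while the neighbouring `userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)` and `userdom_append_unpriv_users_home_content_files(pam_t)` cover all unprivileged users; if the write attempts being silenced also happen for staff or other roles, those denials will still be audited, so either apply the dontaudit to all unprivileged roles like its neighbours or comment why only `user` is meant. Since dontaudit rules permanently hide denials, the block should also record what triggers them, e.g. `# <PAM module placeholder> touches files in user home dirs; denied, not logged`, so the rule can be revisited when that module changes. The commit subject also mentions dbusd, but no dbus change is visible in this chunk, so it presumably lives in another hunk. The pam_t local policy section starts and ends outside this hunk.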
@@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
+* Mon Jan 7 2008 Dan Walsh 3.2.5-10
+- dontaudit pam_t and dbusd writing to user_home_t
+
 * Mon Jan 7 2008 Dan Walsh 3.2.5-9
 - Update gpg to allow reading of inotify