From 4c32c8b47bbc23c718a26c640d123d6bafd00982 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 04 2008 21:37:10 +0000 Subject: - Allow mozilla to auth_use_nsswitch - Change location of mock - Fix context on /usr/sbin/validate - allow vbetool to map low kernel memory - Allow fail2ban to connect to whois port - Allow bitlbee to read locale files - Allow clamd to execute shell - dontaudit setroubleshoot reading cifs and nfs files --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 0ac4e3e..3162eee 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1124,7 +1124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te --- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2008-02-27 23:26:06.000000000 -0500 @@ -215,3 +215,7 @@ userdom_dontaudit_search_staff_home_dirs(bootloader_t) userdom_dontaudit_search_sysadm_home_dirs(bootloader_t) 
@@ -2507,8 +2507,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te 2008-01-17 09:03:07.000000000 -0500 -@@ -33,4 +33,5 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te 2008-03-04 15:48:23.000000000 -0500 +@@ -23,6 +23,8 @@ + dev_rwx_zero(vbetool_t) + dev_read_sysfs(vbetool_t) + ++domain_mmap_low(vbetool_t) ++ + term_use_unallocated_ttys(vbetool_t) + + libs_use_ld_so(vbetool_t) +@@ -33,4 +35,5 @@ optional_policy(` hal_rw_pid_files(vbetool_t) hal_write_log(vbetool_t) @@ -3444,7 +3453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2008-01-21 12:59:59.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2008-03-04 10:34:00.000000000 -0500 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -3477,7 +3486,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; -@@ -71,6 +81,11 @@ +@@ -66,11 +76,15 @@ + allow $1_mozilla_t self:unix_stream_socket { listen accept }; + # Browse the web, connect to printer + allow $1_mozilla_t self:tcp_socket create_socket_perms; +- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms; + # for bash - old mozilla binary can_exec($1_mozilla_t, mozilla_exec_t) 
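Review bot: `domain_mmap_low(vbetool_t)` in the vbetool.te inner hunk hands the domain a standing exemption from the kernel's low-address mapping restriction (the `vm.mmap_min_addr` hardening), and the hunk records no reason for it. That restriction exists to blunt NULL-pointer-dereference bugs in the kernel, so a domain that may map page zero should carry a why-comment, e.g. `# vbetool runs the video BIOS through a real-mode emulator, which needs the first page mapped — confirm`, and is a good candidate for a tunable rather than an unconditional allow. Presumably this was driven by a denial on the `memprotect mmap_zero` permission; citing that AVC in the comment would also help the next maintainer judge whether it is still needed.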
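Review bot: The `@@ -66,11 +76,15 @@` inner hunk removes `allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;`, and the later outer hunks at `@@ -3578` and `@@ -3759` replace `sysnet_dns_name_resolve`, `sysnet_read_config` and `nscd_socket_use` with a single `auth_use_nsswitch($1_mozilla_t)`; this only preserves behaviour if `auth_use_nsswitch` in this tree brings back the netlink_route_socket permission along with the DNS and nscd access, which I cannot verify from the patch — please confirm, otherwise name resolution in the browser loses its interface lookups. Note that `auth_use_nsswitch` is also broader than what was removed: it typically covers every nsswitch backend (LDAP, NIS, winbind and so on), so the browser domain gains reach to whichever of those a site configures. A one-line comment above the new rule, `# name-service lookups via nsswitch (DNS, nscd and any configured backend)`, would make that widening visible to the next maintainer. The enclosing template body spans several hunks, so the full effect is not visible in any one of them.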
@@ -3489,7 +3503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # X access, Home files manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) -@@ -96,15 +111,41 @@ +@@ -96,15 +110,41 @@ relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) @@ -3538,7 +3552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -112,11 +153,13 @@ +@@ -112,11 +152,13 @@ ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; @@ -3554,7 +3568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Look for plugins corecmd_list_bin($1_mozilla_t) -@@ -165,10 +208,23 @@ +@@ -165,13 +207,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -3578,10 +3592,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) -@@ -184,12 +240,8 @@ - sysnet_dns_name_resolve($1_mozilla_t) - sysnet_read_config($1_mozilla_t) - ++ auth_use_nsswitch($1_mozilla_t) ++ + libs_use_ld_so($1_mozilla_t) + libs_use_shared_libs($1_mozilla_t) + +@@ -180,16 +237,8 @@ + miscfiles_read_fonts($1_mozilla_t) + miscfiles_read_localization($1_mozilla_t) + +- # Browse the web, connect to printer +- sysnet_dns_name_resolve($1_mozilla_t) +- sysnet_read_config($1_mozilla_t) +- - userdom_manage_user_home_content_dirs($1,$1_mozilla_t) - userdom_manage_user_home_content_files($1,$1_mozilla_t) - userdom_manage_user_home_content_symlinks($1,$1_mozilla_t) 
@@ -3593,7 +3616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -211,131 +263,8 @@ +@@ -211,131 +260,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -3727,7 +3750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,21 +279,27 @@ +@@ -350,21 +276,27 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -3759,7 +3782,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -384,25 +319,6 @@ +@@ -377,32 +309,9 @@ + ') + + optional_policy(` +- nscd_socket_use($1_mozilla_t) +- ') +- +- optional_policy(` thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -3785,7 +3815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -575,3 +491,27 @@ +@@ -575,3 +484,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -4294,7 +4324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:16:46.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-03-04 16:32:54.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; 
@@ -4387,10 +4417,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -@@ -160,13 +175,19 @@ +@@ -160,13 +175,20 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) network_port(vnc, tcp,5900,s0) ++network_port(whois, tcp,43,s0, udp,43,s0) +network_port(wccp, udp,2048,s0) +network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) @@ -4410,7 +4441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-02-20 08:52:30.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-02-27 17:11:36.000000000 -0500 @@ -1,8 +1,9 @@ /dev -d gen_context(system_u:object_r:device_t,s0) @@ -4476,7 +4507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -65,9 +83,8 @@ +@@ -65,14 +83,14 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) 
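Review bot: `network_port(whois, tcp,43,s0, udp,43,s0)` only declares the port type; none of the fail2ban.te hunks in this patch add the `corenet_tcp_connect_whois_port(fail2ban_t)` rule that `network_port` generates the interface for, even though the commit message says "Allow fail2ban to connect to whois port". The allow rule may live in an inner hunk this outer diff leaves untouched, but that cannot be seen here, so it is worth confirming on a built policy that fail2ban_t actually receives the permission. If nothing is expected to speak whois over UDP, `udp,43` could be dropped so the labelled port set matches what the policy intends to allow.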
@@ -4488,7 +4519,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) -@@ -94,12 +111,23 @@ + ') + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -94,12 +112,23 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -4512,7 +4549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/pts(/.*)? <> -@@ -113,14 +141,9 @@ +@@ -113,14 +142,9 @@ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) @@ -7683,8 +7720,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-02-26 16:46:48.000000000 -0500 -@@ -0,0 +1,75 @@ ++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-03-03 11:03:14.000000000 -0500 +@@ -0,0 +1,77 @@ + +policy_module(bitlbee, 1.0.0) + @@ -7754,6 +7791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl +libs_legacy_use_shared_libs(bitlbee_t) +libs_use_ld_so(bitlbee_t) + ++miscfiles_read_localization(bitlbee_t) ++ +sysnet_dns_name_resolve(bitlbee_t) + +optional_policy(` 
@@ -7850,7 +7889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam /var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2008-03-03 09:51:53.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(clamav,1.4.1) @@ -7858,24 +7897,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # -@@ -87,6 +87,7 @@ +@@ -87,6 +87,9 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) ++ ++corecmd_exec_shell(clamd_t) corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) -@@ -120,6 +121,8 @@ +@@ -120,6 +123,9 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) +mta_read_config(clamd_t) ++mta_send_mail(clamd_t) + optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -127,6 +130,10 @@ +@@ -127,6 +133,10 @@ amavis_create_pid_files(clamd_t) ') @@ -7886,7 +7928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy -@@ -233,3 +240,7 @@ +@@ -233,3 +243,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') 
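Review bot: `corecmd_exec_shell(clamd_t)` and `mta_send_mail(clamd_t)` in the clamav.te hunk widen what a compromised clamd can do considerably — clamd parses attacker-supplied files by design, and it may now spawn a shell and hand mail to the MTA — yet neither rule carries a comment. If these serve clamd's `VirusEvent`/notification hooks (an inference; the hunk gives no reason), say so next to the rules, e.g. `# clamd.conf VirusEvent runs a shell command on detection`, and consider gating them with a tunable so sites that do not use the hook keep the tighter policy. The shell and mail rules are the new exposure here; `kernel_read_system_state(clamd_t)` was already in the previous revision of the patch.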
@@ -10087,16 +10129,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-02-01 10:04:19.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-03-04 16:30:22.000000000 -0500 @@ -1,3 +1,5 @@ -+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) - /var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) - /var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) +-/var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) +-/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) ++/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) ++/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) ++/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) +/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-02-01 07:42:49.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-04 16:29:48.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(fail2ban,1.0.0) ++policy_module(fail2ban,1.1.0) + + ######################################## + # @@ -33,8 +33,9 @@ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) 
@@ -10108,7 +10159,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail kernel_read_system_state(fail2ban_t) -@@ -55,6 +56,8 @@ +@@ -47,14 +48,20 @@ + + files_read_etc_files(fail2ban_t) + files_read_usr_files(fail2ban_t) ++files_list_var(fail2ban_t) ++files_search_var_lib(fail2ban_t) ++ ++fs_list_inotifyfs(fail2ban_t) + + libs_use_ld_so(fail2ban_t) + libs_use_shared_libs(fail2ban_t) + +-logging_read_generic_logs(fail2ban_t) ++logging_read_all_logs(fail2ban_t) miscfiles_read_localization(fail2ban_t) @@ -15514,7 +15578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-02-15 15:40:37.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-02-29 09:08:55.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(setroubleshoot,1.4.1) @@ -15551,7 +15615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -67,16 +72,22 @@ +@@ -67,16 +72,24 @@ corenet_sendrecv_smtp_client_packets(setroubleshootd_t) dev_read_urand(setroubleshootd_t) @@ -15572,10 +15636,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) ++fs_dontaudit_read_nfs_files(setroubleshootd_t) ++fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -96,17 +107,23 @@ +@@ -96,17 +109,23 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
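Review bot: Replacing `logging_read_generic_logs(fail2ban_t)` with `logging_read_all_logs(fail2ban_t)` widens fail2ban from generic var_log_t files to every log type the policy defines, and the hunk does not say which service logs drove that. A comment such as `# fail2ban tails service-specific logs that carry their own types (e.g. sshd, httpd) — narrow to per-service read interfaces if that suffices` would let a maintainer later replace the catch-all. `fs_list_inotifyfs(fail2ban_t)` likewise arrives unexplained; presumably it backs inotify-based log watching, `# inotify backend lists inotifyfs`, but confirm. The inner hunk continues past the end of this outer hunk, so the remaining new rules for fail2ban_t are not visible here.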
@@ -17184,7 +17250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-24 13:40:36.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-02-27 23:18:23.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -17513,16 +17579,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-29 09:14:26.000000000 -0500 -@@ -14,6 +14,7 @@ ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-03-04 15:32:46.000000000 -0500 +@@ -13,7 +13,9 @@ + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -@@ -38,5 +39,9 @@ +@@ -38,5 +40,9 @@ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) 
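Review bot: `/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)` is inserted between the `/sbin/unix_chkpwd` and `/sbin/unix_verify` entries, breaking the file's path ordering; move it below the `/sbin/` entries (or into the `/usr` block, if the file has one outside this hunk). More to the point, chkpwd_exec_t is the entry point of the password-checking helper domain, the one allowed to verify passwords against the shadow file, so any binary carrying that label inherits that trust; a comment naming what `/usr/sbin/validate` is and which package ships it (I cannot tell from the hunk) would record why it merits the label. The adjacent `/sbin/unix_update` line is pre-existing context, not part of this change.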
@@ -18157,7 +18225,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/fstools.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/fstools.te 2008-02-27 23:25:25.000000000 -0500 @@ -109,8 +109,7 @@ term_use_console(fsadm_t) @@ -18597,7 +18665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-02-27 23:24:47.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -18827,7 +18895,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -749,6 +803,12 @@ +@@ -738,6 +792,7 @@ + + optional_policy(` + unconfined_domain(initrc_t) ++ unconfined_domain(init_t) + + ifdef(`distro_redhat',` + # system-config-services causes avc messages that should be dontaudited +@@ -749,6 +804,12 @@ ') ') 
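Review bot: `unconfined_domain(init_t)` in the init.te hunk strips confinement from PID 1, whereas this optional_policy block previously unconfined only initrc_t, and the hunk records no reason. unconfined_domain grants essentially every permission the policy defines, so any later rule written for init_t becomes moot until this line is removed; if it is a stop-gap for a specific set of denials (an inference), mark it, e.g. `# FIXME: init_t unconfined pending proper rules for <what>; revert once known`, so it is revisited rather than silently kept. The enclosing optional_policy block begins outside the hunk.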
@@ -19283,7 +19359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-15 15:38:14.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-29 15:22:06.000000000 -0500 @@ -34,6 +34,51 @@ # interface(`logging_send_audit_msgs',` @@ -19400,7 +19476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') ######################################## -@@ -597,3 +657,270 @@ +@@ -597,3 +657,272 @@ files_search_var($1) manage_files_pattern($1,var_log_t,var_log_t) ') @@ -19666,10 +19742,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +interface(`logging_stream_connect_audisp',` + gen_require(` + type audisp_t, audisp_var_run_t; ++ type auditd_t, auditd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t) ++ stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400 
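Review bot: `logging_stream_connect_audisp` now also performs `stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)`, so every caller that asked for the audit dispatcher socket silently gains connect access to auditd's own socket, and the interface's name and summary block (which precede the hunk and are not visible here) no longer describe what it grants. Either split the new rule into its own interface, e.g. `logging_stream_connect_auditd`, and call it only from the caller that needs it, or update the interface's description to state that it connects to both the audisp and auditd sockets and why (an inference: the dispatcher socket may be served by auditd itself). Keeping the grant as narrow as the name promises is the safer default for an interface other modules will reuse.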
@@ -19917,7 +19995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc /etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-02-27 23:24:15.000000000 -0500 @@ -44,9 +44,9 @@ # Cluster LVM daemon local policy # @@ -19987,18 +20065,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te userdom_dontaudit_use_unpriv_user_fds(clvmd_t) userdom_dontaudit_search_sysadm_home_dirs(clvmd_t) -@@ -131,10 +144,6 @@ +@@ -131,12 +144,12 @@ ') optional_policy(` - nis_use_ypbind(clvmd_t) --') -- --optional_policy(` - ricci_dontaudit_rw_modcluster_pipes(clvmd_t) - ricci_dontaudit_use_modcluster_fds(clvmd_t) ++ ricci_dontaudit_rw_modcluster_pipes(clvmd_t) ++ ricci_dontaudit_use_modcluster_fds(clvmd_t) ') -@@ -150,7 +159,8 @@ + + optional_policy(` +- ricci_dontaudit_rw_modcluster_pipes(clvmd_t) +- ricci_dontaudit_use_modcluster_fds(clvmd_t) ++ unconfined_domain(clvmd_t) + ') + + optional_policy(` +@@ -150,7 +163,8 @@ # DAC overrides and mknod for modifying /dev entries (vgmknodes) # rawio needed for dmraid @@ -20008,7 +20091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. -@@ -160,7 +170,8 @@ +@@ -160,7 +174,8 @@ allow lvm_t self:unix_dgram_socket create_socket_perms; allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms; 
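Review bot: `unconfined_domain(clvmd_t)` in the lvm.te hunk makes the cluster LVM daemon unconfined, which renders the rest of clvmd_t's rules in this file decorative, and nothing in the hunk says why. clvmd participates in cluster communication, so it is exactly the kind of daemon confinement is meant for; if this is a stop-gap for unresolved denials (an inference), mark it, `# TODO: clvmd_t should be confined; unconfined pending missing rules`, and prefer a tunable or build-time gate over an unconditional rule. The rearrangement of the ricci dontaudit lines in the same hunk keeps what the previous revision already applied and looks fine.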
@@ -20018,7 +20101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t) -@@ -208,7 +219,6 @@ +@@ -208,7 +223,6 @@ selinux_compute_user_contexts(lvm_t) dev_create_generic_chr_files(lvm_t) @@ -20026,7 +20109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) -@@ -228,6 +238,8 @@ +@@ -228,6 +242,8 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -20035,7 +20118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -246,6 +258,7 @@ +@@ -246,6 +262,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -20043,7 +20126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te term_getattr_all_user_ttys(lvm_t) term_list_ptys(lvm_t) -@@ -254,10 +267,12 @@ +@@ -254,10 +271,12 @@ domain_use_interactive_fds(lvm_t) @@ -20056,7 +20139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -275,6 +290,8 @@ +@@ -275,6 +294,8 @@ seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -20065,7 +20148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te ifdef(`distro_redhat',` # this is from the initrd: files_rw_isid_type_dirs(lvm_t) -@@ -293,5 +310,18 @@ +@@ -293,5 +314,18 @@ ') optional_policy(` 
@@ -21292,7 +21375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet xen_append_log(ifconfig_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2008-02-27 23:27:54.000000000 -0500 @@ -132,6 +132,7 @@ init_read_utmp(udev_t) @@ -21337,7 +21420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-01-22 09:29:20.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-04 10:18:00.000000000 -0500 @@ -7,6 +7,10 @@ /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) 
@@ -21348,7 +21431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400 @@ -24123,7 +24206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/xen.te 2008-01-17 09:03:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/xen.te 2008-02-27 23:16:42.000000000 -0500 @@ -45,9 +45,7 @@ type xenstored_t; diff --git a/selinux-policy.spec b/selinux-policy.spec index b421a07..e142f05 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 89%{?dist} +Release: 90%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -381,6 +381,17 @@ exit 0 %endif %changelog +* Tue Mar 4 2008 Dan Walsh 3.0.8-90 +- Allow mozilla to auth_use_nsswitch +- Change location of mock +- Fix context on /usr/sbin/validate +- allow vbetool to map low kernel memory +- Allow fail2ban to connect to whois port +- Allow bitlbee to read locale files +- Allow clamd to execute shell +- dontaudit setroubleshoot reading cifs and nfs files + + * Thu Feb 21 2008 Dan Walsh 3.0.8-89 - Add jkubin changes for nx and groupadd - Add isns port