From 560df8b005316c44e88a1ce4b9cb8089e4fc32b1 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 27 2007 11:44:01 +0000
Subject: - Fixes for exim to run from cron - Fix /var/run/ppp* spec
---
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 374a802..0acd544 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -5720,7 +5720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400
 @@ -0,0 +1,16 @@
-+# $Id: policy-20070501.patch,v 1.69 2007/10/18 21:56:00 dwalsh Exp $
++# $Id: policy-20070501.patch,v 1.70 2007/10/27 11:44:01 dwalsh Exp $
 +# Draft SELinux refpolicy module for the Exim MTA
 +#
 +# Devin Carraway
@@ -5899,9 +5899,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-05 09:28:22.000000000 -0400
-@@ -0,0 +1,229 @@
-+# $Id: policy-20070501.patch,v 1.69 2007/10/18 21:56:00 dwalsh Exp $
++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-22 11:12:46.000000000 -0400
+@@ -0,0 +1,230 @@
++# $Id: policy-20070501.patch,v 1.70 2007/10/27 11:44:01 dwalsh Exp $
 +# Draft SELinux refpolicy module for the Exim MTA
 +#
 +# Devin Carraway
@@ -6014,13 +6014,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +
 +kernel_read_kernel_sysctls(exim_t)
 +kernel_dontaudit_read_system_state(exim_t)
++kernel_read_network_state(exim_t)
 +
 +miscfiles_read_localization(exim_t)
 +miscfiles_read_certs(exim_t)
 +
 +mta_read_aliases(exim_t)
 +mta_read_config(exim_t)
-+mta_rw_spool(exim_t)
++mta_manage_spool(exim_t)
 +mta_mailserver_delivery(exim_t)
 +
 +# Init script handling
@@ -6118,18 +6119,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +# Debian uses a template based config generator which generates config
 +# files under /var
 +ifdef(`distro_debian',`
-+ type exim_lib_t;
-+ files_config_file(exim_lib_t)
++ type exim_var_lib_t;
++ files_config_file(exim_var_lib_t)
 + exim_read_lib(exim_t)
 +
 + type exim_lib_update_t;
 + type exim_lib_update_exec_t;
 + init_domain(exim_lib_update_t, exim_lib_update_exec_t)
 + domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
-+ mta_read_lib(exim_lib_update_t)
++ exim_read_lib(exim_lib_update_t)
 + exim_manage_var_lib(exim_lib_update_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-2.6.4/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/fetchmail.te 2007-10-22 11:53:04.000000000 -0400
+@@ -91,6 +91,10 @@
+ ')
+
+ optional_policy(`
++ procmail_domtrans(fetchmail_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-10-04 10:58:50.000000000 -0400
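Review bot: `mta_manage_spool(exim_t)` widens exim_t's access on the mail spool type from read/write to the refpolicy manage set (create, unlink, rename and friends) with no comment saying which delivery path needed it; a local-delivery MTA typically needs create/append on user mailboxes, but unlink and rename also let a compromised exim_t remove or swap other users' mailboxes. Please add a line such as `+# local delivery: must create new mailboxes in the mail spool` above it and confirm from the audit2allow output that a narrower mta interface, if the mta module provides one, does not cover the actual denial. `kernel_read_network_state(exim_t)` is plausible for an MTA but is likewise undocumented. The exim_t rule block starts before this hunk.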
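Review bot: In the Debian block `exim_read_lib(exim_lib_update_t)` is immediately followed by `exim_manage_var_lib(exim_lib_update_t)`; if both interfaces resolve to the new `exim_var_lib_t`, the read call is subsumed by manage and can be dropped, otherwise a one-line comment saying what each covers would help the next reader. The rename from exim_lib_t to exim_var_lib_t is applied only in exim.te here, so the exim.if interfaces and any exim.fc entry for the /var/lib path presumably need the new name as well — they are outside this hunk. Note also that the type is declared with `files_config_file()` although it lives under /var/lib; a comment explaining that generic config readers are meant to read it would make the choice deliberate.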
@@ -6936,7 +6951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ## Read sendmail binary.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-18 09:25:13.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-22 11:09:41.000000000 -0400
 @@ -6,6 +6,7 @@
 # Declarations
 #
@@ -6997,6 +7012,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 cron_dontaudit_write_pipes(system_mail_t)
 ')
+@@ -117,6 +129,10 @@
+ ')
+
+ optional_policy(`
++ exim_domtrans(system_mail_t)
++')
++
++optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-09-01 07:24:41.000000000 -0400
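Review bot: `exim_domtrans(system_mail_t)` makes a cron job's mail run as exim_t, but the context line `cron_dontaudit_write_pipes(system_mail_t)` at the top of this hunk shows that the pipes cron leaves open were already an issue for system_mail_t, and the transition carries those same inherited descriptors into exim_t; nothing in this commit gives exim_t a matching rule, so `exim_t crond_t:fifo_file write` denials are likely and exim.te should gain `cron_dontaudit_write_pipes(exim_t)` (or the allow variant, if exim really writes back) inside an `optional_policy` block. The transition only fires when the executed file is labelled exim_exec_t, so on hosts where /usr/sbin/sendmail is an alternatives symlink the exim.fc entry for the real binary is what matters; that file is not in this hunk. The surrounding optional_policy chain in mta.te continues outside the hunk.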
@@ -8269,6 +8295,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +# For reading spamassasin
 +mta_read_config(postfix_virtual_t)
 +mta_manage_spool(postfix_virtual_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-2.6.4/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ppp.fc 2007-10-26 08:54:56.000000000 -0400
+@@ -25,7 +25,7 @@
+ #
+ # /var
+ #
+-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
++/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+ # Fix pptp sockets
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-2.6.4/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/ppp.if 2007-10-17 14:23:28.000000000 -0400
@@ -9321,7 +9359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-18 10:21:16.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-22 13:13:10.000000000 -0400
 @@ -16,6 +16,14 @@
 ##
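Review bot: The new spec `/var/run/(i)?ppp.*pid[^/]*` keeps `.*` in front of `pid`, and in file_contexts `.` matches `/` as well, so this entry also claims regular files under `/var/run/ppp/` whose names contain `pid`; today that agrees with the `/var/run/ppp(/.*)?` entry below because both yield pppd_var_run_t, but the two specs overlap and a later edit to either could split the labels silently. Consider `/var/run/(i)?ppp[^/]*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)` so the entry covers only files directly in /var/run. A short comment above it naming the file that failed to match before (the commit message only says "Fix /var/run/ppp* spec") would make the `[^/]*` tail self-explanatory.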
@@ -10432,10 +10470,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
 -# Allow krb5 telnetd to use fork and open /dev/tty for use
 -allow telnetd_t userpty_type:chr_file setattr;
 -')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-2.6.4/policy/modules/services/tftp.fc
+--- nsaserefpolicy/policy/modules/services/tftp.fc 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/tftp.fc 2007-10-22 13:14:48.000000000 -0400
+@@ -4,3 +4,5 @@
+
+ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+ /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
++/var/tftp -d gen_context(system_u:object_r:tftpdir_t,s0)
++/var/tftp/.* gen_context(system_u:object_r:tftpdir_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-08-22 08:28:44.000000000 -0400
-@@ -26,6 +26,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-10-22 13:17:56.000000000 -0400
+@@ -16,6 +16,17 @@
+ type tftpdir_t;
+ files_type(tftpdir_t)
+
++type tftpdir_rw_t;
++files_type(tftpdir_rw_t)
++
++##
++##

++## Allow tftp to modify public files
++## used for public file transfer services.
++##

++##
++##
++gen_tunable(allow_tftp_anon_write,false)
++
+
+ ########################################
+ #
+ # Local policy
+@@ -26,12 +37,17 @@
 allow tftpd_t self:udp_socket create_socket_perms;
 allow tftpd_t self:unix_dgram_socket create_socket_perms;
 allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
@@ -10443,15 +10508,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
 dontaudit tftpd_t self:capability sys_tty_config;
 allow tftpd_t tftpdir_t:dir { getattr read search };
-@@ -69,6 +70,7 @@
+ allow tftpd_t tftpdir_t:file { read getattr };
+ allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
++manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++
+ manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
+ files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
+
+@@ -69,6 +85,11 @@
 logging_send_syslog_msg(tftpd_t)
 miscfiles_read_localization(tftpd_t)
 +miscfiles_read_public_files(tftpd_t)
++
++tunable_policy(`allow_tftp_anon_write',`
++ miscfiles_manage_public_files(tftpd_t)
++')
 sysnet_read_config(tftpd_t)
 sysnet_use_ldap(tftpd_t)
-@@ -102,3 +104,4 @@
+@@ -102,3 +123,4 @@
 optional_policy(`
 udev_read_db(tftpd_t)
 ')
@@ -13466,7 +13545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-10-01 16:12:39.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-10-19 16:20:02.000000000 -0400
 @@ -6,6 +6,15 @@
 # Declarations
 #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ea5b538..30d55ae 100644
--- a/selinux-policy.spec
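Review bot: tftp.fc labels the new `/var/tftp` tree as read-only `tftpdir_t` and nothing in the patch assigns `tftpdir_rw_t` to any path, so the writable type declared in the `@@ -16,6 +16,17 @@` hunk is unreachable until an administrator relabels a directory by hand; either add an fc entry for an upload directory or say so where the type is declared, e.g. `# no default path: label an upload directory tftpdir_rw_t with semanage fcontext`. The boolean description `Allow tftp to modify public files used for public file transfer services.` only describes the public_content_rw_t grant; suggest `## Allow tftp to modify files of type public_content_rw_t. Directories labelled tftpdir_rw_t are writable by tftpd regardless of this boolean.` so admins do not assume the boolean is the only write path. The XML wrapper tags of the description appear to have been stripped by the page rendering, not by the commit. This hunk begins on an earlier line of the page.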
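Review bot: The three `manage_*_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)` lines are unconditional, unlike the `miscfiles_manage_public_files(tftpd_t)` grant that is wrapped in `tunable_policy(\`allow_tftp_anon_write',\``; TFTP has no client authentication, so any host that can reach the port can create, overwrite, delete and link files in a tftpdir_rw_t directory even with the boolean off. If that is intended, put a comment above the block such as `# tftpdir_rw_t is always writable by tftpd; the boolean below gates only public_content_rw_t`, and if not, move the three lines inside the same tunable_policy block. `manage_lnk_files_pattern` additionally lets tftpd create symlinks, which the read-side rules on tftpdir_t never needed; unless a tftpd implementation is known to create links, the narrower `read_lnk_files_pattern` (or dropping the line) keeps the writable tree from becoming a symlink-planting target.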
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 49%{?dist}
+Release: 50%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif
 %changelog
+* Mon Oct 22 2007 Dan Walsh 2.6.4-50
+- Fixes for exim to run from cron
+- Fix /var/run/ppp* spec
+
 * Fri Oct 12 2007 Dan Walsh 2.6.4-49
 - Change context on vmplayer
 - Allow eclipse to dbus_chat with hal