From 72bc25da0eb4a34ceba70d541099902eca3b0c48 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 07 2009 01:29:07 +0000
Subject: - Allow xserver to use netlink_kobject_uevent_socket
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 4e32b2e..c08c7a9 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +allow_execstack = false # Allow ftpd to read cifs directories. # 
diff --git a/policy-F12.patch b/policy-F12.patch
index b7ac22e..141e251 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -16568,14 +16568,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-09-06 15:49:01.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-09-06 21:25:04.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) -+type setroubleshoot_fixit_t; -+type setroubleshoot_fixit_exec_t; -+dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) ++ type setroubleshoot_fixit_t; ++ type setroubleshoot_fixit_exec_t; ++ dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + ######################################## # 
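Review bot: The flip of `allow_execstack` from true to false in the booleans-targeted.conf hunk is a default-tightening change that neither the commit subject nor the two changelog entries added in selinux-policy.spec mention, and nothing in the visible hunks touches xserver, so the subject line does not describe what this patch actually changes. With the boolean off, programs that make their stack executable via mprotect (as the comment above the line describes) will start producing execstack denials in enforcing mode after the upgrade unless the administrator turns it back on. Add a changelog line such as `- Turn off allow_execstack by default` and name it in the subject, so anyone chasing new AVCs after this release can find the cause.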
@@ -16584,10 +16584,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow setroubleshootd_t self:capability { dac_override sys_tty_config }; -allow setroubleshootd_t self:process { signull signal getattr getsched }; -+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; -+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; ++ allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config }; ++ allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run -+allow setroubleshootd_t self:process { execmem execstack }; ++ allow setroubleshootd_t self:process { execmem execstack }; allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -16595,10 +16595,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) -+kernel_read_net_sysctls(setroubleshootd_t) ++ kernel_read_net_sysctls(setroubleshootd_t) kernel_read_network_state(setroubleshootd_t) -+kernel_dontaudit_list_all_proc(setroubleshootd_t) -+kernel_read_unlabeled_state(setroubleshootd_t) ++ kernel_dontaudit_list_all_proc(setroubleshootd_t) ++ kernel_read_unlabeled_state(setroubleshootd_t) corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) 
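Review bot: The new side of the -16584 hunk keeps `allow setroubleshootd_t self:process { execmem execstack };` as an unconditional rule, justified only by the comment that a bad library might need it, which permanently drops the W^X restriction for a long-running system daemon instead of only while the offending library is present. This same commit turns `allow_execstack` off by default in booleans-targeted.conf, so granting it unconditionally here works against that tightening; the rule would fit better inside a tunable block keyed on the existing booleans, e.g. `tunable_policy(`allow_execmem`,` followed by the rule and `')`, or the comment should at least record which library forced it so the grant can be retired later. The enclosing setroubleshootd_t policy section starts before this hunk.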
@@ -16606,27 +16606,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -+dev_getattr_all_blk_files(setroubleshootd_t) -+dev_getattr_all_chr_files(setroubleshootd_t) ++ dev_getattr_all_blk_files(setroubleshootd_t) ++ dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) -+domain_signull_all_domains(setroubleshootd_t) ++ domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) -files_getattr_all_dirs(setroubleshootd_t) -+files_list_all(setroubleshootd_t) ++ files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) -+files_getattr_all_pipes(setroubleshootd_t) -+files_getattr_all_sockets(setroubleshootd_t) -+files_read_all_symlinks(setroubleshootd_t) ++ files_getattr_all_pipes(setroubleshootd_t) ++ files_getattr_all_sockets(setroubleshootd_t) ++ files_read_all_symlinks(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) -+fs_read_fusefs_symlinks(setroubleshootd_t) -+fs_dontaudit_read_nfs_files(setroubleshootd_t) -+fs_dontaudit_read_cifs_files(setroubleshootd_t) -+fs_list_inotifyfs(setroubleshootd_t) ++ fs_read_fusefs_symlinks(setroubleshootd_t) ++ fs_dontaudit_read_nfs_files(setroubleshootd_t) ++ fs_dontaudit_read_cifs_files(setroubleshootd_t) ++ fs_list_inotifyfs(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t)
@@ -16634,7 +16634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol locallogin_dontaudit_use_fds(setroubleshootd_t) -+logging_send_audit_msgs(setroubleshootd_t) ++ logging_send_audit_msgs(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) logging_stream_connect_dispatcher(setroubleshootd_t) 
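Review bot: The group of interfaces on the new side of the -16606 hunk — `files_list_all`, `files_getattr_all_pipes`, `files_getattr_all_sockets`, `files_read_all_symlinks`, `fs_read_fusefs_symlinks` and `dev_getattr_all_blk_files`/`dev_getattr_all_chr_files` — gives setroubleshootd_t metadata and symlink read reach over the entire filesystem with no comment saying why, and this commit only re-indents them. Presumably the daemon stats the paths named in AVC records to build its analysis; if that is the reason, a why-comment above the group such as `# setroubleshootd inspects arbitrary paths reported in AVC records` would let a later maintainer judge whether each interface is still required, and `domain_signull_all_domains` deserves its own one-line reason. The -16634 hunk below adds `logging_send_audit_msgs` with the same lack of rationale.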
@@ -16642,22 +16642,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_file_contexts(setroubleshootd_t) - -sysnet_read_config(setroubleshootd_t) -+seutil_read_bin_policy(setroubleshootd_t) ++ seutil_read_bin_policy(setroubleshootd_t) userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` -+ locate_read_lib_files(setroubleshootd_t) -+') ++ locate_read_lib_files(setroubleshootd_t) ++ ') + -+optional_policy(` ++ optional_policy(` dbus_system_bus_client(setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') optional_policy(` -+ rpm_signull(setroubleshootd_t) ++ rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) 
@@ -16667,38 +16667,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# setroubleshoot_fixit local policy +# -+allow setroubleshoot_fixit_t self:capability sys_nice; -+allow setroubleshoot_fixit_t self:process { setsched getsched }; -+allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; -+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; ++ allow setroubleshoot_fixit_t self:capability sys_nice; ++ allow setroubleshoot_fixit_t self:process { setsched getsched }; ++ allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms; ++ allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms; + -+setroubleshoot_dbus_chat(setroubleshoot_fixit_t) ++ setroubleshoot_dbus_chat(setroubleshoot_fixit_t) + -+corecmd_exec_bin(setroubleshoot_fixit_t) -+corecmd_exec_shell(setroubleshoot_fixit_t) ++ corecmd_exec_bin(setroubleshoot_fixit_t) ++ corecmd_exec_shell(setroubleshoot_fixit_t) + -+seutil_domtrans_restorecon(setroubleshoot_fixit_t) ++ seutil_domtrans_restorecon(setroubleshoot_fixit_t) + -+files_read_usr_files(setroubleshoot_fixit_t) -+files_read_etc_files(setroubleshoot_fixit_t) -+files_list_tmp(setroubleshoot_fixit_t) ++ files_read_usr_files(setroubleshoot_fixit_t) ++ files_read_etc_files(setroubleshoot_fixit_t) ++ files_list_tmp(setroubleshoot_fixit_t) + -+kernel_read_system_state(setroubleshoot_fixit_t) ++ kernel_read_system_state(setroubleshoot_fixit_t) + -+auth_use_nsswitch(setroubleshoot_fixit_t) ++ auth_use_nsswitch(setroubleshoot_fixit_t) + -+logging_send_audit_msgs(setroubleshoot_fixit_t) -+logging_send_syslog_msg(setroubleshoot_fixit_t) ++ logging_send_audit_msgs(setroubleshoot_fixit_t) ++ logging_send_syslog_msg(setroubleshoot_fixit_t) + -+miscfiles_read_localization(setroubleshoot_fixit_t) ++ miscfiles_read_localization(setroubleshoot_fixit_t) + -+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) ++ userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) + 
-+optional_policy(` -+ rpm_signull(setroubleshootd_fixit_t) -+ rpm_read_db(setroubleshootd_fixit_t) -+ rpm_dontaudit_manage_db(setroubleshootd_fixit_t) -+ rpm_use_script_fds(setroubleshootd_fixit_t) ++ optional_policy(` ++ rpm_signull(setroubleshoot_fixit_t) ++ rpm_read_db(setroubleshoot_fixit_t) ++ rpm_dontaudit_manage_db(setroubleshoot_fixit_t) ++ rpm_use_script_fds(setroubleshoot_fixit_t) +') + +optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 049c52b..78aa6eb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.30 -Release: 2%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
@@ -165,7 +165,7 @@ if [ -s /etc/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ - cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi \ fi
@@ -443,6 +443,12 @@ exit 0 %endif %changelog +* Fri Sep 4 2009 Dan Walsh 3.6.30-4 +- Allow xserver to use netlink_kobject_uevent_socket + +* Thu Sep 3 2009 Dan Walsh 3.6.30-3 +- Fixes for sandbox + * Mon Aug 31 2009 Dan Walsh 3.6.30-2 - Dontaudit setroubleshootfix looking at /root directory
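Review bot: In the rpm optional_policy block at the end of the -16667 hunk the opening `optional_policy(` line and its four rules are now indented while the closing `')` that follows as context stays at column 0, and the same indentation is applied to top-level rules throughout the -16568, -16584, -16595, -16606, -16634 and -16642 hunks; refpolicy keeps top-level statements flush-left and indents only inside `optional_policy`/`tunable_policy` bodies, so the new layout reads as if these rules belonged to an enclosing block that does not exist. Leading whitespace should not change what checkmodule builds, so the re-indentation is pure noise in a 16000-line patch file and will make the next rebase of policy-F12.patch harder than it needs to be. Restoring the flush-left form, with the rules inside the block tab-indented and `')` unchanged, keeps the fixit section consistent with the setroubleshootd_t section above it. The setroubleshoot_fixit_t type-name fix in the same block is the real content of this hunk and is correct as written.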
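Review bot: The new guard `[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre;` in the -165 hunk changes what the `.pre` snapshot means, from "file_contexts as it was just before this upgrade" to "file_contexts as it was when the oldest still-unfinished upgrade started", because a leftover `.pre` from an earlier run is now kept rather than refreshed. That is only correct if whatever later consumes `.pre` (presumably the post-upgrade relabel comparison, which lies outside this hunk) also removes it on success; a stale snapshot that survives would make that comparison miss labeling changes from intervening versions. Confirm the cleanup exists and record the intent next to the guard, e.g. `# keep the oldest pre-upgrade snapshot until the post-upgrade relabel removes it`. The macro this line belongs to starts before the hunk and its body continues past the closing `fi`.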