From 798a73de69a9084e14d47c04a6974275d7dddcc3 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 24 2008 13:41:09 +0000 Subject: - Dontaudit domains trying to write to .xsession-errors --- diff --git a/policy-20080710.patch b/policy-20080710.patch index cce5e88..b570c5c 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -6953,7 +6953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-21 11:21:45.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-10-24 08:28:13.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -6983,7 +6983,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # create child processes in the domain allow domain self:process { fork sigchld }; -@@ -131,6 +141,9 @@ +@@ -113,6 +123,7 @@ + optional_policy(` + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) ++ xserver_dontaudit_rw_xdm_home_files(domain) + ') + + ######################################## +@@ -131,6 +142,9 @@ allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -6993,7 +7001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -140,7 +153,7 @@ +@@ -140,7 +154,7 @@ # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; 
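Review bot: `xserver_dontaudit_rw_xdm_home_files(domain)` in the domain.te hunk suppresses the denial for every process type in the policy, since `domain` is the attribute every domain carries, so a network-facing daemon probing a user's xdm home files would no longer leave an audit record. The other dontaudit this same patch adds (the dbus.if system-bus client change) is gated behind `ifdef(`hide_broken_symptoms', ...)`; the same gate would keep this one out of a policy built for auditing. I'd wrap the call as `ifdef(`hide_broken_symptoms',` / `xserver_dontaudit_rw_xdm_home_files(domain)` / `')` inside the existing optional_policy block, with a comment naming the noise it hides, e.g. `# X clients have stderr redirected to ~/.xsession-errors; hide the writes`. The surrounding optional_policy block is complete in the hunk, but the rest of the domain rules are outside it.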
@@ -7002,7 +7010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +161,39 @@ +@@ -148,3 +162,39 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7063,7 +7071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-10-24 08:41:49.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -7076,7 +7084,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_type($1) ') -@@ -1303,6 +1308,24 @@ +@@ -1060,6 +1065,24 @@ + ## + ## + # ++interface(`files_relabel_all_file_type_fs',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:filesystem { relabelfrom relabelto }; ++') ++ ++######################################## ++## ++## Relabel a filesystem to the type of a file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`files_relabelto_all_file_type_fs',` + gen_require(` + attribute file_type; +@@ -1303,6 +1326,24 @@ ######################################## ## @@ -7101,7 +7134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Unmount a rootfs filesystem. ## ## -@@ -1889,6 +1912,26 @@ +@@ -1889,6 +1930,26 @@ ######################################## ## 
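Review bot: The new `files_relabel_all_file_type_fs` interface in the files.if hunk is inserted between an existing header comment and `interface(`files_relabelto_all_file_type_fs',`, so it takes over the documentation written for the relabelto-only interface, while the freshly added header block (`## Relabel a filesystem to the type of a file.`) is given to the old one; neither header mentions `relabelfrom`. Since the new interface grants `{ relabelfrom relabelto }` on the `filesystem` class for every `file_type`, which is broader than the interface it sits beside, its summary should say so, e.g. `## Relabel a filesystem from and to the type of a file.`. The header lines above the insertion point are only shown as `##`/`#` context, so I can't confirm their current wording.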
@@ -7128,7 +7161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write generic files in /etc. ## ## -@@ -2224,6 +2267,49 @@ +@@ -2224,6 +2285,49 @@ ######################################## ## @@ -7178,7 +7211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -2744,6 +2830,24 @@ +@@ -2744,6 +2848,24 @@ ######################################## ## @@ -7203,7 +7236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -3394,6 +3498,8 @@ +@@ -3394,6 +3516,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -7212,7 +7245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3471,6 +3577,47 @@ +@@ -3471,6 +3595,47 @@ ######################################## ## @@ -7260,7 +7293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Get the attributes of files in /usr. ## ## -@@ -3547,6 +3694,24 @@ +@@ -3547,6 +3712,24 @@ ######################################## ## @@ -7285,7 +7318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Relabel a file to the type used in /usr. ## ## -@@ -4433,6 +4598,25 @@ +@@ -4433,6 +4616,25 @@ ######################################## ## @@ -7311,7 +7344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write generic process ID files. ## ## -@@ -4761,12 +4945,14 @@ +@@ -4761,12 +4963,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) 
@@ -7327,7 +7360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4787,3 +4973,71 @@ +@@ -4787,3 +4991,71 @@ typeattribute $1 files_unconfined_type; ') @@ -7894,7 +7927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-14 11:58:07.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-10-24 08:34:16.000000000 -0400 @@ -21,7 +21,6 @@ # Use xattrs for the following filesystem types. @@ -7915,15 +7948,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type eventpollfs_t; fs_type(eventpollfs_t) # change to task SID 20060628 -@@ -141,6 +145,7 @@ +@@ -141,6 +145,8 @@ fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) +genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) ++genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) type vxfs_t; fs_noxattr_type(vxfs_t) -@@ -241,6 +246,7 @@ +@@ -241,6 +247,7 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) 
@@ -12391,7 +12425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-23 17:00:09.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-24 08:57:55.000000000 -0400 @@ -35,39 +35,24 @@ # template(`cron_per_role_template',` @@ -12744,7 +12778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Manage lib files used by cron ++## Manage pid files used by cron +## +## +## @@ -12752,13 +12786,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`cron_manage_lib_files',` ++interface(`cron_manage_pid_files',` + gen_require(` -+ type crond_var_lib_t; ++ type crond_var_run_t; + ') + + -+ manage_files_pattern($1, crond_var_lib_t, crond_var_lib_t) ++ manage_files_pattern($1, crond_var_run_t, crond_var_run_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 
@@ -13652,7 +13686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-17 17:55:07.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2008-10-24 09:08:08.000000000 -0400 @@ -53,19 +53,19 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -13881,7 +13915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -366,3 +440,99 @@ +@@ -366,3 +440,120 @@ allow $1 system_dbusd_t:dbus *; ') @@ -13936,6 +13970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client_template($1, $1) + dbus_connect_system_bus($1) + ++ ifdef(`hide_broken_symptoms', ` ++ dbus_dontaudit_rw_system_selinux_socket($1) ++ '); +') + +######################################## 
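Review bot: The `ifdef(`hide_broken_symptoms', ...)` block added after `dbus_connect_system_bus($1)` closes with `');` — the semicolon after the m4 close quote is not consumed by m4 and is emitted into the expanded policy as a bare `;`, which no other macro call in this file is followed by and which checkmodule may reject. It should be `')` like the surrounding blocks. The enclosing interface starts before this hunk, so I can only see the `dbus_system_bus_client_template($1, $1)` call, not its name.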
@@ -13981,6 +14018,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + dontaudit $2 dbusd_userbus:unix_stream_socket connectto; +') ++ ++######################################## ++## ++## dontaudit attempts to use system_dbus_t selinux_socket ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_dontaudit_rw_system_selinux_socket',` ++ gen_require(` ++ type system_dbusd_t; ++ ') ++ ++ dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.13/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-10-16 17:21:16.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/dbus.te 2008-10-17 17:54:43.000000000 -0400 @@ -14622,7 +14677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-23 16:59:49.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-24 08:57:28.000000000 -0400 @@ -10,6 +10,9 @@ type dnsmasq_exec_t; init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) @@ -14682,7 +14737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - nis_use_ypbind(dnsmasq_t) -+ cron_manage_lib_files(crond_var_lib_t) ++ cron_manage_pid_files(dnsmasq_t) ') optional_policy(` 
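Review bot: `dbus_dontaudit_rw_system_selinux_socket` documents its parameter as `Domain allowed access.`, but the interface grants nothing — it only suppresses `{ read write }` denials on `system_dbusd_t:netlink_selinux_socket` — and its summary names the type `system_dbus_t`, which is not the `system_dbusd_t` it requires. I'd change the summary to `## Do not audit attempts to read and write the netlink selinux socket of system_dbusd_t.` and the parameter description to `## Domain to not audit.`, matching the other dontaudit interfaces in this file. The doc should not suggest that the domain gains access to the bus daemon's selinux notification socket.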
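Review bot: `cron_manage_pid_files(dnsmasq_t)` in the dnsmasq.te hunk gives a network-facing daemon create/write/unlink on every file labeled `crond_var_run_t`, which includes cron's own pid file, so a compromised dnsmasq could remove or rewrite it and disturb init-script control of crond. If dnsmasq only needs to read or update an existing file in that directory, a read or rw interface would suffice; if it genuinely creates its own file there, a dedicated type with a file transition would keep cron's pid file out of reach. The correction from `cron_manage_lib_files(crond_var_lib_t)` — which passed a type where a domain belongs — is right; the scope of the new rule is the open question.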
@@ -17899,7 +17954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te --- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-10-24 08:49:04.000000000 -0400 @@ -0,0 +1,68 @@ + +policy_module(pads, 0.0.1) @@ -17940,7 +17995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow pads_t pads_var_run_t:file manage_file_perms; +files_pid_filetrans(pads_t, pads_var_run_t, file) + -+corecmd_search_sbin(pads_t) ++corecmd_search_bin(pads_t) + +corenet_all_recvfrom_unlabeled(pads_t) +corenet_all_recvfrom_netlabel(pads_t) @@ -19691,7 +19746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-23 14:47:03.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-24 09:28:30.000000000 -0400 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) 
@@ -19785,6 +19840,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(prelude_t) +@@ -89,7 +132,7 @@ + # + # prelude_audisp local policy + # +- ++allow prelude_audisp_t self:capability dac_override; + allow prelude_audisp_t self:fifo_file rw_file_perms; + allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; + allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; @@ -110,6 +153,7 @@ corenet_tcp_sendrecv_all_if(prelude_audisp_t) corenet_tcp_sendrecv_all_nodes(prelude_audisp_t) @@ -19793,7 +19857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -117,15 +161,143 @@ +@@ -117,15 +161,139 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) @@ -19817,7 +19881,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +allow prelude_correlator_t self:capability dac_override; -+ +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; @@ -19827,7 +19890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +prelude_manage_spool(prelude_correlator_t) + -+corecmd_search_sbin(prelude_correlator_t) ++corecmd_search_bin(prelude_correlator_t) + +corenet_all_recvfrom_unlabeled(prelude_correlator_t) +corenet_all_recvfrom_netlabel(prelude_correlator_t) @@ -19844,8 +19907,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_usr_files(prelude_correlator_t) +files_search_spool(prelude_correlator_t) + -+kernel_read_sysctl(prelude_correlator_t) -+ +libs_use_ld_so(prelude_correlator_t) +libs_use_shared_libs(prelude_correlator_t) + 
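Review bot: `allow prelude_audisp_t self:capability dac_override;` (and the matching line for `prelude_correlator_t`) lets these daemons bypass DAC permission bits on every file their SELinux rules already allow, which in practice usually means a file in the spool or log tree is owned by the wrong user rather than a real need for the capability. I'd first check the ownership of the paths in the denials and fix that, or at least leave a comment stating the reason, e.g. `# dac_override: spool files are root-owned while the daemon drops privileges - TODO fix ownership instead`. The `kernel_read_sysctl(prelude_correlator_t)` removal in the same hunk has no stated reason either; if it came from testing a different configuration the denial may resurface.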
@@ -19910,8 +19971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +fs_list_inotifyfs(prelude_lml_t) +fs_read_anon_inodefs_files(prelude_lml_t) -+ -+kernel_read_sysctl(prelude_lml_t) ++fs_rw_anon_inodefs_files(prelude_lml_t) + +auth_use_nsswitch(prelude_lml_t) + @@ -19937,12 +19997,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -134,6 +306,17 @@ +@@ -134,6 +302,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) + files_search_tmp(httpd_prewikka_script_t) + ++ kernel_read_sysctl(httpd_prewikka_script_t) ++ kernel_search_network_sysctl(httpd_prewikka_script_t) ++ + can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t) + + corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) 
@@ -23701,6 +23764,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_var_files(tftpd_t) files_read_var_symlinks(tftpd_t) files_search_var(tftpd_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.5.13/policy/modules/services/tor.te +--- nsaserefpolicy/policy/modules/services/tor.te 2008-10-16 17:21:16.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/tor.te 2008-10-24 08:19:01.000000000 -0400 +@@ -34,7 +34,7 @@ + # tor local policy + # + +-allow tor_t self:capability { setgid setuid }; ++allow tor_t self:capability { setgid setuid sys_tty_config }; + allow tor_t self:fifo_file rw_fifo_file_perms; + allow tor_t self:unix_stream_socket create_stream_socket_perms; + allow tor_t self:netlink_route_socket r_netlink_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-10-17 10:31:27.000000000 -0400 @@ -24039,7 +24114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-23 17:14:25.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-24 08:25:44.000000000 -0400 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; 
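Review bot: `sys_tty_config` added to `tor_t`'s capability set lets the daemon issue terminal configuration ioctls (vhangup, console settings), which tor has no reason to perform; this denial typically comes from a tcsetattr or vhangup on an inherited controlling terminal during daemonisation. A `dontaudit tor_t self:capability sys_tty_config;` would hide the noise without granting the capability. If tor really needs it, the hunk should carry a comment saying which operation triggered the denial.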
@@ -26652,7 +26727,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-20 14:36:54.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/init.te 2008-10-24 08:50:27.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -26755,7 +26830,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -276,7 +305,7 @@ +@@ -253,6 +282,7 @@ + kernel_dontaudit_getattr_message_if(initrc_t) + + files_read_kernel_symbol_table(initrc_t) ++files_exec_etc_files(initrc_t) + + corenet_all_recvfrom_unlabeled(initrc_t) + corenet_all_recvfrom_netlabel(initrc_t) +@@ -276,7 +306,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -26764,7 +26847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -330,7 +359,7 @@ +@@ -330,7 +360,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -26773,7 +26856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -371,6 +400,7 @@ +@@ -371,6 +401,7 @@ libs_use_shared_libs(initrc_t) libs_exec_lib_files(initrc_t) 
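Review bot: `files_exec_etc_files(initrc_t)` allows init scripts to execute anything labeled `etc_t`, while the same patch drops the targeted `automount_exec_config(initrc_t)` (the removed `@@ -536` block further down), trading one config type for every file under /etc; any domain permitted to write `etc_t` files can then supply code that runs as `initrc_t`. If one specific script under /etc is the reason, labeling that file `bin_t` in the relevant .fc, or keeping the `automount_exec_config(initrc_t)` call, is the narrower fix. The initrc_t rule block continues on both sides of the hunk.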
@@ -26781,7 +26864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -503,6 +533,7 @@ +@@ -503,6 +534,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -26789,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -521,6 +552,31 @@ +@@ -521,6 +553,31 @@ ') ') @@ -26821,18 +26904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -536,6 +592,10 @@ - ') - - optional_policy(` -+ automount_exec_config(initrc_t) -+') -+ -+optional_policy(` - bind_read_config(initrc_t) - - # for chmod in start script -@@ -575,6 +635,10 @@ +@@ -575,6 +632,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -26843,7 +26915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -660,12 +724,6 @@ +@@ -660,12 +721,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26856,7 +26928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -726,6 +784,9 @@ +@@ -726,6 +781,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -26866,7 +26938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -738,10 +799,12 @@ +@@ -738,10 +796,12 @@ squid_manage_logs(initrc_t) ') @@ -26879,7 +26951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -759,6 +822,11 @@ +@@ -759,6 +819,11 @@ uml_setattr_util_sockets(initrc_t) ') 
@@ -26891,7 +26963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -773,6 +841,10 @@ +@@ -773,6 +838,10 @@ ') optional_policy(` @@ -26902,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -795,3 +867,11 @@ +@@ -795,3 +864,11 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -27753,7 +27825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-20 11:20:42.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-10-24 08:40:39.000000000 -0400 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -27835,6 +27907,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) +@@ -87,7 +98,7 @@ + files_mounton_all_mountpoints(mount_t) + files_unmount_rootfs(mount_t) + # These rules need to be generalized. Only admin, initrc should have it: +-files_relabelto_all_file_type_fs(mount_t) ++files_relabel_all_file_type_fs(mount_t) + files_mount_all_file_type_fs(mount_t) + files_unmount_all_file_type_fs(mount_t) + # for when /etc/mtab loses its type @@ -100,6 +111,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) 
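Review bot: Switching mount_t from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` adds `relabelfrom` on the `filesystem` class for every `file_type`, yet the comment kept directly above still reads `# These rules need to be generalized. Only admin, initrc should have it:` — the change widens a rule the comment already flags as too broad. The comment should say why mount needs relabelfrom (presumably a `context=` mount over an already-labeled filesystem) or the rule should be narrowed to the types actually remounted; I'd update it to `# mount -o context= relabels from the filesystem's current label; restrict to admin/initrc when possible`. The mount_t policy block continues outside the hunk.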
@@ -33169,15 +33250,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel --- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 08:13:54.000000000 -0400 -@@ -181,8 +181,8 @@ ++++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 09:40:08.000000000 -0400 +@@ -181,8 +181,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" @test -d $(@D) || mkdir -p $(@D) - $(call peruser-expansion,$(basename $(@F)),$@.role) - $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) -+# $(call peruser-expansion,$(basename $(@F)),$@.role) -+# $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) ++ $(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp) $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ tmp/%.mod.fc: $(m4support) %.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index a4ee6cb..85971d3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Thu Oct 23 2008 Dan Walsh 3.5.13-7 +- Dontaudit domains trying to write to .xsession-errors + * Thu Oct 23 2008 Dan Walsh 3.5.13-6 - Allow nsplugin to look at autofs_t directory