From 7c1be674333c257840a4fa2cbd089ba360c5a9bb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 24 2009 13:16:28 +0000 Subject: - Allow initrc_t to delete dev_null - Allow readahead to configure auditing --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 77d5e4d..f91b1c7 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -779,7 +779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-23 17:21:40.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 09:02:26.000000000 -0400 @@ -24,7 +24,7 @@ allow readahead_t self:capability { fowner dac_override dac_read_search }; @@ -801,7 +801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) -+logging_send_audit_msgs(readahead_t) ++logging_set_audit_parameters(readahead_t) logging_dontaudit_search_audit_config(readahead_t) miscfiles_read_localization(readahead_t) 
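Review bot: The `-+`/`++` pair in the `@@ -801,7 +801,7 @@` hunk replaces `logging_send_audit_msgs(readahead_t)` with `logging_set_audit_parameters(readahead_t)` rather than adding it, and the two interfaces are not supersets of each other: the first is the record-sending grant, the second (if it matches its upstream refpolicy definition) carries the `audit_control` capability and write access on the audit netlink socket, i.e. the right to change audit rules and audit state. For a boot-time prefetch helper that is a sizeable privilege, so confirm that the denial being fixed really was on audit control and not on relaying records, and keep the send interface as well if readahead still emits audit messages. A comment above the call naming which readahead component reconfigures auditing and why, e.g. `# <component> changes audit configuration in order to <reason>`, would let the next reviewer verify the grant instead of trusting the changelog line.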
@@ -5035,6 +5035,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-03-05 12:28:56.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-04-24 09:05:52.000000000 -0400 +@@ -2268,6 +2268,25 @@ + + ######################################## + ## ++## Delete the null device (/dev/null). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_delete_null',` ++ gen_require(` ++ type device_t, null_device_t; ++ ') ++ ++ allow $1 device_t:dir del_entry_dir_perms; ++ allow $1 null_device_t:chr_file unlink; ++') ++ ++######################################## ++## + ## Read and write to the null device (/dev/null). + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-03-05 12:28:57.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-04-23 09:44:57.000000000 -0400 
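Review bot: The new `dev_delete_null` interface grants `unlink` on `null_device_t` plus `del_entry_dir_perms` on every `device_t` directory, but nothing in it lets the caller recreate the node, so a domain using it can leave the system without a usable /dev/null until udev or the same script restores it. Whether callers are expected to do that cannot be told from the hunk; the summary should say so, e.g. follow `## Delete the null device (/dev/null).` with a second line `## The caller is expected to recreate the node; no create permission is granted here.` The permission shape itself mirrors the existing `dev_delete_lvm_control_dev` used by init.te later in this patch, so the scope is consistent with the file's conventions.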
@@ -14835,7 +14864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te --- nsaserefpolicy/policy/modules/services/milter.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-24 07:22:01.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-24 08:31:02.000000000 -0400 @@ -14,6 +14,12 @@ milter_template(regex) milter_template(spamass) @@ -14849,18 +14878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # milter-regex local policy -@@ -21,6 +27,10 @@ - # http://www.benzedrine.cx/milter-regex.html - # - -+# The milter runs from /var/lib/spamass-milter -+files_search_var_lib(spamass_milter_t); -+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms; -+ - # It removes any existing socket (not owned by root) whilst running as root - # and then calls setgid() and setuid() to drop privileges - allow regex_milter_t self:capability { setuid setgid dac_override }; -@@ -41,6 +51,10 @@ +@@ -41,6 +47,10 @@ # http://savannah.nongnu.org/projects/spamass-milt/ # @@ -19956,7 +19974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.12/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2009-01-19 11:07:32.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/razor.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/razor.te 2009-04-24 08:32:37.000000000 -0400 @@ -6,6 +6,32 @@ # Declarations # 
@@ -19990,12 +20008,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type razor_exec_t; corecmd_executable_file(razor_exec_t) -@@ -122,3 +148,5 @@ - optional_policy(` - nscd_socket_use(razor_t) - ') +@@ -102,6 +128,8 @@ + manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t) + files_tmp_filetrans(razor_t, razor_tmp_t, { file dir }) + ++auth_use_nsswitch(razor_t) + + logging_send_syslog_msg(razor_t) + + userdom_search_user_home_dirs(razor_t) +@@ -120,5 +148,7 @@ + ') + + optional_policy(` +- nscd_socket_use(razor_t) ++ milter_manage_spamass_state(razor_t) +') ++ + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.12/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/ricci.te 2009-04-23 09:44:57.000000000 -0400 @@ -21822,7 +21852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 07:23:40.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 08:31:39.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -21935,7 +21965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,31 +324,35 @@ +@@ -265,13 +324,16 @@ sysnet_read_config(spamc_t) 
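Review bot: In the rewritten razor.te hunk the `optional_policy` block that held `nscd_socket_use(razor_t)` now holds `milter_manage_spamass_state(razor_t)`, which by its name (its body is not in this patch) is a manage-level grant — create, write, delete — on the spamass milter state directory, wider than the search/read a scanner invoked by the milter would normally need; the same grant is made to `spamc_t` in the spamassassin.te hunk further down, and spamc runs once per delivery. If razor and spamc only have to read and update their own files there, ask the milter module for a narrower interface; if manage is required, a comment above each call naming the operation that writes into that directory, e.g. `# <operation> writes <file> under the spamass-milter state dir`, would make the grant reviewable. Dropping `nscd_socket_use` is fine only if `auth_use_nsswitch(razor_t)`, added in the preceding `+@@ -102,6 +128,8 @@` hunk, covers nscd as it does upstream. The spec changelog at the end of this commit lists only the initrc_t and readahead changes, so the razor, spamassassin and milter policy changes in this patch are undocumented.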
@@ -21950,11 +21980,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_nfs_dirs(spamc_t) + fs_manage_nfs_files(spamc_t) + fs_manage_nfs_symlinks(spamc_t) - ') - --optional_policy(` -- # Allow connection to spamd socket above -- evolution_stream_connect(spamc_t) ++') ++ +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(spamc_t) + fs_manage_cifs_files(spamc_t) @@ -21962,9 +21989,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +@@ -280,16 +342,21 @@ + ') + + optional_policy(` - nis_use_ypbind(spamc_t) -+ # Allow connection to spamd socket above -+ evolution_stream_connect(spamc_t) ++ milter_manage_spamass_state(spamc_t) ') optional_policy(` @@ -21983,7 +22013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +364,7 @@ +@@ -301,7 +368,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -21992,7 +22022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +380,13 @@ +@@ -317,10 +384,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -22007,7 +22037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +395,11 @@ +@@ -329,10 +399,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
@@ -22020,7 +22050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +449,27 @@ +@@ -382,22 +453,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -22052,7 +22082,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +487,7 @@ +@@ -415,6 +491,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -22060,7 +22090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +497,6 @@ +@@ -424,10 +501,6 @@ ') optional_policy(` @@ -22071,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +511,10 @@ +@@ -442,6 +515,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -22082,7 +22112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,5 +527,9 @@ +@@ -454,5 +531,9 @@ ') optional_policy(` @@ -25882,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-24 08:59:22.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) 
@@ -26020,7 +26050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -270,16 +308,19 @@ +@@ -270,16 +308,20 @@ dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) @@ -26032,6 +26062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -dev_read_lvm_control(initrc_t) +dev_rw_lvm_control(initrc_t) dev_delete_lvm_control_dev(initrc_t) ++dev_delete_null(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) # Wants to remove udev.tbl: @@ -26041,7 +26072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -328,7 +369,7 @@ +@@ -328,7 +370,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -26050,7 +26081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +384,14 @@ +@@ -343,14 +385,14 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -26067,7 +26098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +407,9 @@ +@@ -366,7 +408,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) 
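Review bot: `dev_delete_null(initrc_t)` in the `@@ -26032,6 +26062,7 @@` hunk is added without the justification comment this block uses for comparable grants (`# Wants to remove udev.tbl:` two lines below), so a reader cannot tell which init script removes /dev/null or whether it recreates it. Add one above the call, e.g. `# <init script> removes and recreates /dev/null`. Since initrc_t already has `dev_manage_generic_files` and `dev_delete_lvm_control_dev` here, the incremental grant is only `null_device_t:chr_file unlink`, but a missing /dev/null breaks every later process that redirects to it, so the recreation path is worth confirming in the comment. The init.te block this sits in continues outside the hunk.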
@@ -26077,7 +26108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +494,7 @@ +@@ -451,7 +495,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -26086,7 +26117,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) -@@ -465,6 +508,7 @@ +@@ -465,6 +509,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -26094,7 +26125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +542,7 @@ +@@ -498,6 +543,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -26102,7 +26133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +561,33 @@ +@@ -516,6 +562,33 @@ ') ') @@ -26136,7 +26167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +642,10 @@ +@@ -570,6 +643,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -26147,7 +26178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +667,10 @@ +@@ -591,6 +668,10 @@ ') optional_policy(` @@ -26158,7 +26189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,6 +727,11 @@ +@@ -647,6 +728,11 @@ ') optional_policy(` 
@@ -26170,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') -@@ -655,12 +740,6 @@ +@@ -655,12 +741,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -26183,7 +26214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -719,8 +798,6 @@ +@@ -719,8 +799,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -26192,7 +26223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +810,12 @@ +@@ -733,10 +811,12 @@ squid_manage_logs(initrc_t) ') @@ -26205,7 +26236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +833,11 @@ +@@ -754,6 +834,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -26217,7 +26248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +849,13 @@ +@@ -765,6 +850,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -26231,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +881,35 @@ +@@ -790,3 +882,35 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -26811,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.12/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/logging.if 2009-04-24 09:01:14.000000000 -0400 @@ -623,7 +623,7 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 664dad7..e83c633 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,10 @@ exit 0 %endif %changelog +* Fri Apr 24 2009 Dan Walsh 3.6.12-17 +- Allow initrc_t to delete dev_null +- Allow readahead to configure auditing + * Fri Apr 24 2009 Dan Walsh 3.6.12-16 - Update to latest milter code from Paul Howarth