From 85a292efc2e7ef5bf50dd557cecfdbe92a35a69d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 27 2011 13:00:22 +0000 Subject: - Backport ABRT changes - Make tmux working with scree policy - Allow root cron jobs can't run without unconfined - add interface to dontaudit writes to urand, needed by libra - Add label for /var/cache/krb5rcache directory --- diff --git a/policy-F15.patch b/policy-F15.patch index 772f19f..651fdc7 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -8913,10 +8913,10 @@ index 0000000..74ce3e2 + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc -index 1f2cde4..7227631 100644 +index 1f2cde4..b73334e 100644 --- a/policy/modules/apps/screen.fc +++ b/policy/modules/apps/screen.fc -@@ -2,6 +2,9 @@ +@@ -2,13 +2,18 @@ # /home # HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0) @@ -8926,8 +8926,17 @@ index 1f2cde4..7227631 100644 # # /usr + # + /usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0) ++/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) + + # + # /var + # + /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) ++/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index 320df26..0def31c 100644 +index 320df26..9889ff2 100644 --- a/policy/modules/apps/screen.if +++ b/policy/modules/apps/screen.if @@ -50,7 +50,7 @@ template(`screen_role_template',` @@ -8939,7 +8948,7 @@ index 320df26..0def31c 100644 allow $1_screen_t self:unix_dgram_socket create_socket_perms; manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) -@@ -61,9 +61,15 @@ template(`screen_role_template',` +@@ -61,18 +61,26 @@ template(`screen_role_template',` # Create fifo manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) 
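Review bot: The two tmux entries added to screen.fc carry no comment saying that tmux is deliberately run under the screen policy. With `/usr/bin/tmux` labelled `screen_exec_t` and `/var/run/tmux(/.*)?` labelled `screen_var_run_t`, tmux takes on every rule written for screen, and its AVC records will show screen types rather than anything named tmux. A line such as `# tmux shares the screen domain and run-dir type` above each entry would tell someone reading audit logs or tightening the screen policy that both programs are affected.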
@@ -8955,12 +8964,14 @@ index 320df26..0def31c 100644 read_files_pattern($1_screen_t, screen_home_t, screen_home_t) read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) -@@ -71,8 +77,10 @@ template(`screen_role_template',` - +- allow $1_screen_t $3:process signal; +- domtrans_pattern($3, screen_exec_t, $1_screen_t) allow $3 $1_screen_t:process { signal sigchld }; + dontaudit $3 $1_screen_t:unix_stream_socket { read write }; ++ allow $1_screen_t $3:unix_stream_socket { connectto }; allow $1_screen_t $3:process signal; ++ ps_process_pattern($1_screen_t, $3) + manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) @@ -11646,7 +11657,7 @@ index 6cf8784..e244a9d 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..8ce76cc 100644 +index e9313fb..97fbf5b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -11996,7 +12007,33 @@ index e9313fb..8ce76cc 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4641,24 @@ interface(`dev_rwx_vmware',` +@@ -4051,6 +4178,25 @@ interface(`dev_write_urand',` + + ######################################## + ## ++## Do not audit attempts to write to pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file write; ++') ++ ++######################################## ++## + ## Getattr generic the USB devices. + ## + ## +@@ -4514,6 +4660,24 @@ interface(`dev_rwx_vmware',` ######################################## ## 
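Review bot: The two rules added to `screen_role_template`, `allow $1_screen_t $3:unix_stream_socket { connectto };` and `ps_process_pattern($1_screen_t, $3)`, widen what the screen/tmux domain may do to the calling user domain, and neither says which tmux behaviour needs it. As those macros are normally defined, the multiplexer domain can now connect to the user domain's stream sockets and read its /proc state, so each rule deserves a short why-comment, for example `# tmux client connects back to the user's session socket`, reworded to the actual reason. The braces around a single permission are also unnecessary: `allow $1_screen_t $3:unix_stream_socket connectto;`. The template body starts and ends outside this hunk, so the placement of the moved `domtrans_pattern` line cannot be checked from here.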
@@ -12021,7 +12058,7 @@ index e9313fb..8ce76cc 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4893,22 @@ interface(`dev_unconfined',` +@@ -4748,3 +4912,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -17971,7 +18008,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..f3f9354 100644 +index 30861ec..5d66681 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -17989,14 +18026,20 @@ index 30861ec..f3f9354 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -37,20 +45,44 @@ files_pid_file(abrt_var_run_t) - type abrt_helper_t; - type abrt_helper_exec_t; - application_domain(abrt_helper_t, abrt_helper_exec_t) -+#init_system_domain(abrt_helper_t, abrt_helper_exec_t) - role system_r types abrt_helper_t; +@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t) + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) - ifdef(`enable_mcs',` ++type abrt_dump_oops_t; ++type abrt_dump_oops_exec_t; ++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++ ++permissive abrt_dump_oops_t; ++ + # type needed to allow all domains + # to handle /var/cache/abrt + type abrt_helper_t; +@@ -43,14 +57,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -18036,7 +18079,7 @@ index 30861ec..f3f9354 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +91,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files 
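Review bot: `permissive abrt_dump_oops_t;` in the abrt.te declarations leaves the new domain unenforced: its denials are logged but nothing is blocked. The abrt_dump_oops rules added further down in this patch therefore confine nothing while this line is present. For a backport to a released branch, the line should carry a comment stating why the domain is permissive and when the statement is to be removed, for example `# permissive until the abrt_dump_oops rules are verified; drop once AVCs are clean`. Administrators can check for it on an installed system with `semanage permissive -l`.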
@@ -18044,7 +18087,7 @@ index 30861ec..f3f9354 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +102,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -18052,7 +18095,7 @@ index 30861ec..f3f9354 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +116,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -18061,7 +18104,7 @@ index 30861ec..f3f9354 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +138,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -18069,7 +18112,7 @@ index 30861ec..f3f9354 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +148,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -18079,7 +18122,7 @@ index 30861ec..f3f9354 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +157,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) 
@@ -18088,7 +18131,7 @@ index 30861ec..f3f9354 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +169,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -18097,7 +18140,7 @@ index 30861ec..f3f9354 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +178,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -18114,7 +18157,7 @@ index 30861ec..f3f9354 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +198,11 @@ optional_policy(` +@@ -150,6 +203,11 @@ optional_policy(` ') optional_policy(` @@ -18126,7 +18169,7 @@ index 30861ec..f3f9354 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +220,7 @@ optional_policy(` +@@ -167,6 +225,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -18134,7 +18177,7 @@ index 30861ec..f3f9354 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +232,18 @@ optional_policy(` +@@ -178,12 +237,18 @@ optional_policy(` ') optional_policy(` @@ -18154,7 +18197,7 @@ index 30861ec..f3f9354 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +260,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) 
@@ -18167,7 +18210,7 @@ index 30861ec..f3f9354 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +279,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -18177,7 +18220,7 @@ index 30861ec..f3f9354 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +288,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -18185,7 +18228,7 @@ index 30861ec..f3f9354 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` 
@@ -18277,7 +18320,38 @@ index 30861ec..f3f9354 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') ++ ++######################################## ++# ++# abrt_dump_oops local policy ++# ++ ++allow abrt_dump_oops_t self:capability dac_override; ++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; ++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_search_spool(abrt_dump_oops_t) ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++ ++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++ ++kernel_read_kernel_sysctls(abrt_dump_oops_t) ++kernel_read_ring_buffer(abrt_dump_oops_t) ++kernel_read_system_state(abrt_dump_oops_t) ++ ++domain_use_interactive_fds(abrt_dump_oops_t) ++ ++files_read_etc_files(abrt_dump_oops_t) ++ ++logging_read_generic_logs(abrt_dump_oops_t) ++logging_send_syslog_msg(abrt_dump_oops_t) ++ ++miscfiles_read_localization(abrt_dump_oops_t) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if @@ -24507,7 +24581,7 @@ index 35241ed..a75e22c 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..e6ddde9 100644 +index f7583ab..80426f1 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` 
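Review bot: `allow abrt_dump_oops_t self:capability dac_override;` at the top of the new abrt_dump_oops local policy is the broadest rule in the block and has no justification next to it. The domain also manages everything under `abrt_var_cache_t` and reads the kernel ring buffer and generic logs, so the ability to bypass file-mode checks is worth confirming rather than carrying over from `abrt_helper_t` by analogy. If it is only needed to write into a dump directory owned by another user, say so in a comment such as `# writes into abrt-owned dump dirs while running as root`, adjusted to the real reason. Otherwise drop the rule and see whether an AVC appears.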
@@ -24670,9 +24744,12 @@ index f7583ab..e6ddde9 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t) +@@ -218,10 +241,12 @@ seutil_sigchld_newrole(crond_t) + miscfiles_read_localization(crond_t) + userdom_use_unpriv_users_fds(crond_t) - # Not sure why this is needed +-# Not sure why this is needed ++userdom_list_admin_dir(crond_t) userdom_list_user_home_dirs(crond_t) +userdom_create_all_users_keys(crond_t) @@ -30475,7 +30552,7 @@ index da2127e..10197f7 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..923e979 100644 +index 3525d24..d50a883 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
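Review bot: The cron.te hunk deletes the comment `# Not sure why this is needed` and adds `userdom_list_admin_dir(crond_t)` without recording a reason for either the old rule or the new one. The commit message suggests the new rule is what lets root cron jobs run in a confined setup, so that should be written where the rule lives, for example `# crond lists the admin home dir when starting root jobs`, corrected if the actual cause differs. `userdom_create_all_users_keys(crond_t)` just below is likewise uncommented in the visible context.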
@@ -30487,7 +30564,15 @@ index 3525d24..923e979 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -31,3 +31,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -21,6 +21,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) + /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) + /var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) +@@ -31,3 +32,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -37495,7 +37580,7 @@ index 55e62d2..f2674e8 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..83cb270 100644 +index 46bee12..fc18bf2 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` 
@@ -37712,7 +37797,7 @@ index 46bee12..83cb270 100644 ') ######################################## -@@ -621,3 +682,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +682,108 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -37815,6 +37900,11 @@ index 46bee12..83cb270 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; ++ ') ++ +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 06e37d4..b4d7354 100644 @@ -39016,7 +39106,7 @@ index bc329d1..0589f97 100644 admin_pattern($1, psad_tmp_t) ') diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te -index d4000e0..f1e983e 100644 +index d4000e0..f35afa4 100644 --- a/policy/modules/services/psad.te +++ b/policy/modules/services/psad.te @@ -11,7 +11,7 @@ init_daemon_domain(psad_t, psad_exec_t) @@ -39033,7 +39123,7 @@ index d4000e0..f1e983e 100644 allow psad_t self:capability { net_admin net_raw setuid setgid dac_override }; dontaudit psad_t self:capability sys_tty_config; -allow psad_t self:process signull; -+allow psad_t self:process { signal signull }; ++allow psad_t self:process signal_perms; allow psad_t self:fifo_file rw_fifo_file_perms; allow psad_t self:rawip_socket create_socket_perms; @@ -43145,7 +43235,7 @@ index adea9f9..d5b2d93 100644 init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te -index 606a098..14535da 100644 +index 606a098..7cff55a 100644 --- a/policy/modules/services/smartmon.te +++ b/policy/modules/services/smartmon.te @@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t) 
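Review bot: `dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };` suppresses audit records for every socket class at once, which is wider than a leaked-descriptor workaround usually needs. It sits under `hide_broken_symptoms`, so the access is still denied, but the denial becomes invisible, including any that would point to a real descriptor leak from the calling domain into postdrop. Narrowing it to the classes actually seen in the AVCs would keep that signal, and a comment would help, for example `# leaked sockets inherited from the caller; use semodule -DB to see them`. The added blank line before the closing `')` can go. The interface this belongs to begins outside the hunk.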
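Review bot: In psad.te, `allow psad_t self:process signal_perms;` replaces the narrower `{ signal signull }` from the previous revision of this patch, and the changelog entry does not mention psad at all. In the reference policy `signal_perms` also covers sigchld, sigkill and sigstop. The target is `self`, so the exposure is limited to psad's own processes, but the rule should name the signal that was actually denied, or carry a comment such as `# psad kills and restarts its helper daemons`, checked against the AVC that prompted the change.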
@@ -43175,6 +43265,17 @@ index 606a098..14535da 100644 libs_exec_ld_so(fsdaemon_t) libs_exec_lib_files(fsdaemon_t) +@@ -113,6 +120,10 @@ tunable_policy(`smartmon_3ware',` + ') + + optional_policy(` ++ application_signull(fsdaemon_t) ++') ++ ++optional_policy(` + mta_send_mail(fsdaemon_t) + ') + diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te index 740994a..a92ba26 100644 --- a/policy/modules/services/smokeping.te diff --git a/selinux-policy.spec b/selinux-policy.spec index ba9ac82..458b848 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 35%{?dist} +Release: 36%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,13 @@ exit 0 %endif %changelog +* Wed Jul 27 2011 Miroslav Grepl 3.9.16-36 +- Backport ABRT changes +- Make tmux working with scree policy +- Allow root cron jobs can't run without unconfined +- add interface to dontaudit writes to urand, needed by libra +- Add label for /var/cache/krb5rcache directory + * Wed Jul 20 2011 Miroslav Grepl 3.9.16-35 - Allow jabberd_router_t to read system state - Rename oracledb_port to oracle_port