From 90ea5b3fefd6cd42a55e53a392b90ffa78f69e2a Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Apr 02 2009 15:23:58 +0000
Subject: - Dontaudit listing of /root directory for cron system jobs
---
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 618d25c..fd0c50c 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -1580,6 +1580,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +/usr/bin/growisoifs -- gen_context(system_u:object_r:cdrecord_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.fc serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc +--- nsaserefpolicy/policy/modules/apps/cpufreqselector.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.fc 2009-04-02 10:05:45.000000000 -0400 +@@ -0,0 +1 @@ ++/usr/bin/cpufreq-selector -- gen_context(system_u:object_r:cpufreqselector_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.if serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if +--- nsaserefpolicy/policy/modules/apps/cpufreqselector.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.if 2009-04-02 10:05:45.000000000 -0400 +@@ -0,0 +1,2 @@ ++## cpufreq-selector policy ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te +--- nsaserefpolicy/policy/modules/apps/cpufreqselector.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.10/policy/modules/apps/cpufreqselector.te 2009-04-02 10:05:45.000000000 -0400 +@@ -0,0 +1,47 @@ ++policy_module(cpufreqselector,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cpufreqselector_t; ++type cpufreqselector_exec_t; ++ ++dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) ++ ++######################################## ++# ++# cpufreq-selector local policy ++# ++ ++allow cpufreqselector_t self:capability { sys_nice sys_ptrace }; ++allow cpufreqselector_t self:fifo_file rw_fifo_file_perms; ++ 
++files_read_etc_files(cpufreqselector_t) ++files_read_usr_files(cpufreqselector_t) ++ ++corecmd_search_bin(cpufreqselector_t) ++ ++dev_rw_sysfs(cpufreqselector_t) ++ ++fs_list_inotifyfs(cpufreqselector_t) ++ ++libs_use_ld_so(cpufreqselector_t) ++libs_use_shared_libs(cpufreqselector_t) ++ ++userdom_read_all_users_state(cpufreqselector_t) ++ ++nscd_dontaudit_search_pid(cpufreqselector_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(cpufreqselector_t) ++') ++ ++optional_policy(` ++ polkit_domtrans_auth(cpufreqselector_t) ++ polkit_read_lib(cpufreqselector_t) ++ polkit_read_reload(cpufreqselector_t) ++') ++ ++permissive cpufreqselector_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/git.fc serefpolicy-3.6.10/policy/modules/apps/git.fc --- nsaserefpolicy/policy/modules/apps/git.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.10/policy/modules/apps/git.fc 2009-03-30 10:09:41.000000000 -0400 @@ -9098,7 +9160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.10/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/cron.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/cron.if 2009-04-02 11:21:32.000000000 -0400 @@ -12,6 +12,10 @@ ## # @@ -9187,7 +9249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` gen_require(` -@@ -261,6 +277,7 @@ +@@ -261,10 +277,12 @@ allow $1 system_cronjob_t:fifo_file rw_file_perms; allow $1 system_cronjob_t:process sigchld; 
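Review bot: The new cpufreqselector.te ends with `permissive cpufreqselector_t;`, so none of the rules above it are enforced for this D-Bus system domain, and nothing in the file says when the domain is meant to become enforcing. The grant `allow cpufreqselector_t self:capability { sys_nice sys_ptrace };` needs a justification as well: sys_ptrace sits next to `userdom_read_all_users_state(cpufreqselector_t)` and presumably only arises from reading /proc entries of other users' processes, in which case `dontaudit cpufreqselector_t self:capability sys_ptrace;` would be the narrower choice. I would add a comment such as `# permissive while AVCs are collected; remove before enforcing` above the last line and a why-comment on the capability line.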
@@ -9195,7 +9257,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 crond_t:fifo_file rw_file_perms; allow $1 crond_t:fd use; allow $1 crond_t:process sigchld; -@@ -343,6 +360,24 @@ + ++ userdom_dontaudit_list_admin_dir($1) + role system_r types $1; + ') + +@@ -343,6 +361,24 @@ ######################################## ## @@ -9220,7 +9287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read and write a cron daemon unnamed pipe. ## ## -@@ -361,7 +396,7 @@ +@@ -361,7 +397,7 @@ ######################################## ## @@ -9229,7 +9296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -369,7 +404,7 @@ +@@ -369,7 +405,7 @@ ## ## # @@ -9238,7 +9305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol gen_require(` type crond_t; ') -@@ -416,6 +451,42 @@ +@@ -416,6 +452,42 @@ ######################################## ## @@ -9281,7 +9348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use a file descriptor ## from system cron jobs. ## -@@ -481,11 +552,14 @@ +@@ -481,11 +553,14 @@ # interface(`cron_read_system_job_tmp_files',` gen_require(` @@ -9297,7 +9364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -506,3 +580,101 @@ +@@ -506,3 +581,101 @@ dontaudit $1 system_cronjob_tmp_t:file append; ') 
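Review bot: The added `userdom_dontaudit_list_admin_dir($1)` sits inside a cron.if interface body rather than in one domain's policy, so every domain passed to that interface stops logging denied listings of the admin home directory. The interface begins outside this hunk, and nothing visible in its summary mentions the new rule. A dontaudit removes the AVC record an investigator would otherwise see, so I would document it where it is added, e.g. `# system cron jobs try to list /root; keep it denied but do not audit it`, and say in the interface summary that callers also receive this rule. When these denials need to be seen again for debugging, rebuilding the policy with dontaudit rules disabled (`semodule -DB`) brings them back.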
@@ -18450,7 +18517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.10/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/samba.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/samba.if 2009-04-01 15:42:15.000000000 -0400 @@ -4,6 +4,45 @@ ## from Windows NT servers. ## @@ -18850,7 +18917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.10/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/samba.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/samba.te 2009-04-01 15:20:37.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -19136,7 +19203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow swat_t self:udp_socket create_socket_perms; +allow swat_t self:unix_stream_socket connectto; -+can_exec(swat_t, smbd_exec_t) ++samba_domtrans_smb(swat_t) +allow swat_t smbd_port_t:tcp_socket name_bind; +allow swat_t smbd_t:process { signal signull }; +allow swat_t smbd_var_run_t:file { lock unlink }; 
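Review bot: After `can_exec(swat_t, smbd_exec_t)` becomes `samba_domtrans_smb(swat_t)`, the lines that follow in the samba.te hunk still grant swat_t `smbd_port_t:tcp_socket name_bind` and `smbd_var_run_t:file { lock unlink }`. Those look like permissions swat_t needed only while it executed smbd in its own domain; if the transition now puts smbd into its own domain, they are excess privilege on a web administration tool and should be dropped or justified with a comment. `allow swat_t smbd_t:process { signal signull };` still fits the job of controlling the daemon. The swat_t rule block continues outside the hunk, so the remaining rules there may need the same check.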
@@ -23819,13 +23886,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.10/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/init.if 2009-03-30 10:09:41.000000000 -0400 -@@ -280,6 +280,27 @@ ++++ serefpolicy-3.6.10/policy/modules/system/init.if 2009-04-01 15:00:12.000000000 -0400 +@@ -280,6 +280,28 @@ kernel_dontaudit_use_fds($1) ') ') + + userdom_dontaudit_search_user_home_dirs($1) ++ userdom_dontaudit_rw_stream($1) + + tunable_policy(`allow_daemons_use_tty',` + term_use_all_user_ttys($1) @@ -23848,7 +23916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +567,7 @@ +@@ -546,7 +568,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -23857,7 +23925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +640,19 @@ +@@ -619,18 +641,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -23881,7 +23949,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +668,43 @@ +@@ -646,23 +669,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -23929,7 +23997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a init script in a specified domain. ## ## -@@ -1291,6 +1333,25 @@ +@@ -1291,6 +1334,25 @@ ######################################## ## 
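Review bot: `userdom_dontaudit_rw_stream($1)` is added inside an init.if interface whose start is outside the hunk, so every domain created through it stops logging read/write denials on user-domain unix stream sockets; the later init.te hunk adds the same call for the `daemon` attribute. If the interface also assigns the `daemon` attribute (not visible here), one of the two calls is redundant and the rule should live in one place. Denials of this kind usually point at a descriptor leaked by the launching user session, and suppressing them for all daemons also hides the cases worth fixing at the source. I would add a comment on the new line such as `# sockets leaked from the user session: access stays denied, audit is suppressed`.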
@@ -23955,7 +24023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1582,51 @@ +@@ -1521,3 +1583,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -24009,7 +24077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.10/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/init.te 2009-04-01 15:00:25.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -24292,13 +24360,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +865,17 @@ +@@ -790,3 +865,19 @@ optional_policy(` zebra_read_config(initrc_t) ') + +userdom_append_user_home_content_files(daemon) +userdom_write_user_tmp_files(daemon) ++userdom_dontaudit_rw_stream(daemon) ++ +logging_append_all_logs(daemon) + +optional_policy(` @@ -26941,7 +27011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.10/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/unconfined.if 2009-04-01 14:58:39.000000000 -0400 
@@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -27598,7 +27668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.10/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-03-30 10:09:41.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/system/userdomain.if 2009-04-01 14:59:58.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -28982,7 +29052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3182,462 @@ +@@ -2981,3 +3182,482 @@ allow $1 userdomain:dbus send_msg; ') @@ -29445,6 +29515,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 userdomain:key manage_key_perms; +') + ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unserdomain stream. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_rw_stream',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ dontaudit $1 userdomain:unix_stream_socket rw_file_perms; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.10/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.10/policy/modules/system/userdomain.te 2009-03-30 10:09:41.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 5541e53..ae2a379 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
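Review bot: The new `userdom_dontaudit_rw_stream` interface in userdomain.if applies a file permission set to a socket class: `dontaudit $1 userdomain:unix_stream_socket rw_file_perms;`. For a rule whose summary says read and write, `dontaudit $1 userdomain:unix_stream_socket { read write };` matches the class and keeps the suppression as narrow as the comment claims; `rw_socket_perms` would be the set to use if broader suppression is really intended. The summary text also spells the target "unserdomain" instead of "userdomain", which will end up in the generated interface documentation.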
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.10 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Thu Apr 2 2009 Dan Walsh 3.6.10-6 +- Dontaudit listing of /root directory for cron system jobs + * Mon Mar 30 2009 Dan Walsh 3.6.10-5 - Fix missing ld.so.cache label