From 9eefb8aef380c8c4d30f002162c8a75335334784 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Aug 20 2009 11:27:42 +0000
Subject: - Fixes for racoon - Fixes for ptchown - Fixes for openvpn
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 3f67bf8..1239382 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -122,6 +122,10 @@ nfs_export_all_rw = true
 #
 nfs_export_all_ro = true
+# Allow openvpn to read home directories
+#
+openvpn_enable_homedirs = true
+
 # Allow pppd to load kernel modules for certain modems
 #
 pppd_can_insmod = false
diff --git a/policy-20090521.patch b/policy-20090521.patch
index 855450a..0c2d2ce 100644
--- a/policy-20090521.patch
+++ b/policy-20090521.patch
@@ -1,3 +1,21 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
+--- nsaserefpolicy/man/man8/samba_selinux.8 2009-04-07 21:54:45.000000000 +0200
++++ serefpolicy-3.6.12/man/man8/samba_selinux.8 2009-08-19 18:01:06.000000000 +0200
+@@ -20,7 +20,7 @@
+ .TP
+ This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+ .TP
+-/var/eng(/.*)? system_u:object_r:samba_share_t
++/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+ .TP
+ Run the restorecon command to apply the changes:
+ .TP
+@@ -53,4 +53,4 @@
+ This manual page was written by Dan Walsh .
+ 
+ .SH "SEE ALSO"
+-selinux(8), samba(7), chcon(1), setsebool(8)
++selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
 --- nsaserefpolicy/policy/mcs 2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/mcs 2009-07-08 21:09:33.000000000 +0200
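Review bot: `openvpn_enable_homedirs = true` ships the new boolean enabled, so on a default targeted install openvpn_t can read every user's home content, and the tunable blocks added to openvpn.te later in this patch extend that to NFS and CIFS homes when those booleans are also on. The neighbouring `pppd_can_insmod = false` shows the file's habit of defaulting privilege-widening booleans off; unless reading per-user files from home directories is the expected deployment, `openvpn_enable_homedirs = false` is the safer default. Either way the comment should say which files openvpn is expected to read there, e.g. `# Allow openvpn to read home directories (user-supplied keys and configs); widens what a compromised openvpn can read`.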
@@ -550,6 +568,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
 corecmd_exec_bin(groupadd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-08-19 18:08:12.000000000 +0200
+@@ -28,6 +28,8 @@
+ awstats_rw_pipes(awstats_t)
+ awstats_cgi_exec(awstats_t)
+ 
++can_exec(awstats_t, awstats_exec_t)
++
+ manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+ manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
 --- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-04-07 21:54:49.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te 2009-08-05 23:27:19.000000000 +0200
@@ -718,6 +748,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 + ssh_rw_pipes(gitosis_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/gpg.if 2009-08-18 15:05:46.000000000 +0200
+@@ -30,7 +30,7 @@
+ 
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+- allow $2 gpg_t:process { signal sigkill };
++ allow $2 gpg_t:process { signull sigstop signal sigkill };
+ 
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
+--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-08-18 15:06:47.000000000 +0200
+@@ -90,6 +90,7 @@
+ corenet_tcp_connect_all_ports(gpg_t)
+ corenet_sendrecv_all_client_packets(gpg_t)
+ 
++dev_read_generic_usb_dev(gpg_t)
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-07-08 21:12:05.000000000 +0200
@@ -856,8 +909,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
 --- nsaserefpolicy/policy/modules/apps/ptchown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te 2009-08-14 08:31:55.000000000 +0200
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te 2009-08-20 09:35:25.000000000 +0200
+@@ -0,0 +1,40 @@
 +policy_module(ptchown,1.0.0)
 +
 +########################################
@@ -877,7 +930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# ptchown local policy
 +#
 +
-+allow ptchown_t self:capability { fowner chown setuid };
++allow ptchown_t self:capability { chown fowner fsetid setuid };
 +allow ptchown_t self:process { getcap setcap };
 +
 +# Init script handling
@@ -891,9 +944,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +fs_rw_anon_inodefs_files(ptchown_t)
 +
-+term_use_generic_ptys(ptchown_t)
 +term_setattr_generic_ptys(ptchown_t)
 +term_setattr_all_user_ptys(ptchown_t)
++term_use_generic_ptys(ptchown_t)
++term_use_ptmx(ptchown_t)
 +
 +miscfiles_read_localization(ptchown_t)
 +
@@ -3305,7 +3359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +logging_send_syslog_msg(nslcd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te 2009-04-07 21:54:45.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-07-08 21:10:15.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-08-20 09:42:28.000000000 +0200
 @@ -86,6 +86,7 @@
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -3314,6 +3368,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_rw_tun_tap_dev(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_sendrecv_openvpn_client_packets(openvpn_t)
+@@ -98,6 +99,8 @@
+ files_read_etc_files(openvpn_t)
+ files_read_etc_runtime_files(openvpn_t)
+ 
++auth_use_pam(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+ 
+ miscfiles_read_localization(openvpn_t)
+@@ -114,6 +117,16 @@
+ userdom_read_user_home_content_files(openvpn_t)
+ ')
+ 
++tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
++ fs_read_nfs_files(openvpn_t)
++ fs_read_nfs_symlinks(openvpn_t)
++')
++
++tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(openvpn_t)
++ fs_read_cifs_symlinks(openvpn_t)
++')
++
+ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+ ')
+@@ -122,5 +135,6 @@
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+ 
++ fprintd_dbus_chat(openvpn_t)
+ networkmanager_dbus_chat(openvpn_t)
+ ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 21:54:45.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-25 10:21:01.000000000 +0200
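Review bot: `fprintd_dbus_chat(openvpn_t)` in the last openvpn.te hunk sits directly inside the dbus `optional_policy` block rather than in an `optional_policy` of its own, so the openvpn module will only link when the fprintd module is present; `networkmanager_dbus_chat(openvpn_t)` already lives there the same way, so this follows existing style, but authlogin.if in this very patch wraps `fprintd_dbus_chat($1)` in its own `optional_policy(\`` … `')` and openvpn would be better off doing the same. It is also not obvious from the hunk why a VPN daemon talks to the fingerprint daemon; presumably it is reached through the new `auth_use_pam(openvpn_t)` PAM stack, and a one-line comment such as `# reached via the PAM stack granted by auth_use_pam` above the call would record that for the next reader.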
@@ -3630,6 +3717,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_read_all_dirs_except_shadow(rsync_t)
 auth_read_all_files_except_shadow(rsync_t)
 auth_read_all_symlinks_except_shadow(rsync_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/sasl.te 2009-08-18 14:47:01.000000000 +0200
+@@ -31,7 +31,7 @@
+ # Local policy
+ #
+ 
+-allow saslauthd_t self:capability setuid;
++allow saslauthd_t self:capability { setgid setuid };
+ dontaudit saslauthd_t self:capability sys_tty_config;
+ allow saslauthd_t self:process signal_perms;
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-07-31 13:22:05.000000000 +0200
@@ -4029,7 +4128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-07-07 08:44:02.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-08-19 17:48:56.000000000 +0200
 @@ -1,13 +1,15 @@
 +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
 HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -4047,6 +4146,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+@@ -20,5 +22,5 @@
+ 
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-06-25 10:19:44.000000000 +0200
 +++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-07-13 11:32:30.000000000 +0200
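Review bot: The two MIMEDefang directories are relabelled from `spamd_spool_t` to `spamd_var_run_t` while the sibling `/var/spool/spamassassin` and `/var/spool/spamd` entries keep `spamd_spool_t`, and nothing in the hunk says why a path under /var/spool gets the pid/runtime type. If the reason is that MIMEDefang keeps its sockets there (inferred, not visible here), a comment above the two lines such as `# MIMEDefang keeps its sockets under /var/spool, hence the var_run type` would stop a later maintainer from "correcting" it back to the spool type.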
@@ -4380,8 +4487,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-08-04 12:46:42.000000000 +0200 -@@ -42,8 +42,7 @@ ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-08-20 10:24:42.000000000 +0200 +@@ -30,6 +30,53 @@ + dontaudit $2 shadow_t:file read_file_perms; + ') + ++####################################### ++## ++## Make the specified domain used for a login program. ++## ++## ++## ++## Domain type used for a login program domain. ++## ++## ++# ++interface(`auth_use_pam',` ++ ++ # for SSP/ProPolice ++ dev_read_urand($1) ++ # for encrypted homedir ++ dev_read_sysfs($1) ++ ++ auth_domtrans_chk_passwd($1) ++ auth_domtrans_upd_passwd($1) ++ auth_dontaudit_read_shadow($1) ++ auth_read_login_records($1) ++ auth_append_login_records($1) ++ auth_rw_lastlog($1) ++ auth_rw_faillog($1) ++ auth_exec_pam($1) ++ auth_use_nsswitch($1) ++ ++ logging_send_audit_msgs($1) ++ logging_send_syslog_msg($1) ++ ++ optional_policy(` ++ dbus_system_bus_client($1) ++ optional_policy(` ++ consolekit_dbus_chat($1) ++ ') ++ ') ++ ++ optional_policy(` ++ kerberos_manage_host_rcache($1) ++ kerberos_read_config($1) ++ ') ++ ++ optional_policy(` ++ nis_authenticate($1) ++ ') ++') ++ + ######################################## + ## + ## Make the specified domain used for a login program. +@@ -42,8 +89,7 @@ # interface(`auth_login_pgm_domain',` gen_require(` @@ -4391,7 +4552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') domain_type($1) -@@ -77,6 +76,8 @@ +@@ -77,6 +123,8 @@ # for SSP/ProPolice dev_read_urand($1) 
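Review bot: The summary of the new `auth_use_pam` interface, `## Make the specified domain used for a login program.`, is copied verbatim from `auth_login_pgm_domain` immediately below it, so the two are indistinguishable in the generated interface documentation even though this one does not call `domain_type($1)` and is meant for domains that only authenticate through PAM. Something like `## Allow the specified domain to authenticate users through the PAM stack (unix_chkpwd, login records, audit and syslog) without making it a full login program domain.` with the parameter text `## Domain that runs a PAM conversation.` would say what it actually grants. Because the body hands out `auth_domtrans_chk_passwd`, `auth_rw_lastlog` and `auth_rw_faillog`, the doc should also make clear it is only for domains that genuinely run PAM, which is what the racoon and openvpn callers elsewhere in this patch rely on.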
@@ -4400,7 +4561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for fingerprint readers dev_rw_input_dev($1) dev_rw_generic_usb_dev($1) -@@ -143,6 +144,11 @@ +@@ -143,6 +191,11 @@ ') optional_policy(` @@ -4412,7 +4573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fprintd_dbus_chat($1) ') -@@ -153,6 +159,7 @@ +@@ -153,6 +206,7 @@ optional_policy(` ssh_agent_exec($1) userdom_read_user_home_content_files($1) @@ -4420,7 +4581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -238,6 +245,97 @@ +@@ -238,6 +292,97 @@ ######################################## ## @@ -4518,7 +4679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Run unix_chkpwd to check a password. ## ## -@@ -726,7 +824,7 @@ +@@ -726,7 +871,7 @@ ######################################## ## @@ -4527,7 +4688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1258,6 +1356,25 @@ +@@ -1258,6 +1403,25 @@ ######################################## ## @@ -4553,7 +4714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to write to ## login records files. ## -@@ -1415,6 +1532,10 @@ +@@ -1415,6 +1579,10 @@ ') optional_policy(` @@ -4564,7 +4725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sssd_stream_connect($1) ') -@@ -1456,99 +1577,3 @@ +@@ -1456,99 +1624,3 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -4796,15 +4957,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-25 10:21:01.000000000 +0200 -@@ -1,5 +1,5 @@ ++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-08-20 13:08:01.000000000 +0200 +@@ -1,11 +1,18 @@ -policy_module(ipsec, 1.9.0) +policy_module(ipsec, 1.9.1) ######################################## # -@@ -53,7 +53,7 @@ + # Declarations + # + ++## ++##

++## Allow racoon to read shadow ++##

++##
++gen_tunable(racoon_read_shadow, false) ++ + type ipsec_t; + type ipsec_exec_t; + init_daemon_domain(ipsec_t,ipsec_exec_t) +@@ -43,6 +50,9 @@ + init_daemon_domain(racoon_t,racoon_exec_t) + role system_r types racoon_t; + ++type racoon_tmp_t; ++files_tmp_file(racoon_tmp_t) ++ + type setkey_t; + type setkey_exec_t; + init_system_domain(setkey_t,setkey_exec_t) +@@ -53,7 +63,7 @@ # ipsec Local policy # @@ -4813,7 +4997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit ipsec_t self:capability sys_tty_config; allow ipsec_t self:process { getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; -@@ -67,7 +67,7 @@ +@@ -67,7 +77,7 @@ read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) allow ipsec_t ipsec_key_file_t:dir list_dir_perms; @@ -4822,7 +5006,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -103,13 +103,11 @@ +@@ -82,7 +92,7 @@ + # so try flipping back into the ipsec_mgmt_t domain + corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t) + allow ipsec_mgmt_t ipsec_t:fd use; +-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; ++allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; + allow ipsec_mgmt_t ipsec_t:process sigchld; + + kernel_read_kernel_sysctls(ipsec_t) +@@ -103,13 +113,11 @@ corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t) @@ -4837,7 +5030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) -@@ -130,7 +128,7 @@ +@@ -130,7 +138,7 @@ files_read_etc_files(ipsec_t) files_read_usr_files(ipsec_t) 
@@ -4846,7 +5039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) -@@ -158,12 +156,12 @@ +@@ -158,12 +166,12 @@ # allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; @@ -4861,7 +5054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file) -@@ -171,8 +169,6 @@ +@@ -171,8 +179,6 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) @@ -4870,7 +5063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -248,6 +244,8 @@ +@@ -248,6 +254,8 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -4879,15 +5072,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(ipsec_mgmt_t) modutils_domtrans_insmod(ipsec_mgmt_t) -@@ -284,6 +282,7 @@ +@@ -284,6 +292,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; +allow racoon_t self:fifo_file rw_fifo_file_perms; ++ ++manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) ++manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t) ++files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file }) ++ ++can_exec(racoon_t, setkey_exec_t) # manage pid file manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -301,11 +300,21 @@ +@@ -301,11 +316,21 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) 
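Review bot: `can_exec(racoon_t, setkey_exec_t)` in the last hunk runs setkey inside the racoon_t domain instead of transitioning to the `setkey_t` domain that this same file section declares via `init_system_domain(setkey_t,setkey_exec_t)`, so every permission setkey needs is folded into racoon_t rather than kept in the smaller setkey domain. The surrounding context already grants `allow racoon_t self:key_socket create_socket_perms`, so in-domain execution will probably work, but if racoon only spawns setkey to load policy a `domtrans_pattern(racoon_t, setkey_exec_t, setkey_t)` keeps the two privilege sets apart. If running setkey in-domain is deliberate (for example because racoon reads its output through a pipe), a comment above the line saying so, e.g. `# setkey runs in racoon_t on purpose; no domtrans to setkey_t`, would document the choice. The new `racoon_tmp_t` type with its `files_tmp_filetrans` looks fine.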
@@ -4910,7 +5109,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_bind_ipsecnat_port(racoon_t) dev_read_urand(racoon_t) -@@ -348,6 +357,7 @@ +@@ -315,6 +340,8 @@ + + files_read_etc_files(racoon_t) + ++fs_dontaudit_getattr_xattr_fs(racoon_t) ++ + # allow racoon to use avc_has_perm to check context on proposed SA + selinux_compute_access_vector(racoon_t) + +@@ -329,6 +356,13 @@ + + miscfiles_read_localization(racoon_t) + ++auth_use_pam(racoon_t) ++ ++auth_can_read_shadow_passwords(racoon_t) ++tunable_policy(`racoon_read_shadow',` ++ auth_tunable_read_shadow(racoon_t) ++') ++ + ######################################## + # + # Setkey local policy +@@ -348,6 +382,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 8489d32..3980483 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 78%{?dist} +Release: 79%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,11 @@ exit 0 %endif %changelog +* Thu Aug 20 2009 Miroslav Grepl 3.6.12-79 +- Fixes for racoon +- Fixes for ptchown +- Fixes for openvpn + * Fri Aug 14 2009 Miroslav Grepl 3.6.12-78 - Add ptchown policy from Dan Walsh
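Review bot: `auth_can_read_shadow_passwords(racoon_t)` is unconditional while the actual read grant `auth_tunable_read_shadow(racoon_t)` is inside `tunable_policy(\`racoon_read_shadow',\`` … `')`, and with the boolean defaulting to false this is the right shape, but the split is not explained and looks at first glance like a leak of shadow access outside the tunable. A comment above the pair such as `# the attribute must be unconditional (typeattribute is not allowed inside a conditional block); the read itself is gated by racoon_read_shadow` would make the intent clear. The tunable's description text at the top of this file section reads only `Allow racoon to read shadow`; stating the use case (why an IKE daemon would need local password hashes at all) would help administrators decide whether to ever turn it on.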