From b11dbbb323548b63145e113f669e294f0711f6b1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 27 2009 18:56:58 +0000 Subject: - Allow confined users to manace virt_content_t, since this is home dir content - Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 2ea9a76..25f4405 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -782,7 +782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te --- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-24 13:45:16.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-27 11:01:26.000000000 -0400 @@ -11,8 +11,8 @@ init_daemon_domain(readahead_t, readahead_exec_t) application_domain(readahead_t, readahead_exec_t) @@ -808,7 +808,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) files_pid_filetrans(readahead_t, readahead_var_run_t, file) -@@ -58,6 +60,7 @@ +@@ -46,6 +48,7 @@ + storage_raw_read_fixed_disk(readahead_t) + + domain_use_interactive_fds(readahead_t) ++domain_read_all_domains_state(readahead_t) + + files_dontaudit_getattr_all_sockets(readahead_t) + files_list_non_security(readahead_t) +@@ -58,6 +61,7 @@ fs_dontaudit_search_ramfs(readahead_t) fs_dontaudit_read_ramfs_pipes(readahead_t) fs_dontaudit_read_ramfs_files(readahead_t) @@ -816,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) -@@ -72,6 +75,7 @@ +@@ -72,6 +76,7 @@ init_getattr_initctl(readahead_t) logging_send_syslog_msg(readahead_t) @@ -5184,7 +5192,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-04-27 11:30:40.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations @@ -5255,7 +5263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -153,3 +172,45 @@ +@@ -153,3 +172,46 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -5280,6 +5288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + rpm_rw_pipes(domain) + rpm_dontaudit_use_script_fds(domain) + rpm_dontaudit_write_pid_files(domain) ++ rpm_read_script_tmp_files(domain) +') + +optional_policy(` @@ -14839,8 +14848,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(mailman_queue_t, mailman_queue_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc --- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 10:00:53.000000000 -0400 -@@ -1,6 +1,8 @@ ++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-27 11:46:55.000000000 -0400 +@@ -1,6 +1,9 @@ -/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) -/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) @@ -14849,6 +14858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0) ++/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0) + +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if @@ -21885,7 +21895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-24 08:31:39.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -21982,7 +21992,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -255,9 +308,15 @@ +@@ -239,6 +292,7 @@ + corenet_sendrecv_all_client_packets(spamc_t) + + fs_search_auto_mountpoints(spamc_t) ++fs_list_inotifyfs(spamc_t) + + # cjp: these should probably be removed: + corecmd_list_bin(spamc_t) +@@ -255,9 +309,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -21998,7 +22016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,13 +324,16 @@ +@@ -265,13 +325,16 @@ sysnet_read_config(spamc_t) @@ -22022,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -280,16 +342,21 @@ +@@ -280,16 +343,21 @@ ') optional_policy(` @@ -22046,7 +22064,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,7 +368,7 @@ +@@ -301,7 +369,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -22055,7 +22073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +384,13 @@ +@@ -317,10 +385,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -22070,7 +22088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +399,11 @@ +@@ -329,10 +400,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -22083,7 +22101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +453,27 @@ +@@ -382,22 +454,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -22115,7 +22133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +491,7 @@ +@@ -415,6 +492,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -22123,7 +22141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +501,6 @@ +@@ -424,10 +502,6 @@ ') optional_policy(` @@ -22134,7 +22152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +515,10 @@ +@@ -442,6 +516,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -22145,7 +22163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,5 +531,9 @@ +@@ -454,5 +532,9 @@ ') optional_policy(` @@ -23420,7 +23438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400 @@ -8,19 +8,24 @@ ## @@ -23449,7 +23467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_etc_t; files_config_file(virt_etc_t) -@@ -29,8 +34,12 @@ +@@ -29,8 +34,13 @@ files_type(virt_etc_rw_t) # virt Image files @@ -23461,10 +23479,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# virt Image files +type virt_content_t; +virtual_image(virt_content_t) ++userdom_user_home_content(virt_content_t) type virt_log_t; logging_log_file(virt_log_t) -@@ -48,17 +57,39 @@ +@@ -48,17 +58,39 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -23506,7 +23525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +98,11 @@ +@@ -67,7 +99,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -23519,7 +23538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +121,7 @@ +@@ -86,6 +122,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -23527,7 +23546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,7 +132,7 @@ +@@ -96,7 +133,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -23536,7 +23555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +140,39 @@ +@@ -104,21 +141,39 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) @@ -23577,7 +23596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +183,13 @@ +@@ -129,6 +184,13 @@ logging_send_syslog_msg(virtd_t) @@ -23591,7 +23610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +228,34 @@ +@@ -167,22 +229,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -23631,7 +23650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +271,80 @@ +@@ -198,5 +272,80 @@ ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ec354f6..e6aaa9d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,10 @@ exit 0 %endif %changelog +* Mon Apr 27 2009 Dan Walsh 3.6.12-21 +- Allow confined users to manace virt_content_t, since this is home dir content +- Allow all domains to read rpm_script_tmp_t which is what shell creates on redirection + * Mon Apr 27 2009 Dan Walsh 3.6.12-20 - Fix labeling on /var/lib/misc/prelink* - Allow xserver to rw_shm_perms with all x_clients