From e7d0fd8becf146e791660ccabcb3cbcd7a94d3bc Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 27 2008 13:05:46 +0000 Subject: - Allow sshd to use inotify --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 2f3e88e..a11df77 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -5471,7 +5471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-12-23 11:35:12.000000000 -0500 @@ -6,6 +6,9 @@ # Declarations # @@ -5482,12 +5482,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ##

## Allow qemu to connect fully to the network -@@ -13,16 +16,102 @@ +@@ -13,16 +16,109 @@ ## gen_tunable(qemu_full_network, false) +## +##

++## Allow qemu to use cifs/Samba file systems ++##

++##
++gen_tunable(qemu_use_cifs, true) ++ ++## ++##

+## Allow qemu to use nfs file systems +##

+##
@@ -5495,10 +5502,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +## +##

-+## Allow qemu to use cifs/Samba file systems ++## Allow qemu to use usb devices +##

+##
-+gen_tunable(qemu_use_cifs, true) ++gen_tunable(qemu_use_usb, true) + type qemu_exec_t; qemu_domain_template(qemu) @@ -5585,16 +5592,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; -@@ -35,6 +124,30 @@ +@@ -35,6 +131,38 @@ corenet_tcp_connect_all_ports(qemu_t) ') ++tunable_policy(`qemu_use_cifs',` ++ fs_manage_cifs_dirs(qemu_t) ++ fs_manage_cifs_files(qemu_t) ++') ++ +tunable_policy(`qemu_use_nfs',` ++ fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) +') + -+tunable_policy(`qemu_use_cifs',` -+ fs_manage_cifs_dirs(qemu_t) ++tunable_policy(`qemu_use_usb',` ++ dev_rw_usbfs(qemu_t) ++ fs_manage_dos_dirs(qemu_t) ++ fs_manage_dos_files(qemu_t) +') + +optional_policy(` @@ -6571,7 +6586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:33.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-19 17:15:39.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.10.0) @@ -6593,7 +6608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) -@@ -79,26 +82,31 @@ +@@ -79,26 +82,33 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict 
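Review bot: The new `qemu_use_usb` tunable_policy block grants more than its description `## Allow qemu to use usb devices` states: next to `dev_rw_usbfs(qemu_t)` it also adds `fs_manage_dos_dirs(qemu_t)` and `fs_manage_dos_files(qemu_t)`, i.e. create/delete/rewrite on every dosfs mount rather than only USB-backed media, and the declaration earlier in this file is `gen_tunable(qemu_use_usb, true)`, so it is on by default. Either move the two fs_manage_dos rules under their own boolean or make the description honest, e.g. `## Allow qemu to use usb devices and manage files on DOS/FAT filesystems`. A guest-facing domain getting default write access to all FAT filesystems is worth defaulting to false unless a tool relies on it (cannot tell from here); the same question applies to `gen_tunable(qemu_use_cifs, true)` in the hunk above.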
@@ -6606,9 +6621,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(dcc, udp,6276,s0, udp,6277,s0) ++network_port(dccm, tcp,5679,s0, udp,5679,s0) network_port(dbskkd, tcp,1178,s0) - network_port(dhcpc, udp,68,s0) +-network_port(dhcpc, udp,68,s0) -network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) ++network_port(dhcpc, udp,68,s0, tcp,68,s0) +network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -6618,6 +6635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) ++network_port(ftps, tcp,990,s0, udp,990,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(giftd, tcp,1213,s0) network_port(gopher, tcp,70,s0, udp,70,s0) @@ -6626,7 +6644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -@@ -109,6 +117,7 @@ +@@ -109,6 +119,7 @@ network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) 
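Review bot: Port 990 is labelled here as `network_port(ftps, tcp,990,s0, udp,990,s0)`, but its only consumer in this commit is the ActiveSync helper (`corenet_tcp_bind_ftps_port(hald_dccm_t)` in the hal.te hunk further down), so two unrelated services end up sharing one port type: any future FTPS daemon granted ftps_port_t may bind the ActiveSync listener's port and vice versa. If 990 is meant as the generic well-known FTPS port, say so and note the second user inline, e.g. `network_port(ftps, tcp,990,s0, udp,990,s0) # also used by dccm (ActiveSync)`; otherwise fold it into the `dccm` definition. The same hunk adds `tcp,68` to `dhcpc` with no visible consumer (hald_dccm only gets the UDP interface `corenet_udp_bind_dhcpc_port`), so a one-line comment naming the client that needs TCP 68 would keep the port table auditable.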
@@ -6634,7 +6652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) -@@ -117,6 +126,8 @@ +@@ -117,6 +128,8 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -6643,7 +6661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -126,6 +137,7 @@ +@@ -126,6 +139,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -6651,7 +6669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -136,12 +148,21 @@ +@@ -136,12 +150,21 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -6673,7 +6691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -159,9 +180,11 @@ +@@ -159,9 +182,11 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) 
@@ -6686,7 +6704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,14 +193,17 @@ +@@ -170,14 +195,17 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -8469,7 +8487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-12-19 17:00:37.000000000 -0500 @@ -1198,6 +1198,7 @@ ') @@ -11171,7 +11189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-08 16:48:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-27 07:05:53.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # 
@@ -13012,7 +13030,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-12-22 14:30:16.000000000 -0500 @@ -13,7 +13,10 @@ # configuration files @@ -13977,7 +13995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') dnl end TODO diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-18 10:07:31.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-19 11:43:08.000000000 -0500 @@ -5,27 +5,38 @@ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -14030,19 +14048,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -43,10 +54,18 @@ +@@ -43,10 +54,19 @@ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0) -/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0) +/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0) - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) +/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0) /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) ++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
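Review bot: `/var/turboprint(/.*)?` and `/var/ccpd(/.*)?` are given `cupsd_var_run_t`, the type of cupsd's pid/socket directory, although both are persistent trees under /var rather than /var/run. Every domain allowed to read, write or manage cupsd_var_run_t now reaches those driver directories too, and anything that treats var_run types as transient state applies to them. If they hold driver configuration or spool data, the `cupsd_rw_etc_t` used for the `/usr/local/Brother/(.*/)?inf(/.*)?` lines in the same hunk, or a dedicated type, would be the narrower choice (what the directories actually contain is not visible here). Note also that `/var/log/turboprint.*` replaces the old `--` file-only entry, so the pattern now matches directories and symlinks as well; if that is intended, a trailing comment would save the next reader the question.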
@@ -16598,8 +16617,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -9,6 +9,7 @@ ++++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-12-19 17:07:45.000000000 -0500 +@@ -5,10 +5,12 @@ + /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0) + + /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0) ++/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0) + /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) @@ -16607,7 +16631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) -@@ -17,7 +18,7 @@ +@@ -17,7 +19,7 @@ /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) 
@@ -16664,18 +16688,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-12 09:32:28.000000000 -0500 -@@ -49,6 +49,9 @@ ++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-19 17:16:31.000000000 -0500 +@@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) +typealias hald_log_t alias pmtools_log_t; +typealias hald_var_run_t alias pmtools_var_run_t; + ++type hald_dccm_t; ++type hald_dccm_exec_t; ++domain_type(hald_dccm_t) ++domain_entry_file(hald_dccm_t, hald_dccm_exec_t) ++role system_r types hald_dccm_t; ++ ######################################## # # Local policy -@@ -143,6 +146,7 @@ +@@ -143,6 +152,7 @@ files_getattr_all_dirs(hald_t) files_read_kernel_img(hald_t) files_rw_lock_dirs(hald_t) @@ -16683,7 +16713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -197,6 +201,7 @@ +@@ -197,6 +207,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) @@ -16691,7 +16721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) -@@ -280,6 +285,12 @@ +@@ -280,6 +291,12 @@ ') optional_policy(` @@ -16704,7 +16734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -300,12 +311,20 @@ +@@ -300,12 +317,20 @@ vbetool_domtrans(hald_t) ') 
@@ -16726,7 +16756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -344,13 +363,22 @@ +@@ -344,13 +369,22 @@ libs_use_ld_so(hald_acl_t) libs_use_shared_libs(hald_acl_t) @@ -16749,7 +16779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; allow hald_mac_t hald_t:unix_stream_socket connectto; -@@ -359,6 +387,8 @@ +@@ -359,6 +393,8 @@ manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -16758,7 +16788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(hald_mac_t) dev_read_raw_memory(hald_mac_t) -@@ -366,6 +396,9 @@ +@@ -366,6 +402,9 @@ dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -16768,7 +16798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -388,6 +421,8 @@ +@@ -388,6 +427,8 @@ manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_sonypic_t) @@ -16777,7 +16807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_usr_files(hald_sonypic_t) libs_use_ld_so(hald_sonypic_t) -@@ -408,6 +443,8 @@ +@@ -408,6 +449,8 @@ manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_keymap_t) 
@@ -16786,12 +16816,58 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_input_dev(hald_keymap_t) files_read_usr_files(hald_keymap_t) -@@ -419,4 +456,4 @@ +@@ -419,4 +462,50 @@ # This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed -#cron_read_system_job_lib_files(hald_t) +cron_read_system_job_lib_files(hald_t) ++ ++######################################## ++# ++# Local hald dccm policy ++# ++allow hald_dccm_t self:capability { net_bind_service }; ++allow hald_dccm_t self:process getsched; ++ ++allow hald_dccm_t self:tcp_socket create_stream_socket_perms; ++allow hald_dccm_t self:udp_socket create_socket_perms; ++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms; ++ ++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t) ++allow hald_t hald_dccm_t:process signal; ++allow hald_dccm_t hald_t:unix_stream_socket connectto; ++ ++corenet_all_recvfrom_unlabeled(hald_dccm_t) ++corenet_all_recvfrom_netlabel(hald_dccm_t) ++corenet_tcp_sendrecv_all_if(hald_dccm_t) ++corenet_udp_sendrecv_all_if(hald_dccm_t) ++corenet_tcp_sendrecv_all_nodes(hald_dccm_t) ++corenet_udp_sendrecv_all_nodes(hald_dccm_t) ++corenet_tcp_sendrecv_all_ports(hald_dccm_t) ++corenet_udp_sendrecv_all_ports(hald_dccm_t) ++corenet_tcp_bind_all_nodes(hald_dccm_t) ++corenet_udp_bind_all_nodes(hald_dccm_t) ++corenet_udp_bind_dhcpc_port(hald_dccm_t) ++corenet_tcp_bind_ftps_port(hald_dccm_t) ++corenet_tcp_bind_dccm_port(hald_dccm_t) ++ ++kernel_search_network_sysctl(hald_dccm_t) ++ ++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) ++files_search_var_lib(hald_dccm_t) ++ ++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t) ++ ++files_read_usr_files(hald_dccm_t) ++ ++libs_use_ld_so(hald_dccm_t) ++libs_use_shared_libs(hald_dccm_t) ++ ++miscfiles_read_localization(hald_dccm_t) ++ ++permissive hald_dccm_t; diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.13/policy/modules/services/inetd.fc --- nsaserefpolicy/policy/modules/services/inetd.fc 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/inetd.fc 2008-11-24 10:49:49.000000000 -0500 @@ -17507,7 +17583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-18 11:33:10.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-27 07:23:36.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -17604,7 +17680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(munin_t) optional_policy(` -@@ -109,7 +129,30 @@ +@@ -109,7 +129,31 @@ ') optional_policy(` @@ -17625,6 +17701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + postfix_list_spool(munin_t) ++ postfix_getattr_spool_files(munin_t) +') + +optional_policy(` @@ -17636,7 +17713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,3 +162,9 @@ +@@ -119,3 +163,9 @@ optional_policy(` udev_read_db(munin_t) ') 
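Review bot: The new domain ends with `permissive hald_dccm_t;`, so none of the rules in the `Local hald dccm policy` block are enforced yet: denials are logged but the process effectively runs unconfined while holding `net_bind_service`, binding on all nodes (`corenet_tcp_bind_all_nodes` / `corenet_udp_bind_all_nodes`) and listening on the dhcpc, ftps (990) and dccm (5679) ports. That is acceptable for collecting AVCs during bring-up, but the line should carry a marker so it is not shipped indefinitely, e.g. `permissive hald_dccm_t; # TODO: drop once dccm denials have been collected`. Binding on all nodes also means the ActiveSync listener is reachable on every interface, not only the USB link the device attaches through; if that exposure is intended, a comment above the corenet_ block saying so would help reviewers, and if not, the bind should be narrowed when the domain is made enforcing.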
@@ -20918,7 +20995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if --- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-18 11:31:38.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-27 07:22:46.000000000 -0500 @@ -211,9 +211,8 @@ type postfix_etc_t; ') @@ -20979,28 +21056,49 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_spool($1) ') -@@ -480,10 +498,10 @@ +@@ -480,11 +498,30 @@ # interface(`postfix_list_spool',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; ++ ') ++ ++ allow $1 postfix_spool_type:dir list_dir_perms; ++ files_search_spool($1) ++') ++ ++######################################## ++## ++## Getattr postfix mail spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postfix_getattr_spool_files',` ++ gen_require(` ++ attribute postfix_spool_type; ') - allow $1 postfix_spool_t:dir list_dir_perms; -+ allow $1 postfix_spool_type:dir list_dir_perms; files_search_spool($1) ++ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type) ') -@@ -499,11 +517,30 @@ + ######################################## +@@ -499,11 +536,30 @@ # interface(`postfix_read_spool_files',` gen_require(` - type postfix_spool_t; + attribute postfix_spool_type; -+ ') -+ -+ files_search_spool($1) + ') + + files_search_spool($1) +- read_files_pattern($1, postfix_spool_t, postfix_spool_t) + read_files_pattern($1, postfix_spool_type, postfix_spool_type) +') + 
@@ -21017,15 +21115,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`postfix_manage_spool_files',` + gen_require(` + attribute postfix_spool_type; - ') - - files_search_spool($1) -- read_files_pattern($1, postfix_spool_t, postfix_spool_t) ++ ') ++ ++ files_search_spool($1) + manage_files_pattern($1, postfix_spool_type, postfix_spool_type) ') ######################################## -@@ -524,3 +561,23 @@ +@@ -524,3 +580,23 @@ typeattribute $1 postfix_user_domtrans; ') @@ -21051,7 +21148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-18 11:30:38.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-22 10:48:25.000000000 -0500 @@ -6,6 +6,15 @@ # Declarations # @@ -21138,7 +21235,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -170,6 +188,8 @@ +@@ -153,6 +171,9 @@ + corenet_udp_sendrecv_all_nodes(postfix_master_t) + corenet_tcp_sendrecv_all_ports(postfix_master_t) + corenet_udp_sendrecv_all_ports(postfix_master_t) ++corenet_udp_bind_all_nodes(postfix_master_t) ++corenet_udp_bind_all_unreserved_ports(postfix_master_t) ++corenet_dontaudit_udp_bind_all_ports(postfix_master_t) + corenet_tcp_bind_all_nodes(postfix_master_t) + corenet_tcp_bind_amavisd_send_port(postfix_master_t) + corenet_tcp_bind_smtp_port(postfix_master_t) +@@ -170,6 +191,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) 
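Review bot: `corenet_dontaudit_udp_bind_all_ports(postfix_master_t)` silences every UDP bind denial for the master process, reserved and labelled ports included, so a misconfigured or compromised master trying to bind e.g. 53 or 514 would leave no AVC trace. The line above it already grants `corenet_udp_bind_all_unreserved_ports(postfix_master_t)`, so the only binds left to dontaudit are exactly the ones where an audit record is useful. If the allow rule exists for the resolver's randomised source ports (presumably, cannot confirm from here), it should suffice on its own; otherwise keep the dontaudit but add a why-comment naming the bind that produced the noise it is meant to hide.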
@@ -21147,7 +21254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_search_ptys(postfix_master_t) -@@ -181,15 +201,14 @@ +@@ -181,15 +204,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) @@ -21167,7 +21274,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -202,9 +221,29 @@ +@@ -202,9 +224,29 @@ ') optional_policy(` @@ -21197,7 +21304,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix bounce local policy -@@ -245,6 +284,10 @@ +@@ -245,6 +287,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -21208,7 +21315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -270,18 +313,25 @@ +@@ -270,18 +316,25 @@ files_read_etc_files(postfix_local_t) @@ -21234,7 +21341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +342,7 @@ +@@ -292,8 +345,7 @@ # # Postfix map local policy # @@ -21244,7 +21351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -343,8 +392,6 @@ +@@ -343,8 +395,6 @@ miscfiles_read_localization(postfix_map_t) @@ -21253,7 +21360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -357,6 +404,11 @@ +@@ -357,6 +407,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') 
@@ -21265,7 +21372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -381,6 +433,7 @@ +@@ -381,6 +436,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -21273,7 +21380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -388,6 +441,12 @@ +@@ -388,6 +444,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -21286,7 +21393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -397,6 +456,15 @@ +@@ -397,6 +459,15 @@ ') optional_policy(` @@ -21302,7 +21409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -433,8 +501,11 @@ +@@ -433,8 +504,11 @@ ') optional_policy(` @@ -21316,7 +21423,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -460,6 +531,15 @@ +@@ -460,6 +534,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -21332,7 +21439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -540,9 +620,18 @@ +@@ -540,9 +623,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -21351,7 +21458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -569,7 +658,7 @@ +@@ -569,7 +661,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process 
@@ -23795,7 +23902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-15 12:24:35.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-22 10:23:59.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -23898,7 +24005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # smbd Local policy # -allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; -+allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search }; dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; @@ -26203,7 +26310,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-04 09:20:48.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-27 07:06:56.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. 
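Review bot: `sys_nice` joins smbd_t's self capability set on the rewritten `allow smbd_t self:capability { ... }` line with no comment on which smbd feature needs it. CAP_SYS_NICE covers more than renicing itself: subject to the separate `process:setsched` check it also lifts the kernel's DAC restriction on changing priority, scheduling policy and CPU affinity of other processes, so it is a wider grant than the `chown` it sits next to. A short why-comment on the line, e.g. `# sys_nice: smbd adjusts its own scheduling priority`, would keep the rule auditable, and if only self-renicing is needed that is worth stating explicitly.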
@@ -26230,7 +26337,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ################################# # # sshd local policy -@@ -78,6 +88,9 @@ +@@ -74,10 +84,15 @@ + kernel_search_key(sshd_t) + kernel_link_key(sshd_t) + ++fs_list_inotifyfs(sshd_t) ++ + # for X forwarding corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -26240,7 +26353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -99,6 +112,14 @@ +@@ -99,6 +114,14 @@ ') optional_policy(` @@ -26255,7 +26368,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -117,7 +138,11 @@ +@@ -117,7 +140,11 @@ ') optional_policy(` @@ -26268,7 +26381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -176,6 +201,8 @@ +@@ -176,6 +203,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index db606b3..20fc2a7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 35%{?dist} +Release: 37%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -459,6 +459,12 @@ exit 0 %endif %changelog +* Sat Dec 27 2008 Dan Walsh 3.5.13-37 +- Allow sshd to use inotify + +* Fri Dec 19 2008 Dan Walsh 3.5.13-36 +- Add hal_dccm policy + * Tue Dec 9 2008 Dan Walsh 3.5.13-35 - Allow staff_t to execute at jobs
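Review bot: `fs_list_inotifyfs(sshd_t)` is placed between the `kernel_*` calls and the `# for X forwarding` corenet_ rules, while the visible sequence (kernel_ before corenet_) suggests the file follows refpolicy's prefix ordering, under which fs_ calls come after the corenet_ block. The line also carries no hint of which code path in sshd, or in a library it loads, lists inotifyfs, and the changelog entry only repeats the subject; a one-line why-comment naming the trigger that produced the denial (e.g. `# listing inotifyfs: needed by <library/feature>, see denial`) would help the next reader judge whether the rule is still required.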