From e9371620f32c07af73838ea8970be523f59f29c2 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Apr 25 2012 12:01:24 +0000
Subject: * Wed Apr 25 2012 Miroslav Grepl 3.10.0-87
- More fixes for l2tpd
* Allow pppd to stream connet to l2tpd
* Allow l2tpd to send sigkill to pppd
* Allow l2tpd to use the generic pty
---
diff --git a/policy-F16.patch b/policy-F16.patch
index ac7ec1f..57fc850 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -42590,10 +42590,10 @@ index 0000000..6b27066
 +/var/run/xl2tpd\.pid -- gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
 new file mode 100644
-index 0000000..cd14d24
+index 0000000..6d046d4
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,153 @@
+@@ -0,0 +1,174 @@
 +## Layer 2 Tunneling Protocol daemons.
 +
 +########################################
@@ -42689,6 +42689,27 @@ index 0000000..cd14d24
 + allow $1 l2tpd_var_run_t:file read_file_perms;
 +')
 +
++#####################################
++##
++## Connect to l2tpd over a unix domain
++## stream socket.
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_stream_connect',`
++ gen_require(`
++ type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
++ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
++')
++
 +########################################
 +##
 +## Read and write l2tpd unnamed pipes.
@@ -42749,10 +42770,10 @@ index 0000000..cd14d24
 +')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..5d5f56e
+index 0000000..365eb93
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,101 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
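Review bot: `l2tpd_stream_connect` grants a stream connect through a socket file labelled `l2tpd_tmp_t` but only adds `files_search_pids($1)`, so a caller that reaches the socket via the tmp path is still denied search on the tmp directory; add `files_search_tmp($1)` next to the pids search. The `gen_require` also pulls in `l2tpd_tmp_t`, and the l2tpd.te hunks visible on this page do not show that type being declared, so it is worth confirming it exists or the module will fail to build. Whether xl2tpd actually places its control socket under both locations is not visible here; if only one is used, the unused `stream_connect_pattern` line should be dropped rather than left as an extra allow.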
@@ -42829,6 +42850,9 @@ index 0000000..5d5f56e
 +# net-pf-24 (pppox)
 +kernel_request_load_module(l2tpd_t)
 +
++term_use_ptmx(l2tpd_t)
++term_use_generic_ptys(l2tpd_t)
++
 +# prol2tpc
 +corecmd_exec_bin(l2tpd_t)
 +
@@ -42849,6 +42873,7 @@ index 0000000..5d5f56e
 +optional_policy(`
 + ppp_domtrans(l2tpd_t)
 + ppp_signal(l2tpd_t)
++ ppp_kill(l2tpd_t)
 +')
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
 index c62f23e..8b7e71f 100644
@@ -53028,7 +53053,7 @@ index b524673..921a60f 100644
 + ppp_systemctl($1)
 ')
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..20f5d6b 100644
+index 2af42e7..f530c23 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -53112,7 +53137,7 @@ index 2af42e7..20f5d6b 100644
 allow pppd_t pptp_t:process signal;
-@@ -143,6 +147,7 @@ fs_getattr_all_fs(pppd_t)
+@@ -143,10 +147,12 @@ fs_getattr_all_fs(pppd_t)
 fs_search_auto_mountpoints(pppd_t)
 term_use_unallocated_ttys(pppd_t)
@@ -53120,7 +53145,12 @@ index 2af42e7..20f5d6b 100644
 term_setattr_unallocated_ttys(pppd_t)
 term_ioctl_generic_ptys(pppd_t)
 # for pppoe
-@@ -166,6 +171,8 @@ init_dontaudit_write_utmp(pppd_t)
+ term_create_pty(pppd_t, pppd_devpts_t)
++term_use_generic_ptys(pppd_t)
+
+ # allow running ip-up and ip-down scripts and running chat.
+ corecmd_exec_bin(pppd_t)
+@@ -166,6 +172,8 @@ init_dontaudit_write_utmp(pppd_t)
 init_signal_script(pppd_t)
 auth_use_nsswitch(pppd_t)
@@ -53129,7 +53159,7 @@ index 2af42e7..20f5d6b 100644
 logging_send_syslog_msg(pppd_t)
 logging_send_audit_msgs(pppd_t)
-@@ -176,7 +183,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +184,7 @@ sysnet_exec_ifconfig(pppd_t)
 sysnet_manage_config(pppd_t)
 sysnet_etc_filetrans_config(pppd_t)
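Review bot: `term_use_generic_ptys(l2tpd_t)` in the l2tpd.te hunk at -42829, together with `term_use_generic_ptys(pppd_t)` in the ppp.te hunk at -53120, lets both daemons read and write every pty carrying the generic devpts label, not only the one they hand to each other. pppd already creates its own labelled pty via `term_create_pty(pppd_t, pppd_devpts_t)` (the context line directly above the new grant), so the narrower route is a dedicated devpts type for l2tpd created with `term_create_pty` in l2tpd.te plus an l2tpd interface that pppd can call, after which neither generic grant is needed. If the generic label is unavoidable because the pty is not allocated by either domain, a one-line comment above each grant recording which side allocates the pty and why it keeps the generic label would stop the wider access from being silently preserved or tightened later without that context. The l2tpd.te hunk sits inside a new file whose body continues outside this hunk.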
@@ -53138,7 +53168,7 @@ index 2af42e7..20f5d6b 100644
 userdom_dontaudit_use_unpriv_user_fds(pppd_t)
 userdom_search_user_home_dirs(pppd_t)
-@@ -187,13 +194,15 @@ optional_policy(`
+@@ -187,13 +195,21 @@ optional_policy(`
 ')
 optional_policy(`
@@ -53149,13 +53179,19 @@ index 2af42e7..20f5d6b 100644
 ')
 optional_policy(`
++ l2tpd_dgram_send(pppd_t)
++ l2tpd_rw_socket(pppd_t)
++ l2tpd_stream_connect(pppd_t)
++')
++
++optional_policy(`
 mta_send_mail(pppd_t)
 + mta_system_content(pppd_etc_t)
 + mta_system_content(pppd_etc_rw_t)
 ')
 optional_policy(`
-@@ -243,14 +252,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +259,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
 allow pptp_t pptp_log_t:file manage_file_perms;
 logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -53175,7 +53211,7 @@ index 2af42e7..20f5d6b 100644
 dev_read_sysfs(pptp_t)
-@@ -265,9 +278,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
+@@ -265,9 +285,8 @@ corenet_tcp_sendrecv_generic_node(pptp_t)
 corenet_raw_sendrecv_generic_node(pptp_t)
 corenet_tcp_sendrecv_all_ports(pptp_t)
 corenet_tcp_bind_generic_node(pptp_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 428dd52..565a4fe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 86%{?dist}
+Release: 87%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,12 @@ SELinux Reference policy mls base module.
 %endif
 %changelog
+* Wed Apr 25 2012 Miroslav Grepl 3.10.0-87
+- More fixes for l2tpd
+ * Allow pppd to stream connet to l2tpd
+ * Allow l2tpd to send sigkill to pppd
+ * Allow l2tpd to use the generic pty
+
 * Tue Apr 24 2012 Miroslav Grepl 3.10.0-86
 - /var/spool/postfix/lib64 should be labeled lib_t
 - Add filename transitions for system conf files to make sure they will have system_conf