From ff71f8e306092aed2484d2f3da6616653f46ad99 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 14 2009 09:57:14 +0000 Subject: - Fix fail2ban policy --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 3cc1037..3e5372e 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -15131,7 +15131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2009-04-09 14:15:20.000000000 +0200 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -15162,7 +15162,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups type hplip_etc_t; files_config_file(hplip_etc_t) -@@ -65,6 +78,16 @@ +@@ -55,6 +68,9 @@ + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) + ++type hplip_tmp_t; ++files_tmp_file(hplip_tmp_t) ++ + type ptal_t; + type ptal_exec_t; + init_daemon_domain(ptal_t, ptal_exec_t) +@@ -65,6 +81,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -15179,7 +15189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') -@@ -79,13 +102,14 @@ +@@ -79,13 +105,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) 
@@ -15197,7 +15207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +121,9 @@ +@@ -97,6 +124,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) @@ -15207,7 +15217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +131,11 @@ +@@ -104,8 +134,11 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -15221,7 +15231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +146,20 @@ +@@ -116,13 +149,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -15244,7 +15254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +186,49 @@ +@@ -149,44 +189,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -15299,7 +15309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +237,16 @@ +@@ -195,15 +240,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
@@ -15320,7 +15330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +262,21 @@ +@@ -219,17 +265,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -15345,7 +15355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -246,8 +293,16 @@ +@@ -246,8 +296,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -15362,7 +15372,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +318,10 @@ +@@ -263,6 +321,10 @@ ') optional_policy(` @@ -15373,7 +15383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +340,7 @@ +@@ -281,7 +343,7 @@ # Cups configuration daemon local policy # @@ -15382,7 +15392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -313,7 +372,7 @@ +@@ -313,7 +375,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) @@ -15391,7 +15401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -326,6 +385,7 @@ +@@ -326,6 +388,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) 
@@ -15399,7 +15409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -343,7 +403,7 @@ +@@ -343,7 +406,7 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -15408,7 +15418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_config_t) -@@ -353,6 +413,7 @@ +@@ -353,6 +416,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -15416,7 +15426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) -@@ -365,14 +426,16 @@ +@@ -365,14 +429,16 @@ sysadm_dontaudit_search_home_dirs(cupsd_config_t) ifdef(`distro_redhat',` @@ -15435,7 +15445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -388,6 +451,7 @@ +@@ -388,6 +454,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -15443,7 +15453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -500,7 +564,11 @@ +@@ -500,7 +567,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; 
@@ -15452,20 +15462,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t) +files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir }) -+ cups_stream_connect(hplip_t) -@@ -509,6 +577,8 @@ +@@ -509,6 +579,11 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) +read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) + ++manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) ++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) ++ manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -538,7 +608,8 @@ +@@ -538,7 +613,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -15475,7 +15487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -552,6 +623,8 @@ +@@ -552,6 +628,8 @@ files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -15484,7 +15496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(hplip_t) libs_use_shared_libs(hplip_t) -@@ -564,12 +637,14 @@ +@@ -564,12 +642,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -15500,7 +15512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -651,3 +726,55 @@ +@@ -651,3 +731,55 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -15601,7 +15613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.13/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/dbus.if 2009-04-14 10:39:44.000000000 +0200 @@ -53,19 +53,19 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -15830,7 +15842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +440,120 @@ +@@ -366,3 +440,122 @@ allow $1 system_dbusd_t:dbus *; ') @@ -15885,6 +15897,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + dbus_system_bus_client_template($1, $1) + dbus_connect_system_bus($1) + ++ userdom_dontaudit_search_admin_dir($1) ++ + ifdef(`hide_broken_symptoms', ` + dbus_dontaudit_rw_system_selinux_socket($1) + '); 
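Review bot: The `userdom_dontaudit_search_admin_dir($1)` line added to this dbus template is unconditional, while the dontaudit immediately below it, `dbus_dontaudit_rw_system_selinux_socket($1)`, is wrapped in the `hide_broken_symptoms` ifdef. Silencing /root search for every domain instantiated through this template hides a denial that can indicate a service being launched with root's home directory as its cwd, which is usually the thing one wants to notice. Either move the new call inside the same `ifdef(`hide_broken_symptoms`, ...)` block or add a one-line comment above it naming the service that triggers the search so the dontaudit is not mistaken for a stray. The interface this sits in begins above the hunk.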
@@ -17248,10 +17262,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + spamassassin_exec(exim_t) + spamassassin_exec_client(exim_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.13/policy/modules/services/fail2ban.fc +--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-10-17 14:49:13.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.fc 2009-04-14 11:02:53.000000000 +0200 +@@ -2,5 +2,6 @@ + + /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + /usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) ++/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) + /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) + /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.13/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.if 2009-03-30 12:51:09.000000000 +0200 -@@ -79,6 +79,27 @@ ++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.if 2009-04-14 11:02:23.000000000 +0200 +@@ -60,6 +60,26 @@ + allow $1 fail2ban_log_t:file append_file_perms; + ') + ++####################################### ++## ++## Read fail2ban lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fail2ban_read_lib_files',` ++ gen_require(` ++ type fail2ban_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 fail2ban_var_lib_t:file read_file_perms; ++') ++ ++ + ######################################## + ## + ## Read fail2ban PID files. +@@ -79,6 +99,27 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') 
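Review bot: The new `fail2ban_read_lib_files` interface grants `files_search_var_lib($1)` and `read_file_perms` on fail2ban_var_lib_t files but no search permission on the fail2ban_var_lib_t directory itself, and the fc hunk above labels the whole `/var/lib/fail2ban(/.*)?` tree with that type, so a caller is still denied traversing into the directory before it can open a file. The refpolicy idiom `read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)` covers both the directory search and the file read; I'd use it in place of the bare `allow $1 fail2ban_var_lib_t:file read_file_perms;`. The summary/param block above the interface appears to have lost its XML tags in this rendering; worth confirming the patch file still carries the usual `<summary>` and `<param name="domain">` markup so the generated documentation picks the interface up.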
@@ -17279,10 +17330,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ######################################## ## ## All of the rules required to administrate +@@ -100,6 +141,7 @@ + gen_require(` + type fail2ban_t, fail2ban_log_t; + type fail2ban_var_run_t, fail2ban_initrc_exec_t; ++ type fail2ban_var_lib_t; + ') + + allow $1 fail2ban_t:process { ptrace signal_perms }; +@@ -113,6 +155,9 @@ + logging_list_logs($1) + admin_pattern($1, fail2ban_log_t) + ++ files_list_var_lib($1) ++ admin_pattern($1, fail2ban_var_lib_t) ++ + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.13/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/fail2ban.te 2009-03-30 12:52:34.000000000 +0200 -@@ -27,6 +27,7 @@ ++++ serefpolicy-3.5.13/policy/modules/services/fail2ban.te 2009-04-14 10:56:48.000000000 +0200 +@@ -17,6 +17,10 @@ + type fail2ban_log_t; + logging_log_file(fail2ban_log_t) + ++# lib files ++type fail2ban_var_lib_t; ++files_type(fail2ban_var_lib_t) ++ + # pid files + type fail2ban_var_run_t; + files_pid_file(fail2ban_var_run_t) +@@ -27,6 +31,7 @@ # allow fail2ban_t self:process signal; 
@@ -17290,6 +17370,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow fail2ban_t self:tcp_socket create_stream_socket_perms; +@@ -36,6 +41,11 @@ + manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) + logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) + ++# lib files ++manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) ++manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) ++files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file }) ++ + # pid file + manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) + manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.fc serefpolicy-3.5.13/policy/modules/services/fetchmail.fc --- nsaserefpolicy/policy/modules/services/fetchmail.fc 2008-10-17 14:49:11.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/services/fetchmail.fc 2009-03-05 15:02:41.000000000 +0100 @@ -17990,7 +18082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-03-25 09:04:18.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-04-14 10:23:38.000000000 +0200 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -18161,7 +18253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_rw_input_dev(hald_keymap_t) files_read_usr_files(hald_keymap_t) -@@ -419,4 +476,51 @@ +@@ -419,4 +476,53 @@ # This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed @@ -18211,6 +18303,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +libs_use_ld_so(hald_dccm_t) +libs_use_shared_libs(hald_dccm_t) + ++logging_send_syslog_msg(hald_dccm_t) ++ +miscfiles_read_localization(hald_dccm_t) + +permissive hald_dccm_t; @@ -19168,7 +19262,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.5.13/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/mta.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/mta.te 2009-04-14 10:49:52.000000000 +0200 @@ -39,34 +39,50 @@ # @@ -19271,7 +19365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') optional_policy(` -@@ -142,11 +171,40 @@ +@@ -142,11 +171,44 @@ ') optional_policy(` @@ -19292,6 +19386,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ') -# should break this up among sections: ++optional_policy(` ++ unconfined_use_terms(system_mail_t) ++') ++ +read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) + +init_stream_connect_script(mailserver_delivery) 
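Review bot: The `optional_policy` block added to mta.te grants `unconfined_use_terms(system_mail_t)` with no comment, and since system_mail_t is the domain local mail submission runs in, this hands it read/write access to unconfined users' terminals without anything in the hunk recording the denial that motivated it. If the purpose is that sendmail started from an unconfined shell can print diagnostics to the caller's tty, say so above the call, e.g. `# mail submitted from an unconfined shell writes its diagnostics to the caller's terminal`; if the write is only cosmetic, a dontaudit would be the narrower choice. The surrounding mta.te section continues past the hunk.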
@@ -27301,7 +27399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.13/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/sendmail.te 2009-04-14 11:07:49.000000000 +0200 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -27361,7 +27459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -91,34 +102,59 @@ +@@ -91,34 +102,63 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -27392,10 +27490,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send optional_policy(` clamav_search_lib(sendmail_t) + clamav_stream_connect(sendmail_t) + ') + + optional_policy(` +- postfix_exec_master(sendmail_t) ++ cyrus_stream_connect(sendmail_t) +') + +optional_policy(` -+ cyrus_stream_connect(sendmail_t) ++ fail2ban_read_lib_files(daemon) +') + +optional_policy(` @@ -27408,10 +27511,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + +optional_policy(` + munin_dontaudit_search_lib(sendmail_t) - ') - - optional_policy(` -- postfix_exec_master(sendmail_t) ++') ++ ++optional_policy(` + postfix_domtrans_postdrop(sendmail_t) + postfix_domtrans_master(sendmail_t) postfix_read_config(sendmail_t) @@ -27424,7 +27526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -126,24 +162,33 @@ +@@ -126,24 +166,33 @@ ') optional_policy(` 
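Review bot: The `optional_policy` block added to sendmail.te calls `fail2ban_read_lib_files(daemon)` rather than `fail2ban_read_lib_files(sendmail_t)`, which is the subject every neighbouring rule in this file uses; passing the `daemon` attribute from inside the sendmail module grants every daemon domain read access to fail2ban_var_lib_t. The identical daemon-wide call is also added to init.te in this same commit, so this line is either a copy-paste of that one or redundant with it. If sendmail_t itself needs fail2ban's state (for example when fail2ban's mail action invokes sendmail), narrow it to `fail2ban_read_lib_files(sendmail_t)`; otherwise drop this block and keep the single rule in init.te.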
@@ -27946,11 +28048,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.5.13/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2009-02-10 15:07:15.000000000 +0100 -@@ -1,16 +1,27 @@ ++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.fc 2009-04-14 10:34:25.000000000 +0200 +@@ -1,16 +1,26 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + ++/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++ +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) @@ -27961,7 +28065,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) -+#/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) 
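Review bot: The new `/root/\.razor(/.*)?` entry labels only root's razor directory as spamc_home_t, whereas the `.spamassassin` entry right above it uses `HOME_DIR/\.spamassassin(/.*)?` so that every user's copy is covered; spamc run by an ordinary user will presumably leave `~/.razor` at the generic home type. If the razor cache is meant to be spamc-private for all users, add `HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)` alongside the root-only line. A short comment noting that the /root entry exists because HOME_DIR does not expand to root's home would also stop it being folded back into the HOME_DIR line later.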
@@ -27971,8 +28074,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) -+#/var/run/spamass-milter.* gen_context(system_u:object_r:spamd_var_run_t,s0) -+#/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) @@ -32899,7 +33000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.13/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-03-27 09:06:57.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/init.te 2009-04-14 11:07:25.000000000 +0200 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -33123,7 +33224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -759,6 +819,11 @@ +@@ -759,6 +819,15 @@ uml_setattr_util_sockets(initrc_t) ') @@ -33132,10 +33233,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + cron_rw_pipes(daemon) +') + ++optional_policy(` ++ fail2ban_read_lib_files(daemon) ++') ++ optional_policy(` unconfined_domain(initrc_t) -@@ -773,6 +838,10 @@ +@@ -773,6 +842,10 @@ ') optional_policy(` @@ -33146,7 +33251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -795,3 +864,17 @@ +@@ -795,3 +868,19 @@ optional_policy(` zebra_read_config(initrc_t) ') 
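Review bot: `fail2ban_read_lib_files(daemon)` in the init.te hunk lets every domain carrying the `daemon` attribute read the contents of /var/lib/fail2ban, which is a much wider grant than a fix to the fail2ban policy suggests, and nothing in the hunk records which daemon produced the denial. If the need is a specific domain, the rule belongs in that module with its own domain as the subject (the sendmail module in this same commit receives the same daemon-wide call, so the two should be reconciled). If a daemon-wide rule really is intended, a one-line why-comment above it naming the AVC that motivated it would stop the next maintainer from dropping it as stray.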
@@ -33164,6 +33269,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + fs_dontaudit_rw_cifs_files(daemon) + ') +') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.5.13/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/system/ipsec.fc 2009-02-10 15:07:15.000000000 +0100 @@ -36673,7 +36780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-03-05 13:30:03.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-04-14 10:42:32.000000000 +0200 @@ -28,10 +28,14 @@ class context contains; ') @@ -38894,7 +39001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5725,622 @@ +@@ -5513,3 +5725,642 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -39500,6 +39607,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + allow $1 user_home_t:file execmod; +') ++ ++####################################### ++## ++## dontaudit Search /root ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_search_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir search_dir_perms; ++') ++ +######################################## +## +## dontaudit list /root 
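Review bot: The new `userdom_dontaudit_search_admin_dir` interface and the existing `userdom_dontaudit_list_admin_dir` directly below it differ only in `search_dir_perms` versus `list_dir_perms`, and in refpolicy's permission sets list_dir_perms already includes search, so the two overlap and their summaries do not say how they relate. I'd reword the new summary to `## dontaudit search of /root (admin_home_t); use userdom_dontaudit_list_admin_dir when the caller also reads the directory` so callers pick the narrower one deliberately. The summary/param block for the new interface also appears to have lost its XML tags in this rendering; worth checking the patch file still carries them.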
@@ -39517,6 +39643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dontaudit $1 admin_home_t:dir list_dir_perms; +') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-17 14:49:13.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2009-02-10 15:07:15.000000000 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 7d536d1..9acccb1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -460,6 +460,9 @@ exit 0 %endif %changelog +* Tue Apr 14 2009 Miroslav Grepl 3.5.13-56 +- Fix fail2ban policy + * Tue Apr 7 2009 Miroslav Grepl 3.5.13-55 - Allow swat_t domtrans to smbd_t