diff --git a/modules-mls.conf b/modules-mls.conf index d450484..a38608f 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -1004,6 +1004,13 @@ logwatch = base setrans = base # Layer: services +# Module: setroubleshoot +# +# Policy for the SELinux troubleshooting utility +# +setroubleshoot = base + +# Layer: services # Module: openvpn # # Policy for OPENVPN full-featured SSL VPN solution diff --git a/policy-20080710.patch b/policy-20080710.patch index 5330706..5a890af 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -8400,7 +8400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc --- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-08 19:00:23.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-05 13:22:07.000000000 -0500 @@ -36,7 +36,7 @@ /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) @@ -14165,13 +14165,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-05 15:12:14.000000000 -0500 
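Review bot: The new `setroubleshoot = base` entry enables the setroubleshoot module in the MLS policy build, but the spec changelog entry this commit adds records only "Fix cyphesis file context", so the behavioural change is undocumented in the package history. The same applies to the xserver.te hunks in policy-20080710.patch (the xdm_t `unix_dgram_socket sendto` grant and the `manage_lnk_files_pattern` on xdm_var_lib_t). A changelog line such as `- Enable setroubleshoot in modules-mls.conf; widen xdm self dgram socket and var_lib symlink access` would make these auditable later. The Layer/Module comment block mirrors the neighbouring entries, and presumably matches the targeted module list; confirm setroubleshoot is also listed there.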
@@ -1 +1,6 @@ /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0) + +/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0) + -+/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0) ++/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc --- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400 @@ -26338,7 +26338,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-10-29 13:26:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-05 15:24:47.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -26443,7 +26443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_common_domain_template(xdm) xserver_common_x_domain_template(xdm, xdm, xdm_t) init_system_domain(xdm_xserver_t, xserver_exec_t) -@@ -140,8 +193,9 @@ +@@ -140,13 +193,14 @@ # XDM Local policy # 
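Review bot: The file context for `/var/run/cyphesis(/.*)?` now labels with `cyphesis_var_run_t` instead of `cyphesis_run_t`, but the type declaration lives in cyphesis.te, which this hunk does not touch, so it cannot be seen here whether `cyphesis_var_run_t` is declared (and marked with `files_pid_file`) and whether any `cyphesis_run_t` reference remains elsewhere in the patch. If the .te still names `cyphesis_run_t`, the module will fail to build or the pid directory will stay mislabeled after a relabel. The sibling `cyphesis_log_t` entry in the context line should be checked for the same .fc/.te agreement. The enclosing outer hunk starts in the previous line of the page.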
@@ -26455,6 +26455,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; + allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms }; +-allow xdm_t self:unix_dgram_socket create_socket_perms; ++allow xdm_t self:unix_dgram_socket { create_socket_perms sendto }; + allow xdm_t self:tcp_socket create_stream_socket_perms; + allow xdm_t self:udp_socket create_socket_perms; + allow xdm_t self:socket create_socket_perms; @@ -154,6 +208,12 @@ allow xdm_t self:key { search link write }; @@ -26477,7 +26483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +238,31 @@ +@@ -176,15 +238,32 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) @@ -26497,6 +26503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) manage_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) -files_var_lib_filetrans(xdm_t, xdm_var_lib_t, file) ++manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +manage_sock_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t) +files_var_lib_filetrans(xdm_t, xdm_var_lib_t, { file dir }) +# Read machine-id @@ -26511,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +276,7 @@ +@@ -198,6 +277,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; 
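Review bot: The inner hunk now rewrites `allow xdm_t self:unix_dgram_socket create_socket_perms;` to `allow xdm_t self:unix_dgram_socket { create_socket_perms sendto };`, widening xdm_t's own datagram-socket rights without any comment on which xdm component needs `sendto` (presumably to clear an AVC denial; the denial is not quoted anywhere in the commit). A one-line comment above the rule, `# xdm sends datagrams to its own unix sockets`, would let a later audit tell a deliberate grant from a leftover. The header update in the preceding hunk (`@@ -140,8 +193,9 @@` to `@@ -140,13 +193,14 @@`) is consistent with the five old and five new inner lines added here.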
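Review bot: The added `manage_lnk_files_pattern(xdm_t, xdm_var_lib_t, xdm_var_lib_t)` lets xdm_t create, rename and delete symlinks under its var_lib type, and like the `manage_sock_files_pattern` line below it carries no note on the program that needs it. Because the rule is inside the `+@@ -176,15 +238,32 @@` inner hunk, the +1 header renumbering in the later xserver.te hunks of this commit is consistent with this single added line. A short comment naming the consumer, e.g. `# symlinks under /var/lib/xdm`, would help keep the grant from outliving its reason.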
@@ -26519,7 +26526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +308,7 @@ +@@ -229,6 +309,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -26527,7 +26534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +321,7 @@ +@@ -241,6 +322,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -26535,7 +26542,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +334,17 @@ +@@ -253,14 +335,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -26555,7 +26562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +355,13 @@ +@@ -271,9 +356,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -26569,7 +26576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +370,7 @@ +@@ -282,6 +371,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -26577,7 +26584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +379,7 @@ +@@ -290,6 +380,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -26585,7 +26592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +391,26 @@ +@@ -301,21 +392,26 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -26617,7 +26624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +443,12 @@ +@@ -348,10 +444,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -26630,7 +26637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +456,22 @@ +@@ -359,6 +457,22 @@ ') optional_policy(` @@ -26653,7 +26660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +495,34 @@ +@@ -382,16 +496,34 @@ ') optional_policy(` @@ -26689,7 +26696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -411,6 +542,10 @@ +@@ -411,6 +543,10 @@ ') optional_policy(` @@ -26700,7 +26707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -427,7 +562,7 @@ +@@ -427,7 +563,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -26709,7 +26716,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +574,15 @@ +@@ -439,6 +575,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -26725,7 +26732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +594,19 @@ +@@ -450,10 +595,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -26746,7 +26753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +621,19 @@ +@@ -468,8 +622,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -26766,7 +26773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +645,25 @@ +@@ -481,8 +646,25 @@ ') optional_policy(` @@ -26794,7 +26801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +672,6 @@ +@@ -491,7 +673,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') @@ -26802,7 +26809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -512,6 +692,27 @@ +@@ -512,6 +693,27 @@ allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -26830,7 +26837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` # Need to further investigate these permissions and # perhaps define derived types. -@@ -544,3 +745,70 @@ +@@ -544,3 +746,70 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO diff --git a/selinux-policy.spec b/selinux-policy.spec index 8479a4b..199349c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Wed Nov 5 2008 Dan Walsh 3.5.13-16 +- Fix cyphesis file context + * Tue Nov 3 2008 Dan Walsh 3.5.13-15 - Allow hal/pm-utils to look at /var/run/video.rom - Add ulogd policy