diff --git a/policy-F15.patch b/policy-F15.patch index 2ddc254..e1c2673 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -489,6 +489,18 @@ index 75ce30f..f3347aa 100644 files_getattr_all_file_type_fs(logwatch_t) ') +diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te +index 5a9cebf..276941d 100644 +--- a/policy/modules/admin/mcelog.te ++++ b/policy/modules/admin/mcelog.te +@@ -7,6 +7,7 @@ policy_module(mcelog, 1.0.1) + + type mcelog_t; + type mcelog_exec_t; ++init_system_domain(mcelog_t, mcelog_exec_t) + application_domain(mcelog_t, mcelog_exec_t) + cron_system_entry(mcelog_t, mcelog_exec_t) + diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te index 0e19d80..9d58abe 100644 --- a/policy/modules/admin/mrtg.te @@ -1996,10 +2008,10 @@ index 7fd0900..899e234 100644 dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 -index 0000000..278b3a3 +index 0000000..4ef897d --- /dev/null +++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,49 @@ +@@ -0,0 +1,50 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2049,6 +2061,7 @@ index 0000000..278b3a3 +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 index 0000000..06ed3de @@ -9391,7 +9404,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> 
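Review bot: `init_system_domain(mcelog_t, mcelog_exec_t)` is inserted directly above the existing `application_domain(mcelog_t, mcelog_exec_t)`, and in refpolicy `init_system_domain` already applies `application_domain` to the same type pair, so the second call becomes redundant once this lands; drop it, or check this tree's init.if if that implementation has diverged. The hunk also leaves `policy_module(mcelog, 1.0.1)` untouched, and bumping it would keep the module version in step with a rule change that alters which domains may enter mcelog_t (init and initrc in addition to cron). The mcelog.te diff is complete here, but the enclosing outer hunk continues into mrtg.te.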
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..b9e3aa9 100644 +index 437a42a..725b363 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -9721,7 +9734,33 @@ index 437a42a..b9e3aa9 100644 ## Read removable storage symbolic links. ## ## -@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',` + read_lnk_files_pattern($1, removable_t, removable_t) + ') + ++###################################### ++## ++## Read block nodes on removable filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_removable_blk_files',` ++ gen_require(` ++ type removable_t; ++ ') ++ ++ allow $1 removable_t:dir list_dir_perms; ++ read_blk_files_pattern($1, removable_t, removable_t) ++') ++ + ######################################## + ## + ## Read and write block nodes on removable filesystems. +@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -9729,7 +9768,7 @@ index 437a42a..b9e3aa9 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -9737,7 +9776,7 @@ index 437a42a..b9e3aa9 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -9746,7 +9785,7 @@ index 437a42a..b9e3aa9 100644 ## ## ## -@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
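Review bot: The new `fs_read_removable_blk_files` grants `read_blk_files_pattern` on removable_t, which lets the caller open device nodes that happen to sit on removable media and therefore whichever host device their major/minor numbers name, unless the filesystem is mounted nodev; the interface summary should say so, since "read block nodes" alone reads like a harmless file read. A line such as `## Reads go through block nodes stored on the removable media and are only as safe as that filesystem's mount options (nodev).` under the summary would make that visible to callers. The directory `list_dir_perms` line mirrors the sibling rw interface, and the renumbered `@@` headers later in this hunk are consistent with the 19 inserted lines.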
@@ -9754,7 +9793,7 @@ index 437a42a..b9e3aa9 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -9797,7 +9836,7 @@ index 437a42a..b9e3aa9 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',` +@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -9806,7 +9845,7 @@ index 437a42a..b9e3aa9 100644 ') ######################################## -@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -19945,7 +19984,7 @@ index e1d7dc5..ee51a19 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..9e2f6d5 100644 +index cbe14e4..e74c9fe 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -20037,12 +20076,14 @@ index cbe14e4..9e2f6d5 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; -allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; ++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms; +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) ++ allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; 
@@ -20071,7 +20112,7 @@ index cbe14e4..9e2f6d5 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -22451,7 +22492,7 @@ index 3525d24..e5db539 100644 /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..8c72504 100644 +index 604f67b..31a6075 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -22517,8 +22558,31 @@ index 604f67b..8c72504 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; +@@ -378,3 +376,22 @@ interface(`kerberos_admin',` + + admin_pattern($1, krb5kdc_var_run_t) + ') ++ ++######################################## ++## ++## Type transition files created in /tmp ++## to the krb5_host_rcache type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mta_tmp_filetrans_host_rcache',` ++ gen_require(` ++ type krb5_host_rcache_t; ++ ') ++ ++ files_tmp_filetrans($1, krb5_host_rcache_t, file) ++') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te -index 8edc29b..744e7d6 100644 +index 8edc29b..ee97d9f 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0) @@ -22534,6 +22598,15 @@ index 8edc29b..744e7d6 100644 ## gen_tunable(allow_kerberos, false) +@@ -40,7 +40,7 @@ files_type(krb5_conf_t) + type krb5_home_t; + userdom_user_home_content(krb5_home_t) + +-type krb5_host_rcache_t; ++type krb5_host_rcache_t alias saslauthd_tmp_t; + files_tmp_file(krb5_host_rcache_t) + + # types for general configuration files in /etc 
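Review bot: The interface added to kerberos.if is named `mta_tmp_filetrans_host_rcache`, but refpolicy interfaces carry the prefix of the module that defines them, so this one should be `kerberos_tmp_filetrans_host_rcache`; with the mta_ prefix it reads as if it belonged to the mta module and will be missed by anyone looking for the kerberos module's interfaces. The caller added in sasl.te (`mta_tmp_filetrans_host_rcache(saslauthd_t)`) would need the same rename. The summary should also state that `files_tmp_filetrans` only installs the type transition and that the caller needs separate rules on krb5_host_rcache_t to actually create or use the files.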
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms; dontaudit kadmind_t krb5_conf_t:file write; @@ -32517,12 +32590,27 @@ index f1aea88..c3ffa9d 100644 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index 22184ad..687f9ae 100644 +index 22184ad..d87a3f0 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te -@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr; - manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) - files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) +@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) + type saslauthd_initrc_exec_t; + init_script_file(saslauthd_initrc_exec_t) + +-type saslauthd_tmp_t; +-files_tmp_file(saslauthd_tmp_t) +- + type saslauthd_var_run_t; + files_pid_file(saslauthd_var_run_t) + +@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; + allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; + allow saslauthd_t self:tcp_socket create_socket_perms; + +-allow saslauthd_t saslauthd_tmp_t:dir setattr; +-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t) +-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file) ++mta_tmp_filetrans_host_rcache(saslauthd_t) +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t) @@ -32539,7 +32627,7 @@ index 22184ad..687f9ae 100644 corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) -@@ -94,6 +98,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` +@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) @@ -36778,7 +36866,7 @@ index aa6e5a8..42a0efb 100644 ######################################## ## 
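Review bot: The sasl.te hunk removes `manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)` and replaces it with only `mta_tmp_filetrans_host_rcache(saslauthd_t)`, which per the kerberos.if hunk expands to `files_tmp_filetrans` and so provides the type transition but no permissions on krb5_host_rcache_t files themselves; unless the later sasl.te hunk (`@@ -94,6 +93,7 @@`, whose added line is not visible here) grants saslauthd_t access to that type, saslauthd will be denied creating the tmp files it transitions. Worth confirming that hunk adds something like `kerberos_manage_host_rcache(saslauthd_t)`. The `type krb5_host_rcache_t alias saslauthd_tmp_t;` in kerberos.te keeps old labels valid, but it also means saslauthd's temp files now share a type with the Kerberos replay cache, so every domain with host-rcache access can read or modify them and vice versa; a one-line comment next to the alias recording that this sharing is intended would help the next reader.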
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 6f1e3c7..6a160b2 100644 +index 6f1e3c7..ecfe665 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,23 @@ @@ -36889,7 +36977,7 @@ index 6f1e3c7..6a160b2 100644 +/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + +/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) +/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) @@ -36904,7 +36992,7 @@ index 6f1e3c7..6a160b2 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..19018ae 100644 +index da2601a..4b06508 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -37395,7 +37483,7 @@ index da2601a..19018ae 100644 + type xdm_tmp_t; + ') + -+ allow initrc_t initrc_tmp_t:dir relabel_dir_perms; ++ allow $1 xdm_tmp_t:dir relabel_dir_perms; +') + +######################################## @@ -40534,7 +40622,7 @@ index df3fa64..73dc579 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..eb0cec2 100644 +index 8a105fd..3f105f0 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` 
@@ -40918,7 +41006,15 @@ index 8a105fd..eb0cec2 100644 selinux_get_enforce_mode(initrc_t) -@@ -394,13 +568,14 @@ logging_read_audit_config(initrc_t) +@@ -374,6 +548,7 @@ term_use_all_terms(initrc_t) + term_reset_tty_labels(initrc_t) + + auth_rw_login_records(initrc_t) ++auth_manage_faillog(initrc_t) + auth_setattr_login_records(initrc_t) + auth_rw_lastlog(initrc_t) + auth_read_pam_pid(initrc_t) +@@ -394,13 +569,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -40934,7 +41030,7 @@ index 8a105fd..eb0cec2 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +648,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +649,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -40943,7 +41039,7 @@ index 8a105fd..eb0cec2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +694,23 @@ ifdef(`distro_redhat',` +@@ -519,6 +695,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -40967,7 +41063,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -526,10 +718,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +719,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -40985,7 +41081,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -544,6 +743,35 @@ ifdef(`distro_suse',` +@@ -544,6 +744,35 @@ ifdef(`distro_suse',` ') ') @@ -41021,7 +41117,7 @@ index 8a105fd..eb0cec2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +784,8 @@ optional_policy(` +@@ -556,6 +785,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
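Review bot: `auth_manage_faillog(initrc_t)` gives every init script create, write and unlink on the failed-login record, whereas the neighbouring rules (`auth_rw_login_records`, `auth_rw_lastlog`) stop at read/write; if the script that triggered this only needs to update or truncate the file, the narrower rw interface is the better fit (refpolicy's authlogin.if carries `auth_rw_faillog`, if this tree still has it). A comment naming the initscript that needs it, in the style of the existing `# slapd needs to read cert files from its initscript` line, would record why the broader permission was chosen. The remaining init.te hunks in this commit are header renumbers only.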
@@ -41030,7 +41126,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -572,6 +802,7 @@ optional_policy(` +@@ -572,6 +803,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -41038,7 +41134,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -584,6 +815,11 @@ optional_policy(` +@@ -584,6 +816,11 @@ optional_policy(` ') optional_policy(` @@ -41050,7 +41146,7 @@ index 8a105fd..eb0cec2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,9 +836,13 @@ optional_policy(` +@@ -600,9 +837,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -41064,7 +41160,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -701,7 +941,13 @@ optional_policy(` +@@ -701,7 +942,13 @@ optional_policy(` ') optional_policy(` @@ -41078,7 +41174,7 @@ index 8a105fd..eb0cec2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +970,10 @@ optional_policy(` +@@ -724,6 +971,10 @@ optional_policy(` ') optional_policy(` @@ -41089,7 +41185,7 @@ index 8a105fd..eb0cec2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -737,6 +987,10 @@ optional_policy(` +@@ -737,6 +988,10 @@ optional_policy(` ') optional_policy(` @@ -41100,7 +41196,7 @@ index 8a105fd..eb0cec2 100644 quota_manage_flags(initrc_t) ') -@@ -745,6 +999,10 @@ optional_policy(` +@@ -745,6 +1000,10 @@ optional_policy(` ') optional_policy(` @@ -41111,7 +41207,7 @@ index 8a105fd..eb0cec2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1024,6 @@ optional_policy(` +@@ -766,8 +1025,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -41120,7 +41216,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -776,14 +1032,21 @@ optional_policy(` +@@ -776,14 +1033,21 @@ optional_policy(` ') optional_policy(` 
@@ -41142,7 +41238,7 @@ index 8a105fd..eb0cec2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1068,19 @@ optional_policy(` +@@ -805,11 +1069,19 @@ optional_policy(` ') optional_policy(` @@ -41163,7 +41259,7 @@ index 8a105fd..eb0cec2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1090,25 @@ optional_policy(` +@@ -819,6 +1091,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -41189,7 +41285,7 @@ index 8a105fd..eb0cec2 100644 ') optional_policy(` -@@ -844,3 +1134,59 @@ optional_policy(` +@@ -844,3 +1135,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e5b78cd..96cdd5b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.8 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,9 @@ exit 0 %endif %changelog +* Fri Nov 12 2010 Dan Walsh 3.9.8-6 +- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t + * Thu Nov 11 2010 Dan Walsh 3.9.8-5 - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t