diff --git a/policy-20080710.patch b/policy-20080710.patch index de4c705..aa38757 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -559,10 +559,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console term_use_all_terms(consoletype_t) init_use_fds(consoletype_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.5.13/policy/modules/admin/kismet.if +--- nsaserefpolicy/policy/modules/admin/kismet.if 2008-10-17 14:49:14.000000000 +0200 ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.if 2009-02-18 10:16:20.000000000 +0100 +@@ -16,6 +16,7 @@ + ') + + domtrans_pattern($1, kismet_exec_t, kismet_t) ++ allow kismet_t $1:process signull; + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2009-02-10 15:07:15.000000000 +0100 -@@ -25,11 +25,13 @@ ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2009-02-18 10:11:52.000000000 +0100 +@@ -20,16 +20,24 @@ + type kismet_log_t; + logging_log_file(kismet_log_t) + ++type kismet_tmpfs_t; ++files_tmpfs_file(kismet_tmpfs_t) ++ ++type kismet_tmp_t; ++files_tmp_file(kismet_tmp_t) ++ + ######################################## + # # kismet local policy # 
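Review bot: The rule `allow kismet_t $1:process signull;` added to the kismet.if interface runs in the reverse direction of everything else a domtrans interface grants (it gives kismet_t a permission on the calling domain, not the other way round), and nothing in the hunk says why kismet_t needs to probe its caller. A one-line comment above it, e.g. `# kismet_t checks for the presence of the domain that started it`, would stop the next maintainer from reading it as a leftover. The interface's `gen_require` and summary are outside this hunk, so the summary should also be checked to see whether it still describes only the transition.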
@@ -578,12 +600,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t) allow kismet_t kismet_log_t:dir setattr; -@@ -43,15 +45,35 @@ +@@ -43,15 +51,50 @@ allow kismet_t kismet_var_run_t:dir manage_dir_perms; files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir }) -kernel_search_debugfs(kismet_t) -- ++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) ++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t) ++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) ++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t) ++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir }) + corecmd_exec_bin(kismet_t) +corecmd_exec_shell(kismet_t) + @@ -595,6 +624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. +corenet_tcp_bind_all_nodes(kismet_t) +corenet_tcp_bind_kismet_port(kismet_t) +corenet_tcp_connect_kismet_port(kismet_t) ++corenet_tcp_connect_pulseaudio_port(kismet_t) + +kernel_search_debugfs(kismet_t) +kernel_read_system_state(kismet_t) @@ -603,12 +633,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. files_read_etc_files(kismet_t) +files_read_usr_files(kismet_t) ++ ++fs_getattr_tmpfs(kismet_t) libs_use_ld_so(kismet_t) libs_use_shared_libs(kismet_t) miscfiles_read_localization(kismet_t) + ++userdom_read_generic_user_tmpfs_files(kismet_t) ++ ++sysadm_dontaudit_manage_home_files(kismet_t) ++ +optional_policy(` + dbus_system_bus_client_template(kismet, kismet_t) + 
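Review bot: `sysadm_dontaudit_manage_home_files(kismet_t)` in the last hunk on this line silences create, write and unlink denials on admin_home_t, which is exactly the signal an operator needs when kismet is started from /root and tries to drop its logs or configuration there; a dontaudit on the manage permissions is also broader than the read/list dontaudits used elsewhere in this patch, such as `sysadm_dontaudit_read_home_content_files`. If the goal is only to keep the search/read noise out of the audit log, the read variant is enough and real write attempts stay visible. In the same hunk `userdom_read_generic_user_tmpfs_files(kismet_t)` is unconditional and lets the sniffer read every user's generic tmpfs content; together with `corenet_tcp_connect_pulseaudio_port(kismet_t)` in the preceding hunk this looks like audio-output support, so it would be better wrapped in an `optional_policy(` block with a comment recording why kismet needs user tmpfs content.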
@@ -8689,6 +8725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + + dontaudit $1 fusefs_t:file manage_file_perms; +') +Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 14:49:14.000000000 +0200 +++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-02-10 15:07:15.000000000 +0100 @@ -9396,7 +9433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 14:49:14.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2009-02-18 10:14:24.000000000 +0100 @@ -334,10 +334,10 @@ # interface(`sysadm_getattr_home_dirs',` @@ -9537,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. ') ######################################## -@@ -516,13 +534,33 @@ +@@ -516,12 +534,52 @@ # interface(`sysadm_dontaudit_read_home_content_files',` gen_require(` @@ -9551,7 +9588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + dontaudit $1 admin_home_t:dir list_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; + - ') ++') +######################################## +## +## Do not audit attempts to read sym links in the sysadm 
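Review bot: The added line `Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ` shows that an editor swap file was present in the tree when the patch was regenerated, so this hunk carries noise rather than a policy change and will be reproduced on every regeneration. Add a `*.swp` pattern to the `exclude` list passed via `--exclude-from=exclude` (or remove the swap file) before regenerating, and drop the line from this revision.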
@@ -9572,10 +9609,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. + +') + ++###################################### ++## ++## Do not audit attempts to manage files in the sysadm ++## home directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`sysadm_dontaudit_manage_home_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir manage_dir_perms; ++ dontaudit $1 admin_home_t:file manage_file_perms; ++ dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms; + ') ######################################## - ## -@@ -536,12 +574,12 @@ +@@ -536,12 +594,12 @@ # interface(`sysadm_read_tmp_files',` gen_require(` @@ -11488,7 +11544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2009-02-10 15:08:27.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2009-02-18 10:20:44.000000000 +0100 @@ -20,6 +20,8 @@ # Declarations # @@ -11715,7 +11771,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + 
@@ -11726,13 +11783,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') -@@ -370,20 +450,69 @@ +@@ -370,20 +450,68 @@ corenet_tcp_connect_all_ports(httpd_t) ') @@ -11768,7 +11824,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +tunable_policy(`httpd_enable_cgi && httpd_unified',` + + allow httpd_user_script_t httpdcontent:file entrypoint; -+ + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t) + manage_files_pattern(httpd_user_script_t, httpd_user_script_ra_t,httpd_user_script_ra_t) @@ -11803,7 +11858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -394,20 +523,28 @@ +@@ -394,20 +522,28 @@ corenet_tcp_bind_ftp_port(httpd_t) ') @@ -11836,7 +11891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -441,8 +578,13 @@ +@@ -441,8 +577,13 @@ ') optional_policy(` @@ -11852,7 +11907,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -454,18 +596,13 @@ +@@ -454,18 +595,13 @@ ') optional_policy(` @@ -11872,7 +11927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -475,6 +612,12 @@ +@@ -475,6 +611,12 @@ openca_kill(httpd_t) ') 
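Review bot: The winbind helper transition is gated on the wrong boolean: the hunk declares `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` and then wraps `samba_domtrans_winbind_helper(httpd_t)` in ``tunable_policy(`allow_httpd_mod_auth_pam',``, so turning on the PAM boolean also enables the NTLM/winbind transition while the new ntlm_winbind boolean controls nothing. The inner added line should read ``tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',``. The PAM block in the hunk on the previous line (which now wraps `auth_domtrans_chkpwd(httpd_t)`) is the right shape and does not need to change.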
@@ -11885,7 +11940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -482,6 +625,7 @@ +@@ -482,6 +624,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -11893,7 +11948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -490,6 +634,7 @@ +@@ -490,6 +633,7 @@ ') optional_policy(` @@ -11901,7 +11956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -519,9 +664,28 @@ +@@ -519,9 +663,28 @@ logging_send_syslog_msg(httpd_helper_t) tunable_policy(`httpd_tty_comm',` @@ -11930,7 +11985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -551,22 +715,30 @@ +@@ -551,22 +714,30 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11965,7 +12020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -584,12 +756,14 @@ +@@ -584,12 +755,14 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11981,7 +12036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -597,10 +771,9 @@ +@@ -597,10 +770,9 @@ dev_read_urand(httpd_suexec_t) fs_search_auto_mountpoints(httpd_suexec_t) 
@@ -11994,7 +12049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -616,6 +789,7 @@ +@@ -616,6 +788,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -12002,7 +12057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -633,12 +807,21 @@ +@@ -633,12 +806,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -12014,20 +12069,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) --') - --tunable_policy(`httpd_enable_homedirs',` -- userdom_read_unpriv_users_home_content_files(httpd_suexec_t) ++ allow httpd_sys_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) + manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent) -+') + ') +- +-tunable_policy(`httpd_enable_homedirs',` +- userdom_read_unpriv_users_home_content_files(httpd_suexec_t) +tunable_policy(`httpd_enable_cgi',` + domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -647,6 +830,12 @@ +@@ -647,6 +829,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') 
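Review bot: In the `@@ -12014,20 +12069,20 @@` hunk the added `allow httpd_sys_script_t httpdcontent:file entrypoint;` sits next to `manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)` inside ``tunable_policy(`httpd_enable_cgi && httpd_unified',``, which means a script domain can rewrite the very files it is allowed to be entered through. That is what the unified boolean is for, but it deserves an in-policy comment such as `# unified content: scripts may modify their own entrypoint files` so the trade-off is recorded where the rule lives. The unchanged `domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)` on the new side passes the domain type where the second argument is normally an entrypoint file type; that line is not touched by this commit, but it is worth confirming it is intended.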
@@ -12040,7 +12095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -664,20 +853,20 @@ +@@ -664,20 +852,20 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12066,7 +12121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +880,27 @@ +@@ -691,12 +879,27 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -12096,7 +12151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +908,31 @@ +@@ -704,6 +907,31 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12128,7 +12183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +945,10 @@ +@@ -716,10 +944,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12143,7 +12198,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -727,6 +956,8 @@ +@@ -727,6 +955,8 @@ # httpd_rotatelogs local policy # @@ -12152,7 +12207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +972,66 @@ +@@ -741,3 +971,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -19058,7 +19113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2009-02-12 23:07:03.000000000 +0100 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -35247,7 +35302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-18 10:13:15.000000000 +0100 @@ -28,10 +28,14 @@ class context contains; ') @@ -37467,7 +37522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5700,601 @@ +@@ -5513,3 +5700,622 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -37812,6 +37867,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +####################################### +## ++## Read user tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_read_generic_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ allow $1 user_tmpfs_t:dir list_dir_perms; ++ fs_search_tmpfs($1) ++') ++ ++####################################### ++## +## The template for creating a unprivileged user roughly +## equivalent to a regular linux user. +##
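Review bot: The summary of the new `userdom_read_generic_user_tmpfs_files` interface says only "Read user tmpfs files.", but the body also grants `read_lnk_files_pattern`, `list_dir_perms` on user_tmpfs_t directories and `fs_search_tmpfs($1)`, and since user_tmpfs_t appears to be one generic type shared by all users the caller presumably gets every user's content rather than its own; the summary should say so, e.g. `## Read the tmpfs files and symlinks of all users with generic tmpfs content, and list their directories.` The separator line `#######################################` above the new interface looks one character shorter than the forty-character `########################################` used elsewhere in this patch; if so, it should match.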