diff --git a/policy-20080710.patch b/policy-20080710.patch
index 4e8a4be..fea3976 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -218,6 +218,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.8/policy/flask/access_vectors
+--- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400
++++ serefpolicy-3.5.8/policy/flask/access_vectors 2008-09-22 13:22:25.000000000 -0400
+@@ -616,6 +616,7 @@
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
++ nlmsg_tty_audit
+ }
+
+ class netlink_ip6fw_socket diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.5.8/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2008-08-07 11:15:13.000000000 -0400 +++ serefpolicy-3.5.8/policy/global_tunables 2008-09-17 08:49:08.000000000 -0400
@@ -870,7 +881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_suse', ` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.5.8/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/admin/rpm.if 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/admin/rpm.if 2008-09-22 09:09:03.000000000 -0400 @@ -152,6 +152,24 @@ ########################################
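Review bot: `nlmsg_tty_audit` is appended after `nlmsg_readpriv` as the last permission of the class, and that placement matters: kernels of this vintage matched policy permissions to a fixed bit table, so inserting the name anywhere but at the end would have shifted the bits of the existing `nlmsg_*` permissions (as far as I recall; worth stating in the commit message). The class header sits above the inner hunk, so which class this is (presumably `netlink_audit_socket`, from the `nlmsg_*` names) cannot be confirmed from here. No hunk in this patch grants the new permission to any domain, so a comment on the added line, e.g. `nlmsg_tty_audit   # tty auditing control, tracks the matching kernel access vector`, would tell the next reader what it is for and which kernel change it pairs with.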
@@ -8049,7 +8060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.8/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-08-07 11:15:01.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/kernel/kernel.if 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/kernel/kernel.if 2008-09-22 12:18:03.000000000 -0400 @@ -1198,6 +1198,7 @@ ')
@@ -8058,7 +8069,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ########################################
-@@ -1768,6 +1769,7 @@
+@@ -1234,6 +1235,7 @@
+ interface(`kernel_read_sysctl',`
+ gen_require(`
+ type sysctl_t;
++ type proc_t;
+ ')
+
+ list_dirs_pattern($1, proc_t, sysctl_t)
+@@ -1768,6 +1770,7 @@ ') dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -8066,7 +8085,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ########################################
-@@ -2582,6 +2584,24 @@
+@@ -2582,6 +2585,24 @@ ######################################## ##
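Review bot: The added `type proc_t;` in the `gen_require` of `kernel_read_sysctl` is the right fix: the interface body visible two lines below, `list_dirs_pattern($1, proc_t, sysctl_t)`, already references `proc_t`, and an interface that uses a type it does not require breaks any loadable module that calls it. The rest of the interface body and the second inner hunk at `@@ -1768` are outside the visible lines. I'd guess other `kernel_*sysctl*` interfaces in the same file pass `proc_t` to a `*_pattern` macro as well; a grep for `proc_t` against each `gen_require` block would be cheap while this is being touched — unverified from here.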
@@ -8271,6 +8290,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.8/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-08-07 11:15:01.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/kernel/storage.fc 2008-09-22 12:22:40.000000000 -0400
+@@ -27,6 +27,7 @@
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
++/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -65,6 +66,7 @@
+
+ /dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+
+ /dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.8/policy/modules/roles/guest.fc --- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.8/policy/modules/roles/guest.fc 2008-09-17 08:49:08.000000000 -0400
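Review bot: `/dev/mspblk.*` is added twice with the same context, once in the sorted top-level block after `/dev/mmcblk.*` (`@@ -27,6 +27,7 @@`) and again in `@@ -65,6 +66,7 @@` between `/dev/mapper/.*` and `/dev/raw/raw[0-9]+`; the second copy is redundant and sits in the subdirectory block out of alphabetical order, so drop that second `+/dev/mspblk.* -b gen_context(...)` line and keep the one beside `/dev/mmcblk.*`. Identical duplicate file_contexts entries are harmless today, but a later edit to one of them would leave the two disagreeing about the label. Labeling the memory-stick block devices `removable_device_t` at `s0`, like `/dev/mmcblk.*`, looks consistent; the `.*` also covers partition nodes such as `mspblk0p1`, which is presumably intended.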
@@ -19377,7 +19415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-11 11:28:34.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-22 09:09:30.000000000 -0400 @@ -29,9 +29,9 @@ # networkmanager will ptrace itself if gdb is installed
@@ -19470,7 +19508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(`
-@@ -168,9 +184,16 @@
+@@ -168,9 +184,17 @@ ') optional_policy(`
@@ -19483,6 +19521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(`
++ rpm_exec(NetworkManager_t) + rpm_read_db(NetworkManager_t) + rpm_dontaudit_manage_db(NetworkManager_t) ')
@@ -22006,7 +22045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.8/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/prelude.te 2008-09-19 10:06:36.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/prelude.te 2008-09-22 09:13:31.000000000 -0400 @@ -13,18 +13,56 @@ type prelude_spool_t; files_type(prelude_spool_t)
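Review bot: `rpm_exec(NetworkManager_t)` is added with no comment saying why a network daemon needs to run the rpm binaries in its own domain; the matching block in xserver.te further down this diff at least carries `# On crash gdm execs gdb to dump stack`. Add the reason above the `optional_policy(` line, e.g. `# crash handler runs gdb, which queries rpm for the crashing package`, if that is indeed the reason — the `# networkmanager will ptrace itself if gdb is installed` comment in the earlier hunk suggests it is. As I read refpolicy's rpm.if, `rpm_exec` grants execute access to `rpm_exec_t` without a domain transition, so whatever rpm does then runs with NetworkManager_t's full permissions; if only the package query is needed, confirm that `rpm_read_db` plus `rpm_exec` is the narrowest option and that a transition to `rpm_t` is not wanted here, and the same question applies to `rpm_exec(xdm_t)` in the xserver.te hunk below. The enclosing `optional_policy` block opens in the context above the hunk and its `')` closes after it.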
@@ -22074,7 +22113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin(prelude_t) corenet_all_recvfrom_unlabeled(prelude_t)
-@@ -56,6 +97,9 @@
+@@ -56,15 +97,23 @@ corenet_tcp_sendrecv_all_if(prelude_t) corenet_tcp_sendrecv_all_nodes(prelude_t) corenet_tcp_bind_all_nodes(prelude_t)
@@ -22084,14 +22123,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_t) dev_read_urand(prelude_t)
-@@ -65,6 +109,11 @@
+
++kernel_read_sysctl(prelude_t)
++
+ # Init script handling
+ domain_use_interactive_fds(prelude_t) files_read_etc_files(prelude_t) files_read_usr_files(prelude_t) +files_search_tmp(prelude_t) +
-+files_search_tmp(prelude_t) -+ +fs_rw_anon_inodefs_files(prelude_t) auth_use_nsswitch(prelude_t)
@@ -22104,7 +22145,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t)
-@@ -123,9 +173,122 @@
+@@ -117,15 +167,129 @@
+ # Init script handling
+ domain_use_interactive_fds(prelude_audisp_t)
+
++kernel_read_sysctl(prelude_audisp_t)
++
+ files_read_etc_files(prelude_audisp_t)
+
+ libs_use_ld_so(prelude_audisp_t) libs_use_shared_libs(prelude_audisp_t) logging_send_syslog_msg(prelude_audisp_t)
@@ -22216,7 +22265,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +miscfiles_read_localization(prelude_lml_t) +
-+# if prelude_lml wants to relay to a remote prelude-manager using dns +sysnet_dns_name_resolve(prelude_lml_t) + +optional_policy(`
@@ -22227,7 +22275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations
-@@ -133,8 +296,19 @@
+@@ -133,8 +297,19 @@ optional_policy(` apache_content_template(prewikka)
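Review bot: The removed `# if prelude_lml wants to relay to a remote prelude-manager using dns` line was the only explanation for `sysnet_dns_name_resolve(prelude_lml_t)`, which stays, so that rule now has no rationale; keep the comment, or a shorter `# relay to a remote prelude-manager by hostname`. The hunks above add `kernel_read_sysctl(prelude_t)` and `kernel_read_sysctl(prelude_audisp_t)` without a comment either; since that interface covers all of sysctl rather than the one value that presumably triggered a denial, a note such as `# reads sysctl <which one> — confirm from the AVC denial` would help a later audit of what the IDS domains may touch. Removing the doubled `files_search_tmp(prelude_t)` is right.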
@@ -28730,7 +28778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/xserver.te 2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/xserver.te 2008-09-22 09:10:33.000000000 -0400 @@ -8,6 +8,14 @@ ##
@@ -29035,7 +29083,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t)
-@@ -382,16 +485,32 @@
+@@ -382,16 +485,33 @@ ') optional_policy(`
@@ -29045,6 +29093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +# On crash gdm execs gdb to dump stack +optional_policy(`
++ rpm_exec(xdm_t) + rpm_read_db(xdm_t) + rpm_dontaudit_manage_db(xdm_t) +')
@@ -29069,7 +29118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem };
-@@ -427,7 +546,7 @@
+@@ -427,7 +547,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -29078,7 +29127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -439,6 +558,15 @@
+@@ -439,6 +559,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t)
@@ -29094,7 +29143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t)
-@@ -450,10 +578,19 @@
+@@ -450,10 +579,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?)
@@ -29115,7 +29164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t)
-@@ -468,8 +605,19 @@
+@@ -468,8 +606,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t)
@@ -29135,7 +29184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t)
-@@ -481,8 +629,25 @@
+@@ -481,8 +630,25 @@ ') optional_policy(`
@@ -29163,7 +29212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem };
-@@ -491,7 +656,6 @@
+@@ -491,7 +657,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ')
@@ -29171,7 +29220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## #
-@@ -544,3 +708,56 @@
+@@ -544,3 +709,56 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 40e06fb..e8bd192 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.8
-Release: 4%{?dist}
+Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@ exit 0 %endif %changelog
+* Mon Sep 22 2008 Dan Walsh 3.5.8-5
+- Add file context for /dev/mspblk.* + * Sun Sep 21 2008 Dan Walsh 3.5.8-4 - Fix transition to nsplugin '