From 3c3c0439f67c7cdef6b675d5d25f975e0fe27312 Mon Sep 17 00:00:00 2001 
From: Chris PeBenito 
Date: Oct 05 2006 19:57:37 +0000 
Subject: patch from russell, Thu, 5 Oct 2006 22:44:49 +1000 
Allow unconfined processes to see unlabeled processes in ps. Removed a redundant rule in samba.te Removed support for the pre-Fedora Red Hat code to create sym-links in /boot. Removed support for devpts_t files in /tmp (there is no way that would ever work). Allowed postgrey to create socket files. Made the specs for the /lib and /lib64 directories better support stem compression. 
--- 
diff --git a/Changelog b/Changelog 
index 8021b3e..597655e 100644 
--- a/Changelog 
+++ b/Changelog 
@@ -1,3 +1,4 @@ 
+- Patch from Russell Coker Thu, 5 Oct 2006
 - Move range transitions to modules.
 - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options. 
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te 
index b343642..6a79f9a 100644 
--- a/policy/modules/kernel/kernel.te 
+++ b/policy/modules/kernel/kernel.te 
@@ -1,5 +1,5 @@ 
-policy_module(kernel,1.3.16) 
+policy_module(kernel,1.3.17)
 ########################################
 # 
@@ -351,5 +351,6 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *; 
+allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
 kernel_rw_all_sysctls(kern_unconfined) 
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te 
index d87def7..13d7b65 100644 
--- a/policy/modules/kernel/terminal.te 
+++ b/policy/modules/kernel/terminal.te 
@@ -1,5 +1,5 @@ 
-policy_module(terminal,1.1.9) 
+policy_module(terminal,1.1.10)
 ########################################
 # 
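Review bot: The new `allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };` in kernel.te grants every other process permission on unlabeled_t processes, including ptrace, the signal permissions and setsched, while the commit description only asks for ps to see unlabeled processes, which needs `getattr`. If the intent is parity with the `*` rules above it for the other unlabeled_t classes, a comment saying so and explaining why those five permissions are held back would stop the next reader from narrowing or widening it by accident, e.g. `# unconfined access to unlabeled processes, but no transition into an unlabeled domain`. As far as I recall, execmem, execstack and execheap are checked with the caller's own domain as the target, so listing them in the complement of a rule targeting unlabeled_t presumably has no effect — worth confirming rather than relying on.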
@@ -28,7 +28,6 @@ dev_node(console_device_t)
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t) 
-files_associate_tmp(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); 
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te 
index bbdd562..6557320 100644 
--- a/policy/modules/services/mailman.te 
+++ b/policy/modules/services/mailman.te 
@@ -1,5 +1,5 @@ 
-policy_module(mailman,1.1.7) 
+policy_module(mailman,1.1.8)
 ########################################
 # 
@@ -44,10 +44,12 @@ optional_policy(`
 allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 allow mailman_cgi_t mailman_archive_t:file create_file_perms; 
+ files_search_spool(mailman_cgi_t)
 term_use_controlling_term(mailman_cgi_t) 
- files_search_spool(mailman_cgi_t) 
+ # for python pre-compile foolishness 
+ libs_dontaudit_write_lib_dirs(mailman_cgi_t)
 apache_sigchld(mailman_cgi_t)
 apache_use_fds(mailman_cgi_t) 
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te 
index 93c7482..2c6e0ba 100644 
--- a/policy/modules/services/postgrey.te 
+++ b/policy/modules/services/postgrey.te 
@@ -1,5 +1,5 @@ 
-policy_module(postgrey,1.0.2) 
+policy_module(postgrey,1.0.3)
 ########################################
 # 
@@ -40,7 +40,7 @@ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
 allow postgrey_t postgrey_var_run_t:file create_file_perms;
 allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
 allow postgrey_t postgrey_var_run_t:dir rw_dir_perms; 
-files_pid_filetrans(postgrey_t,postgrey_var_run_t,file) 
+files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t) 
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te 
index 6c35428..716d5e1 100644 
--- a/policy/modules/services/samba.te 
+++ b/policy/modules/services/samba.te 
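Review bot: The comment above the new `libs_dontaudit_write_lib_dirs(mailman_cgi_t)` call in mailman.te, `# for python pre-compile foolishness`, tells the next reader neither what is being silenced nor that nothing is being permitted, and a dontaudit call is easy to misread as a grant when the policy is audited later. I would spell it out, e.g. `# python tries to write .pyc files into lib_t directories; the write stays denied, only the AVC noise is suppressed`. The enclosing `optional_policy` block starts and ends outside the hunk.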
@@ -1,5 +1,5 @@ 
-policy_module(samba,1.2.10) 
+policy_module(samba,1.2.11)
 #################################
 # 
@@ -501,10 +501,6 @@ userdom_use_all_users_fds(smbmount_t)
 userdom_use_sysadm_ttys(smbmount_t)
 optional_policy(` 
- cups_read_rw_config(smbd_t) 
-') 
- 
-optional_policy(`
 nis_use_ypbind(smbmount_t)
 ') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te 
index f699558..b63bcdb 100644 
--- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te 
@@ -1,5 +1,5 @@ 
-policy_module(init,1.3.27) 
+policy_module(init,1.3.28)
 gen_require(`
 class passwd rootok; 
@@ -430,11 +430,6 @@ ifdef(`distro_redhat',`
 selinux_set_enforce_mode(initrc_t) 
- # Create and read /boot/kernel.h and /boot/System.map. 
- # Redhat systems typically create this file at boot time. 
- bootloader_create_runtime_file(initrc_t) 
- files_rw_boot_symlinks(initrc_t) 
-
 # These seem to be from the initrd
 # during device initialization:
 dev_create_generic_dirs(initrc_t) 
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc 
index ef686ba..a4e9835 100644 
--- a/policy/modules/system/libraries.fc 
+++ b/policy/modules/system/libraries.fc 
@@ -41,8 +41,10 @@ ifdef(`distro_redhat',`
 #
 # /lib(64)?
 # 
-/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) 
-/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0) 
+/lib -d gen_context(system_u:object_r:lib_t,s0) 
+/lib/.* gen_context(system_u:object_r:lib_t,s0) 
+/lib64 -d gen_context(system_u:object_r:lib_t,s0) 
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
 /lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
 /lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
 /lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
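Review bot: Replacing `/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)` with the pair `/lib64 -d` and `/lib64/.*` in libraries.fc changes what the top-level entry matches: the old spec matched a path named /lib64 of any file type, the new `-d` entry matches only a directory. On a layout where /lib64 (or /lib) is a symlink to another directory, the link itself would now fall through to whatever the generic `/.*` default assigns instead of lib_t; worth checking against the distributions this file already special-cases, since the next hunk in this file applies the same `-d` form to `/lib32`. If symlinks are a real case, a companion `/lib64 -l gen_context(system_u:object_r:lib_t,s0)` entry keeps the old coverage while still splitting the stem.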
@@ -57,7 +59,8 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',` 
-/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0) 
+/lib32 -d gen_context(system_u:object_r:lib_t,s0) 
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
 /lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
 /lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
 ') 
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if 
index 439f5ea..1be3f4e 100644 
--- a/policy/modules/system/libraries.if 
+++ b/policy/modules/system/libraries.if 
@@ -203,6 +203,31 @@ interface(`libs_search_lib',`
 ########################################
 ## 
+## Do not audit attempts to write to library directories. 
+## 
+## 
+##

+## Do not audit attempts to write to library directories. 
+## Typically this is used to quiet attempts to recompile 
+## python byte code. 
+##

+##
+## 
+## 
+## Domain allowed access. 
+## 
+## 
# 
interface(`libs_dontaudit_write_lib_dirs',` 
gen_require(` 
type lib_t; 
') 
dontaudit $1 lib_t:dir write; 
') 
######################################## 
## 
## Create, read, write, and delete library directories. 
## 
## 
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te 
index 634b95c..2f67e70 100644 
--- a/policy/modules/system/libraries.te 
+++ b/policy/modules/system/libraries.te 
@@ -1,5 +1,5 @@ 
-policy_module(libraries,1.3.14) 
+policy_module(libraries,1.3.15)
 ########################################
 #
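Review bot: The parameter description in the doc block of the new `libs_dontaudit_write_lib_dirs` interface reads `Domain allowed access.`, which is the wording this file's allow-style interfaces use; for a dontaudit interface the usual refpolicy wording is `Domain to not audit.`, and that distinction is the first thing a reader checks to see whether an interface grants anything. I would also state in the description that only `dir write` on lib_t is suppressed, so a later edit does not widen it to `add_name` or file creation without thinking about it. The interface body `dontaudit $1 lib_t:dir write;` itself is fine for what the summary describes. The doc block's XML tags appear to have been lost in the page rendering rather than omitted by the patch.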