From 3c498a780b16da506c0ae1dc94ccf9afa7e75164 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 22 2009 19:18:30 +0000 Subject: - Allow sshd to read var_lib symlinks for freenx --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 25cb9db..60f2104 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -459,10 +459,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.12/policy/modules/admin/dmesg.fc +--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2008-08-07 11:15:13.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.fc 2009-04-22 14:17:05.000000000 -0400 +@@ -1,2 +1,4 @@ + + /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0) ++ ++/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.12/policy/modules/admin/dmesg.te --- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-01-05 15:39:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-07 16:01:44.000000000 -0400 -@@ -35,7 +35,7 @@ ++++ serefpolicy-3.6.12/policy/modules/admin/dmesg.te 2009-04-22 14:39:11.000000000 -0400 +@@ -9,6 +9,7 @@ + type dmesg_t; + type dmesg_exec_t; + init_system_domain(dmesg_t, dmesg_exec_t) ++cron_system_entry(dmesg_t, dmesg_exec_t) + + ######################################## + # +@@ -20,12 +21,14 @@ + + allow dmesg_t self:process signal_perms; + ++kernel_read_system_state(dmesg_t) + kernel_read_kernel_sysctls(dmesg_t) + kernel_read_ring_buffer(dmesg_t) + kernel_clear_ring_buffer(dmesg_t) + kernel_change_ring_buffer_level(dmesg_t) + kernel_list_proc(dmesg_t) + kernel_read_proc_symlinks(dmesg_t) ++dev_read_kmsg(dmesg_t) + + dev_read_sysfs(dmesg_t) + +@@ -35,7 +38,7 @@ domain_use_interactive_fds(dmesg_t) @@ -3055,8 +3086,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-17 11:13:07.000000000 -0400 -@@ -0,0 +1,293 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-04-22 13:50:31.000000000 -0400 +@@ -0,0 +1,294 @@ + +policy_module(nsplugin, 1.0.0) + @@ -3086,7 +3117,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +application_executable_file(nsplugin_config_exec_t) + +type nsplugin_rw_t; -+files_type(nsplugin_rw_t) ++files_poly_member(nsplugin_rw_t) ++userdom_user_home_content(nsplugin_rw_t) + +type nsplugin_tmp_t; +files_tmp_file(nsplugin_tmp_t) @@ -3611,7 +3643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if --- nsaserefpolicy/policy/modules/apps/pulseaudio.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.if 2009-04-22 13:29:00.000000000 -0400 @@ -0,0 +1,148 @@ + +## policy for pulseaudio @@ -5229,7 +5261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-20 12:17:02.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-22 13:33:02.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -9697,6 +9729,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_legacy_use_shared_libs(bitlbee_t) miscfiles_read_localization(bitlbee_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-03-23 13:47:11.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2009-04-22 13:29:27.000000000 -0400 +@@ -152,6 +152,10 @@ + optional_policy(` + hal_dbus_chat(bluetooth_t) + ') ++ ++ optional_policy(` ++ pulseaudio_dbus_chat(bluetooth_t) ++ ') + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.6.12/policy/modules/services/certmaster.fc --- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/certmaster.fc 2009-04-07 16:01:44.000000000 -0400 @@ -10693,7 +10739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-21 16:03:54.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-22 14:41:00.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -10756,7 +10802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit crond_t self:capability { sys_resource sys_tty_config }; allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; -@@ -146,22 +163,23 @@ +@@ -146,20 +163,20 @@ allow crond_t self:msg { send receive }; allow crond_t self:key { search write link }; @@ -10781,11 +10827,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_read_fs_sysctls(crond_t) kernel_search_key(crond_t) -+dev_read_kmsg(crond_t) dev_read_sysfs(crond_t) - selinux_get_fs_mount(crond_t) - selinux_validate_context(crond_t) -@@ -174,6 +192,7 @@ +@@ -174,6 +191,7 @@ fs_getattr_all_fs(crond_t) fs_search_auto_mountpoints(crond_t) @@ -10793,7 +10836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # need auth_chkpwd to check for locked accounts. auth_domtrans_chk_passwd(crond_t) -@@ -183,7 +202,11 @@ +@@ -183,7 +201,11 @@ corecmd_read_bin_symlinks(crond_t) domain_use_interactive_fds(crond_t) @@ -10805,7 +10848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(crond_t) files_read_generic_spool(crond_t) files_list_usr(crond_t) -@@ -192,10 +215,15 @@ +@@ -192,10 +214,15 @@ files_search_default(crond_t) init_rw_utmp(crond_t) @@ -10821,7 +10864,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -208,6 +236,7 @@ +@@ -208,6 +235,7 @@ userdom_list_user_home_dirs(crond_t) mta_send_mail(crond_t) @@ -10829,7 +10872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_debian',` # pam_limits is used -@@ -227,21 +256,44 @@ +@@ -227,21 +255,44 @@ ') ') @@ -10875,7 +10918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -268,8 +320,8 @@ +@@ -268,8 +319,8 @@ # System cron process domain # @@ -10886,7 +10929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -283,7 +335,14 @@ +@@ -283,7 +334,14 @@ allow system_cronjob_t cron_var_lib_t:file manage_file_perms; files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file) @@ -10901,7 +10944,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -303,6 +362,7 @@ +@@ -303,6 +361,7 @@ allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -10909,7 +10952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -314,9 +374,13 @@ +@@ -314,9 +373,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -10924,7 +10967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -345,6 +409,7 @@ +@@ -345,6 +408,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -10932,7 +10975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # quiet other ps operations domain_dontaudit_read_all_domains_state(system_cronjob_t) -@@ -370,7 +435,8 @@ +@@ -370,7 +434,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit @@ -10942,7 +10985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +444,7 @@ +@@ -378,6 +443,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -10950,7 +10993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +485,10 @@ +@@ -418,6 +484,10 @@ ') optional_policy(` @@ -10961,7 +11004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ftp_read_log(system_cronjob_t) ') -@@ -428,11 +499,20 @@ +@@ -428,11 +498,20 @@ ') optional_policy(` @@ -10982,7 +11025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -447,6 +527,7 @@ +@@ -447,6 +526,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) @@ -10990,7 +11033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +541,7 @@ +@@ -460,8 +540,7 @@ ') optional_policy(` @@ -11000,7 +11043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +549,17 @@ +@@ -469,24 +548,17 @@ ') optional_policy(` @@ -11028,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +643,9 @@ +@@ -570,6 +642,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) @@ -21997,7 +22040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-21 13:22:50.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/ssh.if 2009-04-22 11:47:12.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -22065,18 +22108,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand($1_ssh_t) -@@ -132,6 +132,10 @@ - files_read_etc_runtime_files($1_ssh_t) +@@ -133,6 +133,8 @@ files_read_etc_files($1_ssh_t) files_read_var_files($1_ssh_t) -+ # Required for FreeNX -+ files_read_var_lib_symlinks($1_t) -+ -+ auth_use_nsswitch($1_ssh_t) ++ auth_use_nsswitch($1_ssh_t) ++ logging_send_syslog_msg($1_ssh_t) logging_read_generic_logs($1_ssh_t) -@@ -140,9 +144,6 @@ + +@@ -140,9 +142,6 @@ seutil_read_config($1_ssh_t) @@ -22086,7 +22127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default($1_ssh_t) files_read_default_files($1_ssh_t) -@@ -154,14 +155,6 @@ +@@ -154,14 +153,6 @@ optional_policy(` kerberos_use($1_ssh_t) ') @@ -22101,7 +22142,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -194,13 +187,14 @@ +@@ -194,13 +185,14 @@ type $1_var_run_t; files_pid_file($1_var_run_t) @@ -22117,7 +22158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -214,6 +208,7 @@ +@@ -214,6 +206,7 @@ allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) @@ -22125,7 +22166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -229,7 +224,12 @@ +@@ -229,7 +222,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -22138,6 +22179,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) +@@ -245,6 +243,8 @@ + + files_read_etc_files($1_t) + files_read_etc_runtime_files($1_t) ++ # Required for FreeNX ++ files_read_var_lib_symlinks($1_t) + + logging_search_logs($1_t) + @@ -254,9 +254,14 @@ userdom_dontaudit_relabelfrom_user_ptys($1_t) @@ -26090,7 +26140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-22 14:41:22.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(ipsec, 1.9.1) @@ -26098,6 +26148,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # +@@ -55,7 +55,7 @@ + + allow ipsec_t self:capability { net_admin dac_override dac_read_search }; + dontaudit ipsec_t self:capability sys_tty_config; +-allow ipsec_t self:process { signal setsched }; ++allow ipsec_t self:process { getsched signal setsched }; + allow ipsec_t self:tcp_socket create_stream_socket_perms; + allow ipsec_t self:udp_socket create_socket_perms; + allow ipsec_t self:key_socket create_socket_perms; +@@ -67,7 +67,7 @@ + read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t) + + allow ipsec_t ipsec_key_file_t:dir list_dir_perms; +-read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) ++rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) + read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t) + + manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) @@ -103,11 +103,13 @@ corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t) @@ -26113,7 +26181,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) -@@ -167,6 +169,8 @@ +@@ -127,6 +129,8 @@ + domain_use_interactive_fds(ipsec_t) + + files_read_etc_files(ipsec_t) ++files_read_usr_files(ipsec_t) ++files_search_tmp(ipsec_t) + + init_use_fds(ipsec_t) + init_use_script_ptys(ipsec_t) +@@ -167,6 +171,8 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file) @@ -26122,7 +26199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t) -@@ -242,8 +246,6 @@ +@@ -242,8 +248,6 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -26131,7 +26208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(ipsec_mgmt_t) modutils_domtrans_insmod(ipsec_mgmt_t) -@@ -298,13 +300,10 @@ +@@ -298,13 +302,10 @@ kernel_read_network_state(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a5feca4..a3daa82 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Wed Apr 22 2009 Dan Walsh 3.6.12-12 +- Allow sshd to read var_lib symlinks for freenx + * Tue Apr 21 2009 Dan Walsh 3.6.12-11 - Allow nsplugin unix_read and write on users shm and sem - Allow sysadm_t to execute su