From 5dbda5558aff1f98f8d99a601e790a1baf778e59 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sep 04 2006 15:15:35 +0000
Subject: patch from dan Fri, 01 Sep 2006 15:45:24 -0400
---
diff --git a/Changelog b/Changelog
index 812cdec..13813bd 100644
--- a/Changelog
+++ b/Changelog
@@ -65,6 +65,7 @@ Wed, 26 Jul 2006
 Wed, 23 Aug 2006
 Thu, 31 Aug 2006
+ Fri, 01 Sep 2006
 - Added modules:
 afs
 amavis (Erich Schubert)
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index b2a3c36..4caaa8f 100644
--- a/policy/modules/admin/amanda.fc
+++ b/policy/modules/admin/amanda.fc
@@ -11,61 +11,11 @@
 /usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
 /usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
 /usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amcat\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amcleanupdisk -- gen_context(system_u:object_r:amanda_exec_t,s0)
 /usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
 /usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
-/usr/lib(64)?/amanda/amlogroll -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.awk -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.g -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amplot\.gp -- gen_context(system_u:object_r:amanda_script_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmidx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/amtrmlog -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/calcsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chio -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-chs -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-manual -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-multi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-rth -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-scsi -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/chg-zd-mtx -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/driver -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/dumper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/killpgrp -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/patch-system -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/planner -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/rundump -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/runtar -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/selfcheck -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendbackup -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/sendsize -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/taper -- gen_context(system_u:object_r:amanda_exec_t,s0)
-/usr/lib(64)?/amanda/versionsuffix -- gen_context(system_u:object_r:amanda_exec_t,s0)
-
-/usr/sbin/amadmin -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheck -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcheckdb -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amcleanup -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amdump -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amflush -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amgetconf -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amlabel -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amoverview -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amplot -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
-/usr/sbin/amreport -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrestore -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amrmtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amstatus -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtape -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amtoc -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-/usr/sbin/amverify -- gen_context(system_u:object_r:amanda_user_exec_t,s0)
-
 /var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
 /var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
-/var/lib/amanda/\.bashrc -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
-/var/lib/amanda/\.profile -- gen_context(system_u:object_r:amanda_shellconfig_t,s0)
 /var/lib/amanda/disklist -- gen_context(system_u:object_r:amanda_data_t,s0)
 /var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
 /var/lib/amanda/index gen_context(system_u:object_r:amanda_data_t,s0)
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index 4632176..b07c612 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.3.5)
+policy_module(amanda,1.3.6)
 #######################################
 #
@@ -33,18 +33,6 @@ files_type(amanda_var_lib_t)
 type amanda_gnutarlists_t;
 files_type(amanda_gnutarlists_t)
-# type for user startable files
-type amanda_user_exec_t;
-corecmd_executable_file(amanda_user_exec_t)
-
-# type for same awk and other scripts
-type amanda_script_exec_t;
-corecmd_executable_file(amanda_script_exec_t)
-
-# type for the shell configuration files
-type amanda_shellconfig_t;
-files_type(amanda_shellconfig_t)
-
 type amanda_tmp_t;
 files_tmp_file(amanda_tmp_t)
diff --git a/policy/modules/admin/firstboot.fc b/policy/modules/admin/firstboot.fc
index ab57cde..ba614e4 100644
--- a/policy/modules/admin/firstboot.fc
+++ b/policy/modules/admin/firstboot.fc
@@ -1,5 +1,3 @@
-# firstboot
 /usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
-/usr/share/firstboot gen_context(system_u:object_r:firstboot_rw_t,s0)
 /usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 36f2154..d7faf80 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.1.4)
+policy_module(firstboot,1.1.5)
 gen_require(`
 class passwd rootok;
@@ -20,9 +20,6 @@ role system_r types firstboot_t;
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
-type firstboot_rw_t;
-files_type(firstboot_rw_t)
-
 ########################################
 #
 # Local policy
@@ -38,10 +35,6 @@ allow firstboot_t self:passwd rootok;
 allow firstboot_t firstboot_etc_t:file { getattr read };
-allow firstboot_t firstboot_rw_t:dir create_dir_perms;
-allow firstboot_t firstboot_rw_t:file create_file_perms;
-files_etc_filetrans(firstboot_t,firstboot_rw_t,file)
-
 # The big hammer
 unconfined_domain(firstboot_t)
@@ -68,7 +61,8 @@ corecmd_exec_all_executables(firstboot_t)
 files_exec_etc_files(firstboot_t)
 files_manage_etc_files(firstboot_t)
-files_read_etc_runtime_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_etc_filetrans_etc_runtime(firstboot_t, { file dir })
 files_read_usr_files(firstboot_t)
 files_manage_var_dirs(firstboot_t)
 files_manage_var_files(firstboot_t)
@@ -122,6 +116,7 @@ optional_policy(`
 usermanage_domtrans_groupadd(firstboot_t)
 usermanage_domtrans_passwd(firstboot_t)
 usermanage_domtrans_useradd(firstboot_t)
+ usermanage_domtrans_admin_passwd(firstboot_t)
 ')
 ifdef(`TODO',`
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 5aa646e..1514fde 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
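Review bot: The two new lines `files_manage_etc_runtime_files(firstboot_t)` and `files_etc_filetrans_etc_runtime(firstboot_t, { file dir })` widen firstboot from reading to creating and rewriting etc_runtime_t content, directories included, with no comment naming what firstboot actually writes — compare the `rh bug #204161` note this same patch adds for NetworkManager. The context line `unconfined_domain(firstboot_t)` ("The big hammer") in the hunk above means these explicit rules only matter where that interface is not in effect, which is exactly when the next reader needs the rationale. I would put `# firstboot rewrites etc_runtime_t files under /etc during initial setup (TODO: which file / bug id)` above the two lines, and confirm the `dir` transition is really needed, since etc_runtime_t directories under /etc would be unusual.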
@@ -950,6 +950,7 @@ interface(`corecmd_manage_all_executables',`
 allow $1 exec_type:file manage_file_perms;
 allow $1 { bin_t sbin_t }:dir rw_dir_perms;
+ allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 3952087..13945b9 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.13)
+policy_module(corecommands,1.3.14)
 ########################################
 #
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 5e65156..ddc3042 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -886,7 +886,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
 type tty_device_t;
 ')
- dontaudit $1 tty_device_t:chr_file { read write };
+ dontaudit $1 tty_device_t:chr_file rw_file_perms;
 ')
 ########################################
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 273d72e..885f01c 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,5 +1,5 @@
-policy_module(terminal,1.1.6)
+policy_module(terminal,1.1.7)
 ########################################
 #
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index c9996e2..9e0e150 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -141,7 +141,6 @@ allow httpd_t self:msgq create_msgq_perms;
 allow httpd_t self:msg { send receive };
 allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
 allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow httpd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
 allow httpd_t self:tcp_socket create_stream_socket_perms;
 allow httpd_t self:udp_socket create_socket_perms;
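Review bot: `allow $1 { bin_t sbin_t }:lnk_file create_lnk_perms;` lets every caller of corecmd_manage_all_executables create, rename and unlink symlinks in /bin and /sbin, and combined with the `rw_dir_perms` already granted on those directories a caller can repoint a symlink at an executable of its choosing. That is within the spirit of "manage all executables", but the interface's documentation block sits above this hunk (not shown) and should say that symlinks in the bin directories are now included, so callers are not handed this silently; a one-line addition such as `## Manage all executable files, and symlinks in the bin/sbin directories.` would do. The interface opens before the hunk; only its last two rules and the closing `')` are visible here.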
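Review bot: Changing the dontaudit in term_dontaudit_use_unallocated_ttys from `{ read write }` to `rw_file_perms` also suppresses denials for the other permissions in that set (in this policy presumably getattr, append, ioctl and lock), not just read and write. Nothing is granted, so this is safe, but a domain that probes unallocated ttys with ioctl or stat will now leave no trace in the audit log; if that is intended, a comment on the rule, `# also silence getattr/ioctl noise from tty probing`, records the decision. The interface opens above the hunk.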
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 3032a63..d6de082 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -54,6 +54,9 @@ template(`cron_per_userdomain_template',`
 domain_entry_file($1_crontab_t,crontab_exec_t)
 role $3 types $1_crontab_t;
+ type $1_crontab_tmp_t;
+ files_tmp_file($1_crontab_tmp_t)
+
 ##############################
 #
 # $1_crond_t local policy
@@ -175,6 +178,10 @@ template(`cron_per_userdomain_template',`
 # $1_crontab_t local policy
 #
+ # dac_override is to create the file in the directory under /tmp
+ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_crontab_t self:process signal_perms;
+
 # Transition from the user domain to the derived domain.
 domain_auto_trans($2, crontab_exec_t, $1_crontab_t)
 allow $2 $1_crontab_t:fd use;
@@ -193,9 +200,8 @@ template(`cron_per_userdomain_template',`
 # Allow crond to read those crontabs in cron spool.
 allow crond_t $1_cron_spool_t:file create_file_perms;
- # dac_override is to create the file in the directory under /tmp
- allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_crontab_t self:process signal_perms;
+ allow $1_crontab_t $1_crontab_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_crontab_t,$1_crontab_tmp_t,file)
 # create files in /var/spool/cron
 allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
@@ -250,9 +256,6 @@ template(`cron_per_userdomain_template',`
 ')
 ifdef(`TODO',`
- allow $1_crond_t tmp_t:dir rw_dir_perms;
- type_transition $1_crond_t $1_tmp_t:{ file dir } $1_tmp_t;
-
 # Read user crontabs
 dontaudit $1_crontab_t $1_home_dir_t:dir write;
 ') dnl endif TODO
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 05c3cea..803ab2d 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
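Review bot: The capability rule moved into the `$1_crontab_t local policy` section keeps its comment `# dac_override is to create the file in the directory under /tmp`, yet the same patch now gives that file its own `$1_crontab_tmp_t` label via `files_tmp_filetrans`, so a reader will assume the label was the fix — it is not, since DAC checks are unaffected by the type. Presumably crontab, being setuid root (hence chown and setuid in the same capability set), creates the copy the user edits under /tmp; I would reword the comment to `# dac_override/chown/setuid: crontab runs setuid root and hands the user an editable copy of the crontab under /tmp`. Only `file` is transitioned and only `file manage_file_perms` granted, so if crontab ever creates a directory under /tmp it would be labelled tmp_t and denied — worth confirming against the crontab implementation in use. The template continues on both sides of these hunks.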
@@ -1,5 +1,5 @@
-policy_module(cron,1.3.11)
+policy_module(cron,1.3.12)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index de78a50..93d02c7 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.1.5)
+policy_module(cyrus,1.1.6)
 ########################################
 #
@@ -93,6 +93,7 @@ domain_use_interactive_fds(cyrus_t)
 files_list_var_lib(cyrus_t)
 files_read_etc_files(cyrus_t)
 files_read_etc_runtime_files(cyrus_t)
+files_read_usr_files(cyrus_t)
 init_use_fds(cyrus_t)
 init_use_script_ptys(cyrus_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 5f47c5f..a062730 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
 allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 4c862e6..36ec84e 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -50,7 +50,6 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
 allow ftpd_t self:tcp_socket create_stream_socket_perms;
 allow ftpd_t self:udp_socket create_socket_perms;
-allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ftpd_t ftpd_etc_t:file r_file_perms;
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 71b1ab9..e2adeef 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.11)
+policy_module(hal,1.3.12)
 ########################################
 #
@@ -28,7 +28,6 @@ allow hald_t self:process signal_perms;
 allow hald_t self:fifo_file rw_file_perms;
 allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow hald_t self:unix_dgram_socket create_socket_perms;
-allow hald_t self:netlink_route_socket r_netlink_socket_perms;
 allow hald_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow hald_t self:tcp_socket create_stream_socket_perms;
@@ -78,6 +77,7 @@ dev_setattr_usbfs_files(hald_t)
 dev_rw_sysfs(hald_t)
 domain_use_interactive_fds(hald_t)
+domain_read_all_domains_state(hald_t)
 files_exec_etc_files(hald_t)
 files_read_etc_files(hald_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index f5b2c81..fb1482b 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.2.5)
+policy_module(ldap,1.2.6)
 ########################################
 #
@@ -70,9 +70,10 @@ allow slapd_t slapd_tmp_t:dir create_dir_perms;
 allow slapd_t slapd_tmp_t:file create_file_perms;
 files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-allow slapd_t slapd_var_run_t:file create_file_perms;
+allow slapd_t slapd_var_run_t:file manage_file_perms;
+allow slapd_t slapd_var_run_t:sock_file manage_file_perms;
 allow slapd_t slapd_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(slapd_t,slapd_var_run_t,file)
+files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
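Review bot: `domain_read_all_domains_state(hald_t)` lets hald read the /proc/<pid> state (command lines, maps, status) of every domain on the system, and the hunk gives no reason for it. That is a broad information-disclosure grant for a hardware-abstraction daemon; if it exists so hald can inspect one particular process, the per-domain read-state interface for that domain is the narrower fit, and if the broad grant really is needed a one-line justification, `# hald walks /proc/<pid> of all domains (reason / bug id)`, should sit above it. The hunk is inside hald_t's local policy, which continues outside it.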
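Review bot: The new `slapd_var_run_t:sock_file manage_file_perms` rule and `files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })` label the socket slapd creates under /var/run, but nothing in this patch lets any client write to that socket or connectto slapd_t, so unless ldap.if already exposes such an interface (not visible here) local ldapi:// clients will be denied. If it is missing, add an interface next to the existing ldap.if ones that grants `slapd_var_run_t:sock_file write` plus `slapd_t:unix_stream_socket connectto`, and have the client domains call it; the sock_file label alone is only half the change.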
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 418ba83..a9de827 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.3.6)
+policy_module(networkmanager,1.3.7)
 ########################################
 #
@@ -18,9 +18,11 @@ files_pid_file(NetworkManager_var_run_t)
 # Local policy
 #
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
 allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
 dontaudit NetworkManager_t self:capability sys_tty_config;
-allow NetworkManager_t self:process { setcap getsched signal_perms };
+allow NetworkManager_t self:process { ptrace setcap getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_file_perms;
 allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
 allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index d68749a..534d219 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -38,7 +38,6 @@ allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
-allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
 allow ntpd_t self:udp_socket create_socket_perms;
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 59ebed0..2931b2a 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
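Review bot: `ptrace` on `self:process` only achieves what the new comment describes if the gdb that NetworkManager spawns runs in NetworkManager_t, i.e. without a domain transition, and gdb will additionally need to read /proc/<pid>/maps and the NetworkManager binary — none of which is shown here, so please confirm the backtrace actually works in enforcing mode rather than this merely silencing the first AVC. The grant also covers every process in NetworkManager_t tracing any other, including helpers it starts without a transition. Because a backtrace on an unexpected signal (rh bug #204161, per the added comment) is a debugging convenience rather than required function, `dontaudit NetworkManager_t self:process ptrace;` would keep the crash handler best-effort without widening the daemon's process permissions.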
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.1.2)
+policy_module(stunnel,1.1.3)
 ########################################
 #
@@ -38,6 +38,7 @@ allow stunnel_t self:process signal_perms;
 allow stunnel_t self:fifo_file rw_file_perms;
 allow stunnel_t self:tcp_socket create_stream_socket_perms;
 allow stunnel_t self:udp_socket create_socket_perms;
+allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;
 allow stunnel_t stunnel_etc_t:dir { getattr read search };
 allow stunnel_t stunnel_etc_t:file { read getattr };
@@ -63,7 +64,7 @@ corenet_udp_sendrecv_all_nodes(stunnel_t)
 corenet_tcp_sendrecv_all_ports(stunnel_t)
 corenet_udp_sendrecv_all_ports(stunnel_t)
 corenet_tcp_bind_all_nodes(stunnel_t)
-#corenet_tcp_bind_stunnel_port(stunnel_t)
+corenet_tcp_connect_all_ports(stunnel_t)
 fs_getattr_all_fs(stunnel_t)
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 1a7e566..1d5d4d2 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -23,6 +23,7 @@
 #
 /sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
 /sbin/restorecon -- gen_context(system_u:object_r:restorecon_exec_t,s0)
+/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
 #
 # /usr
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 6808918..02e30cb 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.13)
+policy_module(selinuxutil,1.2.14)
 ifdef(`strict_policy',`
 gen_require(`
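Review bot: The added `allow stunnel_t self:netlink_route_socket r_netlink_socket_perms;` open-codes a rule that this same patch deletes from httpd_t, system_dbusd_t, ftpd_t, hald_t and ntpd_t without any visible replacement. If those deletions are possible because the permission is now granted by a shared interface (that change would have to be outside this diff), stunnel_t should call that interface rather than carry its own copy; if it is not, the five daemons have just lost the ability to enumerate interfaces over rtnetlink and will start hitting denials on the next address lookup.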
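Review bot: `corenet_tcp_connect_all_ports(stunnel_t)` replaces the commented-out `#corenet_tcp_bind_stunnel_port(stunnel_t)` instead of being added next to it, so this block still has no port-bind rule for the listening side — `corenet_tcp_bind_all_nodes` covers only the node — and unless a bind rule exists outside the hunk, stunnel cannot accept connections in server mode. On the client side, connect-to-every-port together with the existing `corenet_tcp_sendrecv_all_ports` turns a compromised stunnel into a pivot to any TCP service; stunnel's targets are fixed in its configuration, so either a comment explaining why a narrower port set is not workable, or a boolean gating the broad connect, would be appropriate here.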
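Review bot: `/sbin/setfiles.*` is a regex in which `.` matches any character, so this spec labels every path beginning with /sbin/setfiles — /sbin/setfiles-anything included — as setfiles_exec_t, the entry point into a domain that can relabel the whole filesystem, and the two neighbouring specs (`/sbin/load_policy`, `/sbin/restorecon`) carry no such suffix pattern. If the intent is the plain binary, use `/sbin/setfiles --`; if packaging variants with a dotted suffix must be covered, `/sbin/setfiles(\..*)? --` with the dot escaped, as the other specs in this patch do (`firstboot\.py`, `\.amandahosts`).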