From 812781becc653e2382ffbd3f8e068a7c2d224ee6 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Feb 08 2011 22:50:40 +0000 Subject: - Update to ref policy - cgred needs chown capability - Add /dev/crash crash_dev_t --- diff --git a/policy-F15.patch b/policy-F15.patch index 76b346b..422d55e 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1,14 +1,3 @@ -diff --git a/Changelog b/Changelog -index 0de73bc..27cbe7f 100644 ---- a/Changelog -+++ b/Changelog -@@ -1,3 +1,6 @@ -+- Cron default contexts fix from Harry Ciao. -+- Man page fixes from Justin Mattock. -+- Add syslog capability. - - Support for logging in to /dev/console, from Harry Ciao. - - Database object class updates and associated SEPostgreSQL changes from - KaiGai Kohei. diff --git a/Makefile b/Makefile index b8486a0..bec48d7 100644 --- a/Makefile 
@@ -22,38 +11,8 @@ index b8486a0..bec48d7 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) -diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts -index 22aeb67..801d97b 100644 ---- a/config/appconfig-mcs/default_contexts -+++ b/config/appconfig-mcs/default_contexts -@@ -1,4 +1,4 @@ --system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 - system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 - system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts -index 22aeb67..801d97b 100644 ---- a/config/appconfig-mls/default_contexts -+++ b/config/appconfig-mls/default_contexts -@@ -1,4 +1,4 @@ --system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 -+system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 - system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 - system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 - system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 -diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts -index 6141347..64a0a90 100644 ---- 
a/config/appconfig-standard/default_contexts -+++ b/config/appconfig-standard/default_contexts -@@ -1,4 +1,4 @@ --system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t -+system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t - system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t - system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t - system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 -index a939a74..87925e6 100644 +index 16e8b13..87925e6 100644 --- a/man/man8/httpd_selinux.8 +++ b/man/man8/httpd_selinux.8 @@ -28,9 +28,9 @@ httpd_sys_script_exec_t 
@@ -68,43 +27,8 @@ index a939a74..87925e6 100644 .EX httpd_sys_content_ra_t .EE -@@ -57,7 +57,7 @@ setsebool -P allow_httpd_sys_script_anon_write=1 - .EE - - .SH BOOLEANS --SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. -+SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. - .PP - httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this - -diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 -index 4dab2e2..fce0b48 100644 ---- a/man/man8/named_selinux.8 -+++ b/man/man8/named_selinux.8 -@@ -15,7 +15,7 @@ Security-Enhanced Linux secures the named server via flexible mandatory access - control. - .SH BOOLEANS - SELinux policy is customizable based on least access required. So by --default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. -+default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. - .EX - setsebool -P named_write_master_zones 1 - .EE -diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 -index 14498e1..ca702c7 100644 ---- a/man/man8/samba_selinux.8 -+++ b/man/man8/samba_selinux.8 -@@ -34,7 +34,7 @@ setsebool -P allow_smbd_anon_write=1 - .SH BOOLEANS - .br - SELinux policy is customizable based on least access required. 
So by --default SElinux policy turns off SELinux sharing of home directories and -+default SELinux policy turns off SELinux sharing of home directories and - the use of Samba shares from a remote machine as a home directory. - .TP - If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index ae29de3..bf24160 100644 +index 0ef9b12..bf24160 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -153,6 +153,8 @@ inherits file @@ -173,14 +97,6 @@ index ae29de3..bf24160 100644 } -@@ -428,6 +444,7 @@ class capability2 - { - mac_override # unused by SELinux - mac_admin # unused by SELinux -+ syslog - } - - # diff --git a/policy/global_booleans b/policy/global_booleans index 111d004..9df7b5e 100644 --- a/policy/global_booleans @@ -8975,7 +8891,7 @@ index 5a07a43..e97e47f 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index f12e087..791a227 100644 +index 0757523..791a227 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -9129,7 +9045,7 @@ index f12e087..791a227 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,25 +213,30 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +213,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
@@ -9160,11 +9076,9 @@ index f12e087..791a227 100644 network_port(swat, tcp,901,s0) +network_port(sype, tcp,9911,s0, udp,9911,s0) network_port(syslogd, udp,514,s0) -+network_port(tcs, tcp, 30003, s0) + network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) - network_port(tftp, udp,69,s0) - network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) -@@ -204,16 +245,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,16 +245,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -9185,7 +9099,7 @@ index f12e087..791a227 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -275,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn +@@ -276,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -9193,10 +9107,18 @@ index f12e087..791a227 100644 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 3b2da10..7c29e17 100644 +index 3b2da10..cb1a128 100644 --- a/policy/modules/kernel/devices.fc 
+++ b/policy/modules/kernel/devices.fc -@@ -159,6 +159,7 @@ ifdef(`distro_suse', ` +@@ -18,6 +18,7 @@ + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0) + /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) + /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -159,6 +160,7 @@ ifdef(`distro_suse', ` /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) @@ -9204,12 +9126,12 @@ index 3b2da10..7c29e17 100644 /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -176,13 +177,12 @@ ifdef(`distro_suse', ` +@@ -176,13 +178,12 @@ ifdef(`distro_suse', ` /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) -/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0) -+/lib/udev/devices(/.*) gen_context(system_u:object_r:device_t,s0) ++/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0) -ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev @@ -9220,7 +9142,7 @@ index 3b2da10..7c29e17 100644 ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +191,8 @@ ifdef(`distro_redhat',` +@@ -191,3 +192,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -9230,7 +9152,7 @@ index 3b2da10..7c29e17 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 15a7bef..eddb8dc 100644 +index efaf808..79e4ff3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',` @@ -9437,7 +9359,32 @@ index 15a7bef..eddb8dc 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -1979,6 +2123,24 @@ interface(`dev_read_kmsg',` +@@ -1597,6 +1741,24 @@ interface(`dev_rw_cpu_microcode',` + + ######################################## + ## ++## Read the kernel crash device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_crash',` ++ gen_require(` ++ type device_t, crash_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, crash_device_t) ++') ++ ++######################################## ++## + ## Read and write the the hardware SSL accelerator. + ## + ## +@@ -1979,6 +2141,24 @@ interface(`dev_read_kmsg',` ######################################## ## @@ -9462,7 +9409,7 @@ index 15a7bef..eddb8dc 100644 ## Write to the kernel messages device ## ## -@@ -3048,24 +3210,6 @@ interface(`dev_rw_printer',` +@@ -3048,24 +3228,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -9487,7 +9434,7 @@ index 15a7bef..eddb8dc 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',` +@@ -3613,6 +3775,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -9512,7 +9459,7 @@ index 15a7bef..eddb8dc 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3773,6 +3935,60 @@ interface(`dev_rw_sysfs',` +@@ -3773,6 +3953,24 @@ interface(`dev_rw_sysfs',` ######################################## ## 
@@ -9532,48 +9479,12 @@ index 15a7bef..eddb8dc 100644 + manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + -+###################################### -+## -+## Read and write tpm device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm_dev',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ +######################################## +## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## - ## Read from pseudo random number generator devices (e.g., /dev/urandom). + ## Read and write the TPM device. ## - ## -@@ -3942,6 +4158,24 @@ interface(`dev_read_usbmon_dev',` + ## +@@ -3960,6 +4158,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -9598,7 +9509,7 @@ index 15a7bef..eddb8dc 100644 ## Mount a usbfs filesystem. ## ## -@@ -4252,11 +4486,10 @@ interface(`dev_write_video_dev',` +@@ -4270,11 +4486,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` @@ -9613,10 +9524,23 @@ index 15a7bef..eddb8dc 100644 ######################################## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 41f892f..cab1bfc 100644 +index 41f892f..5ce9978 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te -@@ -102,6 +102,7 @@ dev_node(ksm_device_t) +@@ -56,6 +56,12 @@ dev_node(clock_device_t) + type cpu_device_t; + dev_node(cpu_device_t) + ++# ++# Type for /dev/crash ++# ++type crash_device_t; ++dev_node(crash_device_t) ++ + # for the IBM zSeries z90crypt hardware ssl accelorator + type crypt_device_t; + dev_node(crypt_device_t) +@@ -102,6 +108,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) 
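Review bot: The type introduced in devices.te is `crash_device_t`, but the commit subject and the spec changelog entry call it `crash_dev_t`, so a search for the changelog name finds nothing; the changelog should say `crash_device_t`. The `# Type for /dev/crash` comment also records nothing about why this node is special, even though devices.fc labels it `mls_systemhigh` and devices.if exposes only a read interface (`dev_read_crash`); if this is the kernel crash-dump memory device, that restrictive labeling is the point and is worth stating. Suggested comment: `# Type for /dev/crash (kernel crash device; labeled mls_systemhigh in devices.fc, read-only via dev_read_crash())`. No domain in the visible hunks calls dev_read_crash yet, so the interface is unused until a caller is added.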
@@ -9624,7 +9548,7 @@ index 41f892f..cab1bfc 100644 # # Type for /dev/lirc -@@ -304,5 +305,5 @@ files_associate_tmp(device_node) +@@ -304,5 +311,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -11898,52 +11822,10 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index d7468b3..774ebee 100644 +index 069d36c..774ebee 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -442,6 +442,7 @@ interface(`kernel_read_ring_buffer',` - type kernel_t; - ') - -+ allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_read; - ') - -@@ -479,7 +480,16 @@ interface(`kernel_change_ring_buffer_level',` - type kernel_t; - ') - -+ allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_console; -+ -+ ifdef(`distro_rhel4',` -+ allow $1 self:capability2 sys_admin; -+ ') -+ -+ ifdef(`distro_rhel5',` -+ allow $1 self:capability2 sys_admin; -+ ') - ') - - ######################################## -@@ -498,7 +508,16 @@ interface(`kernel_clear_ring_buffer',` - type kernel_t; - ') - -+ allow $1 self:capability2 syslog; - allow $1 kernel_t:system syslog_mod; -+ -+ ifdef(`distro_rhel4',` -+ allow $1 self:capability2 sys_admin; -+ ') -+ -+ ifdef(`distro_rhel5',` -+ allow $1 self:capability2 sys_admin; -+ ') - ') - - ######################################## -@@ -716,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` +@@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` ######################################## ## @@ -11970,7 +11852,7 @@ index d7468b3..774ebee 100644 ## Mount a kernel VM filesystem. ## ## -@@ -2014,7 +2053,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2033,7 +2053,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; 
@@ -11979,7 +11861,7 @@ index d7468b3..774ebee 100644 ') ######################################## -@@ -2417,6 +2456,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2436,6 +2456,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -12004,7 +11886,7 @@ index d7468b3..774ebee 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2561,7 +2618,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2580,7 +2618,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -12013,7 +11895,7 @@ index d7468b3..774ebee 100644 ') ######################################## -@@ -2890,6 +2947,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2909,6 +2947,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -12038,7 +11920,7 @@ index d7468b3..774ebee 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2905,3 +2980,23 @@ interface(`kernel_unconfined',` +@@ -2924,3 +2980,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -18654,7 +18536,7 @@ index d020c93..e5cbcef 100644 cgroup_initrc_domtrans_cgconfig($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..27f8f4d 100644 +index 8ca2333..460f4fd 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) @@ -18696,7 +18578,7 @@ index 8ca2333..27f8f4d 100644 allow cgconfig_t cgconfig_etc_t:file read_file_perms; -@@ -67,6 +69,7 @@ fs_manage_cgroup_dirs(cgconfig_t) +@@ -67,18 +69,22 @@ fs_manage_cgroup_dirs(cgconfig_t) fs_manage_cgroup_files(cgconfig_t) fs_mount_cgroup(cgconfig_t) fs_mounton_cgroup(cgconfig_t) 
@@ -18704,7 +18586,13 @@ index 8ca2333..27f8f4d 100644 ######################################## # -@@ -79,6 +82,9 @@ allow cgred_t self:unix_dgram_socket { write create connect }; + # cgred personal policy. + # + +-allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; ++allow cgred_t self:capability { chown net_admin sys_admin sys_ptrace dac_override }; + allow cgred_t self:netlink_socket { write bind create read }; + allow cgred_t self:unix_dgram_socket { write create connect }; allow cgred_t cgrules_etc_t:file read_file_perms; @@ -20447,7 +20335,7 @@ index 35241ed..b6402c9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..8296aaa 100644 +index f35b243..c6b63be 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -20585,17 +20473,8 @@ index f35b243..8296aaa 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -203,12 +219,18 @@ files_list_usr(crond_t) - files_search_var_lib(crond_t) - files_search_default(crond_t) +@@ -208,7 +224,9 @@ init_spec_domtrans_script(crond_t) -+fs_manage_cgroup_dirs(crond_t) -+fs_manage_cgroup_files(crond_t) -+ - init_rw_utmp(crond_t) - init_spec_domtrans_script(crond_t) - -+auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) +logging_send_audit_msgs(crond_t) @@ -20604,7 +20483,7 @@ index f35b243..8296aaa 100644 seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -219,8 +241,10 @@ miscfiles_read_localization(crond_t) +@@ -219,8 +237,10 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) 
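Review bot: The `chown` permission added to `allow cgred_t self:capability { chown net_admin sys_admin sys_ptrace dac_override };` carries no rationale, and the commit record says only that cgred needs it; refpolicy convention is to justify each capability grant next to the rule so a later rebase can drop it once the need disappears. Because cgred_t already holds dac_override, sys_admin and sys_ptrace, this grant does not materially widen the domain, but the trigger should still be recorded, e.g. `# chown: <AVC or bug reference explaining why cgred changes ownership>` above the allow rule, with the placeholder replaced by the actual reference. The cgroup.te hunk is visible only from the `cgred personal policy` header onward; the rest of the cgred rules lie outside this hunk.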
@@ -20615,7 +20494,7 @@ index f35b243..8296aaa 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -232,7 +256,7 @@ ifdef(`distro_debian',` +@@ -232,7 +252,7 @@ ifdef(`distro_debian',` ') ') @@ -20624,7 +20503,7 @@ index f35b243..8296aaa 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -240,16 +264,39 @@ ifdef(`distro_redhat', ` +@@ -240,16 +260,39 @@ ifdef(`distro_redhat', ` ') ') @@ -20665,7 +20544,7 @@ index f35b243..8296aaa 100644 amanda_search_var_lib(crond_t) ') -@@ -259,6 +306,8 @@ optional_policy(` +@@ -259,6 +302,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -20674,7 +20553,7 @@ index f35b243..8296aaa 100644 ') optional_policy(` -@@ -284,12 +333,18 @@ optional_policy(` +@@ -284,12 +329,18 @@ optional_policy(` udev_read_db(crond_t) ') @@ -20693,7 +20572,7 @@ index f35b243..8296aaa 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -301,10 +356,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -301,10 +352,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -20714,7 +20593,7 @@ index f35b243..8296aaa 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -324,6 +388,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -324,6 +384,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; 
@@ -20722,7 +20601,7 @@ index f35b243..8296aaa 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -335,9 +400,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -335,9 +396,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -20737,7 +20616,7 @@ index f35b243..8296aaa 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -360,6 +429,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -360,6 +425,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -20745,7 +20624,7 @@ index f35b243..8296aaa 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -386,6 +456,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -386,6 +452,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -20753,7 +20632,7 @@ index f35b243..8296aaa 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -408,8 +479,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -408,8 +475,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -20765,7 +20644,7 @@ index f35b243..8296aaa 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -434,6 +507,8 @@ optional_policy(` +@@ -434,6 +503,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) 
@@ -20774,7 +20653,7 @@ index f35b243..8296aaa 100644 ') optional_policy(` -@@ -441,6 +516,14 @@ optional_policy(` +@@ -441,6 +512,14 @@ optional_policy(` ') optional_policy(` @@ -20789,7 +20668,7 @@ index f35b243..8296aaa 100644 ftp_read_log(system_cronjob_t) ') -@@ -451,15 +534,24 @@ optional_policy(` +@@ -451,15 +530,24 @@ optional_policy(` ') optional_policy(` @@ -20814,7 +20693,7 @@ index f35b243..8296aaa 100644 ') optional_policy(` -@@ -475,7 +567,7 @@ optional_policy(` +@@ -475,7 +563,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -20823,7 +20702,7 @@ index f35b243..8296aaa 100644 ') optional_policy(` -@@ -490,6 +582,7 @@ optional_policy(` +@@ -490,6 +578,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -20831,7 +20710,7 @@ index f35b243..8296aaa 100644 ') optional_policy(` -@@ -497,7 +590,13 @@ optional_policy(` +@@ -497,7 +586,13 @@ optional_policy(` ') optional_policy(` @@ -20845,7 +20724,7 @@ index f35b243..8296aaa 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,9 +689,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -590,9 +685,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -38824,24 +38703,22 @@ index 7038b55..4e84f23 100644 type tcpd_tmp_t; files_tmp_file(tcpd_tmp_t) diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc -new file mode 100644 -index 0000000..7fdda14 ---- /dev/null +index 8a473e7..7fdda14 100644 +--- a/policy/modules/services/tcsd.fc 
+++ b/policy/modules/services/tcsd.fc -@@ -0,0 +1,6 @@ +@@ -1,3 +1,6 @@ +/etc/rc\.d/init\.d/tcsd -- gen_context(system_u:object_r:tcsd_initrc_exec_t,s0) + -+/usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) -+ -+/var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) + /usr/sbin/tcsd -- gen_context(system_u:object_r:tcsd_exec_t,s0) + + /var/lib/tpm(/.*)? gen_context(system_u:object_r:tcsd_var_lib_t,s0) + diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if -new file mode 100644 -index 0000000..41ebccf ---- /dev/null +index e814f69..f7d6fa3 100644 +--- a/policy/modules/services/tcsd.if +++ b/policy/modules/services/tcsd.if -@@ -0,0 +1,153 @@ -+## policy for tcsd +@@ -1 +1,153 @@ + ## TSS Core Services (TCS) daemon (tcsd) policy + +######################################## +## @@ -38995,61 +38872,49 @@ index 0000000..41ebccf + +') diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te -new file mode 100644 -index 0000000..7b74540 ---- /dev/null +index f17dafd..30d2c75 100644 +--- a/policy/modules/services/tcsd.te 
+++ b/policy/modules/services/tcsd.te -@@ -0,0 +1,51 @@ -+policy_module(tcsd, 1.0.0) -+ -+######################################## -+# -+# Declarations -+# -+ -+type tcsd_t; -+type tcsd_exec_t; -+init_daemon_domain(tcsd_t, tcsd_exec_t) -+ -+permissive tcsd_t; -+ +@@ -10,7 +10,9 @@ type tcsd_exec_t; + domain_type(tcsd_t) + init_daemon_domain(tcsd_t, tcsd_exec_t) + +-# /var/lib/tpm +type tcsd_initrc_exec_t; +init_script_file(tcsd_initrc_exec_t) + -+type tcsd_var_lib_t; -+files_type(tcsd_var_lib_t) -+ -+######################################## -+# -+# tcsd local policy -+# -+ -+allow tcsd_t self:capability { dac_override setuid }; -+allow tcsd_t self:process { signal sigkill }; -+allow tcsd_t self:tcp_socket create_stream_socket_perms; -+ -+# Access /dev/tpm0. -+dev_rw_tpm(tcsd_t) -+ -+manage_dirs_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t) -+manage_files_pattern(tcsd_t,tcsd_var_lib_t,tcsd_var_lib_t) -+files_var_lib_filetrans(tcsd_t,tcsd_var_lib_t,{ file dir }) -+ -+corenet_all_recvfrom_unlabeled(tcsd_t) -+corenet_tcp_bind_generic_node(tcsd_t) -+corenet_tcp_bind_tcs_port(tcsd_t) -+ -+dev_read_urand(tcsd_t) -+ -+files_read_etc_files(tcsd_t) -+files_read_usr_files(tcsd_t) -+ + type tcsd_var_lib_t; + files_type(tcsd_var_lib_t) + +@@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid }; + allow tcsd_t self:process { signal sigkill }; + allow tcsd_t self:tcp_socket create_stream_socket_perms; + +-# var/lib files for tcsd + manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) + manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t) + files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir }) + +-# Accept connections on the TCS port over loopback. + corenet_all_recvfrom_unlabeled(tcsd_t) + corenet_tcp_bind_generic_node(tcsd_t) + corenet_tcp_bind_tcs_port(tcsd_t) + + dev_read_urand(tcsd_t) +-# Access /dev/tpm0. + dev_rw_tpm(tcsd_t) + + files_read_etc_files(tcsd_t) + files_read_usr_files(tcsd_t) + +-# Log messages via syslog. 
+auth_use_nsswitch(tcsd_t) + -+logging_send_syslog_msg(tcsd_t) -+ -+miscfiles_read_localization(tcsd_t) -+ + logging_send_syslog_msg(tcsd_t) + + miscfiles_read_localization(tcsd_t) + +-sysnet_read_config(tcsd_t) +sysnet_dns_name_resolve(tcsd_t) diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if index 58e7ec0..cf4cc85 100644 @@ -44659,7 +44524,7 @@ index 6fed22c..06e5395 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index ed152c4..e96b7b1 100644 +index cc83689..e96b7b1 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -44914,7 +44779,7 @@ index ed152c4..e96b7b1 100644 ') ') -@@ -800,23 +914,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -44937,11 +44802,11 @@ index ed152c4..e96b7b1 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -44954,16 +44819,12 @@ index ed152c4..e96b7b1 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## + ') + + ######################################## @@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` 
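Review bot: The new tcsd.te hunk deletes upstream's explanatory comments (`# var/lib files for tcsd`, `# Accept connections on the TCS port over loopback.`, `# Access /dev/tpm0.`, `# Log messages via syslog.`) without a functional reason, which loses the rationale for the rules and makes every future rebase of policy-F15.patch carry a larger tcsd.te hunk than necessary; the distro patch should keep those comment lines as context and add only the `tcsd_initrc_exec_t` declaration, `auth_use_nsswitch(tcsd_t)` and the `sysnet_dns_name_resolve(tcsd_t)` swap. If `auth_use_nsswitch` already includes `sysnet_dns_name_resolve` in this tree (confirm against authlogin.if), the explicit `sysnet_dns_name_resolve(tcsd_t)` line is redundant and can be dropped as well. `dev_rw_tpm(tcsd_t)` is unchanged, so the daemon's TPM device access is the same as before; only the comment explaining it is lost.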
@@ -44979,24 +44840,6 @@ index ed152c4..e96b7b1 100644 files_search_etc($1) ') -@@ -937,7 +1078,7 @@ interface(`init_run_daemon',` - # - interface(`init_read_state',` - gen_require(` -- attribute init_t; -+ type init_t; - ') - - allow $1 init_t:dir search_dir_perms; -@@ -958,7 +1099,7 @@ interface(`init_read_state',` - # - interface(`init_ptrace',` - gen_require(` -- attribute init_t; -+ type init_t; - ') - - allow $1 init_t:process ptrace; @@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` ') @@ -47343,15 +47186,15 @@ index 58bc27f..b95f0c0 100644 + allow $1 clvmd_tmpfs_t:file unlink; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..8de48db 100644 +index 74e38b4..a5d465f 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) -+type clvmd_tmpfs_t alias clmvd_tmpfs_t; -+files_tmpfs_file(clvmd_tmpfs_t) ++type clmvd_tmpfs_t; ++files_tmpfs_file(clmvd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -47369,9 +47212,9 @@ index 86ef2da..8de48db 100644 allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; -+manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) -+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) -+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) ++manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) ++manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) 
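Review bot: The new lvm.te declares the tmpfs type as `clmvd_tmpfs_t` (letters transposed) and uses that name in the three pattern rules, while the lvm.if hunk directly above still references `clvmd_tmpfs_t` (`allow $1 clvmd_tmpfs_t:file unlink;`); the previous revision of the patch bridged the two with `type clvmd_tmpfs_t alias clmvd_tmpfs_t;`, and dropping the alias leaves lvm.if requiring a type that is no longer declared, which would be an unresolved type wherever that interface is invoked. Either rename every `clmvd_tmpfs_t` in the five added lines to `clvmd_tmpfs_t`, matching `clvmd_t` and `clvmd_var_run_t`, or restore the alias: `type clvmd_tmpfs_t alias clmvd_tmpfs_t;` followed by `files_tmpfs_file(clvmd_tmpfs_t)`. The lvm.if interface's gen_require block is outside this hunk, so its requirement is inferred from the visible allow rule.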
@@ -47463,18 +47306,6 @@ index 86ef2da..8de48db 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -274,9 +294,9 @@ storage_relabel_fixed_disk(lvm_t) - storage_dontaudit_read_removable_device(lvm_t) - # LVM creates block devices in /dev/mapper or /dev/ - # depending on its version --# LVM(2) needs to create directores (/dev/mapper, /dev/) -+# LVM(2) needs to create directories (/dev/mapper, /dev/) - # and links from /dev/ to /dev/mapper/- --# cjp: need create interface here for fixed disk create -+# cjp: needs to create an interface here for fixed disk create - storage_dev_filetrans_fixed_disk(lvm_t) - # Access raw devices and old /dev/lvm (c 109,0). Is this needed? - storage_manage_fixed_disk(lvm_t) @@ -309,6 +329,11 @@ ifdef(`distro_redhat',` ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5eb8214..5b210af 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,8 +20,8 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.13 -Release: 10%{?dist} +Version: 3.9.14 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,11 @@ exit 0 %endif %changelog +* Tue Feb 8 2011 Dan Walsh 3.9.14-1 +- Update to ref policy +- cgred needs chown capability +- Add /dev/crash crash_dev_t + * Tue Feb 8 2011 Miroslav Grepl 3.9.13-10 - New labeling for postfmulti #675654 - dontaudit xdm_t listing noxattr file systems diff --git a/sources b/sources index c1b1cb9..af1ec0f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 409b40c8102b1617681ba17c31032e66 config.tgz -7133b9fde2dd7620e2985afaf4e3b00e serefpolicy-3.9.13.tgz +a55f0c692416d73f7805e52fd6511825 serefpolicy-3.9.14.tgz