From 9754f472c76b57b555552d7f1034ce98bff3cea8 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Nov 01 2010 18:37:25 +0000 Subject: - Allow NetworkManager to read openvpn_etc_t - Dontaudit hplip to write of /usr dirs - Allow system_mail_t to create /root/dead.letter as mail_home_t - Add vdagent policy for spice agent daemon --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 97df528..06360e6 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1735,9 +1735,16 @@ unconfined = module ulogd = module # Layer: services +# Module: vdagent +# +# vdagent +# +vdagent = module + +# Layer: services # Module: vhostmd # -# vhostmd - A metrics gathering daemon +# vhostmd - spice guest agent daemon. # vhostmd = module diff --git a/policy-F14.patch b/policy-F14.patch index 4a79637..6454d83 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -2045,10 +2045,10 @@ index 7fd0900..899e234 100644 dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 -index 0000000..9bd4f45 +index 0000000..278b3a3 --- /dev/null +++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,48 @@ +@@ -0,0 +1,49 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2080,7 +2080,8 @@ index 0000000..9bd4f45 +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/opt/secondlife-install/bin/SLPlugin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + 
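Review bot: The vhostmd description in the modules-targeted.conf hunk is now wrong: `+# vhostmd - spice guest agent daemon.` describes the spice agent, while the new vdagent block directly above it carries only the bare name `# vdagent`. The two strings look swapped during copy/paste, and the vdagent.if header added later in this patch (`## The spice guest agent daemon.`) shows which daemon the sentence belongs to. Keep the removed `# vhostmd - A metrics gathering daemon` line and put `# vdagent - spice guest agent daemon.` in the vdagent block instead.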
@@ -12265,7 +12266,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..e76f7a7 100644 +index e88b95f..b8b5c15 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) @@ -12326,7 +12327,7 @@ index e88b95f..e76f7a7 100644 ') ') -@@ -76,23 +84,90 @@ optional_policy(` +@@ -76,23 +84,95 @@ optional_policy(` ') optional_policy(` @@ -12345,23 +12346,28 @@ index e88b95f..e76f7a7 100644 + +optional_policy(` + gnomeclock_dontaudit_dbus_chat(xguest_t) + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) ++ java_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` -+ java_role_template(xguest, xguest_r, xguest_t) ++ mono_role_template(xguest, xguest_r, xguest_t) +') + +optional_policy(` -+ mono_role_template(xguest, xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) + mozilla_run_plugin(xguest_t, xguest_r) +') + +optional_policy(` + nsplugin_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ pcscd_read_pub_files(xguest_usertype) ++ pcscd_stream_connect(xguest_usertype) ') optional_policy(` @@ -12404,7 +12410,7 @@ index e88b95f..e76f7a7 100644 + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) - ') ++ ') + + optional_policy(` + telepathy_dbus_session_role(xguest_r, xguest_t) @@ -12414,7 +12420,7 @@ index e88b95f..e76f7a7 100644 +optional_policy(` + gen_require(` + type mozilla_t; -+ ') + ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; @@ -13281,7 +13287,7 @@ index 9e39aa5..8603d4d 100644 +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
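Review bot: The new `pcscd_read_pub_files(xguest_usertype)` / `pcscd_stream_connect(xguest_usertype)` block in xguest.te gives the guest role unconditional access to the smart-card daemon socket, whereas the other optional guest capability visible in this file, `gen_tunable(xguest_mount_media, true)` at the top of the section, is switchable by the administrator. Unless smart-card login is a baseline requirement for guest sessions, wrapping the two calls in a `tunable_policy` block (name and default chosen to match the existing xguest tunables) keeps that extra surface opt-in. The indentation-only changes to `')` in the two following hunks of this file are whitespace noise and would be easier to review as their own change.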
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index c9e1a44..6918ff2 100644 +index c9e1a44..ef353c7 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ @@ -13305,7 +13311,7 @@ index c9e1a44..6918ff2 100644 typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -36,25 +32,25 @@ template(`apache_content_template',` +@@ -36,32 +32,32 @@ template(`apache_content_template',` domain_type(httpd_$1_script_t) role system_r types httpd_$1_script_t; @@ -13336,6 +13342,14 @@ index c9e1a44..6918ff2 100644 allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; + + allow httpd_$1_script_t httpd_t:fifo_file write; + # apache should set close-on-exec +- dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; ++ apache_dontaudit_leaks(httpd_$1_script_t) + + # Allow the script process to search the cgi directory, and users directory + allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; @@ -86,7 +82,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -13799,7 +13813,7 @@ index c9e1a44..6918ff2 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1200,14 +1367,41 @@ interface(`apache_admin',` +@@ -1200,14 +1367,43 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
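Review bot: Swapping `dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }` for `apache_dontaudit_leaks(httpd_$1_script_t)` in apache_content_template silences far more than the old rule: the interface body shown later in this patch also drops denials for httpd_t fifo, tcp_socket and unix_dgram_socket read/write and for httpd_tmp_t file read/write. The accesses are still denied, but a CGI script that really does touch apache's temp files or an inherited TCP client socket will no longer leave a trace in the audit log. The comment kept above the call, `# apache should set close-on-exec`, should say what is being hidden, e.g. `# fds apache leaks across exec: denied but not logged (see apache_dontaudit_leaks)`. apache_content_template starts and ends outside this hunk.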
@@ -13839,12 +13853,14 @@ index c9e1a44..6918ff2 100644 +interface(`apache_dontaudit_leaks',` + gen_require(` + type httpd_t; ++ type httpd_tmp_t; + ') + + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; + dontaudit $1 httpd_t:tcp_socket { read write }; + dontaudit $1 httpd_t:unix_dgram_socket { read write }; + dontaudit $1 httpd_t:unix_stream_socket { read write }; ++ dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 08dfa0c..b9fc802 100644 @@ -16202,10 +16218,18 @@ index 7a6e5ba..d664be8 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index 1a65b5e..5595c96 100644 +index 1a65b5e..e281c74 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te -@@ -32,7 +32,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; +@@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t) + # + + allow certmonger_t self:capability { kill sys_nice }; ++dontaudit certmonger_t self:capability sys_tty_config; + allow certmonger_t self:process { getsched setsched sigkill }; + allow certmonger_t self:fifo_file rw_file_perms; + allow certmonger_t self:unix_stream_socket create_stream_socket_perms; +@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) 
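Review bot: `dontaudit $1 httpd_tmp_t:file { read write }` widens apache_dontaudit_leaks from leaked socket and fifo descriptors to file objects, and every caller of the interface inherits that silently; httpd_tmp_t is apache's own temp data, so a caller that deliberately reads it now fails without any audit record. A one-line comment beside the new rule recording why an httpd_tmp_t file is presumably expected to arrive as a leaked descriptor (`# open httpd_tmp_t files inherited across exec from httpd_t`) would make the exception reviewable. The interface's summary block sits above the hunk and should mention the file class as well.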
@@ -16214,7 +16238,16 @@ index 1a65b5e..5595c96 100644 manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -@@ -58,6 +58,16 @@ miscfiles_manage_generic_cert_files(certmonger_t) +@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t) + files_read_usr_files(certmonger_t) + files_list_tmp(certmonger_t) + ++auth_rw_cache(certmonger_t) ++ + logging_send_syslog_msg(certmonger_t) + + miscfiles_read_localization(certmonger_t) +@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) @@ -16231,8 +16264,11 @@ index 1a65b5e..5595c96 100644 optional_policy(` dbus_system_bus_client(certmonger_t) dbus_connect_system_bus(certmonger_t) -@@ -70,3 +80,4 @@ optional_policy(` +@@ -68,5 +81,7 @@ optional_policy(` + ') + optional_policy(` ++ pcscd_read_pub_files(certmonger_t) pcscd_stream_connect(certmonger_t) ') + @@ -18434,7 +18470,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..b3ab30f 100644 +index 0f28095..cf33683 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -18564,6 +18600,14 @@ index 0f28095..b3ab30f 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) +@@ -685,6 +703,7 @@ domain_use_interactive_fds(hplip_t) + files_read_etc_files(hplip_t) + files_read_etc_runtime_files(hplip_t) + files_read_usr_files(hplip_t) ++files_dontaudit_write_usr_dirs(hplip_t) + + logging_send_syslog_msg(hplip_t) + diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if index c43ff4c..5bf3e60 100644 --- a/policy/modules/services/cvs.if @@ -21956,7 +22000,7 @@ index 6fd0b4c..b733e45 100644 - ') 
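Review bot: `auth_rw_cache(certmonger_t)` in the certmonger.te hunk grants read and write on auth_cache_t, the cache label that the login-program interfaces in authlogin.if appear to manage, and nothing here says which path certmonger touches. If the daemon only reads a cached credential, a read-only interface keeps it out of the write set for that label; if it really writes, a comment naming the file would let the next reader verify the grant, e.g. `# certmonger updates <auth_cache_t path -- TODO confirm>`.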
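Review bot: `files_dontaudit_write_usr_dirs(hplip_t)` in the cups.te hunk hides every attempt by hplip to write into /usr directories rather than addressing the cause, and the rule carries no comment saying which path triggers it. Writes into the system tree from a printing daemon are exactly the denials an administrator would want to see if the binary misbehaved, so if this is a known harmless attempt it should be recorded next to the rule: `# hplip tries to write under /usr (<path -- TODO confirm>); keep denied, do not log`.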
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te -index a73b7a1..01adbed 100644 +index a73b7a1..83a4f38 100644 --- a/policy/modules/services/ksmtuned.te +++ b/policy/modules/services/ksmtuned.te @@ -9,6 +9,9 @@ type ksmtuned_t; @@ -21980,7 +22024,7 @@ index a73b7a1..01adbed 100644 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t) files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file) -@@ -31,9 +38,14 @@ kernel_read_system_state(ksmtuned_t) +@@ -31,9 +38,16 @@ kernel_read_system_state(ksmtuned_t) dev_rw_sysfs(ksmtuned_t) domain_read_all_domains_state(ksmtuned_t) @@ -21994,6 +22038,8 @@ index a73b7a1..01adbed 100644 + +term_use_all_terms(ksmtuned_t) + ++logging_send_syslog_msg(ksmtuned_t) ++ miscfiles_read_localization(ksmtuned_t) diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc index c62f23e..335fda1 100644 @@ -23822,7 +23868,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..7521b9e 100644 +index 64268e4..1acd149 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) 
@@ -23859,17 +23905,18 @@ index 64268e4..7521b9e 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t) +@@ -82,6 +69,10 @@ init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) ++userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + +logging_append_all_logs(system_mail_t) optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +82,28 @@ optional_policy(` +@@ -92,17 +83,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -23899,7 +23946,7 @@ index 64268e4..7521b9e 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +112,8 @@ optional_policy(` +@@ -111,6 +113,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -23908,7 +23955,7 @@ index 64268e4..7521b9e 100644 ') optional_policy(` -@@ -124,12 +127,8 @@ optional_policy(` +@@ -124,12 +128,8 @@ optional_policy(` ') optional_policy(` @@ -23922,7 +23969,7 @@ index 64268e4..7521b9e 100644 ') optional_policy(` -@@ -146,6 +145,10 @@ optional_policy(` +@@ -146,6 +146,10 @@ optional_policy(` ') optional_policy(` @@ -23933,7 +23980,7 @@ index 64268e4..7521b9e 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +161,6 @@ optional_policy(` +@@ -158,18 +162,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -23952,7 +23999,7 @@ index 64268e4..7521b9e 100644 ') optional_policy(` -@@ -189,6 +180,10 @@ optional_policy(` +@@ -189,6 +181,10 @@ optional_policy(` ') optional_policy(` 
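Review bot: `userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)` labels every regular file that system_mail_t creates directly in the admin home directory as mail_home_t, not just the /root/dead.letter named in the commit message, because the interface as called here selects on parent directory and object class only. That is probably fine for the mailer, but the intent should be visible on the rule: `# sendmail saves undeliverable mail as /root/dead.letter; label it mail_home_t`. The other system_mail_t rules continue outside the hunk.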
@@ -23963,7 +24010,7 @@ index 64268e4..7521b9e 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +194,7 @@ optional_policy(` +@@ -199,7 +195,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -23972,7 +24019,7 @@ index 64268e4..7521b9e 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +216,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -23982,7 +24029,7 @@ index 64268e4..7521b9e 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +245,16 @@ optional_policy(` +@@ -249,11 +246,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -23999,7 +24046,7 @@ index 64268e4..7521b9e 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +293,44 @@ optional_policy(` +@@ -292,3 +294,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -24727,7 +24774,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..a074153 100644 +index 0619395..4898ef8 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) 
@@ -24844,7 +24891,15 @@ index 0619395..a074153 100644 iptables_domtrans(NetworkManager_t) ') -@@ -263,6 +298,7 @@ optional_policy(` +@@ -219,6 +254,7 @@ optional_policy(` + ') + + optional_policy(` ++ openvpn_read_config(NetworkManager_t) + openvpn_domtrans(NetworkManager_t) + openvpn_kill(NetworkManager_t) + openvpn_signal(NetworkManager_t) +@@ -263,6 +299,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -32299,10 +32354,10 @@ index 93fe7bf..4a15633 100644 allow $1 soundd_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc -index 6b3abf9..540981f 100644 +index 6b3abf9..d445f78 100644 --- a/policy/modules/services/spamassassin.fc +++ b/policy/modules/services/spamassassin.fc -@@ -1,15 +1,26 @@ +@@ -1,15 +1,27 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) @@ -32317,6 +32372,7 @@ index 6b3abf9..540981f 100644 /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0) +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) 
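Review bot: `openvpn_read_config(NetworkManager_t)` in the networkmanager.te hunk gives NetworkManager read access to openvpn_etc_t, a label that may cover VPN keys and certificates as well as configuration, and the hunk does not say why the manager itself needs it. NetworkManager already transitions into openvpn on the next line (`openvpn_domtrans(NetworkManager_t)`), and openvpn reads its own configuration after that transition, so a comment naming what NetworkManager parses directly would justify the wider read: `# NM reads the openvpn config it hands to the plugin -- TODO confirm which files`.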
@@ -34643,6 +34699,105 @@ index 1cc80e8..c6bf70e 100644 manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t) +diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc +new file mode 100644 +index 0000000..bb0a79c +--- /dev/null ++++ b/policy/modules/services/vdagent.fc +@@ -0,0 +1,4 @@ ++ ++/sbin/vdagent -- gen_context(system_u:object_r:vdagent_exec_t,s0) ++ ++/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0) +diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if +new file mode 100644 +index 0000000..35020c8 +--- /dev/null ++++ b/policy/modules/services/vdagent.if +@@ -0,0 +1,39 @@ ++## The spice guest agent daemon. ++ ++ ++######################################## ++## ++## Execute a domain transition to run vdagent. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`vdagent_domtrans',` ++ gen_require(` ++ type vdagent_t, vdagent_exec_t; ++ ') ++ ++ domtrans_pattern($1, vdagent_exec_t, vdagent_t) ++') ++ ++######################################## ++## ++## Connect to vdagent over an unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`vdagent_stream_connect',` ++ gen_require(` ++ type vdagent_t, vdagent_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) ++') +diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te +new file mode 100644 +index 0000000..87d5c8c +--- /dev/null ++++ b/policy/modules/services/vdagent.te +@@ -0,0 +1,38 @@ ++policy_module(vdagent,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vdagent_t; ++type vdagent_exec_t; ++udev_system_domain(vdagent_t, vdagent_exec_t) ++ ++type vdagent_var_run_t; ++files_pid_file(vdagent_var_run_t) ++ ++permissive vdagent_t; ++ ++######################################## ++# ++# vdagent local policy ++# ++allow vdagent_t self:process { fork }; ++ ++allow vdagent_t self:fifo_file rw_fifo_file_perms; ++allow vdagent_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t) ++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file }) ++ ++domain_use_interactive_fds(vdagent_t) ++ ++files_read_etc_files(vdagent_t) ++ ++miscfiles_read_localization(vdagent_t) ++ ++userdom_use_user_ptys(vdagent_t) diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if index 1f872b5..da605ba 100644 --- a/policy/modules/services/vhostmd.if @@ -38483,7 +38638,7 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..a1069bf 100644 +index bea0ade..6f47773 100644 --- a/policy/modules/system/authlogin.if 
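Review bot: `permissive vdagent_t;` in the new vdagent.te makes every rule in the module advisory: denials are logged but nothing is enforced, so the domain offers no containment until the line is removed. That is a normal bring-up step for a new module, but it should be recorded in the file (`# TODO: drop permissive once vdagent has been exercised under enforcing`) so it is not shipped indefinitely. Two smaller points in the same hunk: vdagent.fc labels the binary at `/sbin/vdagent` while the pid directory is `/var/run/spice-vdagentd`, so the entry path should be checked against the shipped package, because a mismatch means the udev transition never fires and the agent never enters vdagent_t; and `allow vdagent_t self:process { fork };` can drop its braces (`allow vdagent_t self:process fork;`) to match the other single-permission rules. In vdagent.if, `over an unix stream socket` should read `over a unix stream socket`.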
+++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -38530,7 +38685,18 @@ index bea0ade..a1069bf 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',` +@@ -119,6 +130,10 @@ interface(`auth_login_pgm_domain',` + # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 + kernel_rw_afs_state($1) + ++ tunable_policy(`authlogin_radius',` ++ corenet_udp_bind_all_unreserved_ports($1) ++ ') ++ + # for fingerprint readers + dev_rw_input_dev($1) + dev_rw_generic_usb_dev($1) +@@ -126,6 +141,8 @@ interface(`auth_login_pgm_domain',` files_read_etc_files($1) fs_list_auto_mountpoints($1) @@ -38539,7 +38705,7 @@ index bea0ade..a1069bf 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',` +@@ -141,6 +158,7 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -38547,7 +38713,7 @@ index bea0ade..a1069bf 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +165,39 @@ interface(`auth_login_pgm_domain',` +@@ -151,8 +169,39 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -38589,7 +38755,7 @@ index bea0ade..a1069bf 100644 ') ') -@@ -365,13 +410,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -365,13 +414,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -38606,7 +38772,7 @@ index bea0ade..a1069bf 100644 ') ######################################## -@@ -418,6 +465,7 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +469,7 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -38614,7 +38780,7 @@ index bea0ade..a1069bf 100644 ') ######################################## -@@ -694,7 +742,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +746,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) 
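Review bot: The new `tunable_policy` block for `authlogin_radius` in auth_login_pgm_domain lets every login-program domain bind any unreserved UDP port, and neither the rule nor the tunable's description in the authlogin.te hunk later in this patch (`Allow users to login using a radius server`) states that this is the permission being granted. A RADIUS client needs an ephemeral source port, so the grant is presumably the intended expression of that, but the boolean text is what an administrator reads before flipping it, so it should name the effect: `Allow PAM login programs to bind unreserved UDP ports so the RADIUS PAM module can reach its server`. A short comment on the rule itself (`# RADIUS authentication needs a client UDP port`) would help too. auth_login_pgm_domain starts and ends outside the hunk.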
@@ -38623,7 +38789,7 @@ index bea0ade..a1069bf 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +784,25 @@ interface(`auth_rw_faillog',` +@@ -736,6 +788,25 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') @@ -38649,7 +38815,7 @@ index bea0ade..a1069bf 100644 ####################################### ## ## Read the last logins log. -@@ -874,6 +941,26 @@ interface(`auth_exec_pam',` +@@ -874,6 +945,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -38676,7 +38842,7 @@ index bea0ade..a1069bf 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -896,6 +983,26 @@ interface(`auth_manage_var_auth',` +@@ -896,6 +987,26 @@ interface(`auth_manage_var_auth',` ######################################## ## @@ -38703,7 +38869,7 @@ index bea0ade..a1069bf 100644 ## Read PAM PID files. ## ## -@@ -1500,6 +1607,8 @@ interface(`auth_manage_login_records',` +@@ -1500,6 +1611,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -38712,7 +38878,7 @@ index bea0ade..a1069bf 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1640,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1644,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -38730,10 +38896,20 @@ index bea0ade..a1069bf 100644 optional_policy(` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 54d122b..ee0fe55 100644 +index 54d122b..87ad058 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0) +@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0) + # Declarations + # + ++## ++##

++## Allow users to login using a radius server ++##

++##
++gen_tunable(authlogin_radius, false) ++ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; @@ -38741,7 +38917,7 @@ index 54d122b..ee0fe55 100644 type auth_cache_t; logging_log_file(auth_cache_t) -@@ -83,7 +84,7 @@ logging_log_file(wtmp_t) +@@ -83,7 +91,7 @@ logging_log_file(wtmp_t) allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; @@ -38750,7 +38926,7 @@ index 54d122b..ee0fe55 100644 allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) -@@ -394,3 +395,11 @@ optional_policy(` +@@ -394,3 +402,11 @@ optional_policy(` xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') @@ -40686,7 +40862,7 @@ index 57c645b..7682697 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..b93f65a 100644 +index 9df8c4d..7a942fc 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -44,6 +44,7 @@ ifdef(`distro_redhat',` 
@@ -40697,7 +40873,15 @@ index 9df8c4d..b93f65a 100644 ifdef(`distro_debian',` /lib32 -l gen_context(system_u:object_r:lib_t,s0) -@@ -129,15 +130,13 @@ ifdef(`distro_redhat',` +@@ -90,6 +91,7 @@ ifdef(`distro_gentoo',` + ') + + ifdef(`distro_redhat',` ++/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) +@@ -129,15 +131,13 @@ ifdef(`distro_redhat',` /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40716,7 +40900,7 @@ index 9df8c4d..b93f65a 100644 /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,6 +150,7 @@ ifdef(`distro_redhat',` +@@ -151,6 +151,7 @@ ifdef(`distro_redhat',` /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
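Review bot: The new `/opt/Adobe.*/libcurl\.so` pattern in the libraries.fc hunk departs from the sibling entry directly below it, `/opt/Adobe(/.*?)/nppdf\.so`: with `.*` not anchored to a path separator it also matches any directory whose name merely begins with `Adobe`. Since textrel_shlib_t permits text relocations (execmod) on whatever it matches, keeping the match as tight as the neighbouring rules is worthwhile: `/opt/Adobe(/.*)?/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`.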
@@ -40724,7 +40908,7 @@ index 9df8c4d..b93f65a 100644 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +208,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40732,7 +40916,7 @@ index 9df8c4d..b93f65a 100644 /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -247,6 +248,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -40740,7 +40924,7 @@ index 9df8c4d..b93f65a 100644 /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -@@ -302,13 +304,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -40756,7 +40940,7 @@ index 9df8c4d..b93f65a 100644 ') dnl end distro_redhat # -@@ -319,14 +316,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -43978,7 +44162,7 @@ index 0291685..44fe366 100644 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) +/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if -index 025348a..5b277ea 100644 +index 025348a..65971f9 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -34,6 +34,7 @@ interface(`udev_domtrans',` 
@@ -43999,6 +44183,43 @@ index 025348a..5b277ea 100644 ') ######################################## +@@ -231,3 +231,36 @@ interface(`udev_manage_pid_files',` + files_search_var_lib($1) + manage_files_pattern($1, udev_var_run_t, udev_var_run_t) + ') ++ ++######################################## ++## ++## Create a domain for processes ++## which can be started by udev. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an entry point to this domain. ++## ++## ++# ++interface(`udev_system_domain',` ++ gen_require(` ++ type udev_t; ++ role system_r; ++ ') ++ ++ domain_type($1) ++ domain_entry_file($1, $2) ++ ++ role system_r types $1; ++ ++ domtrans_pattern(udev_t, $2, $1) ++ ++ dontaudit $1 udev_t:unix_dgram_socket { read write }; ++') ++ diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index a054cf5..f24ab6b 100644 --- a/policy/modules/system/udev.te @@ -44123,10 +44344,10 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..c6e8ffe 100644 +index 416e668..20a28e7 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if -@@ -12,14 +12,13 @@ +@@ -12,27 +12,33 @@ # interface(`unconfined_domain_noaudit',` gen_require(` 
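Review bot: The new `udev_system_domain` interface in udev.if ends with an extra empty added line after its closing `')`, leaving a blank line at end of file where the other interfaces close on `')`. More substantively, its header should say what the caller still owes: the interface only declares the domain, its entry file and the `role system_r types $1` binding and sets up `domtrans_pattern(udev_t, $2, $1)`, so a module such as vdagent.te in this patch must still supply every permission the program needs. The trailing `dontaudit $1 udev_t:unix_dgram_socket { read write }` is presumably for descriptors inherited from udev, which the header could note in one sentence.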
@@ -44134,15 +44355,20 @@ index 416e668..c6e8ffe 100644 class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ++ bool secure_mode_insmod; ') # Use any Linux capability. - allow $1 self:capability *; -+ allow $1 self:capability all_capabilities; ++ allow $1 self:capability ~sys_module; allow $1 self:fifo_file manage_fifo_file_perms; ++ if (!secure_mode_insmod) { ++ allow $1 self:capability sys_module; ++ } ++ # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,14 @@ interface(`unconfined_domain_noaudit',` + allow $1 self:process transition; # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; @@ -44161,7 +44387,7 @@ index 416e668..c6e8ffe 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +45,12 @@ interface(`unconfined_domain_noaudit',` +@@ -44,6 +50,12 @@ interface(`unconfined_domain_noaudit',` fs_unconfined($1) selinux_unconfined($1) @@ -44174,7 +44400,7 @@ index 416e668..c6e8ffe 100644 tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -69,6 +76,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -44182,7 +44408,7 @@ index 416e668..c6e8ffe 100644 ') optional_policy(` -@@ -122,6 +130,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -44193,7 +44419,7 @@ index 416e668..c6e8ffe 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +190,3 @@ interface(`unconfined_alias_domain',` +@@ -178,412 +195,3 @@ interface(`unconfined_alias_domain',` interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b3e6413..161036b 100644 
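Review bot: The `if (!secure_mode_insmod) { allow $1 self:capability sys_module; }` block that follows `allow $1 self:capability ~sys_module;` in unconfined_domain_noaudit has no comment, and it is the one place in this interface where an unconfined domain is deliberately refused something, so the intent deserves a line: `# sys_module is withheld while secure_mode_insmod is on, so even unconfined domains cannot load kernel modules`. The block also pulls the boolean in through `bool secure_mode_insmod;` in gen_require, making the interface depend on the module that declares it; that is fine for base policy but belongs in the interface documentation. unconfined_domain_noaudit continues outside the hunk.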
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,12 @@ exit 0 %endif %changelog +* Mon Nov 1 2010 Dan Walsh 3.9.7-8 +- Allow NetworkManager to read openvpn_etc_t +- Dontaudit hplip to write of /usr dirs +- Allow system_mail_t to create /root/dead.letter as mail_home_t +- Add vdagent policy for spice agent daemon + * Thu Oct 28 2010 Dan Walsh 3.9.7-7 - Dontaudit sandbox sending sigkill to all user domains - Add policy for rssh_chroot_helper