From 9c038630bf36c370e5106b072d968192d971db95 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jul 27 2007 18:21:35 +0000
Subject: - Add context for dbus machine id
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 9928244..77ccf48 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -143,6 +143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 sere
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
+Binary files nsaserefpolicy/myaudit.pp and serefpolicy-3.0.4/myaudit.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-07-25 10:37:36.000000000 -0400
+++ serefpolicy-3.0.4/policy/flask/access_vectors 2007-07-25 13:27:51.000000000 -0400
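Review bot: The added `Binary files nsaserefpolicy/myaudit.pp and serefpolicy-3.0.4/myaudit.pp differ` line shows a compiled policy module (myaudit.pp) sitting in the serefpolicy-3.0.4 tree and being swept up by `diff -r`; patch(1) cannot apply a binary-differs line, and a locally built module leaking into the source patch is the kind of stray artifact a supply-chain review should flag. Remove myaudit.pp from the tree or add it to the `exclude` file before regenerating the patch. The rest of this hunk is only ftpd_selinux.8 man-page context.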
@@ -1616,7 +1617,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.0.4/policy/modules/apps/loadkeys.te
--- nsaserefpolicy/policy/modules/apps/loadkeys.te 2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/apps/loadkeys.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/apps/loadkeys.te 2007-07-27 11:58:52.000000000 -0400
+@@ -30,7 +30,7 @@
+ files_read_etc_runtime_files(loadkeys_t)
+
+ term_dontaudit_use_console(loadkeys_t)
+-term_dontaudit_use_unallocated_ttys(loadkeys_t)
++term_use_unallocated_ttys(loadkeys_t)
+
+ init_dontaudit_use_script_ptys(loadkeys_t)
+
@@ -40,3 +40,8 @@
locallogin_use_fds(loadkeys_t)
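Review bot: `term_use_unallocated_ttys(loadkeys_t)` replaces a dontaudit with a real allow, so loadkeys_t now gets read/write on unallocated tty devices instead of merely having the denial silenced; that widening is not reflected in the changelog, which only mentions the dbus machine-id context. A one-line justification would help the next reader, e.g. `# loadkeys runs from rc.sysinit before getty has allocated the ttys` (presumably the reason — confirm against the AVC that prompted it). The second inner hunk (`@@ -40,3 +40,8 @@`) begins at the end of this hunk and continues outside it.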
@@ -2926,7 +2936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.4/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.fc 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apache.fc 2007-07-26 14:42:51.000000000 -0400
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -2935,8 +2945,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -73,3 +72,11 @@
+@@ -71,5 +70,14 @@
+
+ /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
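Review bot: `/var/www/[^/]*/cgi-bin(/.*)?` labels a `cgi-bin` directory under any first-level subdirectory of /var/www as httpd_sys_script_exec_t, not just the default vhost layout, so a `cgi-bin` directory that a web application or user can create inside a writable content tree (an uploads directory, say) becomes executable CGI on the next `restorecon -R /var/www`. If that is the intent, record it above the entry, e.g. `# every vhost's cgi-bin under /var/www is executable CGI; do not let writable content dirs create one`; if not, list the known vhost roots explicitly instead of `[^/]*`. Whether such scripts can actually be executed presumably still depends on the httpd_enable_cgi boolean, which is outside this hunk.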
@@ -3248,7 +3261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-26 10:06:52.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-26 13:46:18.000000000 -0400
@@ -30,6 +30,13 @@
##
@@ -3277,6 +3290,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
gen_tunable(httpd_can_network_connect,false)
##
+@@ -97,7 +111,7 @@
+ ## Allow http daemon to communicate with the TTY
+ ##
+ ##
+-gen_tunable(httpd_tty_comm,false)
++gen_tunable(httpd_tty_comm,true)
+
+ ##
+ ##
@@ -106,6 +120,27 @@
##
gen_tunable(httpd_unified,false)
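Review bot: `gen_tunable(httpd_tty_comm,true)` flips the shipped default so httpd_t may talk to the controlling TTY out of the box, a loosening of the default policy that the changelog ("Add context for dbus machine id") does not mention. The tunable description above it should say why the default is now on — presumably so mod_ssl can prompt for an encrypted-key passphrase at startup — e.g. `## Allow http daemon to communicate with the TTY (on by default so mod_ssl can prompt for a key passphrase at boot)`; confirm that is the actual trigger. Sites that do not need it can still run `setsebool -P httpd_tty_comm off`, which is worth a line in the changelog.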
@@ -4632,9 +4654,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
miscfiles_read_localization(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.0.4/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.fc 2007-07-26 15:13:25.000000000 -0400
+@@ -5,6 +5,8 @@
+ /bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+ /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+
++/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
++
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.4/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/dbus.if 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.if 2007-07-26 15:16:07.000000000 -0400
@@ -50,6 +50,12 @@
##
#
@@ -4676,7 +4710,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
auth_read_pam_console_data($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
-@@ -205,6 +225,7 @@
+@@ -193,6 +213,7 @@
+ gen_require(`
+ type system_dbusd_t, system_dbusd_t;
+ type system_dbusd_var_run_t;
++ type system_dbusd_var_lib_t;
+ class dbus send_msg;
+ ')
+
+@@ -202,9 +223,12 @@
+ # SE-DBus specific permissions
+ allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
+
++ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++
# For connecting to the bus
files_search_pids($2)
stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
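Review bot: `read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)` grants search on /var/lib/dbus and read on the files in it, but nothing in this hunk lets $2 traverse /var/lib itself (var_lib_t); the `files_search_pids($2)` line below shows the same requirement being met for /var/run, so add the matching `files_search_var_lib($2)` next to it. Without it, client domains that do not already hold var_lib_t search get an AVC on /var/lib instead of reading machine-id. The enclosing template starts before this hunk.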
@@ -4684,7 +4731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
#######################################
-@@ -271,6 +292,32 @@
+@@ -271,6 +295,32 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -4717,7 +4764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
########################################
##
## Read dbus configuration.
-@@ -286,6 +333,7 @@
+@@ -286,6 +336,7 @@
type dbusd_etc_t;
')
@@ -4725,7 +4772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +394,23 @@
+@@ -346,3 +397,23 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -4749,6 +4796,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.4/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/dbus.te 2007-07-26 15:12:13.000000000 -0400
+@@ -23,6 +23,9 @@
+ type system_dbusd_var_run_t;
+ files_pid_file(system_dbusd_var_run_t)
+
++type system_dbusd_var_lib_t;
++files_pid_file(system_dbusd_var_lib_t)
++
+ ##############################
+ #
+ # Local policy
+@@ -48,6 +51,8 @@
+ manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t)
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+
++read_files_pattern(system_dbusd_t,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
++
+ manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+ manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t)
+ files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.4/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/dhcp.te 2007-07-25 13:27:51.000000000 -0400
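Review bot: `files_pid_file(system_dbusd_var_lib_t)` is the wrong declaration for a /var/lib type: it puts the machine-id directory in the pidfile attribute, so every domain granted the `files_*_all_pids` interfaces (delete/relabel/manage of all pid files) silently gets the same on /var/lib/dbus and the machine id, and tooling will treat it as disposable runtime state. Declare it as persistent data instead: `files_type(system_dbusd_var_lib_t)`. Note also that only read is granted to system_dbusd_t here, so whatever writes the file (presumably `dbus-uuidgen --ensure` from the init script) must be covered elsewhere, and system_dbusd_t presumably needs `files_search_var_lib(system_dbusd_t)` unless it already has it outside this hunk.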
@@ -7663,7 +7732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.4/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/authlogin.if 2007-07-26 10:17:19.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/authlogin.if 2007-07-27 13:58:33.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -7823,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1437,166 @@
+@@ -1381,3 +1437,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -7899,10 +7968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ type updpwd_t, updpwd_exec_t;
+ ')
+
-+ domain_auto_trans($1,updpwd_exec_t,updpwd_t)
-+ allow updpwd_t $1:fd use;
-+ allow updpwd_t $1:fifo_file rw_file_perms;
-+ allow updpwd_t $1:process sigchld;
++ domtrans_pattern($1,updpwd_exec_t,updpwd_t)
+ auth_dontaudit_read_shadow($1)
+
+')
@@ -7992,7 +8058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.4/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/authlogin.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/authlogin.te 2007-07-27 13:45:53.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -8007,7 +8073,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
type chkpwd_exec_t;
application_executable_file(chkpwd_exec_t)
-@@ -159,6 +166,8 @@
+@@ -67,6 +74,10 @@
+ authlogin_common_auth_domain_template(system)
+ role system_r types system_chkpwd_t;
+
++# Read only version of updpwd
++domain_entry_file(system_chkpwd_t,updpwd_exec_t)
++
++
+ ########################################
+ #
+ # PAM local policy
+@@ -159,6 +170,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
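Review bot: The comment `# Read only version of updpwd` above `domain_entry_file(system_chkpwd_t,updpwd_exec_t)` does not say what the rule achieves: it only makes updpwd_exec_t a valid entry point into system_chkpwd_t and is inert until a transition rule elsewhere (not in this hunk) sends a caller there. Spell that out, e.g. `# updpwd_exec_t may also enter system_chkpwd_t, which can read but not write shadow, so a caller that only has the chkpwd transition cannot update passwords through it` — and confirm the matching domtrans exists in authlogin.if. Drop one of the two blank lines that follow to keep the file's single-blank-line spacing.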
@@ -8016,7 +8093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -236,7 +245,7 @@
+@@ -236,7 +249,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -8025,7 +8102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -302,3 +311,30 @@
+@@ -302,3 +315,30 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -8093,7 +8170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-25 16:13:13.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-27 13:35:00.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(brctl,1.0.0)
+
@@ -8117,7 +8194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
-+dev_list_sysfs(brctl_t)
++dev_read_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
@@ -8353,7 +8430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.4/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/init.if 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/init.if 2007-07-26 13:45:02.000000000 -0400
@@ -194,9 +194,13 @@
gen_require(`
type initrc_t;
@@ -8982,7 +9059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.4/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/logging.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/logging.te 2007-07-26 14:57:10.000000000 -0400
@@ -7,10 +7,15 @@
#
@@ -9015,7 +9092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
-@@ -59,19 +70,23 @@
+@@ -59,19 +70,25 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
@@ -9027,12 +9104,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
+
########################################
#
- # Auditd local policy
+-# Auditd local policy
++# Auditctl local policy
#
-allow auditctl_t self:capability { audit_write audit_control };
-allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
--
++allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
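Review bot: `allow auditctl_t self:capability { fsetid dac_read_search dac_override };` is broader than a rule-loading tool should need: dac_read_search already lets root-owned 0600/0700 rule files be read, whereas dac_override also bypasses DAC for writes and fsetid only matters when changing the mode of a setgid file. Unless the AVCs that prompted this show real write or chmod denials, narrow it to `allow auditctl_t self:capability dac_read_search;` and `dontaudit auditctl_t self:capability { fsetid dac_override };`. This inner hunk also leaves auditctl_t without the audit_write/audit_control capability and netlink_audit_socket rules shown removed at its top; they must be granted elsewhere, presumably by the earlier hunk in this file that is cut at its edge, or auditctl can no longer load rules.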
@@ -9042,7 +9121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
-@@ -91,6 +106,7 @@
+@@ -91,6 +108,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
@@ -9050,7 +9129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditctl_t)
########################################
-@@ -98,12 +114,11 @@
+@@ -98,12 +116,11 @@
# Auditd local policy
#
@@ -9064,7 +9143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -141,6 +156,7 @@
+@@ -141,6 +158,7 @@
init_telinit(auditd_t)
@@ -9072,7 +9151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -157,6 +173,8 @@
+@@ -157,6 +175,8 @@
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
@@ -9081,7 +9160,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
optional_policy(`
seutil_sigchld_newrole(auditd_t)
-@@ -243,12 +261,18 @@
+@@ -243,12 +263,18 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -9100,7 +9179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -257,6 +281,9 @@
+@@ -257,6 +283,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -9110,7 +9189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -314,6 +341,7 @@
+@@ -314,6 +343,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -9344,7 +9423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-26 13:15:01.000000000 -0400
@@ -8,6 +8,13 @@
##
@@ -9428,7 +9507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
-@@ -201,4 +219,53 @@
+@@ -201,4 +219,54 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@@ -9450,6 +9529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+corecmd_exec_shell(mount_ntfs_t)
+
+files_read_etc_files(mount_ntfs_t)
++files_search_all(mount_ntfs_t)
+
+libs_use_ld_so(mount_ntfs_t)
+libs_use_shared_libs(mount_ntfs_t)
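Review bot: `files_search_all(mount_ntfs_t)` grants directory search on, as far as I recall, every type carrying the file_type attribute, just so the helper can reach an arbitrary mount point; that is the blunt instrument and deserves either narrowing or a comment. If the denials were on the usual locations, `files_search_mnt(mount_ntfs_t)` and `files_search_home(mount_ntfs_t)` cover them; if the grant is meant to mirror what mount_t itself has, say so, e.g. `# mount points may be anywhere in the tree; same search grant as mount_t`. The mount_ntfs_t block starts before this hunk, so any existing narrower grant is not visible here.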
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 87b2716..f260ac2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.4
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@ exit 0
%endif
%changelog
+* Tue Jul 23 2007 Dan Walsh 3.0.4-2
+- Add context for dbus machine id
+
* Tue Jul 23 2007 Dan Walsh 3.0.4-1
- Update with latest changes from upstream