From a50819e6dd96c83882d5098459610aede8f87dde Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Apr 07 2009 11:29:08 +0000 Subject: - Dontaudit binds to ports < 1024 for named - Upgrade to latest upstream --- diff --git a/policy-20090105.patch b/policy-20090105.patch index c1508ad..d70a9e5 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -5392,7 +5392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.11/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if 2009-04-06 12:59:54.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/kernel/kernel.if 2009-04-07 07:25:16.000000000 -0400 @@ -1197,6 +1197,26 @@ ') @@ -10869,7 +10869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.11/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.11/policy/modules/services/devicekit.te 2009-04-06 12:59:54.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/devicekit.te 2009-04-07 07:01:32.000000000 -0400 @@ -0,0 +1,211 @@ +policy_module(devicekit,1.0.0) + @@ -11019,7 +11019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# DeviceKit disk local policy +# + -+allow devicekit_disk_t self:capability sys_nice; ++allow devicekit_disk_t self:capability { sys_nice sys_ptrace }; + +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + 
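Review bot: `allow devicekit_disk_t self:capability { sys_nice sys_ptrace };` widens the disk daemon's capability set with CAP_SYS_PTRACE without a comment saying which operation triggered it. That capability is also what the kernel checks for reads of another process's /proc entries, which is a frequent source of this AVC and often noise rather than a real requirement; if that is the case here, `dontaudit devicekit_disk_t self:capability sys_ptrace;` is the narrower change. If the grant is genuinely needed, a one-line comment above the rule naming the operation would keep it deliberate for later audits. Only the two neighbouring rules of the devicekit_disk_t block are visible; the rest of that policy is outside the hunk.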
@@ -18331,7 +18331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ccs_read_config(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.11/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-06 15:25:10.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/services/rpc.te 2009-04-07 07:27:16.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -18341,7 +18341,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -141,6 +141,7 @@ +@@ -79,16 +79,25 @@ + fs_read_rpc_symlinks(rpcd_t) + fs_rw_rpc_sockets(rpcd_t) + ++kernel_signal(rpcd_t) ++ + selinux_dontaudit_read_fs(rpcd_t) + + miscfiles_read_certs(rpcd_t) + + seutil_dontaudit_search_config(rpcd_t) + ++userdom_signal_unpriv_users(rpcd_t) ++ + optional_policy(` + nis_read_ypserv_config(rpcd_t) + ') + ++optional_policy(` ++ unconfined_execmem_signal(rpcd_t) ++ unconfined_signal(rpcd_t) ++') ++ + ######################################## + # + # NFSD local policy +@@ -141,6 +150,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -18349,7 +18375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -183,9 +184,12 @@ +@@ -183,9 +193,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) 
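Review bot: The signal grants added to rpc.te — `kernel_signal(rpcd_t)`, `userdom_signal_unpriv_users(rpcd_t)` and the optional `unconfined_execmem_signal`/`unconfined_signal` block — let rpcd_t signal kernel threads, every unprivileged user domain and the unconfined domains, but nothing in the hunk records which rpcd program needs this or which notification path it serves. A comment above the first added line naming the program and the reason (with the AVC or bug reference as a placeholder until filled in) would make the scope reviewable, and if the real recipient is one class of process a narrower interface than userdom_signal_unpriv_users would be preferable. The renumbered inner headers `@@ -141,6 +150,7 @@` and `@@ -183,9 +193,12 @@` account for the nine inserted lines, so the nested patch stays consistent.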
@@ -26803,7 +26829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.11/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.11/policy/modules/system/unconfined.if 2009-04-06 12:59:54.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/unconfined.if 2009-04-07 07:26:40.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -26879,7 +26905,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -367,6 +374,24 @@ +@@ -367,6 +374,42 @@ ######################################## ## @@ -26901,10 +26927,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Send a signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_signal',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ allow $1 unconfined_execmem_t:process signal; ++') ++ ++######################################## ++## ## Send generic signals to the unconfined domain. ## ## -@@ -458,6 +483,25 @@ +@@ -458,6 +501,25 @@ ######################################## ## @@ -26930,7 +26974,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Connect to the unconfined domain using ## a unix domain stream socket. ## -@@ -581,3 +625,150 @@ +@@ -581,3 +643,150 @@ allow $1 unconfined_t:dbus acquire_svc; ') 
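Review bot: The summary of the new `unconfined_execmem_signal` interface reads `## Send a signal to the unconfined execmem domain.` while the neighbouring interface is documented as `## Send generic signals to the unconfined domain.`; since the rule grants only `process signal` (not kill or stop), `## Send generic signals to the unconfined execmem domain.` matches both the sibling wording and the actual permission. The body follows the file's pattern (gen_require of unconfined_execmem_t, a single allow), and the renumbered headers `+374,42`, `+501,25` and `+643,150` agree with the 18 inserted lines. The summary and param markup of the doc comment appears to have lost its tags in this rendering; verify they survived in the actual patch file.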
@@ -27460,7 +27504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.11/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.11/policy/modules/system/userdomain.if 2009-04-06 12:59:54.000000000 -0400 ++++ serefpolicy-3.6.11/policy/modules/system/userdomain.if 2009-04-07 07:23:04.000000000 -0400 @@ -30,8 +30,9 @@ ')