From aa7b9cbc5e0408315ad7d711125896c0d693507c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 10 2009 17:50:55 +0000 Subject: - Allow setroubleshoot to run mlocate --- diff --git a/policy-F12.patch b/policy-F12.patch index df0fbcd..b379d63 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -4281,8 +4281,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.14/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/apps/qemu.te 2009-06-08 21:43:15.000000000 -0400 -@@ -13,28 +13,96 @@ ++++ serefpolicy-3.6.14/policy/modules/apps/qemu.te 2009-06-09 06:55:51.000000000 -0400 +@@ -13,28 +13,97 @@ ## gen_tunable(qemu_full_network, false) @@ -4374,6 +4374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + virt_manage_images(qemu_t) ++ virt_append_log(qemu_t) +') + +optional_policy(` @@ -4387,7 +4388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy -@@ -44,6 +112,9 @@ +@@ -44,6 +113,9 @@ type qemu_unconfined_t; domain_type(qemu_unconfined_t) unconfined_domain_noaudit(qemu_unconfined_t) 
@@ -4479,8 +4480,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.14/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/apps/sandbox.if 2009-06-08 21:43:15.000000000 -0400 -@@ -0,0 +1,75 @@ ++++ serefpolicy-3.6.14/policy/modules/apps/sandbox.if 2009-06-09 15:35:31.000000000 -0400 +@@ -0,0 +1,105 @@ + +## policy for sandbox + 
@@ -4556,25 +4557,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ps_process_pattern($2, sandbox_t) + allow $2 sandbox_t:process signal; +') ++ ++######################################## ++## ++## Creates types and rules for a basic ++## qemu process domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`sandbox_domain_template',` ++ ++ gen_require(` ++ attribute sandbox_domain; ++ ') ++ ++ type $1_t, sandbox_domain; ++ domain_type($1_t) ++ ++ type $1_file_t; ++ files_type($1_file_t) ++ ++ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.14/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/apps/sandbox.te 2009-06-08 21:43:15.000000000 -0400 -@@ -0,0 +1,43 @@ ++++ serefpolicy-3.6.14/policy/modules/apps/sandbox.te 2009-06-09 15:31:22.000000000 -0400 +@@ -0,0 +1,32 @@ +policy_module(sandbox,1.0.0) + ++attribute sandbox_domain; ++ +######################################## +# +# Declarations +# + -+type sandbox_t; -+type sandbox_exec_t; -+application_domain(sandbox_t, sandbox_exec_t) -+init_daemon_domain(sandbox_t, sandbox_exec_t) ++sandbox_domain_template(sandbox) ++sandbox_domain_template(sandbox_x) +role system_r types sandbox_t; -+ -+type sandbox_file_t; -+files_type(sandbox_file_t) ++role system_r types sandbox_x_t; + +######################################## +# 
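Review bot: The header comment on the new `sandbox_domain_template` in sandbox.if says it creates "a basic qemu process domain", which reads as a copy-paste from the qemu template; it should say `## Creates types and rules for a basic sandbox process domain.`. The template itself only declares `$1_t`/`$1_file_t` and the manage_* rules for them, so a one-line comment in sandbox.te above the two `sandbox_domain_template(...)` calls saying that all access rules are attached to the `sandbox_domain` attribute further down would help the next reader, since the `type`/`files_type` declarations that used to be visible there are now hidden inside the template. The `attribute sandbox_domain;` declaration must stay above those two calls because the template's `gen_require` depends on it.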
@@ -4582,27 +4611,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +## internal communication is often done using fifo and unix sockets. -+allow sandbox_t self:fifo_file rw_file_perms; -+allow sandbox_t self:unix_stream_socket create_stream_socket_perms; -+ -+manage_dirs_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -+manage_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -+manage_lnk_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -+manage_fifo_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -+manage_sock_files_pattern(sandbox_t, sandbox_file_t, sandbox_file_t) -+ -+files_rw_all_inherited_files(sandbox_t) -+files_entrypoint_all_files(sandbox_t) ++allow sandbox_domain self:fifo_file rw_file_perms; ++allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; + -+libs_use_ld_so(sandbox_t) -+libs_use_shared_libs(sandbox_t) ++files_rw_all_inherited_files(sandbox_domain) ++files_entrypoint_all_files(sandbox_domain) + -+miscfiles_read_localization(sandbox_t) ++miscfiles_read_localization(sandbox_domain) + -+userdom_use_user_ptys(sandbox_t) ++userdom_use_user_ptys(sandbox_domain) + -+kernel_dontaudit_read_system_state(sandbox_t) -+corecmd_exec_all_executables(sandbox_t) ++kernel_dontaudit_read_system_state(sandbox_domain) ++corecmd_exec_all_executables(sandbox_domain) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.14/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.14/policy/modules/apps/screen.if 2009-06-08 21:43:15.000000000 -0400 
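Review bot: `libs_use_ld_so(sandbox_t)` and `libs_use_shared_libs(sandbox_t)` are removed in this hunk but not re-added for `sandbox_domain`, unlike every other rule that was moved from `sandbox_t` to the attribute. Unless the Fedora base policy already grants all domains dynamic-loader and shared-library access, dynamically linked programs started in `sandbox_t` or `sandbox_x_t` will fail to load; if that is not the case, re-add `libs_use_ld_so(sandbox_domain)` and `libs_use_shared_libs(sandbox_domain)` next to `miscfiles_read_localization(sandbox_domain)`. If the drop is deliberate, a short comment saying so would stop the next reviewer from raising the same question.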
@@ -8678,6 +8698,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +logging_send_syslog_msg(afs_t) + +permissive afs_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.14/policy/modules/services/amavis.te +--- nsaserefpolicy/policy/modules/services/amavis.te 2009-01-19 11:06:49.000000000 -0500 ++++ serefpolicy-3.6.14/policy/modules/services/amavis.te 2009-06-09 07:17:07.000000000 -0400 +@@ -103,6 +103,8 @@ + kernel_dontaudit_read_proc_symlinks(amavis_t) + kernel_dontaudit_read_system_state(amavis_t) + ++fs_getattr_xattr_fs(amavis_t) ++ + # find perl + corecmd_exec_bin(amavis_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.14/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.14/policy/modules/services/apache.fc 2009-06-08 21:43:15.000000000 -0400 
@@ -12056,16 +12088,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.14/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/dbus.if 2009-06-08 21:43:15.000000000 -0400 -@@ -44,6 +44,7 @@ ++++ serefpolicy-3.6.14/policy/modules/services/dbus.if 2009-06-09 17:09:56.000000000 -0400 +@@ -42,8 +42,10 @@ + gen_require(` + class dbus { send_msg acquire_svc }; ++ attribute dbusd_unconfined; attribute session_bus_type; type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t; + type $1_t; ') ############################## -@@ -76,7 +77,7 @@ +@@ -76,7 +78,7 @@ allow $3 $1_dbusd_t:unix_stream_socket connectto; # SE-DBus specific permissions @@ -12074,7 +12109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms; -@@ -91,7 +92,7 @@ +@@ -91,7 +93,7 @@ allow $3 $1_dbusd_t:process { sigkill signal }; # cjp: this seems very broken @@ -12083,7 +12118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_dbusd_t $3:process sigkill; allow $3 $1_dbusd_t:fd use; allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -117,6 +118,7 @@ +@@ -117,6 +119,7 @@ dev_read_urand($1_dbusd_t) domain_use_interactive_fds($1_dbusd_t) @@ -12091,7 +12126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files($1_dbusd_t) files_list_home($1_dbusd_t) -@@ -145,7 +147,10 @@ +@@ -145,7 +148,10 @@ seutil_read_config($1_dbusd_t) seutil_read_default_contexts($1_dbusd_t) 
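Review bot: The `gen_require` of the dbus role template now requires `attribute dbusd_unconfined;`, but nothing in the visible hunks of this commit declares that attribute in dbus.te or uses it inside the template. If the declaration already exists elsewhere in policy-F12.patch this is fine; otherwise the module will fail to link on the unsatisfied require, and if the template does not reference the attribute the require line is dead and should be dropped. The remaining dbus.if hunks on this line only renumber inner hunk headers.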
@@ -12102,7 +12137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; -@@ -160,6 +165,10 @@ +@@ -160,6 +166,10 @@ ') optional_policy(` @@ -12113,7 +12148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hal_dbus_chat($1_dbusd_t) ') -@@ -169,6 +178,26 @@ +@@ -169,6 +179,26 @@ ') ') @@ -12140,7 +12175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ####################################### ## ## Template for creating connections to -@@ -185,10 +214,12 @@ +@@ -185,10 +215,12 @@ type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t, system_dbusd_var_lib_t; class dbus send_msg; @@ -12154,7 +12189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -197,6 +228,10 @@ +@@ -197,6 +229,10 @@ files_search_pids($1) stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) dbus_read_config($1) @@ -12165,7 +12200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -244,6 +279,35 @@ +@@ -244,6 +280,35 @@ ######################################## ## @@ -12201,7 +12236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read dbus configuration. ## ## -@@ -318,3 +382,79 @@ +@@ -318,3 +383,79 @@ allow $1 system_dbusd_t:dbus *; ') 
@@ -12426,6 +12461,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0) /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.14/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2009-05-21 08:43:08.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/dcc.te 2009-06-09 07:22:03.000000000 -0400 +@@ -130,11 +130,13 @@ + + # Access files in /var/dcc. The map file can be updated + allow dcc_client_t dcc_var_t:dir list_dir_perms; +-read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) ++manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) + + kernel_read_system_state(dcc_client_t) + ++fs_getattr_all_fs(dcc_client_t) ++ + corenet_all_recvfrom_unlabeled(dcc_client_t) + corenet_all_recvfrom_netlabel(dcc_client_t) + corenet_udp_sendrecv_generic_if(dcc_client_t) +@@ -154,6 +156,10 @@ + userdom_use_user_terminals(dcc_client_t) + + optional_policy(` ++ amavis_read_spool_files(dcc_client_t) ++') ++ ++optional_policy(` + spamassassin_read_spamd_tmp_files(dcc_client_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.14/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.14/policy/modules/services/devicekit.fc 2009-06-08 21:43:15.000000000 -0400 
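Review bot: Changing `read_files_pattern` to `manage_files_pattern` for `dcc_client_t` on `dcc_var_t` grants create, write, rename and unlink on every file under /var/dcc, while the comment directly above still says only "The map file can be updated", and the map file has its own `dcc_client_map_t` type in the dcc.fc context shown at the top of this hunk. If the client only needs to write existing files, `rw_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)` is the narrower rule; otherwise the comment should name which /var/dcc files the client creates or removes. Separately, `fs_getattr_all_fs(dcc_client_t)` is broader than the `fs_getattr_xattr_fs` added for `amavis_t` and `pyzor_t` in the amavis.te and pyzor.te hunks of this same commit; unless dcc really statfs()es non-xattr filesystems, `fs_getattr_xattr_fs(dcc_client_t)` would keep the three sibling domains consistent.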
@@ -18747,7 +18811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.14/policy/modules/services/pyzor.te --- nsaserefpolicy/policy/modules/services/pyzor.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/pyzor.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/pyzor.te 2009-06-09 07:10:36.000000000 -0400 @@ -6,6 +6,38 @@ # Declarations # @@ -18795,7 +18859,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -83,6 +116,8 @@ +@@ -77,12 +110,16 @@ + + dev_read_urand(pyzor_t) + ++fs_getattr_xattr_fs(pyzor_t) ++ + files_read_etc_files(pyzor_t) + + auth_use_nsswitch(pyzor_t) miscfiles_read_localization(pyzor_t) @@ -20573,7 +20645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/setroubleshoot.te 2009-06-10 11:22:43.000000000 -0400 @@ -11,6 +11,9 @@ domain_type(setroubleshootd_t) init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -20633,7 +20705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,22 +109,24 @@ +@@ -94,22 +109,28 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
@@ -20650,6 +20722,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_read_user_home_content_files(setroubleshootd_t) optional_policy(` ++ locate_read_lib_files(setroubleshootd_t) ++') ++ ++optional_policy(` dbus_system_bus_client(setroubleshootd_t) dbus_connect_system_bus(setroubleshootd_t) + dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -22762,7 +22838,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.14/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.14/policy/modules/services/virt.if 2009-06-08 21:43:15.000000000 -0400 ++++ serefpolicy-3.6.14/policy/modules/services/virt.if 2009-06-09 15:26:36.000000000 -0400 @@ -2,28 +2,6 @@ ######################################## diff --git a/selinux-policy.spec b/selinux-policy.spec index 2ba5746..f013916 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.14 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Wed Jun 10 2009 Dan Walsh 3.6.14-2 +- Allow setroubleshoot to run mlocate + * Mon Jun 8 2009 Dan Walsh 3.6.14-1 - Update to upstream
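Review bot: The commit subject and the spec %changelog entry say "Allow setroubleshoot to run mlocate", but the only rule added for `setroubleshootd_t` is `locate_read_lib_files(setroubleshootd_t)`, which grants read access to the locate database, not execution of the locate binary. If setroubleshootd actually executes /usr/bin/locate and that binary carries the locate module's own exec type rather than `bin_t`, an exec or transition interface from the locate module would still be needed; if reading the database is all that is required, the changelog line would be more accurate as `- Allow setroubleshoot to read the mlocate database`. The setroubleshoot.te hunk here is the only content change on this line; the virt.if and selinux-policy.spec hunks are a timestamp update and a release/changelog bump.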