From b96903aaa0af8fb22e14e0ba9dc510784485826b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Dec 28 2010 20:41:30 +0000 Subject: - Gnome apps list config_home_t - mpd creates lnk files in homedir - apache leaks write to mail apps on tmp files - /var/stockmaniac/templates_cache contains log files - Abrt list the connects of mount_tmp_t dirs - passwd agent reads files under /dev and reads utmp file - squid apache script connects to the squid port - fix name of plymouth log file - teamviewer is a wine app - allow dmesg to read system state - Stop labeling files under /var/lib/mock so restorecon will not go into this - nsplugin needs to read network state for google talk --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 71778d6..cb2771d 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -178,6 +178,10 @@ spamd_enable_home_dirs = false # user_direct_mouse = false +# Allow all X apps to use /dev/dri +# +user_direct_dri = true + # Allow users to read system messages. # user_dmesg = false @@ -279,3 +283,7 @@ fenced_can_network_connect=false ## allow sshd to forward port connections # sshd_forward_ports=true + +## On upgrades we want this true, Want it false on fresh installs +# +authlogin_nsswitch_use_ldap=true diff --git a/modules-targeted.conf b/modules-targeted.conf index d9919b0..5f04812 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1371,6 +1371,13 @@ radius = module # radvd = module +# Layer: services +# Module: razor +# +# A distributed, collaborative, spam detection and filtering network. +# +razor = module + # Layer: admin # Module: readahead # diff --git a/policy-F15.patch b/policy-F15.patch index b540d76..a692a3a 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -451,10 +451,18 @@ index cd5e005..7f3f992 100644 optional_policy(` diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te -index 72bc6d8..5421065 100644 +index 72bc6d8..ed02103 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te -@@ -50,6 +50,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t) +@@ -19,6 +19,7 @@ dontaudit dmesg_t self:capability sys_tty_config; + + allow dmesg_t self:process signal_perms; + ++kernel_read_system_state(dmesg_t) + kernel_read_kernel_sysctls(dmesg_t) + kernel_read_ring_buffer(dmesg_t) + kernel_clear_ring_buffer(dmesg_t) +@@ -50,6 +51,12 @@ userdom_dontaudit_use_unpriv_user_fds(dmesg_t) userdom_use_user_terminals(dmesg_t) optional_policy(` @@ -2670,7 +2678,7 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..2c8f94a 100644 +index f5afe78..c4df4b9 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -37,8 +37,7 @@ interface(`gnome_role',` @@ -3092,7 +3100,7 @@ index f5afe78..2c8f94a 100644 ') ######################################## -@@ -151,40 +453,173 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +453,174 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -3219,6 +3227,7 @@ index f5afe78..2c8f94a 100644 + type config_home_t; + ') + ++ list_dirs_pattern($1, config_home_t, config_home_t) + read_files_pattern($1, config_home_t, config_home_t) +') + @@ -4157,7 +4166,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..b0c1197 100644 +index 9a6d67d..5ac3ea5 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -4216,7 +4225,7 @@ index 9a6d67d..b0c1197 100644 ## Execmod mozilla home directory content. ## ## -@@ -168,6 +194,70 @@ interface(`mozilla_domtrans',` +@@ -168,6 +194,71 @@ interface(`mozilla_domtrans',` ######################################## ## @@ -4261,7 +4270,8 @@ index 9a6d67d..b0c1197 100644 + + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; -+ allow $1 mozilla_plugin_t:unix_stream_socket connectto; ++ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; ++ allow $1 mozilla_plugin_t:process { signal sigkill }; +') + +######################################## @@ -5109,10 +5119,10 @@ index 0000000..4f9cb05 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..ae1d09b +index 0000000..a353718 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,316 @@ +@@ -0,0 +1,317 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -5234,6 +5244,7 @@ index 0000000..ae1d09b + +kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_system_state(nsplugin_t) ++kernel_read_network_state(nsplugin_t) + +files_dontaudit_getattr_lost_found_dirs(nsplugin_t) +files_dontaudit_list_home(nsplugin_t) @@ -7149,10 +7160,10 @@ index 0000000..46368cc +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..2ace399 +index 0000000..24f8037 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,329 @@ + +policy_module(telepathy, 1.0.0) + @@ -7401,6 +7412,7 @@ index 0000000..2ace399 + +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) ++corenet_udp_bind_all_ports(telepathy_sofiasip_t) + +kernel_request_load_module(telepathy_sofiasip_t) + @@ -7690,7 +7702,7 @@ index c76ceb2..d7df452 100644 optional_policy(` diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc -index 9d24449..9782698 100644 +index 9d24449..2666317 100644 --- a/policy/modules/apps/wine.fc +++ b/policy/modules/apps/wine.fc @@ -2,6 +2,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) @@ -7701,6 +7713,14 @@ index 9d24449..9782698 100644 /opt/google/picasa(/.*)?/bin/msiexec -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/notepad -- gen_context(system_u:object_r:wine_exec_t,s0) /opt/google/picasa(/.*)?/bin/progman -- gen_context(system_u:object_r:wine_exec_t,s0) +@@ -10,6 +11,7 @@ HOME_DIR/cxoffice/bin/wine.+ -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/uninstaller -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/wdi -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/teamviewer(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + + /opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) + diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if index 0440b4c..4b055c1 100644 --- a/policy/modules/apps/wine.if @@ -20526,6 +20546,21 @@ index f231f17..4ecd4b7 100644 +optional_policy(` vbetool_domtrans(devicekit_power_t) ') +diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc +index 767e0c7..7956248 100644 +--- a/policy/modules/services/dhcp.fc ++++ b/policy/modules/services/dhcp.fc +@@ -1,8 +1,8 @@ +-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) + + /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) + + /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) + /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) + +-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) ++/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if index 5e2cea8..7e129ff 100644 --- a/policy/modules/services/dhcp.if @@ -25041,15 +25076,15 @@ index 47e3612..ece07ab 100644 # The milter runs from /var/lib/spamass-milter diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc new file mode 100644 -index 0000000..42bb2a3 +index 0000000..68ad33f --- /dev/null +++ b/policy/modules/services/mock.fc @@ -0,0 +1,6 @@ + +/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0) + -+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0) -+ ++/var/lib/mock -d gen_context(system_u:object_r:mock_var_lib_t,s0) ++/var/lib/mock(/.*)? <> +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 @@ -25815,10 +25850,10 @@ index 0000000..311aaed +') diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te new file mode 100644 -index 0000000..f2e8836 +index 0000000..92e86a2 --- /dev/null +++ b/policy/modules/services/mpd.te -@@ -0,0 +1,126 @@ +@@ -0,0 +1,127 @@ +policy_module(mpd, 1.0.0) + +######################################## @@ -25872,6 +25907,7 @@ index 0000000..f2e8836 + +manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t) +manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t) ++manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t) + +manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) +manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t) @@ -26220,7 +26256,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..ce7924b 100644 +index 64268e4..8974c28 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -26275,7 +26311,7 @@ index 64268e4..ce7924b 100644 apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) -+ apache_dontaudit_write_tmp_files(system_mail_t) ++ apache_dontaudit_rw_tmp_files(system_mail_t) + + # apache should set close-on-exec + apache_dontaudit_rw_stream_sockets(mta_user_agent) @@ -29053,7 +29089,7 @@ index 5702ca4..5df5316 100644 + +/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0) diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if -index 9759ed8..07dd3ff 100644 +index 9759ed8..48a5431 100644 --- a/policy/modules/services/plymouthd.if +++ b/policy/modules/services/plymouthd.if @@ -5,12 +5,12 @@ @@ -29192,7 +29228,56 @@ index 9759ed8..07dd3ff 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -243,18 +243,20 @@ interface(`plymouthd_read_pid_files', ` +@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', ` + + ######################################## + ## ++## Allow the specified domain to read ++## to plymouthd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_read_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## to plymouthd log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_manage_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an plymouthd environment + ## +@@ -243,18 +285,20 @@ interface(`plymouthd_read_pid_files', ` ## ## # @@ -31885,6 +31970,18 @@ index 0000000..d9c56d4 + corosync_stream_connect(qpidd_t) +') + +diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te +index b1ed1bf..21e2d95 100644 +--- a/policy/modules/services/radius.te ++++ b/policy/modules/services/radius.te +@@ -77,6 +77,7 @@ corenet_udp_sendrecv_all_ports(radiusd_t) + corenet_udp_bind_generic_node(radiusd_t) + corenet_udp_bind_radacct_port(radiusd_t) + corenet_udp_bind_radius_port(radiusd_t) ++corenet_tcp_connect_postgresql_port(radiusd_t) + corenet_tcp_connect_mysqld_port(radiusd_t) + corenet_tcp_connect_snmp_port(radiusd_t) + corenet_sendrecv_radius_server_packets(radiusd_t) diff --git a/policy/modules/services/radvd.if b/policy/modules/services/radvd.if index be05bff..2bd662a 100644 --- a/policy/modules/services/radvd.if @@ -35559,7 +35656,7 @@ index d2496bd..1d0c078 100644 allow $1 squid_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te -index 4b2230e..a8fa2a0 100644 +index 4b2230e..d45dc67 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0) @@ -35606,6 +35703,14 @@ index 4b2230e..a8fa2a0 100644 ') tunable_policy(`squid_use_tproxy',` +@@ -185,6 +186,7 @@ optional_policy(` + corenet_all_recvfrom_unlabeled(httpd_squid_script_t) + corenet_all_recvfrom_netlabel(httpd_squid_script_t) + corenet_tcp_connect_http_cache_port(httpd_squid_script_t) ++ corenet_tcp_connect_squid_port(httpd_squid_script_t) + + sysnet_dns_name_resolve(httpd_squid_script_t) + diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc index 078bcd7..06da5f7 100644 --- a/policy/modules/services/ssh.fc @@ -39595,7 +39700,7 @@ index da2601a..6b12229 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..05cbefe 100644 +index 145fc4b..d1f5057 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -40286,7 +40391,7 @@ index 145fc4b..05cbefe 100644 hostname_exec(xdm_t) ') -@@ -539,28 +796,63 @@ optional_policy(` +@@ -539,28 +796,64 @@ optional_policy(` ') optional_policy(` @@ -40305,6 +40410,7 @@ index 145fc4b..05cbefe 100644 + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) + plymouthd_stream_connect(xdm_t) ++ plymouthd_read_log(xdm_t) +') + +optional_policy(` @@ -40359,7 +40465,7 @@ index 145fc4b..05cbefe 100644 ') optional_policy(` -@@ -572,6 +864,10 @@ optional_policy(` +@@ -572,6 +865,10 @@ optional_policy(` ') optional_policy(` @@ -40370,7 +40476,7 @@ index 145fc4b..05cbefe 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +893,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -40379,7 +40485,7 @@ index 145fc4b..05cbefe 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +907,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -40394,7 +40500,7 @@ index 145fc4b..05cbefe 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +934,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -40416,7 +40522,7 @@ index 145fc4b..05cbefe 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +954,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -40424,7 +40530,7 @@ index 145fc4b..05cbefe 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +981,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -40432,7 +40538,7 @@ index 145fc4b..05cbefe 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +990,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -40450,7 +40556,7 @@ index 145fc4b..05cbefe 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1011,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -40464,7 +40570,7 @@ index 145fc4b..05cbefe 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1039,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -40479,7 +40585,7 @@ index 145fc4b..05cbefe 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1098,28 @@ optional_policy(` +@@ -773,12 +1099,28 @@ optional_policy(` ') optional_policy(` @@ -40509,7 +40615,7 @@ index 145fc4b..05cbefe 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1128,10 @@ optional_policy(` +@@ -787,6 +1129,10 @@ optional_policy(` ') optional_policy(` @@ -40520,7 +40626,7 @@ index 145fc4b..05cbefe 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1148,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -40534,7 +40640,7 @@ index 145fc4b..05cbefe 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1159,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -40543,7 +40649,7 @@ index 145fc4b..05cbefe 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1171,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1172,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -40553,7 +40659,7 @@ index 145fc4b..05cbefe 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1182,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -40565,7 +40671,7 @@ index 145fc4b..05cbefe 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1195,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -40582,7 +40688,7 @@ index 145fc4b..05cbefe 100644 ') optional_policy(` -@@ -853,6 +1209,10 @@ optional_policy(` +@@ -853,6 +1210,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -40593,7 +40699,7 @@ index 145fc4b..05cbefe 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1257,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -40602,7 +40708,7 @@ index 145fc4b..05cbefe 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1311,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -40634,7 +40740,7 @@ index 145fc4b..05cbefe 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1357,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -44287,7 +44393,7 @@ index 3fb1915..26e9f79 100644 - nscd_socket_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index 571599b..17dd196 100644 +index 571599b..3644f0f 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -17,6 +17,10 @@ @@ -44309,7 +44415,7 @@ index 571599b..17dd196 100644 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` -@@ -54,14 +59,16 @@ ifdef(`distro_redhat',` +@@ -54,18 +59,24 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') @@ -44330,9 +44436,11 @@ index 571599b..17dd196 100644 /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) -@@ -69,3 +76,5 @@ ifdef(`distro_redhat',` + /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++/var/stockmaniac/templates_cache gen_context(system_u:object_r:var_log_t,s0) ++ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) @@ -44476,7 +44584,7 @@ index c7cfb62..ee9809d 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..2b30dd6 100644 +index 9b5a9ed..d3fb3f6 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -55,11 +55,12 @@ type klogd_var_run_t; @@ -44588,7 +44696,18 @@ index 9b5a9ed..2b30dd6 100644 domain_use_interactive_fds(syslogd_t) -@@ -488,6 +519,10 @@ optional_policy(` +@@ -480,6 +511,10 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_manage_log(syslogd_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(syslogd_t) + ') + +@@ -488,6 +523,10 @@ optional_policy(` ') optional_policy(` @@ -45042,7 +45161,7 @@ index 72c746e..e3d06fd 100644 +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..b195f9d 100644 +index 8b5c196..83107f9 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,16 @@ interface(`mount_domtrans',` @@ -45062,7 +45181,7 @@ index 8b5c196..b195f9d 100644 ') ######################################## -@@ -45,12 +55,58 @@ interface(`mount_run',` +@@ -45,8 +55,54 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` @@ -45085,11 +45204,11 @@ index 8b5c196..b195f9d 100644 + + optional_policy(` + samba_run_smbmount(mount_t, $2) - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -45109,19 +45228,15 @@ index 8b5c196..b195f9d 100644 +interface(`mount_run_fusermount',` + gen_require(` + type mount_t; -+ ') + ') + + mount_domtrans_fusermount($1) + role $2 types mount_t; + + fstools_run(mount_t, $2) -+') -+ -+######################################## -+## - ## Execute mount in the caller domain. - ## - ## + ') + + ######################################## @@ -84,9 +140,11 @@ interface(`mount_exec',` interface(`mount_signal',` gen_require(` @@ -45143,7 +45258,32 @@ index 8b5c196..b195f9d 100644 ## ## # -@@ -176,4 +234,109 @@ interface(`mount_run_unconfined',` +@@ -135,6 +193,24 @@ interface(`mount_send_nfs_client_request',` + + ######################################## + ## ++## Read the mount tmp directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mount_list_tmp',` ++ gen_require(` ++ type mount_tmp_t; ++ ') ++ ++ allow $1 mount_tmp_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Execute mount in the unconfined mount domain. + ## + ## +@@ -176,4 +252,109 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; @@ -46519,12 +46659,17 @@ index 1447687..cdc0223 100644 type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 726619b..36426f7 100644 +index 726619b..ece1edf 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -13,7 +13,7 @@ - /etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) - /etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +@@ -10,10 +10,10 @@ + /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) + /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) +-/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) +-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/dhcp/dhcpd(6)?\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0) -/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hosts[^/]* -- gen_context(system_u:object_r:net_conf_t,s0) @@ -47094,10 +47239,10 @@ index 0000000..5f0352b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..24f8c6f +index 0000000..52a952b --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,98 @@ +@@ -0,0 +1,101 @@ + +policy_module(systemd, 1.0.0) + @@ -47141,9 +47286,12 @@ index 0000000..24f8c6f +files_read_etc_files(systemd_passwd_agent_t) + +dev_create_generic_dirs(systemd_passwd_agent_t) ++dev_read_generic_files(systemd_passwd_agent_t) + +auth_use_nsswitch(systemd_passwd_agent_t) + ++init_read_utmp(systemd_passwd_agent_t) ++ +miscfiles_read_localization(systemd_passwd_agent_t) + +####################################### diff --git a/selinux-policy.spec b/selinux-policy.spec index 9be8f73..7002d79 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.12 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -333,7 +333,7 @@ if [ $1 -eq 1 ]; then %loadpolicy targeted $packages restorecon -R /root /var/log /var/run /var/lib 2> /dev/null else - semodule -n -s targeted -r pyzor -r razor -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null + semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null %loadpolicy targeted $packages %relabel targeted fi @@ -452,7 +452,7 @@ SELinux Reference policy mls base module. %saveFileContext mls %post mls -semodule -n -s mls -r pyzor -r razor -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null +semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null packages=`cat /usr/share/selinux/mls/modules.lst` %loadpolicy mls $packages @@ -471,6 +471,25 @@ exit 0 %endif %changelog +* Tue Dec 28 2010 Dan Walsh 3.9.12-4 +- Gnome apps list config_home_t +- mpd creates lnk files in homedir +- apache leaks write to mail apps on tmp files +- /var/stockmaniac/templates_cache contains log files +- Abrt list the connects of mount_tmp_t dirs +- passwd agent reads files under /dev and reads utmp file +- squid apache script connects to the squid port +- fix name of plymouth log file +- teamviewer is a wine app +- allow dmesg to read system state +- Stop labeling files under /var/lib/mock so restorecon will not go into this +- nsplugin needs to read network state for google talk + +* Thu Dec 23 2010 Dan Walsh 3.9.12-3 +- Allow xdm and syslog to use /var/log/boot.log +- Allow users to communicate with mozilla_plugin and kill it +- Add labeling for ipv6 and dhcp + * Tue Dec 21 2010 Dan Walsh 3.9.12-2 - New labels for ghc http content - nsplugin_config needs to read urand, lvm now calls setfscreate to create dev