From dc57e68effe664072882c04836807dc83102e662 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 05 2008 23:11:52 +0000 Subject: - Fixes for libvirt --- diff --git a/policy-20071130.patch b/policy-20071130.patch index bc10dad..993eab3 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -6227,7 +6227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-03-04 15:06:28.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.te.in 2008-03-04 16:33:16.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) @@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,7 +155,7 @@ +@@ -148,11 +155,11 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -6283,6 +6283,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) +-network_port(smbd, tcp,139,s0, tcp,445,s0) ++network_port(smbd, tcp,137-139,s0, tcp,445,s0) + network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) + network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) + network_port(spamd, tcp,783,s0) 
@@ -170,7 +177,12 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon @@ -6878,7 +6883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 16:23:38.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-03-04 17:23:42.000000000 -0500 @@ -1266,6 +1266,24 @@ ######################################## @@ -7550,7 +7555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.3.1/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2008-02-26 08:17:43.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/storage.if 2008-03-04 17:41:15.000000000 -0500 @@ -81,6 +81,26 @@ ######################################## @@ -7783,7 +7788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-29 14:20:00.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-03-05 15:44:05.000000000 -0500 
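Review bot: The widened port label `++network_port(smbd, tcp,137-139,s0, tcp,445,s0)` adds TCP 137 and 138 to smbd_port_t, yet the NetBIOS name and datagram services that normally sit on 137/138 are UDP, so the new line enlarges what every domain holding smbd_port_t bind/connect permissions may reach without matching the service it seems aimed at. If the driver was nmbd traffic, the UDP ports are the ones to label; if a client really needed TCP 137/138, a short comment on that line naming it would make the widening reviewable later. The inner corenetwork.te.in hunk that this change edits continues outside this section.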
@@ -13,21 +13,16 @@ # template(`apache_content_template',` @@ -12788,8 +12793,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm +/etc/rc.d/init.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.3.1/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2006-11-16 17:15:21.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if 2008-02-26 08:29:22.000000000 -0500 -@@ -1 +1,106 @@ ++++ serefpolicy-3.3.1/policy/modules/services/dnsmasq.if 2008-03-05 14:40:55.000000000 -0500 +@@ -1 +1,125 @@ ## dnsmasq DNS forwarder and DHCP server + +######################################## @@ -12853,6 +12858,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm + +######################################## +## ++## Send dnsmasq a sigkill ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++# ++interface(`dnsmasq_sigkill',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:process sigkill; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an dnsmasq environment +## @@ -23011,7 +23035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-04 14:49:58.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-05 14:36:29.000000000 -0500 @@ -12,9 +12,15 @@ ## ## 
@@ -23745,7 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # X Protocol Extensions + allow $3 std_xext_t:x_extension { use }; + allow $3 shmem_xext_t:x_extension { use }; -+ dontaudit $3 xextension_type:x_extension query; ++ allow $3 xextension_type:x_extension query; + + # X Properties + # can read and write client properties @@ -24303,7 +24327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-28 16:46:06.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-03-05 18:07:11.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -24543,7 +24567,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_getattr_all_fs(xdm_t) fs_search_auto_mountpoints(xdm_t) -@@ -245,6 +357,7 @@ +@@ -237,6 +349,7 @@ + storage_dontaudit_raw_write_removable_device(xdm_t) + storage_dontaudit_setattr_removable_dev(xdm_t) + storage_dontaudit_rw_scsi_generic(xdm_t) ++storage_rw_fuse(xdm_t) + + term_setattr_console(xdm_t) + term_use_unallocated_ttys(xdm_t) +@@ -245,6 +358,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -24551,7 +24583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -256,12 +369,11 @@ +@@ -256,12 +370,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) 
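Review bot: `++ allow $3 xextension_type:x_extension query;` replaces an audit suppression with a real grant over every extension type, so a client domain built from this template can now enumerate all X extensions while the adjacent lines deliberately limit `use` to std_xext_t and shmem_xext_t. The hunk gives no reason for the broadening; either narrow it to the types the client may actually use, or add a comment on the line such as `# clients may query for any extension; use remains limited to std/shmem` so the asymmetry is intentional rather than accidental. The enclosing template body begins and ends outside this hunk.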
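Review bot: `++storage_rw_fuse(xdm_t)` is an allow rule placed in a run of storage_dontaudit_* lines, so the display manager gains read/write access to the fuse device node rather than merely having denials silenced, and nothing in the hunk says which xdm component opens it. If the goal is only to quiet log noise, a dontaudit interface in the same style as its neighbours would be the smaller grant; if the access is needed, a one-line comment above it naming the caller would document the decision. The xdm_t policy block this sits in continues outside the hunk.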
@@ -24565,7 +24597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -270,8 +382,13 @@ +@@ -270,8 +383,13 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24579,7 +24611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -304,7 +421,11 @@ +@@ -304,7 +422,11 @@ ') optional_policy(` @@ -24592,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -312,6 +433,23 @@ +@@ -312,6 +434,23 @@ ') optional_policy(` @@ -24616,7 +24648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -322,6 +460,10 @@ +@@ -322,6 +461,10 @@ ') optional_policy(` @@ -24627,7 +24659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +477,11 @@ +@@ -335,6 +478,11 @@ ') optional_policy(` @@ -24639,7 +24671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +490,8 @@ +@@ -343,8 +491,8 @@ ') optional_policy(` @@ -24649,7 +24681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +527,7 @@ +@@ -380,7 +528,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; 
@@ -24658,7 +24690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +539,15 @@ +@@ -392,6 +540,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -24674,7 +24706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +560,17 @@ +@@ -404,9 +561,17 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -24692,7 +24724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +584,22 @@ +@@ -420,6 +585,22 @@ ') optional_policy(` @@ -24715,7 +24747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -429,47 +609,138 @@ +@@ -429,47 +610,138 @@ ') optional_policy(` @@ -25285,7 +25317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-02-19 17:24:26.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te 2008-03-05 15:46:36.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) 
@@ -25319,7 +25351,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(pam_t) -@@ -297,8 +309,10 @@ +@@ -282,6 +294,11 @@ + ') + ') + ++optional_policy(` ++ # apache leaks file descriptors ++ apache_dontaudit_rw_tcp_sockets(system_chkpwd_t) ++') ++ + ######################################## + # + # updpwd local policy +@@ -297,8 +314,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -25331,7 +25375,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -359,11 +373,6 @@ +@@ -359,11 +378,6 @@ ') optional_policy(` @@ -28372,7 +28416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-04 17:26:54.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -28407,7 +28451,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -70,6 +70,7 @@ +@@ -40,6 +40,7 @@ + domain_unconfined($1) + domain_dontaudit_read_all_domains_state($1) + domain_dontaudit_ptrace_all_domains($1) ++ domain_mmap_low($1) + files_unconfined($1) + fs_unconfined($1) + selinux_unconfined($1) +@@ -70,6 +71,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) 
@@ -28415,7 +28467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -95,6 +96,10 @@ +@@ -95,6 +97,10 @@ optional_policy(` storage_unconfined($1) ') @@ -28426,7 +28478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -581,7 +586,6 @@ +@@ -581,7 +587,6 @@ interface(`unconfined_dbus_connect',` gen_require(` type unconfined_t; @@ -28434,7 +28486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') allow $1 unconfined_t:dbus acquire_svc; -@@ -589,7 +593,139 @@ +@@ -589,7 +594,139 @@ ######################################## ## @@ -28575,7 +28627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## ## -@@ -597,41 +733,43 @@ +@@ -597,41 +734,43 @@ ## ## # @@ -28633,7 +28685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ## ## ## -@@ -639,10 +777,10 @@ +@@ -639,10 +778,10 @@ ## ## # @@ -28974,7 +29026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-03 16:30:45.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-05 18:06:38.000000000 -0500 @@ -29,9 +29,14 @@ ') 
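Review bot: `++ domain_mmap_low($1)` inside unconfined_domain_noaudit hands low-address mapping to every domain that instantiates the template, not only the handful of programs that need it, and low mappings are exactly what the kernel's minimum-mapping-address protection exists to forbid, so the blanket grant removes that defence across all unconfined domains at once. Gating the call behind a tunable_policy boolean, as this policy already does for other optional behaviour, or adding it in the specific domains' own .te files would keep the default narrower. The interface body starts on the previous physical line and its remaining lines are outside this hunk.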
@@ -32328,8 +32380,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te --- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-02-26 08:29:22.000000000 -0500 -@@ -0,0 +1,159 @@ ++++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-03-05 18:05:21.000000000 -0500 +@@ -0,0 +1,162 @@ + +policy_module(virt,1.0.0) + @@ -32385,8 +32437,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +# +# virtd local policy +# -+allow virtd_t self:capability { dac_override kill net_admin setgid }; -+allow virtd_t self:process sigkill; ++allow virtd_t self:capability { sys_module dac_override kill net_admin setgid }; ++allow virtd_t self:process { sigkill signal }; +allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:unix_stream_socket create_stream_socket_perms; +allow virtd_t self:tcp_socket create_stream_socket_perms; @@ -32412,6 +32464,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + ++corecmd_exec_bin(virtd_t) ++ +corenet_all_recvfrom_unlabeled(virtd_t) +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_all_if(virtd_t) @@ -32467,6 +32521,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) ++ dnsmasq_sigkill(virtd_t) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 997be30..03f719a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
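Review bot: `++allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };` adds CAP_SYS_MODULE to libvirtd itself, which lets the daemon load kernel modules and is effectively kernel-level privilege for a service that, per the same file, opens TCP sockets; the hunk carries no comment on why. If the need is only to have network or tun drivers loaded, the usual refpolicy pattern is a domain transition to the module-loading domain through the modutils interfaces so virtd_t never holds the capability directly. At minimum a comment above the line naming the module that triggered it would let the grant be revisited. The virt.te policy continues outside this hunk.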
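Review bot: `++corecmd_exec_bin(virtd_t)` lets libvirtd run any bin_t executable in its own domain, with no transition, and the hunk does not say which helper prompted it. A comment on the line naming the helper (for example `# runs helper scripts/tools from bin_t without transition`) would make later tightening possible, and where the helper has its own domain a domtrans interface is the narrower choice. The surrounding virtd_t rules extend beyond this hunk.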
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Mar 3 2008 Dan Walsh 3.3.1-11
+- Fixes for libvirt
+
 * Mon Mar 3 2008 Dan Walsh 3.3.1-10
 - Allow bitlebee to read locale_t