From e1060e24d554194d2a38d5ce50f6ef742db1ab87 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 01 2008 13:49:05 +0000 Subject: - Allow fail2ban to create a socket in /var/run --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 70f841e..53c55aa 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -970,7 +970,7 @@ pyzor = module # # Policy for qmail # -qmail = base +qmail = module # Layer: admin # Module: quota diff --git a/policy-20071130.patch b/policy-20071130.patch index 694fcff..9461366 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1495,7 +1495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s ####################################### diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-02 09:54:52.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-01-21 13:29:12.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te 2008-02-01 08:20:58.000000000 -0500 @@ -28,6 +28,7 @@ files_purge_tmp(tmpreaper_t) # why does it need setattr? @@ -1504,10 +1504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -43,5 +44,14 @@ +@@ -42,6 +43,19 @@ + cron_system_entry(tmpreaper_t,tmpreaper_exec_t) - optional_policy(` ++userdom_delete_all_users_home_content_dirs(tmpreaper_t) ++userdom_delete_all_users_home_content_files(tmpreaper_t) ++userdom_delete_all_users_home_content_symlinks(tmpreaper_t) ++ ++optional_policy(` + amavis_manage_spool_files(tmpreaper_t) +') + @@ -1515,7 +1520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap + kismet_manage_log(tmpreaper_t) +') + -+optional_policy(` + optional_policy(` lpd_manage_spool(tmpreaper_t) ') + 
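Review bot: The modules-targeted.conf hunk switches `qmail = base` to `qmail = module`, a change that neither the commit subject nor the selinux-policy.spec changelog entry at the end of this patch (which records only the fail2ban socket) mentions. The same gap applies to the tmpreaper hunk in policy-20071130.patch that adds the three `userdom_delete_all_users_home_content_*` grants, to the smartmon hunk adding `dev_read_urand(fsdaemon_t)`, and to the fstools.if hunk that corrects `fstools_read_pipes` from `fsdaemon_t` to `fstools_t`; each widens or fixes what policy grants but is absent from the changelog. One line per change under the 3.2.5-25 entry, for example `- Build qmail as a loadable module; let tmpreaper delete user home content; fix fstools_read_pipes to use fstools_t`, would let anyone auditing the package later find where these grants came from.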
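Review bot: The three `userdom_delete_all_users_home_content_*` calls added to tmpreaper.te give tmpreaper_t delete access over everything carrying the `home_type` attribute, that is, user home directory content wherever it is labelled, which is much wider than the /tmp cleanup that the module's `files_purge_tmp(tmpreaper_t)` context line describes. Nothing in the hunk records why a tmp reaper must remove home content; if the driver is a site configuration that points tmpreaper at home directories, a comment such as `# tmpreaper can be configured to clean user home dirs; allow it to remove their content` above the three calls would preserve that reasoning, and a tunable guarding them would let sites that do not use that configuration keep the grant off (I cannot tell from here whether one exists). The amavis, kismet and lpd `optional_policy` blocks follow the existing pattern and look fine. The rest of tmpreaper.te is outside the hunk.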
@@ -10971,12 +10976,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-01-18 12:40:46.000000000 -0500 -@@ -1,3 +1,6 @@ ++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc 2008-02-01 07:42:38.000000000 -0500 +@@ -1,3 +1,7 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) ++/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) +/etc/rc.d/init.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.5/policy/modules/services/fail2ban.if @@ -11053,7 +11059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-01-21 13:50:35.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te 2008-02-01 07:40:59.000000000 -0500 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) 
@@ -11064,7 +11070,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ######################################## # # fail2ban local policy -@@ -55,6 +58,8 @@ +@@ -33,8 +36,9 @@ + logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) + + # pid file ++manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) + manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) +-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file) ++files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file }) + + kernel_read_system_state(fail2ban_t) + +@@ -55,6 +59,8 @@ miscfiles_read_localization(fail2ban_t) @@ -17973,7 +17990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.5/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/services/smartmon.te 2008-02-01 08:41:51.000000000 -0500 @@ -16,6 +16,9 @@ type fsdaemon_tmp_t; files_tmp_file(fsdaemon_tmp_t) @@ -17984,6 +18001,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar ######################################## # # Local policy +@@ -49,6 +52,7 @@ + corenet_udp_sendrecv_all_ports(fsdaemon_t) + + dev_read_sysfs(fsdaemon_t) ++dev_read_urand(fsdaemon_t) + + domain_use_interactive_fds(fsdaemon_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.5/policy/modules/services/snmp.fc --- nsaserefpolicy/policy/modules/services/snmp.fc 2007-06-19 16:23:06.000000000 -0400 +++ serefpolicy-3.2.5/policy/modules/services/snmp.fc 2008-01-18 12:40:46.000000000 -0500 
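Review bot: The `# pid file` comment in fail2ban.te now heads a block that also creates and manages the control socket, via the `manage_sock_files_pattern` line and the `{ file sock_file }` filetrans added in this hunk, so it understates what the block grants; `# pid file and control socket, both labelled fail2ban_var_run_t` would match the new rules. The socket itself is labelled by the `/var/run/fail2ban\.sock -s` entry in the fail2ban.fc hunk earlier in this patch, and the two hunks agree on the type. As far as the visible lines show, no other domain is granted the sock_file access needed to reach that socket; if fail2ban-client is expected to run confined that rule is still missing, though it may be intentionally left for a later change. The remainder of the fail2ban.te module is outside the hunk.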
@@ -21638,7 +21663,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if --- nsaserefpolicy/policy/modules/system/fstools.if 2007-08-22 17:33:53.000000000 -0400 -+++ serefpolicy-3.2.5/policy/modules/system/fstools.if 2008-01-18 12:40:46.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/fstools.if 2008-02-01 08:40:37.000000000 -0500 +@@ -81,10 +81,10 @@ + # + interface(`fstools_read_pipes',` + gen_require(` +- type fsdaemon_t; ++ type fstools_t; + ') + +- allow $1 fsdaemon_t:fifo_file read_fifo_file_perms; ++ allow $1 fstools_t:fifo_file read_fifo_file_perms; + ') + + ######################################## @@ -142,3 +142,20 @@ allow $1 swapfile_t:file getattr; @@ -23561,7 +23599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-29 15:11:06.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te 2008-01-31 15:54:53.000000000 -0500 @@ -75,7 +75,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) 
@@ -24658,7 +24696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-31 08:42:16.000000000 -0500 ++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-02-01 08:23:22.000000000 -0500 @@ -29,9 +29,14 @@ ') 
@@ -26692,7 +26730,87 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5109,7 +5265,7 @@ +@@ -4833,6 +4989,26 @@ + + ######################################## + ## ++## delete all directories ++## in all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_users_home_content_dirs',` ++ gen_require(` ++ attribute home_type; ++ ') ++ ++ files_list_home($1) ++ delete_dirs_pattern($1, home_type, home_type) ++') ++ ++######################################## ++## + ## Create, read, write, and delete all directories + ## in all users home directories. + ## +@@ -4853,6 +5029,25 @@ + + ######################################## + ## ++## Delete all files ++## in all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_users_home_content_files',` ++ gen_require(` ++ attribute home_type; ++ ') ++ ++ delete_files_pattern($1,home_type,home_type) ++') ++ ++######################################## ++## + ## Create, read, write, and delete all files + ## in all users home directories. + ## +@@ -4873,6 +5068,26 @@ + + ######################################## + ## ++## Delete all symlinks ++## in all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_users_home_content_symlinks',` ++ gen_require(` ++ attribute home_type; ++ ') ++ ++ files_list_home($1) ++ delete_lnk_files_pattern($1,home_type,home_type) ++') ++ ++######################################## ++## + ## Create, read, write, and delete all symlinks + ## in all users home directories. + ## +@@ -5109,7 +5324,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` 
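Review bot: `userdom_delete_all_users_home_content_files` omits the `files_list_home($1)` call that its two new siblings, `userdom_delete_all_users_home_content_dirs` and `userdom_delete_all_users_home_content_symlinks`, make before their `delete_*_pattern` line, so a caller that uses only the files interface may be unable to reach the home directories unless it already has access to the home root. Unless the omission is intentional, add `files_list_home($1)` before `delete_files_pattern($1, home_type, home_type)`, which also brings the argument spacing in line with the dirs variant. The summary of the dirs interface starts lowercase (`delete all directories`) while the other two say `Delete`; capitalising it keeps the generated interface docs uniform. All three hand out delete access over the entire `home_type` attribute, so a single caller gets it for every user's home content at once; the summaries say so, which is the right place for it.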
@@ -26701,7 +26819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,6 +5454,49 @@ +@@ -5298,6 +5513,49 @@ ######################################## ## @@ -26751,7 +26869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5503,6 +5702,42 @@ +@@ -5503,6 +5761,42 @@ ######################################## ## @@ -26794,7 +26912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5903,42 @@ +@@ -5668,6 +5962,42 @@ ######################################## ## @@ -26837,7 +26955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5969,277 @@ +@@ -5698,3 +6028,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b5aaa21..6db481d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.5 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -387,6 +387,9 @@ exit 0 %endif %changelog +* Fri Feb 1 2008 Dan Walsh 3.2.5-25 +- Allow fail2ban to create a socket in /var/run + * Wed Jan 30 2008 Dan Walsh 3.2.5-24 - Allow allow_httpd_mod_auth_pam to work