diff --git a/policy-20090105.patch b/policy-20090105.patch index 49fb286..553f80c 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -5130,7 +5130,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.3/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/files.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/files.if 2009-01-21 17:33:03.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -5340,7 +5340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5036,71 @@ +@@ -4921,3 +5036,95 @@ typeattribute $1 files_unconfined_type; ') @@ -5412,6 +5412,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_lnk_files_pattern($1,var_run_t,var_run_t) +') ++ ++######################################## ++## ++## manage generic symbolic links ++## in the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_boot',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:blk_file manage_blk_file_perms; ++ allow $1 root_t:chr_file manage_chr_file_perms; ++ manage_dirs_pattern($1, root_t, root_t) ++ manage_files_pattern($1, root_t, root_t) ++ manage_lnk_files_pattern($1, root_t, root_t) ++ can_exec(kernel_t, root_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.3/policy/modules/kernel/files.te --- nsaserefpolicy/policy/modules/kernel/files.te 2009-01-05 15:39:38.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/files.te 2009-01-19 13:10:02.000000000 -0500 @@ -5890,7 +5914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-20 16:17:37.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if 2009-01-21 17:29:54.000000000 -0500 @@ -1197,6 +1197,7 @@ ') @@ -5997,7 +6021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.3/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te 2009-01-20 17:15:33.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te 2009-01-21 17:46:13.000000000 -0500 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -6061,11 +6085,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_process_set_categories(kernel_t) -@@ -267,12 +287,17 @@ +@@ -267,12 +287,18 @@ mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) +mls_socket_write_all_levels(kernel_t) ++mls_fd_share_all_levels(kernel_t) + +logging_manage_generic_logs(kernel_t) @@ -6079,7 +6104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -357,6 +382,10 @@ +@@ -357,6 +383,10 @@ unconfined_domain(kernel_t) ') @@ -6090,6 +6115,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Unlabeled process local policy +@@ -386,3 +416,5 @@ + allow kern_unconfined unlabeled_t:association *; + allow kern_unconfined unlabeled_t:packet *; + allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; ++ ++files_boot(kernel_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.3/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/kernel/selinux.if 2009-01-19 13:32:33.000000000 -0500 @@ -6197,8 +6228,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.6.3/policy/modules/roles/auditadm.te --- nsaserefpolicy/policy/modules/roles/auditadm.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te 2009-01-19 13:10:02.000000000 -0500 -@@ -32,158 +32,18 @@ ++++ serefpolicy-3.6.3/policy/modules/roles/auditadm.te 2009-01-21 17:30:16.000000000 -0500 +@@ -17,6 +17,8 @@ + + allow auditadm_t self:capability { dac_read_search dac_override }; + ++kernel_read_ring_buffer(auditadm_t) ++ + corecmd_exec_shell(auditadm_t) + + domain_kill_all_domains(auditadm_t) +@@ -32,158 +34,18 @@ seutil_read_bin_policy(auditadm_t) optional_policy(` @@ -21808,13 +21848,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-21 13:00:55.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/virt.te 2009-01-21 16:53:49.000000000 -0500 @@ -53,7 +53,7 @@ # virtd local policy # -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -+allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_nice sys_ptrace }; ++allow virtd_t self:capability { dac_override kill net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; allow virtd_t self:process { getsched sigkill signal execmem }; allow virtd_t self:fifo_file rw_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; @@ -23974,7 +24014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-20 17:11:43.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/init.te 2009-01-21 17:45:29.000000000 -0500 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -24077,11 +24117,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t,initrc_tmp_t) allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -249,15 +278,18 @@ +@@ -249,15 +278,19 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) +kernel_stream_connect(initrc_t) ++files_read_kernel_modules(initrc_t) files_read_kernel_symbol_table(initrc_t) +files_exec_etc_files(initrc_t) @@ -24100,7 +24141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -274,7 +306,7 @@ +@@ -274,7 +307,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -24109,7 +24150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -328,7 +360,7 @@ +@@ -328,7 +361,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -24118,7 +24159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -367,6 +399,7 @@ +@@ -367,6 +400,7 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -24126,7 +24167,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -498,6 +531,7 @@ +@@ -451,7 +485,7 @@ + + # Red Hat systems seem to have a stray + # fd open from the initrd +- kernel_dontaudit_use_fds(initrc_t) ++ kernel_use_fds(initrc_t) + files_dontaudit_read_root_files(initrc_t) + + selinux_set_enforce_mode(initrc_t) +@@ -498,6 +532,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -24134,7 +24184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +550,31 @@ +@@ -516,6 +551,31 @@ ') ') @@ -24166,7 +24216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +629,10 @@ +@@ -570,6 +630,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -24177,7 +24227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -655,12 +718,6 @@ +@@ -655,12 +719,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -24190,7 +24240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +778,9 @@ +@@ -721,6 +779,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -24200,7 +24250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +793,12 @@ +@@ -733,10 +794,12 @@ squid_manage_logs(initrc_t) ') @@ -24213,7 +24263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +816,11 @@ +@@ -754,6 +817,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -24225,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -768,6 +835,10 @@ +@@ -768,6 +836,10 @@ ') optional_policy(` @@ -24236,7 +24286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +861,11 @@ +@@ -790,3 +862,11 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -25246,7 +25296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.3/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/mount.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/mount.te 2009-01-21 17:47:52.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -25279,7 +25329,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow mount_t mount_loopback_t:file read_file_perms; -@@ -47,12 +49,18 @@ +@@ -47,12 +49,19 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir }) @@ -25291,6 +25341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_dontaudit_getattr_core_if(mount_t) +kernel_search_debugfs(mount_t) +kernel_setsched(mount_t) ++kernel_use_fds(mount_t) dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) @@ -25298,7 +25349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_lvm_control(mount_t) dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) -@@ -62,16 +70,19 @@ +@@ -62,16 +71,19 @@ storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -25321,7 +25372,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms(mount_t) -@@ -79,6 +90,7 @@ +@@ -79,6 +91,7 @@ corecmd_exec_bin(mount_t) domain_use_interactive_fds(mount_t) @@ -25329,7 +25380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_all(mount_t) files_read_etc_files(mount_t) -@@ -87,7 +99,7 @@ +@@ -87,7 +100,7 @@ files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) # These rules need to be generalized. Only admin, initrc should have it: @@ -25338,7 +25389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mount_all_file_type_fs(mount_t) files_unmount_all_file_type_fs(mount_t) # for when /etc/mtab loses its type -@@ -100,6 +112,8 @@ +@@ -100,6 +113,8 @@ init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -25347,7 +25398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(mount_t) -@@ -116,6 +130,7 @@ +@@ -116,6 +131,7 @@ seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -25355,7 +25406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -133,7 +148,7 @@ +@@ -133,7 +149,7 @@ tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) @@ -25364,7 +25415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_mounton_non_security(mount_t) ') -@@ -141,16 +156,16 @@ +@@ -141,16 +157,16 @@ # for nfs corenet_all_recvfrom_unlabeled(mount_t) corenet_all_recvfrom_netlabel(mount_t) @@ -25389,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -164,6 +179,8 @@ +@@ -164,6 +180,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -25398,7 +25449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -171,6 +188,15 @@ +@@ -171,6 +189,15 @@ ') optional_policy(` @@ -25414,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -178,6 +204,11 @@ +@@ -178,6 +205,11 @@ ') ') @@ -25426,7 +25477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +216,7 @@ +@@ -185,6 +217,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -25434,7 +25485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -195,4 +227,26 @@ +@@ -195,4 +228,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 9ea2280..4a8d7b3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,7 +445,7 @@ exit 0 %endif %changelog -* Wed Jan 21 2009 Dan Walsh 3.6.3-5 +* Wed Jan 21 2009 Dan Walsh 3.6.3-6 - Add wm policy - Make mls work in graphics mode