diff --git a/booleans-targeted.conf b/booleans-targeted.conf index e423c2a..be7ea90 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -262,3 +262,7 @@ allow_postfix_local_write_mail_spool=true # Allow common users to read/write noexattrfile systems # user_rw_noexattrfile=true + +# Allow qemu to connect fully to the network +# +allow_qemu_full_network=true diff --git a/policy-20071130.patch b/policy-20071130.patch index 0053c5b..714ddba 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1976,7 +1976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.2.9/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 14:28:23.000000000 -0500 ++++ serefpolicy-3.2.9/policy/modules/apps/gpg.if 2008-02-20 17:37:31.000000000 -0500 @@ -38,6 +38,10 @@ gen_require(` type gpg_exec_t, gpg_helper_exec_t; @@ -1988,7 +1988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ######################################## -@@ -45,275 +49,53 @@ +@@ -45,275 +49,56 @@ # Declarations # @@ -2174,6 +2174,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) + allow $2 gpg_t:process signal_perms; ++ # Thunderbird leaks descriptors ++ dontaudit gpg_t $2:tcp_socket rw_socket_perms; ++ dontaudit gpg_t $2:udp_socket rw_socket_perms; - # allow gpg to connect to the gpg agent - stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) 
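Review bot: `allow_qemu_full_network=true` switches the new boolean on by default for the targeted policy, while the `gen_tunable(allow_qemu_full_network,false)` added to qemu.te in this same commit declares it off, so the two hunks disagree on the shipped default and this conf line is what grants qemu the wider network access out of the box. If that is intended, the comment should say so instead of repeating the tunable's description, e.g. `# Allow qemu to connect fully to the network (on by default in targeted; set false to restrict qemu networking)`. The same mismatch applies to the qemu.te gen_tunable hunk near the end of this patch.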
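Review bot: The new `dontaudit gpg_t $2:tcp_socket rw_socket_perms;` / `udp_socket` pair silences socket denials for whatever caller domain is bound to `$2`, but the comment `# Thunderbird leaks descriptors` names only one caller of a generic interface, and dontaudit also hides any genuine use of an inherited socket by gpg. A comment stating the intent and scope would keep this reviewable, e.g. `# Callers (Thunderbird among them) leak inherited sockets into gpg; silence, do not grant`. The enclosing interface starts and ends outside the hunk.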
@@ -2294,8 +2297,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.2.9/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2007-12-19 05:32:09.000000000 -0500 -+++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 14:28:23.000000000 -0500 -@@ -7,15 +7,232 @@ ++++ serefpolicy-3.2.9/policy/modules/apps/gpg.te 2008-02-20 17:36:41.000000000 -0500 +@@ -7,15 +7,228 @@ # # Type for gpg or pgp executables. @@ -2373,6 +2376,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +files_read_usr_files(gpg_t) +files_dontaudit_search_var(gpg_t) + ++auth_use_nsswitch(gpg_t) ++ +libs_use_shared_libs(gpg_t) +libs_use_ld_so(gpg_t) + @@ -2380,12 +2385,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s + +logging_send_syslog_msg(gpg_t) + -+sysnet_read_config(gpg_t) -+ -+optional_policy(` -+ nis_use_ypbind(gpg_t) -+') -+ +######################################## +# +# GPG helper local policy @@ -4848,7 +4847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-02-01 09:12:53.000000000 -0500 -+++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 14:28:23.000000000 -0500 ++++ serefpolicy-3.2.9/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:15:58.000000000 -0500 @@ -82,6 +82,7 @@ network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) 
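Review bot: `auth_use_nsswitch(gpg_t)` replaces `sysnet_read_config(gpg_t)` and the optional `nis_use_ypbind(gpg_t)` block removed in the following hunk; in refpolicy that interface is broader than the two calls it supersedes (it typically also covers name resolution and the other nsswitch back ends), so gpg_t presumably gains network-related permissions beyond what the removed rules granted. A one-line comment recording the substitution would make the widening deliberate and visible, e.g. `# nsswitch lookups; replaces sysnet_read_config and nis_use_ypbind`.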
@@ -4865,7 +4864,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -122,6 +124,8 @@ +@@ -109,6 +111,7 @@ + network_port(ircd, tcp,6667,s0) + network_port(isakmp, udp,500,s0) + network_port(iscsi, tcp,3260,s0) ++network_port(isns, tcp,3205,s0, udp,3205,s0) + network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) + network_port(jabber_interserver, tcp,5269,s0) + network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +@@ -122,6 +125,8 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -4874,7 +4881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -133,10 +137,12 @@ +@@ -133,10 +138,12 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(postfix_policyd, tcp,10031,s0) @@ -4887,7 +4894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -148,7 +154,7 @@ +@@ -148,7 +155,7 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -4896,7 +4903,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) -@@ -170,7 +176,11 @@ +@@ -170,7 +177,11 @@ network_port(transproxy, tcp,8081,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
@@ -20054,7 +20061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.2.9/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 16:57:35.000000000 -0500 ++++ serefpolicy-3.2.9/policy/modules/services/squid.te 2008-02-20 17:25:10.000000000 -0500 @@ -31,12 +31,15 @@ type squid_var_run_t; files_pid_file(squid_var_run_t) @@ -22960,6 +22967,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.2.9/policy/modules/system/iscsi.te +--- nsaserefpolicy/policy/modules/system/iscsi.te 2008-02-18 14:30:18.000000000 -0500 ++++ serefpolicy-3.2.9/policy/modules/system/iscsi.te 2008-02-20 17:17:56.000000000 -0500 +@@ -63,6 +63,7 @@ + corenet_tcp_sendrecv_all_ports(iscsid_t) + corenet_tcp_connect_http_port(iscsid_t) + corenet_tcp_connect_iscsi_port(iscsid_t) ++corenet_tcp_connect_isns_port(iscsid_t) + + dev_rw_sysfs(iscsid_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.2.9/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-12-12 11:35:28.000000000 -0500 +++ serefpolicy-3.2.9/policy/modules/system/libraries.fc 2008-02-20 14:28:23.000000000 -0500 
@@ -24318,10 +24336,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.i + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.2.9/policy/modules/system/qemu.te --- nsaserefpolicy/policy/modules/system/qemu.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:01:56.000000000 -0500 -@@ -0,0 +1,40 @@ ++++ serefpolicy-3.2.9/policy/modules/system/qemu.te 2008-02-20 17:27:29.000000000 -0500 +@@ -0,0 +1,47 @@ +policy_module(qemu,1.0.0) + ++## ++##

++## Allow qemu to connect fully to the network ++##

++##
++gen_tunable(allow_qemu_full_network,false) ++ +######################################## +# +# Declarations @@ -24340,7 +24365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.t +# qemu local policy +# + -+tunable_policy(`qemu_full_network',` ++tunable_policy(`allow_qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; + corenet_udp_sendrecv_all_if(qemu_t) + corenet_udp_sendrecv_all_nodes(qemu_t)
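Review bot: The rename to `tunable_policy(`allow_qemu_full_network',`` is applied to this one call only, and the rest of the 47-line file is outside the hunk, so any remaining reference to the old `qemu_full_network` name would likely fail at build time or leave a rule keyed to an undeclared boolean; worth grepping the file before merging. The tunable body shown here grants `udp_socket create_socket_perms` plus `corenet_udp_sendrecv_all_if` and `corenet_udp_sendrecv_all_nodes` and continues past the hunk, so the description text "Allow qemu to connect fully to the network" cannot be checked against the complete rule set from this view.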