diff --git a/policy-F15.patch b/policy-F15.patch index ac104f6..9afa3e2 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -8173,7 +8173,7 @@ index 099f57f..5843cad 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 3517db2..bd4c23d 100644 +index 3517db2..4dd4bef 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -8269,12 +8269,14 @@ index 3517db2..bd4c23d 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -258,3 +268,5 @@ ifndef(`distro_redhat',` +@@ -258,3 +268,7 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) ++ ++/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 5302dac..9b828ee 100644 --- a/policy/modules/kernel/files.if @@ -9313,7 +9315,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..54a884b 100644 +index 437a42a..b9e3aa9 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` 
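Review bot: The new files.fc entry `/usr/lib/debug <>` (the last two added lines of the nested `@@ -258,3 +268,7 @@` hunk) matches only the directory itself, because unlike the neighbouring `/nsr(/.*)?` and `/nsr/logs(/.*)?` entries it carries no `(/.*)?` suffix; if the goal is to keep the whole debuginfo tree out of relabeling it should read `/usr/lib/debug(/.*)? <<none>>`. The `<>` shown here looks like a `<<none>>` token whose inner text was lost in rendering, so that reading is inferred rather than visible. A short comment above the entry, e.g. `# debuginfo tree is deliberately left unlabeled`, would tell the next editor the omission is intentional.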
@@ -9542,7 +9544,23 @@ index 437a42a..54a884b 100644 ') ######################################## -@@ -2395,6 +2514,25 @@ interface(`fs_exec_nfs_files',` +@@ -2331,6 +2450,7 @@ interface(`fs_read_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2369,6 +2489,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2395,6 +2516,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -9568,7 +9586,7 @@ index 437a42a..54a884b 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2573,24 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2575,24 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -9593,7 +9611,7 @@ index 437a42a..54a884b 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2607,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -9602,7 +9620,7 @@ index 437a42a..54a884b 100644 ') ######################################## -@@ -2637,6 +2793,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2795,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## 
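Review bot: Adding `fs_search_auto_mountpoints($1)` inside `fs_read_nfs_files` and `fs_write_nfs_files` (and likewise in `fs_manage_nfs_dirs`, `fs_manage_nfs_files` and `fs_manage_nfs_symlinks` in the two hunks that follow) silently widens every existing caller of these interfaces to also get search on automounter directories, which is a different type than nfs_t. That side effect is not reflected in the interfaces' `## <summary>` blocks, which are left unchanged and still describe only access to files on an NFS filesystem. A one-line comment above each call, e.g. `# NFS shares are usually reached through automounter directories`, or a sentence in each summary would let callers see that the grant extends beyond nfs_t. Only the `type nfs_t;` tail of each gen_require block is visible, so the interface bodies begin outside the hunk.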
@@ -9627,7 +9645,23 @@ index 437a42a..54a884b 100644 ## Read removable storage symbolic links. ## ## -@@ -2845,7 +3019,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir manage_dir_perms; + ') + +@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + manage_files_pattern($1, nfs_t, nfs_t) + ') + +@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -9636,7 +9670,15 @@ index 437a42a..54a884b 100644 ## ## ## -@@ -3970,6 +4144,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + manage_lnk_files_pattern($1, nfs_t, nfs_t) + ') + +@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -9679,7 +9721,7 @@ index 437a42a..54a884b 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',` +@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -9688,7 +9730,7 @@ index 437a42a..54a884b 100644 ') ######################################## -@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') 
@@ -14885,6 +14927,19 @@ index 4deca04..0bde225 100644 ') optional_policy(` +diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te +index 5f239ca..29de096 100644 +--- a/policy/modules/services/bitlbee.te ++++ b/policy/modules/services/bitlbee.te +@@ -28,7 +28,7 @@ files_type(bitlbee_var_t) + # + + allow bitlbee_t self:capability { setgid setuid }; +-allow bitlbee_t self:process signal; ++allow bitlbee_t self:process { setsched signal }; + allow bitlbee_t self:udp_socket create_socket_perms; + allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms }; + allow bitlbee_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 3e45431..fa57a6f 100644 --- a/policy/modules/services/bluetooth.if @@ -15908,7 +15963,7 @@ index 7a6e5ba..d664be8 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te -index 1a65b5e..e281c74 100644 +index 1a65b5e..1bc0bc7 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -24,6 +24,7 @@ files_type(certmonger_var_lib_t) @@ -15919,7 +15974,7 @@ index 1a65b5e..e281c74 100644 allow certmonger_t self:process { getsched setsched sigkill }; allow certmonger_t self:fifo_file rw_file_perms; allow certmonger_t self:unix_stream_socket create_stream_socket_perms; -@@ -32,7 +33,7 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; +@@ -32,16 +33,19 @@ allow certmonger_t self:netlink_route_socket r_netlink_socket_perms; manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) 
@@ -15928,7 +15983,19 @@ index 1a65b5e..e281c74 100644 manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t) -@@ -51,6 +52,8 @@ files_read_etc_files(certmonger_t) + files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir }) + ++corecmd_exec_bin(certmonger_t) ++ + corenet_tcp_sendrecv_generic_if(certmonger_t) + corenet_tcp_sendrecv_generic_node(certmonger_t) + corenet_tcp_sendrecv_all_ports(certmonger_t) + corenet_tcp_connect_certmaster_port(certmonger_t) ++corenet_tcp_connect_http_port(certmonger_t) + + dev_read_urand(certmonger_t) + +@@ -51,6 +55,8 @@ files_read_etc_files(certmonger_t) files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) @@ -15937,7 +16004,7 @@ index 1a65b5e..e281c74 100644 logging_send_syslog_msg(certmonger_t) miscfiles_read_localization(certmonger_t) -@@ -58,6 +61,16 @@ miscfiles_manage_generic_cert_files(certmonger_t) +@@ -58,6 +64,16 @@ miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) @@ -15954,7 +16021,7 @@ index 1a65b5e..e281c74 100644 optional_policy(` dbus_system_bus_client(certmonger_t) dbus_connect_system_bus(certmonger_t) -@@ -68,5 +81,7 @@ optional_policy(` +@@ -68,5 +84,7 @@ optional_policy(` ') optional_policy(` @@ -29139,7 +29206,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..80c1f5d 100644 +index 64c5f95..76da005 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,10 +6,10 @@ policy_module(puppet, 1.0.0) 
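Review bot: `corecmd_exec_bin(certmonger_t)` grants execution of every bin_t binary, the broadest way to let a daemon run a helper, and the hunk gives no hint which helper certmonger actually needs; a comment such as `# runs CA enrollment helpers from bin_t` (wording is a placeholder, the real helper is not visible here) would let a later reviewer narrow the rule. The same applies to the added `corenet_tcp_connect_http_port(certmonger_t)`, which opens outbound connections to any port labeled http_port_t on top of the existing certmaster port rule; a comment naming the enrollment protocol it serves would document why the certmaster port alone was not enough. The spec changelog on this page does not mention certmonger, so the motivation cannot be cross-checked from the commit record.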
@@ -29198,7 +29265,7 @@ index 64c5f95..80c1f5d 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -214,13 +219,19 @@ domain_read_all_domains_state(puppetmaster_t) +@@ -214,13 +219,20 @@ domain_read_all_domains_state(puppetmaster_t) files_read_etc_files(puppetmaster_t) files_search_var_lib(puppetmaster_t) @@ -29207,9 +29274,10 @@ index 64c5f95..80c1f5d 100644 logging_send_syslog_msg(puppetmaster_t) miscfiles_read_localization(puppetmaster_t) - -+seutil_read_file_contexts(puppetmaster_t) ++miscfiles_read_certs(puppetmaster_t) + ++seutil_read_file_contexts(puppetmaster_t) + sysnet_dns_name_resolve(puppetmaster_t) sysnet_run_ifconfig(puppetmaster_t, system_r) @@ -29218,6 +29286,15 @@ index 64c5f95..80c1f5d 100644 optional_policy(` hostname_exec(puppetmaster_t) ') +@@ -231,3 +243,8 @@ optional_policy(` + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) + ') ++ ++optional_policy(` ++ usermanage_domtrans_groupadd(puppetmaster_t) ++ usermanage_domtrans_useradd(puppetmaster_t) ++') diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 --- a/policy/modules/services/pyzor.fc @@ -29866,10 +29943,10 @@ index 0000000..c403abc +') diff --git a/policy/modules/services/qpidd.te b/policy/modules/services/qpidd.te new file mode 100644 -index 0000000..43639a0 +index 0000000..d9c56d4 --- /dev/null +++ b/policy/modules/services/qpidd.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,64 @@ +policy_module(qpidd, 1.0.0) + +######################################## @@ -29929,6 +30006,11 @@ index 0000000..43639a0 +miscfiles_read_localization(qpidd_t) + +sysnet_dns_name_resolve(qpidd_t) ++ ++optional_policy(` ++ corosync_stream_connect(qpidd_t) ++') ++ diff --git a/policy/modules/services/radius.if b/policy/modules/services/radius.if index 9a78598..8f132e7 100644 --- a/policy/modules/services/radius.if 
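Review bot: The new `optional_policy` block lets puppetmaster_t domain-transition to the useradd and groupadd domains, a notable privilege extension for the server-side domain, since account management is normally applied by the agent on managed hosts; presumably this covers a master that also applies manifests to itself, but nothing in the hunk says so. A comment above the block, e.g. `# puppetmaster applies local manifests that create users and groups`, would record that rationale. The rest of puppet.te, including the agent domain's rules, lies outside the hunk, so whether the agent already carries the same transitions cannot be checked here.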
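Review bot: The new qpidd.te now ends with two blank lines after the closing `')` of the corosync `optional_policy` block (the last two `++` lines of the `@@ -0,0 +1,64 @@` hunk), whereas the puppet.te hunk just above ends directly on its `')`; drop the trailing blank lines so the new module matches. Wrapping `corosync_stream_connect(qpidd_t)` in `optional_policy` is the right form for a cross-module dependency that may not be loaded.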
@@ -39262,7 +39344,7 @@ index 88df85d..2fa3974 100644 ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 1c4b1e7..2997dd7 100644 +index 1c4b1e7..8d326d4 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -10,6 +10,7 @@ @@ -39273,7 +39355,7 @@ index 1c4b1e7..2997dd7 100644 /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` -@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', ` +@@ -27,12 +28,14 @@ ifdef(`distro_gentoo', ` /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) @@ -39281,6 +39363,13 @@ index 1c4b1e7..2997dd7 100644 /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) + /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) ++/var/log/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) + /var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) + /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) + /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index bea0ade..6f47773 100644 --- a/policy/modules/system/authlogin.if diff --git a/selinux-policy.spec b/selinux-policy.spec index ab47532..3781100 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.8 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -471,6 +471,20 @@ exit 0 %endif %changelog +* Tue Nov 9 2010 Dan Walsh 3.9.8-3 +- Fix up corecommands.fc to match upstream +- Make sure /lib/systemd/* is labeled init_exec_t +- mount wants to setattr on all mountpoints +- dovecot auth wants to read dovecot etc files +- nscd daemon looks at the exe file of the comunicating daemon +- openvpn wants to read utmp file +- postfix apps now set sys_nice and lower limits +- remote_login (telnetd/login) wants to use telnetd_devpts_t and user_devpts_t to work correctly +- Also resolves nsswitch +- Fix labels on /etc/hosts.* +- Cleanup to make upsteam patch work +- allow abrt to read etc_runtime_t + * Fri Nov 5 2010 Dan Walsh 3.9.8-2 - Add conflicts for dirsrv package