diff --git a/policy-20070703.patch b/policy-20070703.patch
index df09305..4ed9300 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -1754,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-24 10:14:15.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-24 15:39:13.000000000 -0400
 @@ -36,6 +36,8 @@
 gen_require(`
 type mozilla_conf_t, mozilla_exec_t;
@@ -1824,7 +1824,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -171,6 +203,8 @@ +@@ -116,8 +148,9 @@ + kernel_read_kernel_sysctls($1_mozilla_t) + kernel_read_network_state($1_mozilla_t) + # Access /proc, sysctl +- kernel_read_system_state($1_mozilla_t) +- kernel_read_net_sysctls($1_mozilla_t) ++ kernel_dontaudit_read_system_state($1_mozilla_t) ++# kernel_read_system_state($1_mozilla_t) ++# kernel_read_net_sysctls($1_mozilla_t) + + # Look for plugins + corecmd_list_bin($1_mozilla_t) +@@ -166,11 +199,20 @@ + files_read_var_files($1_mozilla_t) + files_read_var_symlinks($1_mozilla_t) + files_dontaudit_getattr_boot_dirs($1_mozilla_t) ++ files_dontaudit_list_non_security($1_mozilla_t) ++ files_dontaudit_getattr_non_security_files($1_mozilla_t) ++ files_dontaudit_getattr_non_security_symlinks($1_mozilla_t) ++ files_dontaudit_getattr_non_security_pipes($1_mozilla_t) ++ files_dontaudit_getattr_non_security_sockets($1_mozilla_t) ++ files_dontaudit_getattr_non_security_blk_files($1_mozilla_t) ++ files_dontaudit_getattr_non_security_chr_files($1_mozilla_t) + + fs_search_auto_mountpoints($1_mozilla_t) fs_list_inotifyfs($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) @@ -1833,7 +1857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) -@@ -186,12 +220,9 @@ +@@ -186,16 +228,14 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) 
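Review bot: The rules withdrawn in favour of `kernel_dontaudit_read_system_state($1_mozilla_t)` are left behind as commented-out policy (`+# kernel_read_system_state($1_mozilla_t)`, `+# kernel_read_net_sysctls($1_mozilla_t)`) with no explanation; commented-out rules tend to be re-enabled without review, so drop them or replace them with a one-line reason. A dontaudit also removes the AVC record, so a plugin that genuinely needs /proc state will now fail with no audit trail to diagnose it — a comment such as `# dontaudit rather than allow: /proc probing by the browser is expected noise; restore the read rule if a plugin breaks` would record the intent. The same point applies to `kernel_dontaudit_read_system_state($1_t)` added to userdomain.if in the `@@ -10900,6 +10967,8 @@` hunk further down. The enclosing interface body starts and ends outside this hunk, and the second hunk on this line (`@@ -1833,7 +1857,7 @@`) only replaces an inner hunk header.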
@@ -1849,7 +1873,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -213,131 +244,8 @@ + xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) ++ xserver_xdm_sigchld($1_mozilla_t) + + tunable_policy(`allow_execmem',` + allow $1_mozilla_t self:process { execmem execstack }; +@@ -213,131 +253,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -1983,7 +2012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -352,21 +260,28 @@ +@@ -352,21 +269,28 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -2015,7 +2044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -386,25 +301,6 @@ +@@ -386,25 +310,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -2041,7 +2070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -577,3 +473,27 @@ +@@ -577,3 +482,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -2424,7 +2453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.3/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/kernel/files.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/kernel/files.if 2007-07-24 13:47:36.000000000 -0400 @@ -343,8 +343,7 @@ ######################################## 
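Review bot: `++ xserver_xdm_sigchld($1_mozilla_t)` is added without a comment, and it calls an interface that this same commit introduces in the xserver.if hunk (`@@ -7326,13 +7375,31 @@`), so the two hunks have to land together; the call is unconditional, which follows the neighbouring `xserver_dontaudit_getattr_xdm_tmp_sockets` call, so that is consistent. A short why-comment would help the next reader, e.g. `# browser is started from the xdm session and needs to deliver sigchld to it — confirm`. The enclosing interface body starts and ends outside the hunk; the other hunks on this line only renumber inner hunk headers or change a timestamp.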
@@ -2563,16 +2592,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # Need sys_admin capability for mounting allow $1 self:capability { chown fsetid sys_admin }; -@@ -4582,6 +4618,8 @@ +@@ -4582,6 +4618,11 @@ # Default type for mountpoints allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) + corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) + ') ######################################## -@@ -4619,3 +4657,28 @@ +@@ -4619,3 +4660,28 @@ allow $1 { file_type -security_file_type }:dir manage_dir_perms; ') @@ -2603,7 +2635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te 2007-07-23 10:44:40.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te 2007-07-24 13:44:42.000000000 -0400 @@ -43,6 +43,12 @@ # # Non-persistent/pseudo filesystems 
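Review bot: `++ seutil_domtrans_setfiles($1)` together with `++ fs_mount_tmpfs($1)` and `++ fs_unmount_tmpfs($1)` widens what every caller of this polyinstantiation interface may do — the domain can now transition to the setfiles domain, which relabels files, and mount or unmount tmpfs — yet the interface's documentation (its header is outside the hunk) is not updated to say so. Refpolicy convention keeps kernel-layer modules such as files.if free of hard dependencies on system-layer modules like seutil, so the call should probably be wrapped in an `optional_policy(\`` … `')` block or left to the caller; I cannot see the surrounding interface from this hunk, so check whether it is already covered. A comment above the new lines, e.g. `# polyinstantiated dirs are created on a tmpfs and relabelled via setfiles — confirm`, would record why the extra privilege is needed. The second hunk on this line (`@@ -2603,7 +2635,7 @@`) only changes a timestamp.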
@@ -2617,9 +2649,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type bdev_t; fs_type(bdev_t) genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) +@@ -139,6 +145,7 @@ + fs_type(tmpfs_t) + files_type(tmpfs_t) + files_mountpoint(tmpfs_t) ++files_poly_parent(tmpfs_t) + + # Use a transition SID based on the allocating task SID and the + # filesystem SID to label inodes in the following filesystem types, diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if 2007-07-24 13:50:13.000000000 -0400 @@ -1848,6 +1848,27 @@ ######################################## @@ -3871,7 +3911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.3/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/consolekit.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/consolekit.te 2007-07-24 15:38:28.000000000 -0400 @@ -10,7 +10,6 @@ type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) 
@@ -4354,7 +4394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.3/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/cups.te 2007-07-20 09:22:00.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/cups.te 2007-07-24 15:38:39.000000000 -0400 @@ -81,12 +81,11 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; @@ -4396,6 +4436,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp +@@ -189,7 +192,7 @@ + # read python modules + files_read_usr_files(cupsd_t) + # for /var/lib/defoma +-files_search_var_lib(cupsd_t) ++files_read_var_lib(cupsd_t) + files_list_world_readable(cupsd_t) + files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) @@ -223,21 +226,45 @@ sysnet_read_config(cupsd_t) @@ -5379,7 +5428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.3/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/mta.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/mta.if 2007-07-24 15:41:08.000000000 -0400 
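Review bot: `++files_read_var_lib(cupsd_t)` replaces a search-only rule with read access to every file labelled var_lib_t, while the comment kept above it (`# for /var/lib/defoma`) still describes the narrower need, so the comment no longer matches the grant. Either update the comment to state that cupsd reads var_lib_t files in general, or keep `files_search_var_lib(cupsd_t)` and give the defoma directory a dedicated type so that only it becomes readable. The first hunk on this line (`@@ -4354,7 +4394,7 @@`) and the last (`@@ -5379,7 +5428,7 @@`, which continues on the next line) only change timestamps.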
@@ -393,6 +393,7 @@ allow $1 mail_spool_t:dir list_dir_perms; create_files_pattern($1,mail_spool_t,mail_spool_t) @@ -7114,7 +7163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-23 11:02:03.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-24 13:48:58.000000000 -0400 @@ -353,12 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -7326,13 +7375,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1431,44 @@ +@@ -1325,3 +1431,62 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') + +######################################## +## ++## Sigchld XDM ++## ++## ++## ++## Domain to not audit ++## ++## ++# ++interface(`xserver_xdm_sigchld',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:process sigchld; ++') ++ ++######################################## ++## +## Connect to apmd over an unix stream socket. +## +## @@ -10422,7 +10489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-24 10:14:54.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-24 15:42:37.000000000 -0400 
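Review bot: The new `xserver_xdm_sigchld` interface's documentation contradicts its rule: the parameter is described as `## Domain to not audit`, but the body is `allow $1 xdm_t:process sigchld;`, an allow rule, and the summary `## Sigchld XDM` does not say what is permitted. Change the two comment lines to `## Send a SIGCHLD signal to the XDM domain.` and `## Domain allowed access.`; the XML summary/param tags appear to have been stripped from this page, so they are not reproduced here. The other hunks on this line (`@@ -7114,7 +7163,7 @@`, `@@ -10422,7 +10489,7 @@`) only change timestamps.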
@@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -10781,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -908,45 +838,170 @@ +@@ -908,45 +838,176 @@ ') optional_policy(` @@ -10900,6 +10967,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dev_read_sysfs($1_t) + dev_read_urand($1_t) + ++ kernel_dontaudit_read_system_state($1_t) ++ + domain_use_interactive_fds($1_t) + # Command completion can fire hundreds of denials + domain_dontaudit_exec_all_entry_files($1_t) @@ -10948,6 +11017,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) ++ mta_dontaudit_read_spool_symlinks($1_t) ++ ') ++ ++ optional_policy(` + quota_dontaudit_getattr_db($1_t) + ') + @@ -10965,7 +11038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ##

-@@ -962,11 +1017,58 @@ +@@ -962,11 +1023,58 @@ ## ## # @@ -11026,7 +11099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -976,25 +1078,11 @@ +@@ -976,25 +1084,11 @@ # Inherit rules for ordinary users. userdom_common_user_template($1) @@ -11052,7 +11125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc -@@ -1033,14 +1121,6 @@ +@@ -1033,14 +1127,6 @@ ') optional_policy(` @@ -11067,7 +11140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1054,17 +1134,6 @@ +@@ -1054,17 +1140,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11085,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1171,8 @@ +@@ -1102,6 +1177,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -11094,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1198,7 @@ +@@ -1127,7 +1204,7 @@ # $1_t local policy # @@ -11103,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1210,11 @@ +@@ -1139,7 +1216,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
@@ -11116,7 +11189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1902,6 +1977,41 @@ +@@ -1902,6 +1983,41 @@ ######################################## ##

@@ -11158,7 +11231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3188,7 @@ +@@ -3078,7 +3194,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -11167,7 +11240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5433,7 @@ +@@ -5323,7 +5439,7 @@ attribute user_tmpfile; ') @@ -11176,7 +11249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5658,26 @@ +@@ -5548,6 +5664,26 @@ ######################################## ## @@ -11203,7 +11276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5559,3 +5689,233 @@ +@@ -5559,3 +5695,233 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')