[selinux-policy: 3/4] - Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 12 16:08:56 UTC 2010
commit 519b05a70f5d9ca89edd3caeda1bdd70b2e2a2b9
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 12 10:59:01 2010 -0500
- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
policy-F15.patch | 182 +++++++++++++++++++++++++++++++++++++++------------
selinux-policy.spec | 5 +-
2 files changed, 143 insertions(+), 44 deletions(-)
---
diff --git a/policy-F15.patch b/policy-F15.patch
index 2ddc254..e1c2673 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -489,6 +489,18 @@ index 75ce30f..f3347aa 100644
files_getattr_all_file_type_fs(logwatch_t)
')
+diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
+index 5a9cebf..276941d 100644
+--- a/policy/modules/admin/mcelog.te
++++ b/policy/modules/admin/mcelog.te
+@@ -7,6 +7,7 @@ policy_module(mcelog, 1.0.1)
+
+ type mcelog_t;
+ type mcelog_exec_t;
++init_system_domain(mcelog_t, mcelog_exec_t)
+ application_domain(mcelog_t, mcelog_exec_t)
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 0e19d80..9d58abe 100644
--- a/policy/modules/admin/mrtg.te
@@ -1996,10 +2008,10 @@ index 7fd0900..899e234 100644
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
-index 0000000..278b3a3
+index 0000000..4ef897d
--- /dev/null
+++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,50 @@
+
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2049,6 +2061,7 @@ index 0000000..278b3a3
+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
new file mode 100644
index 0000000..06ed3de
@@ -9391,7 +9404,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..b9e3aa9 100644
+index 437a42a..725b363 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9721,7 +9734,33 @@ index 437a42a..b9e3aa9 100644
## Read removable storage symbolic links.
## </summary>
## <param name="domain">
-@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',`
+ read_lnk_files_pattern($1, removable_t, removable_t)
+ ')
+
++######################################
++## <summary>
++## Read block nodes on removable filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_removable_blk_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ allow $1 removable_t:dir list_dir_perms;
++ read_blk_files_pattern($1, removable_t, removable_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write block nodes on removable filesystems.
+@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -9729,7 +9768,7 @@ index 437a42a..b9e3aa9 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -9737,7 +9776,7 @@ index 437a42a..b9e3aa9 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
## <summary>
## Create, read, write, and delete symbolic links
@@ -9746,7 +9785,7 @@ index 437a42a..b9e3aa9 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -9754,7 +9793,7 @@ index 437a42a..b9e3aa9 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
## <summary>
@@ -9797,7 +9836,7 @@ index 437a42a..b9e3aa9 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',`
+@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -9806,7 +9845,7 @@ index 437a42a..b9e3aa9 100644
')
########################################
-@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -19945,7 +19984,7 @@ index e1d7dc5..ee51a19 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..9e2f6d5 100644
+index cbe14e4..e74c9fe 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -20037,12 +20076,14 @@ index cbe14e4..9e2f6d5 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -253,19 +266,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +266,33 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
-allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
++allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
++
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
+allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
@@ -20071,7 +20112,7 @@ index cbe14e4..9e2f6d5 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +327,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +329,5 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -22451,7 +22492,7 @@ index 3525d24..e5db539 100644
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..8c72504 100644
+index 604f67b..31a6075 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -22517,8 +22558,31 @@ index 604f67b..8c72504 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
+@@ -378,3 +376,22 @@ interface(`kerberos_admin',`
+
+ admin_pattern($1, krb5kdc_var_run_t)
+ ')
++
++########################################
++## <summary>
++## Type transition files created in /tmp
++## to the krb5_host_rcache type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mta_tmp_filetrans_host_rcache',`
++ gen_require(`
++ type krb5_host_rcache_t;
++ ')
++
++ files_tmp_filetrans($1, krb5_host_rcache_t, file)
++')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..744e7d6 100644
+index 8edc29b..ee97d9f 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@@ -22534,6 +22598,15 @@ index 8edc29b..744e7d6 100644
## </desc>
gen_tunable(allow_kerberos, false)
+@@ -40,7 +40,7 @@ files_type(krb5_conf_t)
+ type krb5_home_t;
+ userdom_user_home_content(krb5_home_t)
+
+-type krb5_host_rcache_t;
++type krb5_host_rcache_t alias saslauthd_tmp_t;
+ files_tmp_file(krb5_host_rcache_t)
+
+ # types for general configuration files in /etc
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -32517,12 +32590,27 @@ index f1aea88..c3ffa9d 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index 22184ad..687f9ae 100644
+index 22184ad..d87a3f0 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
-@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr;
- manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
- files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
+@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+
+-type saslauthd_tmp_t;
+-files_tmp_file(saslauthd_tmp_t)
+-
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+
+@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+ allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+ allow saslauthd_t self:tcp_socket create_socket_perms;
+
+-allow saslauthd_t saslauthd_tmp_t:dir setattr;
+-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
+-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
++mta_tmp_filetrans_host_rcache(saslauthd_t)
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -32539,7 +32627,7 @@ index 22184ad..687f9ae 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
-@@ -94,6 +98,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
kerberos_keytab_template(saslauthd, saslauthd_t)
@@ -36778,7 +36866,7 @@ index aa6e5a8..42a0efb 100644
########################################
## <summary>
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 6f1e3c7..6a160b2 100644
+index 6f1e3c7..ecfe665 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,23 @@
@@ -36889,7 +36977,7 @@ index 6f1e3c7..6a160b2 100644
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
@@ -36904,7 +36992,7 @@ index 6f1e3c7..6a160b2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..19018ae 100644
+index da2601a..4b06508 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -37395,7 +37483,7 @@ index da2601a..19018ae 100644
+ type xdm_tmp_t;
+ ')
+
-+ allow initrc_t initrc_tmp_t:dir relabel_dir_perms;
++ allow $1 xdm_tmp_t:dir relabel_dir_perms;
+')
+
+########################################
@@ -40534,7 +40622,7 @@ index df3fa64..73dc579 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..eb0cec2 100644
+index 8a105fd..3f105f0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -40918,7 +41006,15 @@ index 8a105fd..eb0cec2 100644
selinux_get_enforce_mode(initrc_t)
-@@ -394,13 +568,14 @@ logging_read_audit_config(initrc_t)
+@@ -374,6 +548,7 @@ term_use_all_terms(initrc_t)
+ term_reset_tty_labels(initrc_t)
+
+ auth_rw_login_records(initrc_t)
++auth_manage_faillog(initrc_t)
+ auth_setattr_login_records(initrc_t)
+ auth_rw_lastlog(initrc_t)
+ auth_read_pam_pid(initrc_t)
+@@ -394,13 +569,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -40934,7 +41030,7 @@ index 8a105fd..eb0cec2 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +648,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +649,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -40943,7 +41039,7 @@ index 8a105fd..eb0cec2 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +694,23 @@ ifdef(`distro_redhat',`
+@@ -519,6 +695,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -40967,7 +41063,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -526,10 +718,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +719,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -40985,7 +41081,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -544,6 +743,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +744,35 @@ ifdef(`distro_suse',`
')
')
@@ -41021,7 +41117,7 @@ index 8a105fd..eb0cec2 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +784,8 @@ optional_policy(`
+@@ -556,6 +785,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -41030,7 +41126,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -572,6 +802,7 @@ optional_policy(`
+@@ -572,6 +803,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -41038,7 +41134,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -584,6 +815,11 @@ optional_policy(`
+@@ -584,6 +816,11 @@ optional_policy(`
')
optional_policy(`
@@ -41050,7 +41146,7 @@ index 8a105fd..eb0cec2 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,9 +836,13 @@ optional_policy(`
+@@ -600,9 +837,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -41064,7 +41160,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -701,7 +941,13 @@ optional_policy(`
+@@ -701,7 +942,13 @@ optional_policy(`
')
optional_policy(`
@@ -41078,7 +41174,7 @@ index 8a105fd..eb0cec2 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +970,10 @@ optional_policy(`
+@@ -724,6 +971,10 @@ optional_policy(`
')
optional_policy(`
@@ -41089,7 +41185,7 @@ index 8a105fd..eb0cec2 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -737,6 +987,10 @@ optional_policy(`
+@@ -737,6 +988,10 @@ optional_policy(`
')
optional_policy(`
@@ -41100,7 +41196,7 @@ index 8a105fd..eb0cec2 100644
quota_manage_flags(initrc_t)
')
-@@ -745,6 +999,10 @@ optional_policy(`
+@@ -745,6 +1000,10 @@ optional_policy(`
')
optional_policy(`
@@ -41111,7 +41207,7 @@ index 8a105fd..eb0cec2 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +1024,6 @@ optional_policy(`
+@@ -766,8 +1025,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -41120,7 +41216,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -776,14 +1032,21 @@ optional_policy(`
+@@ -776,14 +1033,21 @@ optional_policy(`
')
optional_policy(`
@@ -41142,7 +41238,7 @@ index 8a105fd..eb0cec2 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1068,19 @@ optional_policy(`
+@@ -805,11 +1069,19 @@ optional_policy(`
')
optional_policy(`
@@ -41163,7 +41259,7 @@ index 8a105fd..eb0cec2 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1090,25 @@ optional_policy(`
+@@ -819,6 +1091,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -41189,7 +41285,7 @@ index 8a105fd..eb0cec2 100644
')
optional_policy(`
-@@ -844,3 +1134,59 @@ optional_policy(`
+@@ -844,3 +1135,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e5b78cd..96cdd5b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
%endif
%changelog
+* Fri Nov 12 2010 Dan Walsh <dwalsh at redhat.com> 3.9.8-6
+- Remove saslauthd_tmp_t and transition tmp files to krb5_host_rcache_t
+
* Thu Nov 11 2010 Dan Walsh <dwalsh at redhat.com> 3.9.8-5
- kdump leaks kdump_etc_t to ifconfig, add dontaudit
- uux needs to transition to uucpd_t
More information about the scm-commits
mailing list