[selinux-policy/f13/master] - Dontaudit init leaks

Miroslav Grepl mgrepl at fedoraproject.org
Tue Oct 26 09:52:58 UTC 2010


commit b5f115f2fb820d5c1d0f89b8ef825431a6a6c389
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Oct 26 11:52:51 2010 +0200

    - Dontaudit init leaks

 policy-F13.patch    |   92 ++++++++++++++++++++++++++++++++++++---------------
 selinux-policy.spec |    5 ++-
 2 files changed, 69 insertions(+), 28 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 78717b0..4ea86b4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2475,8 +2475,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2010-09-24 14:23:58.850635407 +0200
-@@ -0,0 +1,67 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te	2010-10-26 10:35:13.462651140 +0200
+@@ -0,0 +1,68 @@
 +policy_module(shutdown,1.0.0)
 +
 +########################################
@@ -2525,6 +2525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +init_read_utmp(shutdown_t)
 +init_rw_utmp(shutdown_t)
 +init_telinit(shutdown_t)
++init_dontaudit_leaks(shutdown_t)
 +
 +logging_search_logs(shutdown_t)
 +logging_send_audit_msgs(shutdown_t)
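Review bot: The added `init_dontaudit_leaks(shutdown_t)` line says nothing about which denial it is meant to silence, unlike the neighbouring utmp dontaudit in usermanage.te that carries a two-line explanation of why the denial is harmless. A short comment above the call, `# init hands an inherited fifo fd to this domain; do not audit rw on it`, would let a later reader tell this apart from a deliberate grant. The same applies to the passwd_t, smbcontrol_t and semanage_t callers added further down in usermanage.te, samba.te and selinuxutil.te; in selinuxutil.te the new line additionally lands directly under the `#signal mcstrans on reload` comment, which describes only the init_spec_domtrans_script call above it, so it should get its own line of comment or be placed before that comment.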
@@ -2779,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2010-10-01 15:16:38.939348984 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2010-10-26 10:37:40.688650931 +0200
 @@ -199,6 +199,7 @@
  
  term_use_all_ttys(groupadd_t)
@@ -2825,7 +2826,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -333,6 +341,7 @@
+@@ -315,6 +323,7 @@
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it.  Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
++init_dontaudit_leaks(passwd_t)
+ init_use_fds(passwd_t)
+ 
+ logging_send_audit_msgs(passwd_t)
+@@ -333,6 +342,7 @@
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2833,7 +2842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -427,7 +436,7 @@
+@@ -427,7 +437,7 @@
  # Useradd local policy
  #
  
@@ -2842,7 +2851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -450,6 +459,7 @@
+@@ -450,6 +460,7 @@
  corecmd_exec_bin(useradd_t)
  
  domain_use_interactive_fds(useradd_t)
@@ -2850,7 +2859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -498,12 +508,8 @@
+@@ -498,12 +509,8 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2864,7 +2873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  mta_manage_spool(useradd_t)
  
-@@ -527,6 +533,12 @@
+@@ -527,6 +534,12 @@
  ')
  
  optional_policy(`
@@ -7295,8 +7304,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-10-18 15:03:16.043900000 +0200
-@@ -0,0 +1,421 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-10-25 18:09:55.337651301 +0200
+@@ -0,0 +1,425 @@
 +policy_module(sandbox,1.0.0)
 +
 +dbus_stub()
@@ -7661,6 +7670,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +userdom_delete_user_tmpfs_files(sandbox_web_type)
 +
 +optional_policy(`
++	alsa_read_rw_config(sandbox_web_type)
++')
++
++optional_policy(`
 +	bluetooth_dontaudit_dbus_chat(sandbox_web_type)
 +')
 +
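Review bot: The `alsa_read_rw_config(sandbox_web_type)` block is unrelated to the commit subject, and the 3.7.19-69 changelog entry in selinux-policy.spec lists only `- Dontaudit init leaks`, so this widening of the sandbox web domain leaves no trace in the package history. Either add a changelog line such as `- Allow sandbox web types to read alsa config` or split it into its own commit. Judging by the interface name it grants read access only and the optional_policy wrapping matches the bluetooth block below it, so the rule itself looks fine.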
@@ -32958,7 +32971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te	2010-10-08 10:26:42.307649666 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.te	2010-10-26 10:38:39.378650869 +0200
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -33174,7 +33187,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -536,6 +574,8 @@
+@@ -532,10 +570,14 @@
+ 
+ domain_use_interactive_fds(smbcontrol_t)
+ 
++init_dontaudit_leaks(smbcontrol_t)
++
+ files_read_etc_files(smbcontrol_t)
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -33183,7 +33202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ########################################
  #
  # smbmount Local policy
-@@ -618,7 +658,7 @@
+@@ -618,7 +660,7 @@
  # SWAT Local policy
  #
  
@@ -33192,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +666,25 @@
+@@ -626,23 +668,25 @@
  allow swat_t self:udp_socket create_socket_perms;
  allow swat_t self:unix_stream_socket connectto;
  
@@ -33226,7 +33245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t smbd_exec_t:file mmap_file_perms ;
  
  allow swat_t smbd_t:process signull;
-@@ -657,11 +699,14 @@
+@@ -657,11 +701,14 @@
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
  allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -33242,7 +33261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
  kernel_read_network_state(swat_t)
-@@ -700,6 +745,8 @@
+@@ -700,6 +747,8 @@
  
  miscfiles_read_localization(swat_t)
  
@@ -33251,7 +33270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -713,12 +760,23 @@
+@@ -713,12 +762,23 @@
  	kerberos_use(swat_t)
  ')
  
@@ -33276,7 +33295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -763,6 +821,7 @@
+@@ -763,6 +823,7 @@
  
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
@@ -33284,7 +33303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  corecmd_exec_bin(winbind_t)
  
-@@ -779,6 +838,9 @@
+@@ -779,6 +840,9 @@
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -33294,7 +33313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
-@@ -788,7 +850,7 @@
+@@ -788,7 +852,7 @@
  
  auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
@@ -33303,7 +33322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -866,6 +928,18 @@
+@@ -866,6 +930,18 @@
  #
  
  optional_policy(`
@@ -33322,7 +33341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -876,9 +950,12 @@
+@@ -876,9 +952,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -38626,7 +38645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if	2010-09-13 16:15:23.146085276 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if	2010-10-26 10:34:57.510650962 +0200
 @@ -193,8 +193,10 @@
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
@@ -38859,7 +38878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -1712,3 +1808,74 @@
+@@ -1712,3 +1808,92 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -38918,6 +38937,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 +#######################################
 +## <summary>
++##  dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`init_dontaudit_leaks',`
++    gen_require(`
++        type init_t;
++    ')
++
++    dontaudit $1 init_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++#######################################
++## <summary>
 +## Manage init script
 +## status files.
 +## </summary>
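Review bot: The summary of the new `init_dontaudit_leaks` interface, `dontaudit read and write an leaked file descriptors`, is both ungrammatical and broader than the rule it documents: the only rule is `dontaudit $1 init_t:fifo_file rw_inherited_fifo_file_perms;`, so it silences read/write on a fifo descriptor inherited from init_t and nothing else. Suggest `## Do not audit attempts to read or write an init_t fifo file descriptor leaked to the domain.` so callers do not expect other leaked descriptor types to be covered. Using the inherited permission set is the right scope, since it does not hide a fresh open of an init_t fifo; the leak itself presumably still needs fixing on the init side and this interface only removes the log noise. The body is also indented with four spaces whereas the surrounding init.if interfaces in this patch use tabs.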
@@ -41896,7 +41933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te	2010-10-13 09:09:23.135649707 +0200
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te	2010-10-26 10:36:50.480651251 +0200
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -42135,7 +42172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -484,12 +457,23 @@
+@@ -484,12 +457,24 @@
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -42154,12 +42191,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +optional_policy(`
 +	#signal mcstrans on reload
 +	init_spec_domtrans_script(semanage_t)
++	init_dontaudit_leaks(semanage_t)
 +')
 +
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -499,112 +483,54 @@
+@@ -499,112 +484,54 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 444a548..172d278 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 68%{?dist}
+Release: 69%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Oct 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-69
+- Dontaudit init leaks
+
 * Mon Oct 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-68
 - Fix httpd_setrlimit boolean to allow sys_resource capability
 - Allow lowatch to use zz-disk_space logwatch script

