[selinux-policy/f13/master] - Dontaudit init leaks
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Oct 26 09:52:58 UTC 2010
commit b5f115f2fb820d5c1d0f89b8ef825431a6a6c389
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Oct 26 11:52:51 2010 +0200
- Dontaudit init leaks
policy-F13.patch | 92 ++++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 5 ++-
2 files changed, 69 insertions(+), 28 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 78717b0..4ea86b4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2475,8 +2475,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-09-24 14:23:58.850635407 +0200
-@@ -0,0 +1,67 @@
++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-10-26 10:35:13.462651140 +0200
+@@ -0,0 +1,68 @@
+policy_module(shutdown,1.0.0)
+
+########################################
@@ -2525,6 +2525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
+init_read_utmp(shutdown_t)
+init_rw_utmp(shutdown_t)
+init_telinit(shutdown_t)
++init_dontaudit_leaks(shutdown_t)
+
+logging_search_logs(shutdown_t)
+logging_send_audit_msgs(shutdown_t)
@@ -2779,7 +2780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-01 15:16:38.939348984 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-26 10:37:40.688650931 +0200
@@ -199,6 +199,7 @@
term_use_all_ttys(groupadd_t)
@@ -2825,7 +2826,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
domain_use_interactive_fds(passwd_t)
-@@ -333,6 +341,7 @@
+@@ -315,6 +323,7 @@
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+ init_dontaudit_rw_utmp(passwd_t)
++init_dontaudit_leaks(passwd_t)
+ init_use_fds(passwd_t)
+
+ logging_send_audit_msgs(passwd_t)
+@@ -333,6 +342,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2833,7 +2842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -427,7 +436,7 @@
+@@ -427,7 +437,7 @@
# Useradd local policy
#
@@ -2842,7 +2851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -450,6 +459,7 @@
+@@ -450,6 +460,7 @@
corecmd_exec_bin(useradd_t)
domain_use_interactive_fds(useradd_t)
@@ -2850,7 +2859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -498,12 +508,8 @@
+@@ -498,12 +509,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -2864,7 +2873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
mta_manage_spool(useradd_t)
-@@ -527,6 +533,12 @@
+@@ -527,6 +534,12 @@
')
optional_policy(`
@@ -7295,8 +7304,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-18 15:03:16.043900000 +0200
-@@ -0,0 +1,421 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-10-25 18:09:55.337651301 +0200
+@@ -0,0 +1,425 @@
+policy_module(sandbox,1.0.0)
+
+dbus_stub()
@@ -7661,6 +7670,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+userdom_delete_user_tmpfs_files(sandbox_web_type)
+
+optional_policy(`
++ alsa_read_rw_config(sandbox_web_type)
++')
++
++optional_policy(`
+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
+')
+
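Review bot: The new `alsa_read_rw_config(sandbox_web_type)` block widens what every sandbox web domain may read, yet it is unrelated to the commit subject "Dontaudit init leaks" and is absent from the spec changelog. A permission added to a sandbox attribute should carry its own changelog line and a short motivation comment, e.g. `# web plugins read the alsa rw config for sound output`, so a later audit of sandbox_web_type does not have to guess why ALSA configuration is reachable. Judging by the interface name this is read access to the read-write ALSA config files; if the actual denial was narrower, a more specific interface would keep the sandbox boundary tighter. The enclosing sandbox_web_type block begins outside this hunk.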
@@ -32958,7 +32971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-08 10:26:42.307649666 +0200
++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-10-26 10:38:39.378650869 +0200
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -33174,7 +33187,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -536,6 +574,8 @@
+@@ -532,10 +570,14 @@
+
+ domain_use_interactive_fds(smbcontrol_t)
+
++init_dontaudit_leaks(smbcontrol_t)
++
+ files_read_etc_files(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
@@ -33183,7 +33202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +658,7 @@
+@@ -618,7 +660,7 @@
# SWAT Local policy
#
@@ -33192,7 +33211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +666,25 @@
+@@ -626,23 +668,25 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
@@ -33226,7 +33245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,11 +699,14 @@
+@@ -657,11 +701,14 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -33242,7 +33261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
kernel_read_network_state(swat_t)
-@@ -700,6 +745,8 @@
+@@ -700,6 +747,8 @@
miscfiles_read_localization(swat_t)
@@ -33251,7 +33270,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +760,23 @@
+@@ -713,12 +762,23 @@
kerberos_use(swat_t)
')
@@ -33276,7 +33295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -763,6 +821,7 @@
+@@ -763,6 +823,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
@@ -33284,7 +33303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corecmd_exec_bin(winbind_t)
-@@ -779,6 +838,9 @@
+@@ -779,6 +840,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -33294,7 +33313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +850,7 @@
+@@ -788,7 +852,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -33303,7 +33322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +928,18 @@
+@@ -866,6 +930,18 @@
#
optional_policy(`
@@ -33322,7 +33341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +950,12 @@
+@@ -876,9 +952,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -38626,7 +38645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.19/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-09-13 16:15:23.146085276 +0200
++++ serefpolicy-3.7.19/policy/modules/system/init.if 2010-10-26 10:34:57.510650962 +0200
@@ -193,8 +193,10 @@
gen_require(`
attribute direct_run_init, direct_init, direct_init_entry;
@@ -38859,7 +38878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
')
########################################
-@@ -1712,3 +1808,74 @@
+@@ -1712,3 +1808,92 @@
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -38918,6 +38937,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+
+#######################################
+## <summary>
++## dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_leaks',`
++ gen_require(`
++ type init_t;
++ ')
++
++ dontaudit $1 init_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++#######################################
++## <summary>
+## Manage init script
+## status files.
+## </summary>
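Review bot: The summary of the new `init_dontaudit_leaks` interface has a grammar slip and overstates its scope: it reads `dontaudit read and write an leaked file descriptors`, while the single rule only covers `init_t:fifo_file rw_inherited_fifo_file_perms`, so a leaked unix socket or regular-file descriptor from init would still be audited. Either make the documentation match — `## Do not audit attempts to read or write a fifo file descriptor inherited (leaked) from init.` — or, if sockets are meant to be silenced as well, add the corresponding dontaudit lines so the name "leaks" is accurate. A dontaudit only hides the AVC message; the descriptor is still inherited by the calling domain, so the leak itself is unchanged and the denials will reappear when dontaudit rules are disabled with `semodule -DB`. A one-line comment above the rule stating that it suppresses noise rather than closing the leak would keep the next maintainer from treating it as the fix.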
@@ -41896,7 +41933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.19/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-13 09:09:23.135649707 +0200
++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.te 2010-10-26 10:36:50.480651251 +0200
@@ -23,6 +23,9 @@
type selinux_config_t;
files_type(selinux_config_t)
@@ -42135,7 +42172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -484,12 +457,23 @@
+@@ -484,12 +457,24 @@
files_read_var_lib_symlinks(semanage_t)
')
@@ -42154,12 +42191,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
++ init_dontaudit_leaks(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -499,112 +483,54 @@
+@@ -499,112 +484,54 @@
userdom_read_user_tmp_files(semanage_t)
')
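Review bot: `init_dontaudit_leaks(semanage_t)` is added inside an `optional_policy` block whose only comment is `#signal mcstrans on reload`, so the dontaudit is now conditional on that block and mis-described by its comment. The other callers in this commit (shutdown_t, passwd_t, smbcontrol_t) invoke the same interface unconditionally, so unless there is a reason for it to be optional here, move the line out next to the other unconditional init rules for semanage_t, or at least extend the comment: `# signal mcstrans on reload; init may leak a fifo fd into semanage`. The surrounding semanage_t policy begins outside this hunk.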
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 444a548..172d278 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 68%{?dist}
+Release: 69%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Tue Oct 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-69
+- Dontaudit init leaks
+
* Mon Oct 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-68
- Fix httpd_setrlimit boolean to allow sys_resource capability
- Allow lowatch to use zz-disk_space logwatch script