[selinux-policy/f13/master] - allow chfn_t to check whether rssh_exec_t is executable - Make labeled ipsec work in MLS machines

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 15 16:22:15 UTC 2011


commit e78dd33a2aa6ae6891961c5abfe9560b74da4121
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Feb 15 17:23:07 2011 +0000

    - allow chfn_t to check whether rssh_exec_t is executable
    - Make labeled ipsec work in MLS machines
    - cgred needs fsetid
    - Allow cmirrord to create physical disk devices in /dev
    - Make the NNTP gateway work with mailman

 policy-F13.patch    |  154 ++++++++++++++++++++++++++++++++++++++++-----------
 selinux-policy.spec |    9 +++-
 2 files changed, 130 insertions(+), 33 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index b551b50..406c0ca 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -3281,8 +3281,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2011-01-07 09:29:10.000000000 +0000
-@@ -197,8 +197,8 @@
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te	2011-02-14 15:06:53.162796002 +0000
+@@ -121,6 +121,10 @@
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(chfn_t)
+ 
++optional_policy(`
++	rssh_exec(chfn_t)
++')
++
+ ########################################
+ #
+ # Crack local policy
+@@ -197,8 +201,8 @@
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
@@ -3293,7 +3304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -209,6 +209,7 @@
+@@ -209,6 +213,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
  files_read_etc_runtime_files(groupadd_t)
@@ -3301,7 +3312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
  corecmd_exec_bin(groupadd_t)
-@@ -256,7 +257,8 @@
+@@ -256,7 +261,8 @@
  # Passwd local policy
  #
  
@@ -3311,7 +3322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
  allow passwd_t self:fd use;
-@@ -294,6 +296,8 @@
+@@ -294,6 +300,8 @@
  
  term_use_all_ttys(passwd_t)
  term_use_all_ptys(passwd_t)
@@ -3320,7 +3331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  auth_domtrans_chk_passwd(passwd_t)
  auth_manage_shadow(passwd_t)
-@@ -303,6 +307,9 @@
+@@ -303,6 +311,9 @@
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
@@ -3330,7 +3341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -315,6 +322,7 @@
+@@ -315,6 +326,7 @@
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(passwd_t)
@@ -3338,7 +3349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  init_use_fds(passwd_t)
  
  logging_send_audit_msgs(passwd_t)
-@@ -333,6 +341,7 @@
+@@ -333,6 +345,7 @@
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3346,7 +3357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -384,6 +393,7 @@
+@@ -384,6 +397,7 @@
  
  term_use_all_ttys(sysadm_passwd_t)
  term_use_all_ptys(sysadm_passwd_t)
@@ -3354,7 +3365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
-@@ -427,7 +437,7 @@
+@@ -427,7 +441,7 @@
  # Useradd local policy
  #
  
@@ -3363,7 +3374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -450,6 +460,7 @@
+@@ -450,6 +464,7 @@
  corecmd_exec_bin(useradd_t)
  
  domain_use_interactive_fds(useradd_t)
@@ -3371,7 +3382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -471,6 +482,7 @@
+@@ -471,6 +486,7 @@
  
  term_use_all_ttys(useradd_t)
  term_use_all_ptys(useradd_t)
@@ -3379,7 +3390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,12 +510,8 @@
+@@ -498,12 +514,8 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -3393,7 +3404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  mta_manage_spool(useradd_t)
  
-@@ -527,6 +535,12 @@
+@@ -527,6 +539,12 @@
  ')
  
  optional_policy(`
@@ -7540,6 +7551,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
  	allow unconfined_qemu_t self:process { execstack execmem };
 +	allow unconfined_qemu_t qemu_exec_t:file execmod;
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/rssh.if serefpolicy-3.7.19/policy/modules/apps/rssh.if
+--- nsaserefpolicy/policy/modules/apps/rssh.if	2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/apps/rssh.if	2011-02-14 15:05:02.016796002 +0000
+@@ -45,6 +45,25 @@
+ 	spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Execute the rssh program
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rssh_exec',`
++    gen_require(`
++        type rssh_exec_t;
++    ')
++
++    can_exec($1, rssh_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read all users rssh read-only content.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.19/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1970-01-01 00:00:00.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/apps/sambagui.fc	2010-05-28 07:42:00.000000000 +0000
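Review bot: The new `rssh_exec` interface grants `can_exec($1, rssh_exec_t)`, which in refpolicy expands to read/open/execute/execute_no_trans on the file, so the caller may actually run rssh in its own domain, while this commit's changelog only asks that chfn_t be able to check whether rssh_exec_t is executable. chfn_t is the domain of a setuid-root helper, so a check-only interface mirroring `corecmd_check_exec_shell` (used with the comment `# allow checking if a shell is executable` elsewhere in this patch) is the least-privilege fit: name it `rssh_check_exec` and replace the `can_exec` line with `allow $1 rssh_exec_t:file { getattr execute };`. If full execution really is required, keep the body but make the summary say "Execute the rssh program in the caller domain" is intentional and record it in the changelog; as written, the summary and the changelog describe two different grants. The interface body is also indented with four spaces where the neighbouring interfaces in this file use tabs, and the `optional_policy` call site in usermanage.te would benefit from a one-line why-comment such as `# chfn/chsh validate that rssh is an executable shell`.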
@@ -10551,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te	2011-01-14 13:56:31.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te	2011-02-14 14:48:35.612796002 +0000
 @@ -5,6 +5,21 @@
  #
  # Declarations
@@ -10638,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -153,3 +186,79 @@
+@@ -153,3 +186,83 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -10696,7 +10736,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
++	')
 +')
++
++optional_policy(`
++    ipsec_match_default_spd(domain)
 +')
 +
 +optional_policy(`
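Review bot: The new `ipsec_match_default_spd(domain)` rule is attached to the `domain` attribute, so every domain on the system, not just MLS-relevant ones, gains the `ipsec_spd_t:association polmatch` and `self:association sendto` permissions that interface carries (and, after this commit's ipsec.if change, `self:peer recv` as well); nothing in the hunk says why the grant must be global. I would add `# labeled IPsec on MLS: every domain may match the default SPD and send on its own association` above the block. The body line is indented with four spaces while the `dontaudit`/`allow` lines just above it use a tab, which is the convention in this file. The `')` immediately before the new block closes a construct whose opening line is outside this hunk, so the nesting of the new `optional_policy` relative to it cannot be confirmed from here.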
@@ -19174,7 +19218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te
 --- nsaserefpolicy/policy/modules/services/cgroup.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te	2011-02-07 14:09:12.598796002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te	2011-02-14 15:11:46.398796002 +0000
 @@ -0,0 +1,104 @@
 +policy_module(cgroup, 1.0.0)
 +
@@ -19252,7 +19296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +# cgred personal policy.
 +#
 +
-+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
 +allow cgred_t self:netlink_socket { write bind create read };
 +allow cgred_t self:unix_dgram_socket { write create connect };
 +
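Review bot: `chown` is added to cgred_t's capability set together with `fsetid`, but the changelog entry for this commit says only "cgred needs fsetid"; CAP_CHOWN lets the daemon change the owner of any file it can already reach, so it needs its own justification or should be dropped. Either add a comment above the rule, e.g. `# cgred chowns the cgroup files it creates to the rule's uid/gid`, or extend the changelog line to `- cgred needs chown and fsetid`. If `chown` was added only to silence an AVC whose necessity is unconfirmed, a `dontaudit cgred_t self:capability chown;` is the safer interim rule.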
@@ -19896,8 +19940,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
 --- nsaserefpolicy/policy/modules/services/cmirrord.te	1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te	2010-09-15 13:45:43.000000000 +0000
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te	2011-02-14 15:14:10.351796002 +0000
+@@ -0,0 +1,65 @@
 +
 +policy_module(cmirrord,1.0.0)
 +
@@ -19926,7 +19970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +
 +allow cmirrord_t self:capability { net_admin kill };
 +dontaudit cmirrord_t self:capability sys_tty_config;
-+allow cmirrord_t self:process { fork signal };
++allow cmirrord_t self:process { setfscreate signal fork};
 +
 +allow cmirrord_t self:fifo_file rw_fifo_file_perms;
 +
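Review bot: The rewritten rule `allow cmirrord_t self:process { setfscreate signal fork};` is missing the space before `}` and lists the permissions out of the alphabetical order used in the rest of this module; `allow cmirrord_t self:process { fork setfscreate signal };` matches refpolicy style. `setfscreate` also lands without a comment saying why a mirror daemon sets its own file-creation context; if it is for labelling the device nodes it creates under /dev (the changelog item this hunk belongs to), say so with `# sets the SELinux context of the mirror device nodes it creates`.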
@@ -19947,9 +19991,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
 +
 +files_read_etc_files(cmirrord_t)
 +
++storage_create_fixed_disk_dev(cmirrord_t)
 +storage_raw_read_fixed_disk(cmirrord_t)
 +storage_raw_write_fixed_disk(cmirrord_t)
 +
++seutil_read_file_contexts(cmirrord_t)
++
 +libs_use_ld_so(cmirrord_t)
 +libs_use_shared_libs(cmirrord_t)
 +
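Review bot: `storage_create_fixed_disk_dev(cmirrord_t)` and `seutil_read_file_contexts(cmirrord_t)` are added without a comment linking them to the "create physical disk devices in /dev" changelog item, so a reader of the module cannot tell that reading file_contexts is in service of labelling those nodes. Suggest `# creates block device nodes for mirror legs in /dev` above the storage_* lines and `# looks up the context to assign to the device nodes it creates` above `seutil_read_file_contexts`. Whether the daemon really computes the label itself, rather than relying on a type transition supplied by the storage interface, is not something the hunk shows; if the transition suffices, the file_contexts read and the accompanying setfscreate grant could be dropped.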
@@ -26234,6 +26281,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.19/policy/modules/services/mailman.te
+--- nsaserefpolicy/policy/modules/services/mailman.te	2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/mailman.te	2011-02-14 12:25:43.743796002 +0000
+@@ -70,6 +70,10 @@
+ manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ 
++# make NNTP gateway working
++corenet_tcp_connect_innd_port(mailman_mail_t)
++corenet_tcp_connect_spamd_port(mailman_mail_t)
++
+ files_search_spool(mailman_mail_t)
+ 
+ fs_rw_anon_inodefs_files(mailman_mail_t)
+@@ -105,6 +109,8 @@
+ 
+ kernel_read_proc_symlinks(mailman_queue_t)
+ 
++corenet_tcp_connect_innd_port(mailman_queue_t)
++
+ auth_domtrans_chk_passwd(mailman_queue_t)
+ 
+ files_dontaudit_search_pids(mailman_queue_t)
+@@ -126,4 +132,4 @@
+ 
+ optional_policy(`
+ 	su_exec(mailman_queue_t)
+-')
+\ No newline at end of file
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if
 --- nsaserefpolicy/policy/modules/services/memcached.if	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/memcached.if	2010-09-16 12:51:54.000000000 +0000
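Review bot: `corenet_tcp_connect_spamd_port(mailman_mail_t)` sits under the `# make NNTP gateway working` comment, but spamd is not part of NNTP gatewaying and neither the comment nor the changelog mentions it, so the spamd access needs its own comment (e.g. `# mailman_mail_t hands messages to a local spamd for scoring`) or its own changelog line. The innd connects for mailman_mail_t and mailman_queue_t are granted unconditionally; since the news gateway is an optional mailman feature, wrapping them in a boolean such as `tunable_policy(\`mailman_nntp_gateway', ...)` would let sites that do not gateway to news keep the daemons off the innd port. The comment itself could read `# allow the NNTP gateway to reach innd`.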
@@ -38400,7 +38477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-01-25 15:34:26.829455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-02-14 14:49:26.196796002 +0000
 @@ -34,13 +34,12 @@
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
@@ -38443,7 +38520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -114,6 +111,7 @@
+@@ -114,20 +111,23 @@
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -38451,7 +38528,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +123,10 @@
+ 
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+ 
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
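Review bot: `allow ssh_t sshd_t:peer recv;` is a raw allow on the `peer` class with no comment tying it to labeled networking, unlike the rest of this commit's labeled-IPsec changes, which go through ipsec.if interfaces. Add `# labeled IPsec/NetLabel: accept packets from a peer running as sshd_t` above it so the next reader does not mistake it for a unix-socket rule like the `connectto` line directly above. The enclosing ssh_t block continues past both ends of this hunk.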
@@ -38465,7 +38547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -139,6 +138,8 @@
+@@ -139,6 +139,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -38474,7 +38556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -170,8 +171,10 @@
+@@ -170,8 +172,10 @@
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -38486,7 +38568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -217,6 +220,9 @@
+@@ -217,6 +221,9 @@
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
  files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
  
@@ -38496,7 +38578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,36 +288,39 @@
+@@ -282,36 +289,39 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
@@ -38545,7 +38627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -319,10 +328,27 @@
+@@ -319,10 +329,27 @@
  ')
  
  optional_policy(`
@@ -38573,7 +38655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +359,18 @@
+@@ -333,10 +360,18 @@
  ')
  
  optional_policy(`
@@ -43234,7 +43316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if	2010-08-11 09:42:38.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if	2011-02-14 14:50:40.413796001 +0000
 @@ -18,6 +18,24 @@
  	domtrans_pattern($1, ipsec_exec_t, ipsec_t)
  ')
@@ -43260,7 +43342,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  ########################################
  ## <summary>
  ##	Connect to IPSEC using a unix domain stream socket.
-@@ -273,3 +291,78 @@
+@@ -129,6 +147,7 @@
+ 
+ 	allow $1 ipsec_spd_t:association polmatch;
+ 	allow $1 self:association sendto;
++	allow $1 self:peer recv;
+ ')
+ 
+ ########################################
+@@ -273,3 +292,78 @@
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
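Review bot: `allow $1 self:peer recv;` is added to an interface whose header and summary are above this hunk (the `ipsec_spd_t:association polmatch` body suggests it is `ipsec_match_default_spd`); the summary should now state that the interface also permits receiving labeled-network packets from a peer carrying the caller's own label, otherwise callers wanting only SPD matching will not expect the extra grant. Suggest appending to the summary a line such as `## Also allows receiving labeled packets from peers with the caller's own label.`. Since this interface is applied to the `domain` attribute elsewhere in this commit, the new rule effectively reaches every domain, which is worth stating in the commit message.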
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b3eebb..319e060 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 91%{?dist}
+Release: 92%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
 %endif
 
 %changelog
+* Tue Feb 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-92
+- allow chfn_t to check whether rssh_exec_t is executable
+- Make labeled ipsec work in MLS machines
+- cgred needs fsetid
+- Allow cmirrord to create physical disk devices in /dev
+- Make NNTP gateway working with mailman
+
 * Tue Feb 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-91
 - Make screen working for sysadm_u
 - Add /dev/crash crash_dev_t

