[selinux-policy/f13/master] - allow chfn_t to check whether rssh_exec_t is executable - Make labeled ipsec work in MLS machines
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Feb 15 16:22:15 UTC 2011
commit e78dd33a2aa6ae6891961c5abfe9560b74da4121
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Feb 15 17:23:07 2011 +0000
- allow chfn_t to check whether rssh_exec_t is executable
- Make labeled ipsec work in MLS machines
- cgred needs fsetid
- Allow cmirrord to create physical disk devices in /dev
- Make the NNTP gateway work with mailman
policy-F13.patch | 154 ++++++++++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 9 +++-
2 files changed, 130 insertions(+), 33 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index b551b50..406c0ca 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -3281,8 +3281,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-01-07 09:29:10.000000000 +0000
-@@ -197,8 +197,8 @@
++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2011-02-14 15:06:53.162796002 +0000
+@@ -121,6 +121,10 @@
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(chfn_t)
+
++optional_policy(`
++ rssh_exec(chfn_t)
++')
++
+ ########################################
+ #
+ # Crack local policy
+@@ -197,8 +201,8 @@
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
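Review bot: `rssh_exec(chfn_t)` grants more than the commit message states: the interface it calls, added in the rssh.if hunk further down (@@ -7540), is built on `can_exec($1, rssh_exec_t)`, which lets chfn_t actually execute rssh_exec_t in its own domain rather than only check whether it is executable. This file already shows the narrower pattern for that purpose a few hunks below, `# allow checking if a shell is executable` / `corecmd_check_exec_shell(passwd_t)`, which in refpolicy is a `{ getattr execute }` file grant. If the only need is the executability check, add a check-style interface in rssh.if (a constructed name, e.g. `rssh_check_exec`, with `allow $1 rssh_exec_t:file { getattr execute };`) and call that from chfn_t; if chfn really does run rssh, the changelog line should say so. The rssh.if hunk's `<summary>` ("Execute the rssh program in the caller domain") is accurate for `can_exec`, so it is the caller, not the interface, that is mismatched.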
@@ -3293,7 +3304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -209,6 +209,7 @@
+@@ -209,6 +213,7 @@
files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t)
files_read_etc_runtime_files(groupadd_t)
@@ -3301,7 +3312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
# Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
corecmd_exec_bin(groupadd_t)
-@@ -256,7 +257,8 @@
+@@ -256,7 +261,8 @@
# Passwd local policy
#
@@ -3311,7 +3322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
-@@ -294,6 +296,8 @@
+@@ -294,6 +300,8 @@
term_use_all_ttys(passwd_t)
term_use_all_ptys(passwd_t)
@@ -3320,7 +3331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
-@@ -303,6 +307,9 @@
+@@ -303,6 +311,9 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
@@ -3330,7 +3341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
domain_use_interactive_fds(passwd_t)
-@@ -315,6 +322,7 @@
+@@ -315,6 +326,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -3338,7 +3349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
-@@ -333,6 +341,7 @@
+@@ -333,6 +345,7 @@
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -3346,7 +3357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -384,6 +393,7 @@
+@@ -384,6 +397,7 @@
term_use_all_ttys(sysadm_passwd_t)
term_use_all_ptys(sysadm_passwd_t)
@@ -3354,7 +3365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -427,7 +437,7 @@
+@@ -427,7 +441,7 @@
# Useradd local policy
#
@@ -3363,7 +3374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -450,6 +460,7 @@
+@@ -450,6 +464,7 @@
corecmd_exec_bin(useradd_t)
domain_use_interactive_fds(useradd_t)
@@ -3371,7 +3382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -471,6 +482,7 @@
+@@ -471,6 +486,7 @@
term_use_all_ttys(useradd_t)
term_use_all_ptys(useradd_t)
@@ -3379,7 +3390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,12 +510,8 @@
+@@ -498,12 +514,8 @@
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -3393,7 +3404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
mta_manage_spool(useradd_t)
-@@ -527,6 +535,12 @@
+@@ -527,6 +539,12 @@
')
optional_policy(`
@@ -7540,6 +7551,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/rssh.if serefpolicy-3.7.19/policy/modules/apps/rssh.if
+--- nsaserefpolicy/policy/modules/apps/rssh.if 2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/apps/rssh.if 2011-02-14 15:05:02.016796002 +0000
+@@ -45,6 +45,25 @@
+ spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
+ ')
+
++#######################################
++## <summary>
++## Execute the rssh program
++## in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rssh_exec',`
++ gen_require(`
++ type rssh_exec_t;
++ ')
++
++ can_exec($1, rssh_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read all users rssh read-only content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.19/policy/modules/apps/sambagui.fc
--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1970-01-01 00:00:00.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/apps/sambagui.fc 2010-05-28 07:42:00.000000000 +0000
@@ -10551,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.19/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2011-01-14 13:56:31.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/domain.te 2011-02-14 14:48:35.612796002 +0000
@@ -5,6 +5,21 @@
#
# Declarations
@@ -10638,7 +10678,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -153,3 +186,79 @@
+@@ -153,3 +186,83 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -10696,7 +10736,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ifdef(`hide_broken_symptoms',`
+ dontaudit domain self:udp_socket listen;
+ allow domain domain:key { link search };
++ ')
+')
++
++optional_policy(`
++ ipsec_match_default_spd(domain)
+')
+
+optional_policy(`
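Review bot: The `')` added after `allow domain domain:key { link search };` is indented one tab, but the `ifdef(` opener it closes at the top of the hunk sits at column 0; refpolicy closes a block at the same indent as its opener, as the next line already does for the enclosing block, whose opening lies outside this hunk. Either the new `')` should be at column 0 or the `ifdef(` line should carry the tab — as written the two do not match. Separately, `ipsec_match_default_spd(domain)` is applied to the `domain` attribute, i.e. every process domain; a one-line comment stating why labeled-IPsec policy matching has to be system-wide, e.g. `# labeled IPsec on MLS: all domains must be able to match the default SPD entry`, would make the scope of this grant reviewable later.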
@@ -19174,7 +19218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.19/policy/modules/services/cgroup.te
--- nsaserefpolicy/policy/modules/services/cgroup.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2011-02-07 14:09:12.598796002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/cgroup.te 2011-02-14 15:11:46.398796002 +0000
@@ -0,0 +1,104 @@
+policy_module(cgroup, 1.0.0)
+
@@ -19252,7 +19296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
+# cgred personal policy.
+#
+
-+allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
+allow cgred_t self:netlink_socket { write bind create read };
+allow cgred_t self:unix_dgram_socket { write create connect };
+
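Review bot: The capability set on `allow cgred_t self:capability { ... }` gains `chown` as well as `fsetid`, while the commit message and the changelog entry in selinux-policy.spec mention only `fsetid`. `chown` lets cgred_t change ownership of any file it can already write, so it should either be dropped if no denial required it, or recorded in the changelog and justified in place with a comment such as `# chown/fsetid: needed when cgred adjusts ownership of the cgroup files it manages -- confirm against the originating AVC`. Keeping the grant traceable matters more for a capability line than for an ordinary file rule.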
@@ -19896,8 +19940,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmirrord.te serefpolicy-3.7.19/policy/modules/services/cmirrord.te
--- nsaserefpolicy/policy/modules/services/cmirrord.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2010-09-15 13:45:43.000000000 +0000
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.7.19/policy/modules/services/cmirrord.te 2011-02-14 15:14:10.351796002 +0000
+@@ -0,0 +1,65 @@
+
+policy_module(cmirrord,1.0.0)
+
@@ -19926,7 +19970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+
+allow cmirrord_t self:capability { net_admin kill };
+dontaudit cmirrord_t self:capability sys_tty_config;
-+allow cmirrord_t self:process { fork signal };
++allow cmirrord_t self:process { setfscreate signal fork};
+
+allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+
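Review bot: `{ setfscreate signal fork}` is missing the space before the closing brace and also reorders the pre-existing `fork signal` pair, which makes the diff larger than the single permission being added; `allow cmirrord_t self:process { fork setfscreate signal };` keeps the original order and matches `{ net_admin kill }` two lines above. `setfscreate` is also unexplained: it presumably pairs with `storage_create_fixed_disk_dev(cmirrord_t)` and `seutil_read_file_contexts(cmirrord_t)` in the next hunk so the daemon can label the device nodes it creates, and a comment to that effect, e.g. `# cmirrord creates disk device nodes in /dev and sets their label itself (see file_contexts read below)`, should sit above the rule.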
@@ -19947,9 +19991,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir
+
+files_read_etc_files(cmirrord_t)
+
++storage_create_fixed_disk_dev(cmirrord_t)
+storage_raw_read_fixed_disk(cmirrord_t)
+storage_raw_write_fixed_disk(cmirrord_t)
+
++seutil_read_file_contexts(cmirrord_t)
++
+libs_use_ld_so(cmirrord_t)
+libs_use_shared_libs(cmirrord_t)
+
@@ -26234,6 +26281,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.7.19/policy/modules/services/mailman.te
+--- nsaserefpolicy/policy/modules/services/mailman.te 2010-04-13 18:44:37.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/mailman.te 2011-02-14 12:25:43.743796002 +0000
+@@ -70,6 +70,10 @@
+ manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+
++# make NNTP gateway working
++corenet_tcp_connect_innd_port(mailman_mail_t)
++corenet_tcp_connect_spamd_port(mailman_mail_t)
++
+ files_search_spool(mailman_mail_t)
+
+ fs_rw_anon_inodefs_files(mailman_mail_t)
+@@ -105,6 +109,8 @@
+
+ kernel_read_proc_symlinks(mailman_queue_t)
+
++corenet_tcp_connect_innd_port(mailman_queue_t)
++
+ auth_domtrans_chk_passwd(mailman_queue_t)
+
+ files_dontaudit_search_pids(mailman_queue_t)
+@@ -126,4 +132,4 @@
+
+ optional_policy(`
+ su_exec(mailman_queue_t)
+-')
+\ No newline at end of file
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.if serefpolicy-3.7.19/policy/modules/services/memcached.if
--- nsaserefpolicy/policy/modules/services/memcached.if 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/services/memcached.if 2010-09-16 12:51:54.000000000 +0000
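Review bot: The comment `# make NNTP gateway working` covers two rules, but `corenet_tcp_connect_spamd_port(mailman_mail_t)` has nothing to do with the NNTP gateway and is not mentioned in the commit message or the changelog. Split the comment so each grant is justified on its own: `# allow the NNTP gateway to reach innd` above the innd line, and a separate comment (plus a changelog line) for the spamd port. The later `corenet_tcp_connect_innd_port(mailman_queue_t)` rule in the same hunk currently has no comment at all and should carry the same innd note.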
@@ -38400,7 +38477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-01-25 15:34:26.829455001 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2011-02-14 14:49:26.196796002 +0000
@@ -34,13 +34,12 @@
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
@@ -38443,7 +38520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -114,6 +111,7 @@
+@@ -114,20 +111,23 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -38451,7 +38528,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +123,10 @@
+
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
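Review bot: `allow ssh_t sshd_t:peer recv;` is the only policy change in this hunk (the rest is widened context), and nothing in the file says why the ssh client now needs a `peer` class permission; its connection to the "labeled ipsec in MLS" item in the commit message is only implied. Add a comment above the rule, e.g. `# labeled networking (IPsec/MLS): accept packets whose peer label is sshd_t`, so the grant is not mistaken for an unrelated leftover later.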
@@ -38465,7 +38547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -139,6 +138,8 @@
+@@ -139,6 +139,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -38474,7 +38556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -170,8 +171,10 @@
+@@ -170,8 +172,10 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -38486,7 +38568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -217,6 +220,9 @@
+@@ -217,6 +221,9 @@
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
@@ -38496,7 +38578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,36 +288,39 @@
+@@ -282,36 +289,39 @@
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -38545,7 +38627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -319,10 +328,27 @@
+@@ -319,10 +329,27 @@
')
optional_policy(`
@@ -38573,7 +38655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
rpm_use_script_fds(sshd_t)
')
-@@ -333,10 +359,18 @@
+@@ -333,10 +360,18 @@
')
optional_policy(`
@@ -43234,7 +43316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-08-11 09:42:38.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2011-02-14 14:50:40.413796001 +0000
@@ -18,6 +18,24 @@
domtrans_pattern($1, ipsec_exec_t, ipsec_t)
')
@@ -43260,7 +43342,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
########################################
## <summary>
## Connect to IPSEC using a unix domain stream socket.
-@@ -273,3 +291,78 @@
+@@ -129,6 +147,7 @@
+
+ allow $1 ipsec_spd_t:association polmatch;
+ allow $1 self:association sendto;
++ allow $1 self:peer recv;
+ ')
+
+ ########################################
+@@ -273,3 +292,78 @@
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
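Review bot: `allow $1 self:peer recv;` is added to an interface whose header and XML `<summary>` lie outside this hunk, and that documentation should be updated to say the caller can now also receive from peers carrying its own label, since the policy documentation tooling is generated from those summaries. A one-line comment next to the rule also helps, e.g. `# labeled IPsec: receive packets from peers labeled with the caller's own context`. If this is the interface that the domain.te hunk above now calls as `ipsec_match_default_spd(domain)`, the grant lands on every domain, which is worth stating explicitly in the summary.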
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b3eebb..319e060 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 91%{?dist}
+Release: 92%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,13 @@ exit 0
%endif
%changelog
+* Tue Feb 15 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-92
+- allow chfn_t to check whether rssh_exec_t is executable
+- Make labeled ipsec work in MLS machines
+- cgred needs fsetid
+- Allow cmirrord to create physical disk devices in /dev
+- Make NNTP gateway working with mailman
+
* Tue Feb 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-91
- Make screen working for sysadm_u
- Add /dev/crash crash_dev_t