[selinux-policy/f14/master] - Fixes for iscsi policy - Allow dmesg to read system state - squid apache script connects to the sq

Miroslav Grepl mgrepl at fedoraproject.org
Tue Jan 4 16:16:34 UTC 2011


commit 65458bb0cc4e69692f128e0335fe11aaed4b28e9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Jan 4 17:16:18 2011 +0000

    - Fixes for iscsi policy
    - Allow dmesg to read system state
    - squid apache script connects to the squid port
    - /var/stockmaniac/templates_cache contains log files
    - Allow radius to communicate with postgresql
    - Add transition from unconfined_java_t to wine_t

 modules-targeted.conf |    7 +
 policy-F14.patch      |  326 ++++++++++++++++++++++++++++++++++++-------------
 selinux-policy.spec   |   10 ++-
 3 files changed, 256 insertions(+), 87 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 3cbe055..b96d8ad 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1323,6 +1323,13 @@ pulseaudio = module
 pyzor = module
 
 # Layer: services
+# Module: razor
+#
+# Spam Blocker
+# 
+razor = module 
+
+# Layer: services
 # Module: qmail
 #
 # Policy for qmail
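Review bot: The commit description does not mention that this hunk enables the `razor` policy module, and several later changes in policy-F14.patch are also missing from the changelog: the gpg-agent socket rule, `squid_manage_logs(webalizer_t)` and the amanda `.ssh` labelling. Each of these changes what the loaded policy permits, so listing them in the description lets an auditor trace a permission back to a reason. The new stanza also sits between `pyzor` and `qmail`, and both `# ` and `razor = module ` carry trailing whitespace; I would write `#` and `razor = module`.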
diff --git a/policy-F14.patch b/policy-F14.patch
index 6659588..d4abbec 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -477,8 +477,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.9.7/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/dmesg.te	2010-11-05 14:02:26.404649494 +0100
-@@ -50,6 +50,12 @@
++++ serefpolicy-3.9.7/policy/modules/admin/dmesg.te	2011-01-03 08:59:37.987042463 +0100
+@@ -23,6 +23,7 @@
+ kernel_read_ring_buffer(dmesg_t)
+ kernel_clear_ring_buffer(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
++kernel_read_system_state(dmesg_t)
+ kernel_list_proc(dmesg_t)
+ kernel_read_proc_symlinks(dmesg_t)
+ 
+@@ -50,6 +51,12 @@
  userdom_use_user_terminals(dmesg_t)
  
  optional_policy(`
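Review bot: `kernel_read_system_state(dmesg_t)` is added directly above `kernel_list_proc(dmesg_t)` and `kernel_read_proc_symlinks(dmesg_t)`, which it appears to subsume in the reference policy (it grants directory listing, file read and symlink read on proc_t; confirm against kernel.if in this tree). If that holds, the two narrower calls are now redundant and can be dropped. A one-line comment above the new call naming the /proc access dmesg was denied would make the grant reviewable later.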
@@ -1422,6 +1430,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.9.7/policy/modules/admin/shorewall.fc
+--- nsaserefpolicy/policy/modules/admin/shorewall.fc	2010-10-12 22:42:51.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/admin/shorewall.fc	2011-01-04 15:04:51.055041119 +0100
+@@ -11,4 +11,6 @@
+ /var/lib/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ 
++/var/lock/subsys/shorewall  --		gen_context(system_u:object_r:shorewall_lock_t,s0)
++
+ /var/log/shorewall.*				gen_context(system_u:object_r:shorewall_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.9.7/policy/modules/admin/shorewall.if
 --- nsaserefpolicy/policy/modules/admin/shorewall.if	2010-10-12 22:42:51.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/admin/shorewall.if	2010-11-05 14:02:26.419649700 +0100
@@ -3266,8 +3284,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.9.7/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/gpg.if	2010-11-05 14:02:26.441651683 +0100
-@@ -54,6 +54,8 @@
++++ serefpolicy-3.9.7/policy/modules/apps/gpg.if	2011-01-04 15:08:59.889043195 +0100
+@@ -43,6 +43,8 @@
+ 	# Allow the user shell to signal the gpg-agent program.
+ 	allow $2 gpg_agent_t:process { signal sigkill };
+ 
++	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
++
+ 	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ 	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+ 	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
+@@ -54,6 +56,8 @@
  	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  
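Review bot: The added `allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };` grants the calling user domain more than a connection to the agent, because `rw_socket_perms` also covers reading and writing stream sockets that gpg-agent itself created if a descriptor is inherited or passed. If the aim is only to let the user domain talk to the agent over its socket file, `connectto` is the permission this rule needs: `allow $2 gpg_agent_t:unix_stream_socket connectto;`, or `stream_connect_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` to pair it with write access on the socket file. The interface body starts and ends outside the hunk, so I cannot see whether another rule depends on the wider set.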
@@ -3276,7 +3303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
  	optional_policy(`
  		gpg_pinentry_dbus_chat($2)
  	')
-@@ -85,6 +87,43 @@
+@@ -85,6 +89,43 @@
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
  
@@ -3707,7 +3734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.9.7/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/java.te	2010-11-05 14:02:26.449658144 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/java.te	2011-01-04 14:45:51.987042778 +0100
 @@ -82,12 +82,12 @@
  dev_read_rand(java_t)
  dev_dontaudit_append_rand(java_t)
@@ -3722,7 +3749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
  
  fs_getattr_xattr_fs(java_t)
  fs_dontaudit_rw_tmpfs_files(java_t)
-@@ -143,12 +143,15 @@
+@@ -143,14 +143,21 @@
  	# execheap is needed for itanium/BEA jrocket
  	allow unconfined_java_t self:process { execstack execmem execheap };
  
@@ -3738,6 +3765,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
  
  	optional_policy(`
  		rpm_domtrans(unconfined_java_t)
+ 	')
++	
++	optional_policy(`
++		wine_domtrans(unconfined_java_t)
++	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.9.7/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	2010-10-12 22:42:51.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/apps/kdumpgui.te	2010-11-05 14:02:26.450649838 +0100
@@ -7379,6 +7412,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.9.7/policy/modules/apps/webalizer.te
+--- nsaserefpolicy/policy/modules/apps/webalizer.te	2010-10-12 22:42:50.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/apps/webalizer.te	2011-01-03 14:33:54.725041758 +0100
+@@ -103,3 +103,8 @@
+ optional_policy(`
+ 	nscd_socket_use(webalizer_t)
+ ')
++
++optional_policy(`
++	squid_manage_logs(webalizer_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.9.7/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2010-10-12 22:42:50.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/apps/wine.fc	2010-11-05 14:02:26.503653075 +0100
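Review bot: `squid_manage_logs(webalizer_t)` gives the report generator create, write and delete access to squid's logs, where analysing them should need only read access. Unless webalizer is expected to rotate or truncate those files, `squid_read_log(webalizer_t)` is the narrower call (the reference squid.if provides it; confirm it exists in this tree). That keeps a misbehaving or compromised webalizer from altering or removing proxy logs. The added block also leaves an extra blank line at the end of webalizer.te.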
@@ -7750,7 +7795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 +/lib/udev/devices/net/.* -c	gen_context(system_u:object_r:tun_tap_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in	2010-11-05 14:02:26.516901283 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/corenetwork.te.in	2011-01-03 14:29:15.002042415 +0100
 @@ -24,6 +24,7 @@
  #
  type tun_tap_device_t;
@@ -7926,6 +7971,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
+@@ -274,5 +300,5 @@
+ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+ 
+ # Bind to any network address.
+-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
++allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
+ allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.9.7/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-10-12 22:42:50.000000000 +0200
 +++ serefpolicy-3.9.7/policy/modules/kernel/devices.fc	2010-11-05 14:02:26.519917011 +0100
@@ -15498,8 +15550,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.9.7/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/bitlbee.te	2010-11-10 09:41:49.192148101 +0100
-@@ -26,13 +26,14 @@
++++ serefpolicy-3.9.7/policy/modules/services/bitlbee.te	2011-01-04 17:03:31.450291694 +0100
+@@ -26,19 +26,22 @@
  #
  # Local policy
  #
@@ -15513,10 +15565,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl
  allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
  allow bitlbee_t self:fifo_file rw_fifo_file_perms;
 -allow bitlbee_t self:process signal;
++allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
  
  bitlbee_read_config(bitlbee_t)
  
-@@ -80,6 +81,10 @@
+ # tmp files
+ manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
+-files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
++files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+ 
+ # user account information is read and edited at runtime; give the usual
+ # r/w access to bitlbee_var_t
+@@ -52,6 +55,7 @@
+ corenet_udp_sendrecv_generic_node(bitlbee_t)
+ corenet_tcp_sendrecv_generic_if(bitlbee_t)
+ corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_bind_generic_node(bitlbee_t)
+ # Allow bitlbee to connect to jabber servers
+ corenet_tcp_connect_jabber_client_port(bitlbee_t)
+ corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -80,6 +84,10 @@
  
  libs_legacy_use_shared_libs(bitlbee_t)
  
@@ -18980,8 +19049,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.9.7/policy/modules/services/cvs.if
 --- nsaserefpolicy/policy/modules/services/cvs.if	2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/cvs.if	2010-11-05 14:02:26.627900099 +0100
-@@ -58,9 +58,8 @@
++++ serefpolicy-3.9.7/policy/modules/services/cvs.if	2011-01-04 13:27:09.653042014 +0100
+@@ -1,5 +1,23 @@
+ ## <summary>Concurrent versions system</summary>
+ 
++#######################################
++## <summary>
++##  Dontaudit Attempts to list the CVS data and metadata.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`cvs_dontaudit_list_data',`
++    gen_require(`
++        type cvs_data_t;
++    ')
++
++    dontaudit $1 cvs_data_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read the CVS data and metadata.
+@@ -58,9 +76,8 @@
  #
  interface(`cvs_admin',`
  	gen_require(`
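Review bot: The new `cvs_dontaudit_list_data` interface is indented with spaces while the rest of cvs.if uses tabs (compare `##	Read the CVS data and metadata.` just below it), and its parameter text says `Domain allowed access.` although the interface only suppresses audit records. I would re-indent the body and doc lines with tabs, write the summary as `Do not audit attempts to list the CVS data and metadata.` and the parameter summary as `Domain to not audit.`. The separator line above the interface also appears to be one `#` shorter than the one used before the next interface.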
@@ -24787,8 +24880,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.te serefpolicy-3.9.7/policy/modules/services/mpd.te
 --- nsaserefpolicy/policy/modules/services/mpd.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/mpd.te	2010-12-16 10:26:54.914042379 +0100
-@@ -0,0 +1,126 @@
++++ serefpolicy-3.9.7/policy/modules/services/mpd.te	2011-01-03 09:01:26.100042370 +0100
+@@ -0,0 +1,127 @@
 +policy_module(mpd, 1.0.0)
 +
 +########################################
@@ -24842,6 +24935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mpd.
 +
 +manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
 +manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
++manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
 +
 +manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
 +manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
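Review bot: `manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)` lets the daemon create, rename and delete symlinks in its data tree, which is more than following links an administrator placed there. If the denial being fixed was mpd reading a symlinked music directory, `read_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)` is enough. mpd.te continues outside this hunk, so write access may be justified elsewhere; a short comment above the line would settle it.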
@@ -25189,7 +25283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.9.7/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/mta.te	2010-11-15 17:19:29.663148347 +0100
++++ serefpolicy-3.9.7/policy/modules/services/mta.te	2011-01-04 15:53:28.091041224 +0100
 @@ -20,8 +20,8 @@
  type etc_mail_t;
  files_config_file(etc_mail_t)
@@ -25201,13 +25295,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -50,21 +50,10 @@
+@@ -50,21 +50,11 @@
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
 -allow system_mail_t self:fifo_file rw_fifo_file_perms;
 -
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
++allow system_mail_t self:process setsched;
  
  read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
  
@@ -25224,7 +25319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
-@@ -82,6 +71,10 @@
+@@ -82,6 +72,10 @@
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -25235,11 +25330,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +85,28 @@
+@@ -92,17 +86,28 @@
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
-+	apache_dontaudit_write_tmp_files(system_mail_t)
++	apache_dontaudit_rw_tmp_files(system_mail_t)
 +
 +	# apache should set close-on-exec
 +	apache_dontaudit_rw_stream_sockets(mta_user_agent)
@@ -25265,7 +25360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +115,8 @@
+@@ -111,6 +116,8 @@
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -25274,7 +25369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -124,12 +130,8 @@
+@@ -124,12 +131,8 @@
  ')
  
  optional_policy(`
@@ -25288,7 +25383,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -146,6 +148,10 @@
+@@ -146,6 +149,10 @@
  ')
  
  optional_policy(`
@@ -25299,7 +25394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +164,6 @@
+@@ -158,18 +165,6 @@
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -25318,7 +25413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -189,6 +183,10 @@
+@@ -189,6 +184,10 @@
  ')
  
  optional_policy(`
@@ -25329,7 +25424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +197,7 @@
+@@ -199,7 +198,7 @@
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -25338,7 +25433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
  	')
  
-@@ -220,7 +218,8 @@
+@@ -220,7 +219,8 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -25348,7 +25443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -249,11 +248,16 @@
+@@ -249,11 +249,16 @@
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -25365,7 +25460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  domain_use_interactive_fds(user_mail_t)
  
  userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +296,44 @@
+@@ -292,3 +297,44 @@
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -30793,7 +30888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
  	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.9.7/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/radius.te	2010-11-05 14:02:26.784900375 +0100
++++ serefpolicy-3.9.7/policy/modules/services/radius.te	2011-01-03 10:47:41.242042171 +0100
 @@ -36,7 +36,7 @@
  # gzip also needs chown access to preserve GID for radwtmp files
  allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
@@ -30814,7 +30909,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
  
  kernel_read_kernel_sysctls(radiusd_t)
  kernel_read_system_state(radiusd_t)
-@@ -129,6 +130,7 @@
+@@ -78,6 +79,7 @@
+ corenet_udp_bind_radius_port(radiusd_t)
+ corenet_tcp_connect_mysqld_port(radiusd_t)
+ corenet_tcp_connect_snmp_port(radiusd_t)
++corenet_tcp_connect_postgresql_port(radiusd_t)
+ corenet_sendrecv_radius_server_packets(radiusd_t)
+ corenet_sendrecv_radacct_server_packets(radiusd_t)
+ corenet_sendrecv_mysqld_client_packets(radiusd_t)
+@@ -129,6 +131,7 @@
  ')
  
  optional_policy(`
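Review bot: The postgresql grant covers only half of what the mysql one has in this block. `corenet_tcp_connect_mysqld_port(radiusd_t)` is paired with `corenet_sendrecv_mysqld_client_packets(radiusd_t)` a few lines below, but no `corenet_sendrecv_postgresql_client_packets(radiusd_t)` is added next to `corenet_tcp_connect_postgresql_port(radiusd_t)`. On a system that labels packets the new connection would presumably still be denied. A local PostgreSQL reached over a UNIX socket is not covered by a port rule either; whether the `optional_policy` that follows handles that is outside the hunk.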
@@ -34425,7 +34528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
  	allow $1 squid_t:process { ptrace signal_perms };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.9.7/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/squid.te	2010-11-05 14:02:26.824900133 +0100
++++ serefpolicy-3.9.7/policy/modules/services/squid.te	2011-01-03 09:56:25.203041423 +0100
 @@ -6,17 +6,17 @@
  #
  
@@ -34451,9 +34554,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
  ## </desc>
  gen_tunable(squid_use_tproxy, false)
  
+@@ -185,6 +185,7 @@
+ 	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
+ 	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
+ 	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
++	corenet_tcp_connect_squid_port(httpd_squid_script_t)
+ 
+ 	sysnet_dns_name_resolve(httpd_squid_script_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.9.7/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.fc	2010-11-05 14:02:26.825899649 +0100
++++ serefpolicy-3.9.7/policy/modules/services/ssh.fc	2011-01-04 16:00:04.335042667 +0100
 @@ -1,4 +1,9 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
@@ -34464,9 +34575,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-@@ -14,3 +19,7 @@
+@@ -13,4 +18,10 @@
+ 
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
++/var/lib/amanda/\.ssh(/.*)?  gen_context(system_u:object_r:ssh_home_t,s0)
++
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
@@ -34762,7 +34876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.9.7/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.te	2010-12-01 13:29:36.816042555 +0100
++++ serefpolicy-3.9.7/policy/modules/services/ssh.te	2011-01-04 16:03:00.640041553 +0100
 @@ -6,26 +6,32 @@
  #
  
@@ -34971,7 +35085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +285,39 @@
+@@ -232,33 +285,44 @@
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -35017,10 +35131,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 -',`
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
++')
++
++
++optional_policy(`
++	amanda_search_lib(sshd_t)
  ')
  
  optional_policy(`
-@@ -266,11 +325,24 @@
+@@ -266,11 +330,24 @@
  ')
  
  optional_policy(`
@@ -35046,7 +35165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -284,6 +356,11 @@
+@@ -284,6 +361,11 @@
  ')
  
  optional_policy(`
@@ -35058,7 +35177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +369,26 @@
+@@ -292,26 +374,26 @@
  ')
  
  ifdef(`TODO',`
@@ -35104,7 +35223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +401,6 @@
+@@ -324,7 +406,6 @@
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -35112,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +429,6 @@
+@@ -353,10 +434,6 @@
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -38450,7 +38569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.9.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/xserver.te	2010-12-22 13:21:17.650042380 +0100
++++ serefpolicy-3.9.7/policy/modules/services/xserver.te	2011-01-04 13:27:45.006041467 +0100
 @@ -26,27 +26,50 @@
  #
  
@@ -39083,10 +39202,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -516,12 +736,49 @@
+@@ -516,12 +736,53 @@
  ')
  
  optional_policy(`
++	cvs_dontaudit_list_data(xdm_t)
++')
++
++optional_policy(`
 +	# Use dbus to start other processes as xdm_t
 +	dbus_role_template(xdm, system_r, xdm_t)
 +
@@ -39133,7 +39256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,28 +796,63 @@
+@@ -539,28 +800,63 @@
  ')
  
  optional_policy(`
@@ -39206,7 +39329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -572,6 +864,10 @@
+@@ -572,6 +868,10 @@
  ')
  
  optional_policy(`
@@ -39217,7 +39340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +892,7 @@
+@@ -596,7 +896,7 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -39226,7 +39349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +906,14 @@
+@@ -610,6 +910,14 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -39241,7 +39364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +933,19 @@
+@@ -629,12 +937,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -39263,7 +39386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +953,7 @@
+@@ -642,6 +957,7 @@
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -39271,7 +39394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +980,6 @@
+@@ -668,7 +984,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -39279,7 +39402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,11 +989,17 @@
+@@ -678,11 +993,17 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -39297,7 +39420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -693,8 +1010,13 @@
+@@ -693,8 +1014,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -39311,7 +39434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1038,14 @@
+@@ -716,11 +1042,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -39326,7 +39449,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1098,28 @@
+@@ -773,12 +1102,28 @@
  ')
  
  optional_policy(`
@@ -39356,7 +39479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1128,10 @@
+@@ -787,6 +1132,10 @@
  ')
  
  optional_policy(`
@@ -39367,7 +39490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1147,10 @@
+@@ -802,10 +1151,10 @@
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -39381,7 +39504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1158,7 @@
+@@ -813,7 +1162,7 @@
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -39390,7 +39513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -826,6 +1171,9 @@
+@@ -826,6 +1175,9 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -39400,7 +39523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1181,11 @@
+@@ -833,6 +1185,11 @@
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -39412,7 +39535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1194,14 @@
+@@ -841,11 +1198,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -39429,7 +39552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -853,6 +1209,10 @@
+@@ -853,6 +1213,10 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -39440,7 +39563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ########################################
  #
  # Rules common to all X window domains
-@@ -896,7 +1256,7 @@
+@@ -896,7 +1260,7 @@
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -39449,7 +39572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -950,11 +1310,31 @@
+@@ -950,11 +1314,31 @@
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -39481,7 +39604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1356,32 @@
+@@ -976,18 +1360,32 @@
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -42248,8 +42371,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.9.7/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/iscsi.te	2010-11-08 16:19:08.966156850 +0100
-@@ -76,9 +76,12 @@
++++ serefpolicy-3.9.7/policy/modules/system/iscsi.te	2011-01-03 08:52:59.886042530 +0100
+@@ -31,6 +31,7 @@
+ #
+ 
+ allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
++dontaudit iscsid_t self:capability { sys_ptrace };
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -76,9 +77,12 @@
  
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
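Review bot: `dontaudit iscsid_t self:capability { sys_ptrace };` silences the denial without recording what triggers it, and once it is loaded an unexpected sys_ptrace attempt by iscsid no longer appears in the audit log. A comment above the rule naming the cause would let a later reviewer decide whether the suppression is still warranted. The braces around a single permission are also unnecessary: `dontaudit iscsid_t self:capability sys_ptrace;`.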
@@ -42262,7 +42393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
  
  files_read_etc_files(iscsid_t)
  
-@@ -91,5 +94,5 @@
+@@ -91,5 +95,5 @@
  miscfiles_read_localization(iscsid_t)
  
  optional_policy(`
@@ -42819,7 +42950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.9.7/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/logging.fc	2010-11-05 14:02:26.933900336 +0100
++++ serefpolicy-3.9.7/policy/modules/system/logging.fc	2011-01-03 10:28:51.710042336 +0100
 @@ -17,6 +17,10 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -42839,7 +42970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
  
  ifdef(`distro_suse', `
-@@ -54,14 +59,16 @@
+@@ -54,18 +59,24 @@
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
  ')
  
@@ -42860,9 +42991,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  
  /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
-@@ -69,3 +76,5 @@
+ /var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
++/var/stockmaniac/templates_cache(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
++
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
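Review bot: The new logging.fc entry `/var/stockmaniac/templates_cache(/.*)?` labels a whole directory tree as `var_log_t` with no file-type qualifier, so everything below a path named as a cache ends up under the generic log type and is reachable by whatever domains are granted the generic log interfaces. The commit message states that the directory contains log files; if only some of its files are logs, a narrower pattern would keep the rest of the cache out of `var_log_t`. At minimum I would add a comment above the entry, e.g. `# stockmaniac writes its log files into templates_cache`, so the label is not mistaken for an error later.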
@@ -43447,7 +43580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.9.7/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/mount.if	2010-11-15 17:16:31.348423484 +0100
++++ serefpolicy-3.9.7/policy/modules/system/mount.if	2011-01-03 09:33:07.158042280 +0100
 @@ -16,6 +16,16 @@
  	')
  
@@ -43465,7 +43598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -45,12 +55,58 @@
+@@ -45,8 +55,54 @@
  	role $2 types mount_t;
  
  	optional_policy(`
@@ -43488,11 +43621,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +
 +	optional_policy(`
 +		samba_run_smbmount(mount_t, $2)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute fusermount in the mount domain, and
 +##	allow the specified role the mount domain,
 +##	and use the caller's terminal.
@@ -43512,19 +43645,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +interface(`mount_run_fusermount',`
 +	gen_require(`
 +		type mount_t;
-+	')
+ 	')
 +
 +	mount_domtrans_fusermount($1)
 +	role $2 types mount_t;
 +
 +	fstools_run(mount_t, $2)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute mount in the caller domain.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -84,9 +140,11 @@
  interface(`mount_signal',`
  	gen_require(`
@@ -43546,7 +43675,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ##	</summary>
  ## </param>
  #
-@@ -176,4 +234,109 @@
+@@ -135,6 +193,24 @@
+ 
+ ########################################
+ ## <summary>
++##     Read the mount tmp directory 
++## </summary>
++## <param name="domain">
++##     <summary>
++##     Domain allowed access.
++##     </summary>
++## </param>
++#
++interface(`mount_list_tmp',`
++       gen_require(`
++               type mount_tmp_t;
++       ')
++
++       allow $1 mount_tmp_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Execute mount in the unconfined mount domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -176,4 +252,109 @@
  
  	mount_domtrans_unconfined($1)
  	role $2 types unconfined_mount_t;
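Review bot: The summary of the new `mount_list_tmp` interface says "Read the mount tmp directory", but the rule it emits is `allow $1 mount_tmp_t:dir list_dir_perms;`, which covers listing directory entries and nothing about the files inside. The doc line should match what is granted, e.g. `##	List the contents of mount temporary directories.`, which also removes the trailing space after "directory". The new block is indented with spaces while the neighbouring interfaces in mount.if use tabs, so it should be re-indented to match. The `mount_list_tmp` definition is complete within the hunk; the interface whose body appears in the trailing context lines starts and ends outside it.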
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5b2b38..441f5cc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,14 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-20
+- Fixes for iscsi policy
+- Allow dmesg to read system state
+- squid apache script connects to the squid port
+- /var/stockmaniac/templates_cache contains log files
+- Allow radius to communicate with postgresql
+- Add transition from unconfined_java_t to wine_t
+
 * Wed Dec 22 2010 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-19
 - Fixes for passenger policy
 - Allow staff user to execute mysql

