[selinux-policy/f16] - We need to treat port_t and unreserved_port_t as generic_port types
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Nov 17 10:50:12 UTC 2011
commit 2447e7e2838955b08e3f9a2073ffd8e9df227e3e
Author: Miroslav <mgrepl at redhat.com>
Date: Thu Nov 17 11:49:58 2011 +0100
- We need to treat port_t and unreserved_port_t as generic_port types
policy-F16.patch | 293 +++++++++++++++++++++++++++++++++++++--------------
selinux-policy.spec | 5 +-
2 files changed, 216 insertions(+), 82 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 88721bd..173c034 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -7944,10 +7944,31 @@ index 0000000..6d0c9e3
+')
+
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..8ebd16b 100644
+index 2dde73a..1b16fa4 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
-@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -9,6 +9,9 @@ type kdumpgui_t;
+ type kdumpgui_exec_t;
+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+
++type kdumpgui_tmp_t;
++files_tmp_file(kdumpgui_tmp_t)
++
+ ######################################
+ #
+ # system-config-kdump local policy
+@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+ allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
+ allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
+
++manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
++files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
++
+ kernel_read_system_state(kdumpgui_t)
+ kernel_read_network_state(kdumpgui_t)
+
+@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
files_read_usr_files(kdumpgui_t)
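Review bot: The new kdumpgui_tmp_t type and its manage/filetrans rules at L30-L31 and L40-L42 are not mentioned in the commit message or in the spec changelog entry at L533, which names only the port_t/unreserved_port_t change; the same applies to the mount_exec/bootloader_exec rules in the hunk ending at L77, the `/dev/ati/card.*` context in the devices.fc hunk ending at L494 and the ld.so backup transitions in the hunk ending at L513. Each of these widens what a confined domain may do and should be auditable from the package history, so add one changelog line per change, e.g. `- Add kdumpgui_tmp_t and allow kdumpgui_t to run mount and the bootloader tool`. The kdumpgui.te sections touched here continue outside the hunk.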
@@ -7956,20 +7977,28 @@ index 2dde73a..8ebd16b 100644
storage_raw_read_fixed_disk(kdumpgui_t)
storage_raw_write_fixed_disk(kdumpgui_t)
-@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t)
+@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t)
+
+ miscfiles_read_localization(kdumpgui_t)
++mount_exec(kdumpgui_t)
++
init_dontaudit_read_all_script_files(kdumpgui_t)
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
+
+optional_policy(`
++ bootloader_exec(kdumpgui_t)
++')
++
++optional_policy(`
+ consoletype_exec(kdumpgui_t)
+')
+
optional_policy(`
consoletype_exec(kdumpgui_t)
')
-@@ -58,6 +66,7 @@ optional_policy(`
+@@ -58,6 +79,7 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
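Review bot: `mount_exec(kdumpgui_t)` at L57 and `bootloader_exec(kdumpgui_t)` at L63 execute those programs without a domain transition, so mount and the bootloader tool run with kdumpgui_t's own permission set, which already includes the `net_admin sys_admin sys_rawio` capabilities at L36 and raw fixed-disk read/write at L51-L52. A comment recording why exec-in-domain was chosen over a transition would help later reviewers judge whether that accumulation is intended, e.g. `# mount and bootloader run inside kdumpgui_t (no domain transition); kdumpgui_t already holds sys_admin/sys_rawio`. Note also that mount_exec is placed outside optional_policy while bootloader_exec is wrapped in one; if the mount module can be absent on some builds, the mount_exec call should be wrapped the same way. The enclosing kdumpgui.te policy block starts and ends outside this hunk.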
@@ -12963,7 +12992,7 @@ index 9e9263a..650e796 100644
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..cf422f4 100644
+index 4f3b542..f4e36ee 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -13080,10 +13109,10 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
-+ allow $1 port_t:dccp_socket { send_msg recv_msg };
++ allow $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
+')
+
+########################################
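Review bot: Changing the target set to `{ port_t unreserved_port_t }` at L92/L96 widens the grant of every existing caller of corenet_dccp_sendrecv_generic_port, and the same widening is repeated for the tcp/udp sendrecv, bind and connect interfaces in the hunks ending at L123, L187, L201, L225, L254, L274 and L309, including the dontaudit variants, which now also suppress denials involving unreserved_port_t. The connect interfaces (L290, L302) are the most consequential, since every domain already granted "generic port" connect now gains outbound access to any unreserved port as well. The `## <summary>` text still says only "generic ports" (e.g. L101), so the new scope is invisible to policy authors choosing between these and the *_all_ports interfaces; add a `## <desc>` line such as `## Generic ports are those labeled port_t or unreserved_port_t, so callers also gain access to every unreserved port.` to each affected interface.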
@@ -13091,10 +13120,19 @@ index 4f3b542..cf422f4 100644
## Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
-@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',`
-
- ########################################
- ## <summary>
+@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',`
+ #
+ interface(`corenet_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
++')
++
++########################################
++## <summary>
+## Do not audit attempts to send and
+## receive DCCP network traffic on
+## generic ports.
@@ -13107,17 +13145,53 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dontaudit_dccp_sendrecv_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ dontaudit $1 port_t:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+## <summary>
- ## Do not audit send and receive TCP network traffic on generic ports.
- ## </summary>
- ## <param name="domain">
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg };
+ ')
+
+ ########################################
+@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
+ #
+ interface(`corenet_udp_send_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:udp_socket send_msg;
++ allow $1 { port_t unreserved_port_t }:udp_socket send_msg;
+ ')
+
+ ########################################
+@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',`
+ #
+ interface(`corenet_udp_receive_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:udp_socket recv_msg;
++ allow $1 { port_t unreserved_port_t }:udp_socket recv_msg;
+ ')
+
+ ########################################
@@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',`
########################################
@@ -13132,11 +13206,11 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
+ ')
+
-+ allow $1 port_t:dccp_socket name_bind;
++ allow $1 { port_t unreserved_port_t }:dccp_socket name_bind;
+ dontaudit $1 defined_port_type:dccp_socket name_bind;
+')
+
@@ -13145,16 +13219,17 @@ index 4f3b542..cf422f4 100644
## Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
-@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',`
+@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ #
interface(`corenet_tcp_bind_generic_port',`
gen_require(`
- type port_t;
+- type port_t;
- attribute port_type;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
- ')
-
- allow $1 port_t:tcp_socket name_bind;
-- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
+')
+
@@ -13171,23 +13246,39 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dontaudit_dccp_bind_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ dontaudit $1 port_t:dccp_socket name_bind;
++ type port_t, unreserved_port_t;
+ ')
+
+- allow $1 port_t:tcp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket name_bind;
+ ')
+
+ ########################################
+@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',`
+ #
+ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
+ ')
+
+- dontaudit $1 port_t:tcp_socket name_bind;
++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket name_bind;
')
########################################
-@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ #
interface(`corenet_udp_bind_generic_port',`
gen_require(`
- type port_t;
+- type port_t;
- attribute port_type;
++ type port_t, unreserved_port_t;
+ attribute defined_port_type;
- ')
-
- allow $1 port_t:udp_socket name_bind;
-- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
+')
+
@@ -13203,17 +13294,28 @@ index 4f3b542..cf422f4 100644
+#
+interface(`corenet_dccp_connect_generic_port',`
+ gen_require(`
-+ type port_t;
-+ ')
-+
-+ allow $1 port_t:dccp_socket name_connect;
- ')
++ type port_t, unreserved_port_t;
+ ')
- ########################################
-@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',`
+- allow $1 port_t:udp_socket name_bind;
+- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect;
+ ')
########################################
- ## <summary>
+@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',`
+ #
+ interface(`corenet_tcp_connect_generic_port',`
+ gen_require(`
+- type port_t;
++ type port_t, unreserved_port_t;
++ ')
++
++ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
+## Send and receive DCCP network traffic on all ports.
+## </summary>
+## <param name="domain">
@@ -13225,16 +13327,13 @@ index 4f3b542..cf422f4 100644
+interface(`corenet_dccp_sendrecv_all_ports',`
+ gen_require(`
+ attribute port_type;
-+ ')
-+
+ ')
+
+- allow $1 port_t:tcp_socket name_connect;
+ allow $1 port_type:dccp_socket { send_msg recv_msg };
-+')
-+
-+########################################
-+## <summary>
- ## Send and receive TCP network traffic on all ports.
- ## </summary>
- ## <desc>
+ ')
+
+ ########################################
@@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
@@ -13459,7 +13558,7 @@ index 4f3b542..cf422f4 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
## </summary>
## </param>
#
@@ -13468,14 +13567,36 @@ index 4f3b542..cf422f4 100644
gen_require(`
- attribute reserved_port_type;
+ type reserved_port_t;
-+ ')
-+
+ ')
+
+- allow $1 reserved_port_type:udp_socket send_msg;
+ allow $1 reserved_port_t:tcp_socket name_connect;
+ ')
+
+ ########################################
+ ## <summary>
+-## Receive UDP network traffic on all reserved ports.
++## Send and receive DCCP network traffic on all reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',`
+ ## </summary>
+ ## </param>
+ #
+-interface(`corenet_udp_receive_all_reserved_ports',`
++interface(`corenet_dccp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+- allow $1 reserved_port_type:udp_socket recv_msg;
++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
-+## Send and receive DCCP network traffic on all reserved ports.
++## Send and receive TCP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
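Review bot: The net effect on corenetwork.if.in cannot be read from this outer diff: at L349 the upstream `allow $1 reserved_port_type:udp_socket send_msg;` is now shown removed and L350's `allow $1 reserved_port_t:tcp_socket name_connect;` is kept under an interface header that sits between the outer hunks and is not visible here, while L364-L365 show corenet_udp_receive_all_reserved_ports replaced by corenet_dccp_sendrecv_all_reserved_ports and the hunks ending at L401, L422 and L439 each shift the next `*_all_reserved_ports` name down by one. These look like pairing artifacts of regenerating the patch rather than intended renames, since each body follows its shifted header, but that is inferred. Before merging, apply the regenerated policy-F16.patch and confirm that every `*_all_reserved_ports` interface still has a body matching its `## <summary>`, and in particular that the reserved_port_t tcp name_connect rule ends up in an interface documented as TCP connect rather than UDP send.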
@@ -13483,17 +13604,17 @@ index 4f3b542..cf422f4 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_dccp_sendrecv_all_reserved_ports',`
++interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
++ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
-+## Send and receive TCP network traffic on all reserved ports.
++## Send UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13501,17 +13622,17 @@ index 4f3b542..cf422f4 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_tcp_sendrecv_all_reserved_ports',`
++interface(`corenet_udp_send_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
-+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
++ allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+########################################
+## <summary>
-+## Send UDP network traffic on all reserved ports.
++## Receive UDP network traffic on all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13519,12 +13640,15 @@ index 4f3b542..cf422f4 100644
+## </summary>
+## </param>
+#
-+interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_udp_receive_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
- ')
++ ')
++
++ allow $1 reserved_port_type:udp_socket recv_msg;
+ ')
- allow $1 reserved_port_type:udp_socket send_msg;
+ ########################################
@@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
########################################
@@ -13620,9 +13744,8 @@ index 4f3b542..cf422f4 100644
gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
- ')
-
-- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
++ ')
++
+ allow $1 unreserved_port_type:udp_socket name_bind;
+')
+
@@ -13675,8 +13798,9 @@ index 4f3b542..cf422f4 100644
+interface(`corenet_dccp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
-+ ')
-+
+ ')
+
+- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 reserved_port_type:dccp_socket name_connect;
')
@@ -14465,7 +14589,7 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..12bd6fc 100644
+index 6cf8784..b48524e 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,11 +15,13 @@
@@ -14493,7 +14617,7 @@ index 6cf8784..12bd6fc 100644
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -126,6 +130,7 @@ ifdef(`distro_suse', `
+@@ -126,12 +130,14 @@ ifdef(`distro_suse', `
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -14501,7 +14625,14 @@ index 6cf8784..12bd6fc 100644
/dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
-@@ -187,8 +192,6 @@ ifdef(`distro_suse', `
+
+ /dev/bus/usb/.*/[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0)
+
++/dev/ati/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
+
+@@ -187,8 +193,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -14510,7 +14641,7 @@ index 6cf8784..12bd6fc 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +199,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +200,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -70017,9 +70148,9 @@ index 808ba93..4ff705d 100644
+ ')
+
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
-+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
-+ #files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
++ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
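Review bot: Enabling the `ld.so.cache~` and `ld.so.preload~` transitions at L509 and L512 means any domain given this interface now creates those backup files in /etc with the ld_so_cache_t type instead of the directory's default, and because ld.so.preload is the dynamic loader's preload list, the label of its backup decides which domains may later modify or rename it back over the live file. The interface head is outside the hunk, so check that its `## <summary>` names all four files, e.g. `## Create ld.so.cache, ld.so.preload and their ~ backups in /etc with the ld_so_cache_t type.` The reason the two lines were previously commented out is not recorded anywhere on the page; a one-line comment stating why they are now safe to enable would stop the next reader from disabling them again.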
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index e5836d3..eae9427 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2a15390..cf6329d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 56%{?dist}
+Release: 57%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-57
+- We need to treat port_t and unreserved_port_t as generic_port types
+
* Wed Nov 16 2011 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-56
- Add ssh_dontaudit_search_home_dir
- Changes to allow namespace_init_t to work