[selinux-policy/f18] - Allow also sealert to read the policy from the kernel - Dontaudit listing of users homedir by send

Miroslav Grepl mgrepl at fedoraproject.org
Mon May 20 12:57:36 UTC 2013


commit ba48650d2520c06a5d4250157bca534d2be40454
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon May 20 14:57:22 2013 +0200

    - Allow also sealert to read the policy from the kernel
    - Dontaudit listing of users homedir by sendmail Seems like a leak
    - Allow postfix domains to manage postfix_var_run_t
    - Allow mount to append to the ssh_home_t when using sshfs

 policy-f18-base.patch    |   30 ++++++++++++++++++++++----
 policy-f18-contrib.patch |   51 ++++++++++++++++++++-------------------------
 selinux-policy.spec      |    8 ++++++-
 3 files changed, 55 insertions(+), 34 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 5dc1518..d9fcece 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -127458,7 +127458,7 @@ index 078bcd7..72e7b08 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2e18809 100644
+index fe0c682..871b8fd 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -127978,16 +127978,35 @@ index fe0c682..2e18809 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
 -	dontaudit $1 sshd_key_t:file { getattr read };
 +	dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++## <summary>
++##	Append ssh home directory content
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ssh_append_home_files',`
++	gen_require(`
++		type ssh_home_t;
++	')
++
++	append_files_pattern($1, ssh_home_t, ssh_home_t)
++	userdom_search_user_home_dirs($1)
  ')
  
  ######################################
-@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
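Review bot: The new `ssh_append_home_files` interface grants append on every file labelled `ssh_home_t`, and the file contexts earlier in this patch put all of `/root/\.ssh(/.*)?` under that type, so the grant covers any key or host list kept there, not one file. The summary should state that scope, for example `##	Append to any file labelled ssh_home_t (all content under ~/.ssh).`, so callers see it before using the interface. The interface only calls `userdom_search_user_home_dirs($1)`, so reaching `/root/.ssh` may need a separate admin-home search rule unless the caller already has one. `append_files_pattern` presumably does not cover creating a missing file, which is worth confirming against the sshfs case this was written for.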
@@ -139740,7 +139759,7 @@ index 4584457..0755e25 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..0e08b2d 100644
+index 63931f6..6c0574a 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -140049,7 +140068,7 @@ index 63931f6..0e08b2d 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +299,125 @@ optional_policy(`
+@@ -193,21 +299,126 @@ optional_policy(`
  	')
  ')
  
@@ -140101,6 +140120,7 @@ index 63931f6..0e08b2d 100644
 -#
 +optional_policy(`
 +	ssh_exec(mount_t)
++	ssh_append_home_files(mount_t)
 +')
 +
 +optional_policy(`
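Review bot: The added `ssh_append_home_files(mount_t)` call has no comment saying why mount needs it, and it sits next to `ssh_exec(mount_t)`, which (if it is the usual execute-without-transition interface) keeps ssh running in `mount_t`. A line such as `# sshfs: ssh started by mount appends to files in ~/.ssh` above the call would record the reason given in the changelog. The grant applies to every `mount_t` process whenever the ssh module is present, not only to sshfs mounts, so a narrower file type for the file actually appended to is worth considering. The `optional_policy` blocks around the call continue outside the hunk.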
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 0816c95..18eeb05 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -367,7 +367,7 @@ index 0b827c5..cce58bb 100644
 +	dontaudit $1 abrt_t:sock_file write;
  ')
 diff --git a/abrt.te b/abrt.te
-index 30861ec..d9c83c2 100644
+index 30861ec..1246994 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -418,7 +418,7 @@ index 30861ec..d9c83c2 100644
  type abrt_var_cache_t;
  files_type(abrt_var_cache_t)
 +files_tmp_file(abrt_var_cache_t)
-+userdom_user_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
  
  # pid files
  type abrt_var_run_t;
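Review bot: The switch from `userdom_user_tmp_file(abrt_var_cache_t)` to `userdom_user_tmp_content(abrt_var_cache_t)` is not mentioned in the commit message or in the four changelog entries added to the spec file. The two interfaces may attach different attributes to `abrt_var_cache_t`, so the set of domains that can reach abrt's cache could change; that cannot be judged from this hunk. A changelog line such as `- Use userdom_user_tmp_content for abrt_var_cache_t` would make the change traceable.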
@@ -37939,7 +37939,7 @@ index 4e2a5ba..7d1522c 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index 84a7d66..61f95e2 100644
+index 84a7d66..6ed167b 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -37998,15 +37998,16 @@ index 84a7d66..61f95e2 100644
  
  init_use_script_ptys(system_mail_t)
 +init_dontaudit_rw_stream_socket(system_mail_t)
- 
--userdom_use_user_terminals(system_mail_t)
++
 +userdom_use_inherited_user_terminals(system_mail_t)
- userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
+ 
+-userdom_use_user_terminals(system_mail_t)
+-userdom_dontaudit_search_user_home_dirs(system_mail_t)
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
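Review bot: `userdom_dontaudit_list_user_home_dirs(system_mail_t)` silences the denial rather than explaining it, and the changelog itself only says it "seems like a leak". Once this is in, a `system_mail_t` process that really does try to enumerate a user's home directory is still denied but no longer produces an AVC record, so the audit log stops being useful for that case. A comment above the line, for example `# leaked directory descriptor from the calling program, see <bug reference>`, would tie the rule to the report that motivated it. The inner patch also reorders the neighbouring `userdom_use_user_terminals` and `userdom_dontaudit_search_user_home_dirs` removals, which makes it easy to miss that the search dontaudit is replaced rather than kept.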
@@ -50948,7 +50949,7 @@ index 46bee12..20a3ccd 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index a1e0f60..7308619 100644
+index a1e0f60..18be613 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -51380,15 +51381,7 @@ index a1e0f60..7308619 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -532,6 +617,7 @@ allow postfix_showq_t self:capability { setuid setgid };
- allow postfix_showq_t self:tcp_socket create_socket_perms;
- 
- allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)
- 
- allow postfix_showq_t postfix_spool_t:file read_file_perms;
- 
-@@ -539,7 +625,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +624,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -51399,7 +51392,7 @@ index a1e0f60..7308619 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +646,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +645,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -51412,7 +51405,7 @@ index a1e0f60..7308619 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +659,14 @@ optional_policy(`
+@@ -565,6 +658,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51427,7 +51420,7 @@ index a1e0f60..7308619 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +683,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +682,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -51454,7 +51447,7 @@ index a1e0f60..7308619 100644
  ')
  
  optional_policy(`
-@@ -599,6 +709,11 @@ optional_policy(`
+@@ -599,6 +708,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51466,7 +51459,7 @@ index a1e0f60..7308619 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +726,6 @@ optional_policy(`
+@@ -611,7 +725,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -51474,7 +51467,7 @@ index a1e0f60..7308619 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +736,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +735,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -51482,7 +51475,7 @@ index a1e0f60..7308619 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +743,80 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +742,80 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -51518,7 +51511,7 @@ index a1e0f60..7308619 100644
 +
 +allow postfix_domain postfix_spool_t:dir list_dir_perms;
 +
-+manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t)
++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
 +files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
 +
 +kernel_read_network_state(postfix_domain)
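Review bot: Changing the first argument of `manage_files_pattern` from `postfix_t` to `postfix_domain` gives every domain carrying that attribute create, write and unlink access to `postfix_var_run_t` files, which is wider than the `rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)` rule this commit removes further up. `postfix_t` was presumably never a declared type, so the old line was a typo, but the fix also reaches network-facing domains such as `postfix_smtpd_t` if they carry the attribute. If the denials that prompted this only involved reading and writing existing files, `rw_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)` plus `manage_files_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)` would be a tighter split. The block this line belongs to starts outside the hunk.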
@@ -64924,7 +64917,7 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..ff1b021 100644
+index 086cd5f..f52b26d 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
 @@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -65052,7 +65045,7 @@ index 086cd5f..ff1b021 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -150,11 +176,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -150,11 +176,18 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -65060,6 +65053,8 @@ index 086cd5f..ff1b021 100644
 +
 +dev_read_sysfs(setroubleshoot_fixit_t)
 +dev_read_urand(setroubleshoot_fixit_t)
++
++selinux_read_policy(setroubleshoot_fixit_t)
  
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
 +seutil_domtrans_setsebool(setroubleshoot_fixit_t)
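Review bot: `selinux_read_policy(setroubleshoot_fixit_t)` is added without a comment, and the changelog names sealert while the rule is written for `setroubleshoot_fixit_t`. A line such as `# sealert run from the fixit domain reads the loaded policy from the kernel` above the call would connect the two. The lines just below also let this domain transition to setfiles and setsebool, so it is worth confirming that it needs the full kernel policy rather than a narrower query.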
@@ -65070,7 +65065,7 @@ index 086cd5f..ff1b021 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,9 +193,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,9 +195,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
  logging_send_audit_msgs(setroubleshoot_fixit_t)
  logging_send_syslog_msg(setroubleshoot_fixit_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e201775..17a171e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 95%{?dist}
+Release: 96%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,12 @@ SELinux Reference policy mls base module.
 %endif
 
 %Changelog
+* Mon May 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-96
+- Allow also sealert to read the policy from the kernel
+- Dontaudit listing of users homedir by sendmail Seems like a leak
+- Allow postfix domains to manage postfix_var_run_t
+- Allow mount to append to the ssh_home_t when using sshfs
+
 * Fri May 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-95
 - Fix pegasus_openlmi_domain_template()
 - Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files

