[selinux-policy/f18] - Allow also sealert to read the policy from the kernel - Dontaudit listing of users homedir by send
Miroslav Grepl
mgrepl at fedoraproject.org
Mon May 20 12:57:36 UTC 2013
commit ba48650d2520c06a5d4250157bca534d2be40454
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon May 20 14:57:22 2013 +0200
- Allow also sealert to read the policy from the kernel
- Dontaudit listing of users' homedir by sendmail. Seems like a leak
- Allow postfix domains to manage postfix_var_run_t
- Allow mount to append to the ssh_home_t when using sshfs
policy-f18-base.patch | 30 ++++++++++++++++++++++----
policy-f18-contrib.patch | 51 ++++++++++++++++++++-------------------------
selinux-policy.spec | 8 ++++++-
3 files changed, 55 insertions(+), 34 deletions(-)
---
diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 5dc1518..d9fcece 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -127458,7 +127458,7 @@ index 078bcd7..72e7b08 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..2e18809 100644
+index fe0c682..871b8fd 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -127978,16 +127978,35 @@ index fe0c682..2e18809 100644
## Read ssh server keys
## </summary>
## <param name="domain">
-@@ -714,7 +814,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -714,7 +814,26 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
- dontaudit $1 sshd_key_t:file { getattr read };
+ dontaudit $1 sshd_key_t:file read_file_perms;
++')
++
++######################################
++## <summary>
++## Append ssh home directory content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_append_home_files',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ append_files_pattern($1, ssh_home_t, ssh_home_t)
++ userdom_search_user_home_dirs($1)
')
######################################
-@@ -754,3 +854,124 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,124 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
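Review bot: The new `ssh_append_home_files` interface grants append on every file labelled `ssh_home_t`, and the `/root/\.ssh(/.*)?` context at the top of this section suggests that label covers the whole `.ssh` directory, which would normally hold `authorized_keys` as well as `known_hosts`. The later mount.te hunk hands exactly this grant to `mount_t` through `ssh_append_home_files(mount_t)`. If the denial being fixed was only for recording host keys (the commit message does not say), the summary should state it, e.g. `## Append to ssh home directory content (used by sshfs to record host keys).`, and it is worth checking whether a narrower label for that one file would spare `mount_t` append access to key files. The interfaces before and after this addition lie outside the visible lines.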
@@ -139740,7 +139759,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 63931f6..0e08b2d 100644
+index 63931f6..6c0574a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
@@ -140049,7 +140068,7 @@ index 63931f6..0e08b2d 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +299,125 @@ optional_policy(`
+@@ -193,21 +299,126 @@ optional_policy(`
')
')
@@ -140101,6 +140120,7 @@ index 63931f6..0e08b2d 100644
-#
+optional_policy(`
+ ssh_exec(mount_t)
++ ssh_append_home_files(mount_t)
+')
+
+optional_policy(`
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 0816c95..18eeb05 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -367,7 +367,7 @@ index 0b827c5..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..d9c83c2 100644
+index 30861ec..1246994 100644
--- a/abrt.te
+++ b/abrt.te
@@ -5,13 +5,33 @@ policy_module(abrt, 1.2.0)
@@ -418,7 +418,7 @@ index 30861ec..d9c83c2 100644
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
-+userdom_user_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
# pid files
type abrt_var_run_t;
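Review bot: The swap of `userdom_user_tmp_file(abrt_var_cache_t)` for `userdom_user_tmp_content(abrt_var_cache_t)` is not mentioned in the commit message or in the %changelog entry. The two macros presumably attach different user-tmp attributes to the cache type, which would change which domains can reach ABRT's cached crash data. A changelog line, or a comment above the call such as `# abrt cache is treated as user tmp content because <reason>`, would make the intent reviewable.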
@@ -37939,7 +37939,7 @@ index 4e2a5ba..7d1522c 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index 84a7d66..61f95e2 100644
+index 84a7d66..6ed167b 100644
--- a/mta.te
+++ b/mta.te
@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -37998,15 +37998,16 @@ index 84a7d66..61f95e2 100644
init_use_script_ptys(system_mail_t)
+init_dontaudit_rw_stream_socket(system_mail_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+userdom_use_inherited_user_terminals(system_mail_t)
- userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+-userdom_dontaudit_search_user_home_dirs(system_mail_t)
+allow system_mail_t mail_home_t:file manage_file_perms;
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
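Review bot: The added `userdom_dontaudit_list_user_home_dirs(system_mail_t)` silences the denial without recording why, and the commit message itself only says it "seems like a leak". A dontaudit rule keeps the AVC out of the audit log, so if the access turns out not to come from a leaked descriptor, nothing will show it unless dontaudit rules are disabled. A comment on the line, e.g. `# sendmail lists user home dirs, apparently via a leaked descriptor; denied and not audited`, would keep that reasoning next to the rule. The rest of the system_mail_t block lies outside this hunk.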
@@ -50948,7 +50949,7 @@ index 46bee12..20a3ccd 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..7308619 100644
+index a1e0f60..18be613 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -51380,15 +51381,7 @@ index a1e0f60..7308619 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -532,6 +617,7 @@ allow postfix_showq_t self:capability { setuid setgid };
- allow postfix_showq_t self:tcp_socket create_socket_perms;
-
- allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
-+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)
-
- allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
-@@ -539,7 +625,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +624,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -51399,7 +51392,7 @@ index a1e0f60..7308619 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +646,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +645,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -51412,7 +51405,7 @@ index a1e0f60..7308619 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +659,14 @@ optional_policy(`
+@@ -565,6 +658,14 @@ optional_policy(`
')
optional_policy(`
@@ -51427,7 +51420,7 @@ index a1e0f60..7308619 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +683,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +682,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -51454,7 +51447,7 @@ index a1e0f60..7308619 100644
')
optional_policy(`
-@@ -599,6 +709,11 @@ optional_policy(`
+@@ -599,6 +708,11 @@ optional_policy(`
')
optional_policy(`
@@ -51466,7 +51459,7 @@ index a1e0f60..7308619 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +726,6 @@ optional_policy(`
+@@ -611,7 +725,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -51474,7 +51467,7 @@ index a1e0f60..7308619 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +736,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +735,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -51482,7 +51475,7 @@ index a1e0f60..7308619 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +743,80 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +742,80 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -51518,7 +51511,7 @@ index a1e0f60..7308619 100644
+
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
+
-+manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t)
++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
+
+kernel_read_network_state(postfix_domain)
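Review bot: Moving `manage_files_pattern(..., postfix_var_run_t, postfix_var_run_t)` from `postfix_t` to `postfix_domain` gives every type carrying that attribute create, write and unlink access to the pid files, presumably including the network-facing daemons. An earlier hunk in this file drops the narrower `rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t)`, so showq appears to go from read/write to full manage. If only some daemons create files there, consider keeping `manage_files_pattern` for those types and `rw_files_pattern` for the rest. Otherwise add a comment naming the denials that required the attribute-wide grant.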
@@ -64924,7 +64917,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..ff1b021 100644
+index 086cd5f..f52b26d 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -65052,7 +65045,7 @@ index 086cd5f..ff1b021 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -150,11 +176,16 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -150,11 +176,18 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -65060,6 +65053,8 @@ index 086cd5f..ff1b021 100644
+
+dev_read_sysfs(setroubleshoot_fixit_t)
+dev_read_urand(setroubleshoot_fixit_t)
++
++selinux_read_policy(setroubleshoot_fixit_t)
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
@@ -65070,7 +65065,7 @@ index 086cd5f..ff1b021 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -162,9 +193,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -162,9 +195,19 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e201775..17a171e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 95%{?dist}
+Release: 96%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,12 @@ SELinux Reference policy mls base module.
%endif
%Changelog
+* Mon May 20 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-96
+- Allow also sealert to read the policy from the kernel
+- Dontaudit listing of users homedir by sendmail Seems like a leak
+- Allow postfix domains to manage postfix_var_run_t
+- Allow mount to append to the ssh_home_t when using sshfs
+
* Fri May 17 2013 Miroslav Grepl <mgrepl at redhat.com> 3.11.1-95
- Fix pegasus_openlmi_domain_template()
- Remove pulseaudio filetrans pulseaudio_manage_home_dirs which is a part of pulseaudio_manage_home_files