rpms/selinux-policy/F-8 policy-20070703.patch,1.117,1.118

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Oct 31 01:12:48 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17020

Modified Files:
	policy-20070703.patch 
Log Message:
* Tue Oct 30 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-42
- Make tcbdomain 
- Allow domain domain:fd use
- Dontaudit rpm_rw_pipes


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -r1.117 -r1.118
--- policy-20070703.patch	31 Oct 2007 00:12:56 -0000	1.117
+++ policy-20070703.patch	31 Oct 2007 01:12:45 -0000	1.118
@@ -1003,15 +1003,15 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2007-10-30 16:10:10.000000000 -0400
-@@ -18,6 +18,7 @@
- type bootloader_exec_t;
- application_domain(bootloader_t,bootloader_exec_t)
- role system_r types bootloader_t;
-+domain_trusted_type(bootloader_t)
- 
- #
- # bootloader_etc_t is the configuration file,
++++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2007-10-30 20:38:12.000000000 -0400
+@@ -215,3 +215,7 @@
+ 	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
+ 	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
+ ')
++
++optional_policy(`
++	unconfined_domain(bootloader_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.0.8/policy/modules/admin/brctl.if
 --- nsaserefpolicy/policy/modules/admin/brctl.if	2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/brctl.if	2007-10-29 23:59:29.000000000 -0400
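Review bot: The `unconfined_domain(bootloader_t)` block appended at the end of bootloader.te carries no comment saying why the bootloader domain has to run unconfined. This revision also drops the `tcbdomain` attribute and the single `unconfined_domain(tcbdomain)` rule in domain.te, so the broad grant now sits in per-module blocks, where it is harder to find in an audit. A line above the block such as `# TODO: document which denials require bootloader_t to be unconfined` would make the intent reviewable. The enclosing file section starts outside this hunk.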
@@ -3754,8 +3754,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-30 16:16:10.000000000 -0400
-@@ -6,9 +6,28 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-30 20:49:39.000000000 -0400
+@@ -6,6 +6,22 @@
  # Declarations
  #
  
@@ -3778,13 +3778,7 @@
  # Mark process types as domains
  attribute domain;
  
-+# Mark process types as Trusted Computer Base domains
-+attribute tcbdomain;
-+
- # Transitions only allowed from domains to other domains
- neverallow domain ~domain:process { transition dyntransition };
- 
-@@ -80,9 +99,13 @@
+@@ -80,9 +96,13 @@
  allow domain self:lnk_file r_file_perms;
  allow domain self:file rw_file_perms;
  kernel_read_proc_symlinks(domain)
@@ -3798,7 +3792,7 @@
  
  # Use trusted objects in /dev
  dev_rw_null(domain)
-@@ -134,3 +157,32 @@
+@@ -134,3 +154,28 @@
  
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
@@ -3827,10 +3821,6 @@
 +optional_policy(`
 +	rpm_dontaudit_rw_pipes(domain)
 +')
-+
-+optional_policy(`
-+	unconfined_domain(tcbdomain)
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-10-22 13:21:41.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/kernel/files.fc	2007-10-29 23:59:29.000000000 -0400
@@ -6015,6 +6005,113 @@
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.0.8/policy/modules/services/bitlbee.fc
+--- nsaserefpolicy/policy/modules/services/bitlbee.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.fc	2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,3 @@
++/usr/sbin/bitlbee	--	gen_context(system_u:object_r:bitlbee_exec_t,s0)
++/etc/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_conf_t,s0)
++/var/lib/bitlbee(/.*)?		gen_context(system_u:object_r:bitlbee_var_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.if serefpolicy-3.0.8/policy/modules/services/bitlbee.if
+--- nsaserefpolicy/policy/modules/services/bitlbee.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.if	2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,22 @@
++## <summary>Bitlbee service</summary>
++
++########################################
++## <summary>
++##     Read bitlbee configuration files
++## </summary>
++## <param name="domain">
++##     <summary>
++##         Domain allowed accesss.
++##     </summary>
++## </param>
++#
++interface(`bitlbee_read_config',`
++	gen_require(`
++		type bitlbee_conf_t;
++	')
++
++	files_search_etc($1)
++	allow $1 bitlbee_conf_t:dir { getattr read search };
++	allow $1 bitlbee_conf_t:file { read getattr };
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te	2007-10-30 20:45:17.000000000 -0400
+@@ -0,0 +1,70 @@
++
++policy_module(bitlbee, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type bitlbee_t;
++type bitlbee_exec_t;
++init_daemon_domain(bitlbee_t, bitlbee_exec_t)
++inetd_tcp_service_domain(bitlbee_t, bitlbee_exec_t)
++
++type bitlbee_conf_t;
++files_config_file(bitlbee_conf_t)
++
++type bitlbee_var_t;
++files_type(bitlbee_var_t)
++
++########################################
++#
++# Local policy
++#
++#
++
++allow bitlbee_t self:udp_socket create_socket_perms;
++allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
++allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
++
++bitlbee_read_config(bitlbee_t)
++
++# user account information is read and edited at runtime; give the usual
++# r/w access to bitlbee_var_t
++manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
++files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
++
++corenet_all_recvfrom_unlabeled(bitlbee_t)
++corenet_udp_sendrecv_generic_if(bitlbee_t)
++corenet_udp_sendrecv_generic_node(bitlbee_t)
++corenet_udp_sendrecv_lo_node(bitlbee_t)
++corenet_tcp_sendrecv_generic_if(bitlbee_t)
++corenet_tcp_sendrecv_generic_node(bitlbee_t)
++corenet_tcp_sendrecv_lo_node(bitlbee_t)
++# Allow bitlbee to connect to jabber servers
++corenet_tcp_connect_jabber_client_port(bitlbee_t)
++corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
++# to AIM servers:
++corenet_tcp_connect_aol_port(bitlbee_t)
++corenet_tcp_sendrecv_aol_port(bitlbee_t)
++# and to MMCC (Yahoo IM) servers:
++corenet_tcp_connect_mmcc_port(bitlbee_t)
++corenet_tcp_sendrecv_mmcc_port(bitlbee_t)
++# and to MSNP (MSN Messenger) servers:
++corenet_tcp_connect_msnp_port(bitlbee_t)
++corenet_tcp_sendrecv_msnp_port(bitlbee_t)
++
++files_read_etc_files(bitlbee_t)
++files_search_pids(bitlbee_t)
++# grant read-only access to the user help files
++files_read_usr_files(bitlbee_t)
++
++libs_legacy_use_shared_libs(bitlbee_t)
++libs_use_ld_so(bitlbee_t)
++
++sysnet_dns_name_resolve(bitlbee_t)
++
++optional_policy(`
++	# normally started from inetd using tcpwrappers, so use those entry points
++	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.8/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/bluetooth.te	2007-10-29 23:59:29.000000000 -0400
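Review bot: In the new bitlbee.if, `bitlbee_read_config` spells its access as raw `allow` rules on `bitlbee_conf_t`, and its parameter summary has a typo (`accesss`). bitlbee.te in the same hunk already uses a pattern macro (`manage_files_pattern`), so the interface would be more consistent written with `list_dirs_pattern($1, bitlbee_conf_t, bitlbee_conf_t)` and `read_files_pattern($1, bitlbee_conf_t, bitlbee_conf_t)`. The permission sets those macros expand to should be compared with the current `{ getattr read search }` and `{ read getattr }` before switching. The summary line should read `Domain allowed access.`, and the stray extra `#` closing the "Local policy" banner in bitlbee.te can go.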
@@ -10349,7 +10446,7 @@
  manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-10-30 19:57:15.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.if	2007-10-30 20:52:50.000000000 -0400
 @@ -89,8 +89,11 @@
  	# bind to arbitary unused ports
  	corenet_tcp_bind_generic_port($1_t)
@@ -10363,6 +10460,31 @@
  
  	fs_rw_rpc_named_pipes($1_t) 
  	fs_search_auto_mountpoints($1_t)
+@@ -214,6 +217,24 @@
+ 
+ ########################################
+ ## <summary>
++##      Execute domain in nfsd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##      The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpc_domtrans_rpcd',`
++	gen_require(`
++		type rpcd_t, rpcd_exec_t;
++	')
++
++	domtrans_pattern($1,rpcd_exec_t,rpcd_t)
++')
++
++########################################
++## <summary>
+ ##      Read NFS exported content.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-10-29 23:59:29.000000000 -0400
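Review bot: The summary on the new `rpc_domtrans_rpcd` interface says `Execute domain in nfsd domain.`, but the body requires `rpcd_t, rpcd_exec_t` and calls `domtrans_pattern($1,rpcd_exec_t,rpcd_t)`, so the transition it grants is into rpcd_t. A policy author choosing interfaces by their summaries would grant a different domain transition than the text promises. The summary should read `##      Execute rpcd in the rpcd domain.`, and the parameter description is clearer as `Domain allowed to transition.`.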
@@ -13390,16 +13512,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.0.8/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/hotplug.te	2007-10-30 16:08:20.000000000 -0400
-@@ -10,6 +10,7 @@
- type hotplug_exec_t;
- kernel_domtrans_to(hotplug_t,hotplug_exec_t)
- init_daemon_domain(hotplug_t,hotplug_exec_t)
-+domain_trusted_type(hotplug_t)
- 
- type hotplug_etc_t;
- files_config_file(hotplug_etc_t)
-@@ -179,6 +180,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/hotplug.te	2007-10-30 20:40:30.000000000 -0400
+@@ -179,6 +179,7 @@
  	sysnet_read_dhcpc_pid(hotplug_t)
  	sysnet_rw_dhcp_config(hotplug_t)
  	sysnet_domtrans_ifconfig(hotplug_t)
@@ -13407,6 +13521,17 @@
  ')
  
  optional_policy(`
+@@ -188,6 +189,10 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(bootloader_t)
++')
++
++optional_policy(`
+ 	updfstab_domtrans(hotplug_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-10-29 23:59:29.000000000 -0400
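Review bot: The block added to hotplug.te calls `unconfined_domain(bootloader_t)`, which names bootloader_t rather than hotplug_t and repeats the rule that the bootloader.te hunk of this same revision already adds. It looks like a copy-paste slip: the line this revision drops from hotplug.te is `domain_trusted_type(hotplug_t)`, so the replacement was presumably meant to be `unconfined_domain(hotplug_t)`. As written, hotplug_t loses whatever access it had through tcbdomain, and hotplug.te refers to a type it does not declare in the lines shown. Because unconfined_domain is a very broad grant, the corrected line should also carry a short comment stating why hotplug needs it.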
@@ -13647,7 +13772,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-10-30 19:53:21.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-10-30 21:08:32.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -13669,7 +13794,7 @@
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -19,12 +33,13 @@
+@@ -19,6 +33,8 @@
  # Mark process types as daemons
  attribute daemon;
  
@@ -13678,13 +13803,7 @@
  #
  # init_t is the domain of the init process.
  #
- type init_t;
- type init_exec_t;
--domain_type(init_t)
- domain_entry_file(init_t,init_exec_t)
- kernel_domtrans_to(init_t,init_exec_t)
- role system_r types init_t;
-@@ -45,7 +60,7 @@
+@@ -45,7 +61,7 @@
  mls_trusted_object(initctl_t)
  
  type initrc_t;
@@ -13693,7 +13812,7 @@
  domain_type(initrc_t)
  domain_entry_file(initrc_t,initrc_exec_t)
  role system_r types initrc_t;
-@@ -73,7 +88,7 @@
+@@ -73,7 +89,7 @@
  #
  
  # Use capabilities. old rule:
@@ -13702,7 +13821,7 @@
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -171,13 +186,14 @@
+@@ -171,13 +187,14 @@
  	nscd_socket_use(init_t)
  ')
  
@@ -13717,13 +13836,13 @@
  	userdom_shell_domtrans_sysadm(init_t)
 +',`
 +	optional_policy(`
-+		unconfined_domain(init_t)
 +		unconfined_shell_domtrans(init_t)
++		unconfined_domain(init_t)
 +	')
  ')
  
  ########################################
-@@ -186,7 +202,7 @@
+@@ -186,7 +203,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -13732,7 +13851,7 @@
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -196,15 +212,13 @@
+@@ -196,15 +213,13 @@
  allow initrc_t self:tcp_socket create_stream_socket_perms;
  allow initrc_t self:udp_socket create_socket_perms;
  allow initrc_t self:fifo_file rw_file_perms;
@@ -13750,7 +13869,7 @@
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -233,6 +247,8 @@
+@@ -233,6 +248,8 @@
  # for lsof which is used by alsa shutdown:
  kernel_dontaudit_getattr_message_if(initrc_t)
  
@@ -13759,7 +13878,7 @@
  files_read_kernel_symbol_table(initrc_t)
  
  corenet_all_recvfrom_unlabeled(initrc_t)
-@@ -283,7 +299,6 @@
+@@ -283,7 +300,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -13767,7 +13886,7 @@
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -365,8 +380,6 @@
+@@ -365,8 +381,6 @@
  
  seutil_read_config(initrc_t)
  
@@ -13776,7 +13895,7 @@
  userdom_read_all_users_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the 
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -497,6 +510,47 @@
+@@ -497,6 +511,47 @@
  ')
  
  optional_policy(`
@@ -13824,7 +13943,7 @@
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -632,12 +686,6 @@
+@@ -632,12 +687,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -13837,7 +13956,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -649,15 +697,10 @@
+@@ -649,15 +698,10 @@
  ')
  
  optional_policy(`
@@ -13853,7 +13972,7 @@
  	openvpn_read_config(initrc_t)
  ')
  
-@@ -703,6 +746,9 @@
+@@ -703,6 +747,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -13863,7 +13982,7 @@
  ')
  
  optional_policy(`
-@@ -750,6 +796,10 @@
+@@ -750,6 +797,10 @@
  ')
  
  optional_policy(`



