rpms/selinux-policy/F-11 policy-20090521.patch, 1.11, 1.12 selinux-policy.spec, 1.871, 1.872

Daniel J Walsh dwalsh at fedoraproject.org
Fri Jun 12 18:42:13 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27984

Modified Files:
	policy-20090521.patch selinux-policy.spec 
Log Message:
* Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-51
- Remove some privs from svirt to tighten the policy


policy-20090521.patch:

Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- policy-20090521.patch	12 Jun 2009 13:08:56 -0000	1.11
+++ policy-20090521.patch	12 Jun 2009 18:42:12 -0000	1.12
@@ -370,7 +370,7 @@ diff -b -B --ignore-all-space --exclude-
  	optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-04 16:19:45.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te	2009-06-12 13:29:57.000000000 -0400
 @@ -91,6 +91,9 @@
  kernel_read_proc_symlinks(domain)
  kernel_read_crypto_sysctls(domain)
@@ -381,6 +381,16 @@ diff -b -B --ignore-all-space --exclude-
  # Every domain gets the key ring, so we should default
  # to no one allowed to look at it; afs kernel support creates
  # a keyring
+@@ -152,8 +155,7 @@
+ allow unconfined_domain_type domain:fd use;
+ allow unconfined_domain_type domain:fifo_file rw_file_perms;
+ 
+-allow unconfined_domain_type domain:dbus send_msg;
+-allow domain unconfined_domain_type:dbus send_msg;
++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;
+ 
+ # Act upon any other process.
+ allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-05-21 08:27:59.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/kernel/files.if	2009-06-11 14:03:01.000000000 -0400
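Review bot: The rewritten rule `++allow unconfined_domain_type unconfined_domain_type:dbus send_msg;` replaces both `allow unconfined_domain_type domain:dbus send_msg` and `allow domain unconfined_domain_type:dbus send_msg`, so confined domains lose the ability to exchange D-Bus messages with unconfined ones policy-wide; that is a kernel/domain.te change, not an svirt one. The log message and the spec changelog entry ("Remove some privs from svirt to tighten the policy") do not mention it, nor the xdm_t hwdata grant and the ipsec_t/ipsec_mgmt_t/racoon_t changes in the later hunks, so a reader of the changelog will not expect new dbus denials from this release. Suggest extending the changelog entry with lines such as `- Restrict dbus send_msg to within unconfined domains` and `- ipsec, racoon and xdm policy fixes`. Confined services that still need to talk to an unconfined D-Bus peer will now need an explicit interface call, so the first boot with this policy should be checked for dbus AVC denials.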
@@ -844,7 +854,7 @@ diff -b -B --ignore-all-space --exclude-
  logging_send_syslog_msg(uucpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-06-09 06:54:00.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-06-12 13:30:50.000000000 -0400
 @@ -183,6 +183,7 @@
  seutil_read_default_contexts(virtd_t)
  
@@ -853,7 +863,14 @@ diff -b -B --ignore-all-space --exclude-
  term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
-@@ -323,9 +324,13 @@
+@@ -316,16 +317,17 @@
+ dontaudit svirt_t virt_content_t:file write_file_perms;
+ dontaudit svirt_t virt_content_t:dir write;
+ 
+-storage_raw_write_removable_device(svirt_t)
+-storage_raw_read_removable_device(svirt_t)
+-
+ userdom_search_user_home_content(svirt_t)
  userdom_read_all_users_state(svirt_t)
  
  append_files_pattern(svirt_t, virt_log_t, virt_log_t)
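Review bot: The removed `storage_raw_write_removable_device(svirt_t)` and `storage_raw_read_removable_device(svirt_t)` lines leave no comment recording that the denial is intentional, and the same applies to the dropped `samba_domtrans_smb(svirt_t)` block in the following hunk; the next person who sees the resulting AVC denial for a guest with a passed-through removable device may simply re-add the interface. Suggest a comment where the lines were, e.g. `# svirt_t intentionally has no raw removable device access (removed in 3.6.12-51)`, and a matching one at the samba site. Whether the affected guest configurations should get a dontaudit rule instead of a logged denial is worth deciding explicitly, since the diff makes neither choice.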
@@ -867,10 +884,29 @@ diff -b -B --ignore-all-space --exclude-
  corenet_udp_sendrecv_generic_if(svirt_t)
  corenet_udp_sendrecv_generic_node(svirt_t)
  corenet_udp_sendrecv_all_ports(svirt_t)
+@@ -353,10 +355,6 @@
+ ')
+ 
+ optional_policy(`
+-	samba_domtrans_smb(svirt_t)
+-')
+-
+-optional_policy(`
+ 	xen_rw_image_files(svirt_t)
+ ')
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-05-26 08:17:11.000000000 -0400
-@@ -538,6 +538,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/xserver.te	2009-06-12 13:40:09.000000000 -0400
+@@ -530,6 +530,7 @@
+ miscfiles_read_localization(xdm_t)
+ miscfiles_read_fonts(xdm_t)
+ miscfiles_manage_localization(xdm_t)
++miscfiles_read_hwdata(xdm_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(xdm_t)
+ userdom_create_all_users_keys(xdm_t)
+@@ -538,6 +539,7 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -915,8 +951,64 @@ diff -b -B --ignore-all-space --exclude-
  /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-06-08 13:37:16.000000000 -0400
-@@ -163,7 +163,7 @@
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te	2009-06-12 11:35:19.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(ipsec, 1.9.0)
++policy_module(ipsec, 1.9.1)
+ 
+ ########################################
+ #
+@@ -53,7 +53,7 @@
+ # ipsec Local policy
+ #
+ 
+-allow ipsec_t self:capability { net_admin dac_override dac_read_search };
++allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
+ dontaudit ipsec_t self:capability sys_tty_config;
+ allow ipsec_t self:process { getsched signal setsched };
+ allow ipsec_t self:tcp_socket create_stream_socket_perms;
+@@ -67,7 +67,7 @@
+ read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
+ 
+ allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
+-rw_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
++manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
+ 
+ manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
+@@ -103,13 +103,11 @@
+ corenet_raw_sendrecv_all_nodes(ipsec_t)
+ corenet_tcp_sendrecv_all_ports(ipsec_t)
+ corenet_tcp_bind_all_nodes(ipsec_t)
++corenet_udp_bind_all_nodes(ipsec_t)
+ corenet_tcp_bind_reserved_port(ipsec_t)
+ corenet_tcp_bind_isakmp_port(ipsec_t)
+-
+-corenet_udp_bind_all_nodes(ipsec_t)
+ corenet_udp_bind_isakmp_port(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+-
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
+ 
+@@ -130,7 +128,7 @@
+ 
+ files_read_etc_files(ipsec_t)
+ files_read_usr_files(ipsec_t)
+-files_search_tmp(ipsec_t)
++files_list_tmp(ipsec_t)
+ 
+ init_use_fds(ipsec_t)
+ init_use_script_ptys(ipsec_t)
+@@ -157,13 +155,13 @@
+ # ipsec_mgmt Local policy
+ #
+ 
+-allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
++allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search ptrace };
+ allow ipsec_mgmt_t self:process { signal setrlimit };
+ allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
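Review bot: `++allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search ptrace };` uses `ptrace`, which is a permission of the `process` class; the capability class permission is `sys_ptrace`, so unless this tree's access vectors differ this line should be rejected at policy compile time. If a process-tracing capability is really intended, the line should read `sys_ptrace` with a comment naming the ipsec management tool that needs it, since that is a broad privilege for a management domain and the commit gives no reason for it. Likewise `++manage_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)` widens ipsec_t from read/write to create/delete on key files and `sys_nice` is added to ipsec_t, none of which the changelog entry mentions. A one-line comment above each new grant naming the denial it resolves would make this hunk reviewable later.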
@@ -925,7 +1017,25 @@ diff -b -B --ignore-all-space --exclude-
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
-@@ -284,6 +284,7 @@
+@@ -171,8 +169,6 @@
+ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+ files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+ 
+-logging_send_syslog_msg(ipsec_mgmt_t)
+-
+ manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+ manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
+ 
+@@ -248,6 +244,8 @@
+ init_exec_script_files(ipsec_mgmt_t)
+ init_use_fds(ipsec_mgmt_t)
+ 
++logging_send_syslog_msg(ipsec_mgmt_t)
++
+ miscfiles_read_localization(ipsec_mgmt_t)
+ 
+ modutils_domtrans_insmod(ipsec_mgmt_t)
+@@ -284,6 +282,7 @@
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
  allow racoon_t self:key_socket create_socket_perms;
@@ -933,7 +1043,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # manage pid file
  manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -301,6 +302,13 @@
+@@ -301,11 +300,21 @@
  kernel_read_system_state(racoon_t)
  kernel_read_network_state(racoon_t)
  
@@ -945,9 +1055,18 @@ diff -b -B --ignore-all-space --exclude-
 +sysnet_exec_ifconfig(racoon_t)
 +
  corenet_all_recvfrom_unlabeled(racoon_t)
++corenet_tcp_sendrecv_all_if(racoon_t)
++corenet_udp_sendrecv_all_if(racoon_t)
++corenet_tcp_sendrecv_all_nodes(racoon_t)
++corenet_udp_sendrecv_all_nodes(racoon_t)
  corenet_tcp_bind_all_nodes(racoon_t)
  corenet_udp_bind_all_nodes(racoon_t)
-@@ -348,6 +356,7 @@
+ corenet_udp_bind_isakmp_port(racoon_t)
+-corenet_udp_sendrecv_all_if(racoon_t)
+ corenet_udp_bind_ipsecnat_port(racoon_t)
+ 
+ dev_read_urand(racoon_t)
+@@ -348,6 +357,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.871
retrieving revision 1.872
diff -u -p -r1.871 -r1.872
--- selinux-policy.spec	12 Jun 2009 13:08:57 -0000	1.871
+++ selinux-policy.spec	12 Jun 2009 18:42:12 -0000	1.872
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 50%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-51
+- Remove some privs from svirt to tighten the policy
+
 * Fri Jun 12 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-50
 - Allow udev to transition to bluetooth
 



