From: petre rodan <kaiowas@gentoo.org>
To: SELinux <selinux@tycho.nsa.gov>
Subject: gentoo diffs
Date: Sat, 07 May 2005 15:55:52 +0300 [thread overview]
Message-ID: <427CBAD8.6060901@gentoo.org> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 467 bytes --]
Hi,
here is the short version of the gentoo policy patches:
* named: changed one file label
* daemontools: policy cleanup, added support for 2 more services
* dante: policy tweaks needed for latest versions
* gnupg: support for gnupg-1.9.x
* kerberos: gentoo file locations
* postfix: gentoo file locations for 64bit systems
* ucspi-tcp: patch from Andy Dustman to support rblsmtp
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
[-- Attachment #1.2: selinux-bind.diff --]
[-- Type: text/plain, Size: 619 bytes --]
--- /root/public_html/policy/nsa/file_contexts/program/named.fc 2005-04-17 00:36:16.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/bind/named.fc 2005-05-07 10:47:59.000000000 +0300
@@ -43,7 +43,7 @@
ifdef(`distro_gentoo', `
/etc/bind(/.*)? system_u:object_r:named_zone_t
/etc/bind/named\.conf -- system_u:object_r:named_conf_t
-/etc/bind/rndc\.key -- system_u:object_r:named_conf_t
+/etc/bind/rndc\.key -- system_u:object_r:dnssec_t
/var/bind(/.*)? system_u:object_r:named_cache_t
/var/bind/pri(/.*)? system_u:object_r:named_zone_t
') dnl distro_gentoo
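Review bot: Relabelling /etc/bind/rndc\.key from named_conf_t to dnssec_t narrows who can read the rndc shared secret to the domains that are granted dnssec_t, which is the right direction, but the rndc client side has to keep working after the relabel. Confirm that the domain rndc runs in (ndc_t in the base policy, if Gentoo uses it) can read dnssec_t, otherwise rndc will fail to authenticate to named. A one-line comment above the entry, `# rndc shared secret: key material, not generic named config`, would record why this line differs from the surrounding named_conf_t entries.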
[-- Attachment #1.3: selinux-daemontools.diff --]
[-- Type: text/plain, Size: 3391 bytes --]
--- /root/public_html/policy/nsa/macros/program/daemontools_macros.te 2005-03-15 19:54:55.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools_macros.te 2005-03-16 20:33:50.000000000 +0200
@@ -1,10 +1,10 @@
ifdef(`daemontools.te', `
define(`svc_ipc_domain',`
-allow $1 svc_start_t:process { sigchld };
-allow $1 svc_start_t:fd { use };
-allow $1 svc_start_t:fifo_file { read write };
-allow svc_start_t $1:process { signal };
+allow $1 svc_start_t:process sigchld;
+allow $1 svc_start_t:fd use;
+allow $1 svc_start_t:fifo_file { read write getattr };
+allow svc_start_t $1:process signal;
')
') dnl ifdef daemontools
--- /root/public_html/policy/nsa/file_contexts/program/daemontools.fc 2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools.fc 2005-03-16 20:08:01.000000000 +0200
@@ -22,7 +22,6 @@
/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
/usr/bin/svok -- system_u:object_r:svc_start_exec_t
-#/usr/bin/svstat -- system_u:object_r:svc_start_exec_t
/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
# starting scripts
--- /root/public_html/policy/nsa/domains/program/unused/daemontools.te 2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/daemontools/daemontools.te 2005-03-16 20:39:52.000000000 +0200
@@ -27,18 +27,16 @@
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')
-define(`svc_base_domain', `
-daemon_base_domain($1)
-svc_filedir_domain(`$1_t')
-')
-
##############################################################
# the domains
+daemon_base_domain(svc_script)
+svc_filedir_domain(svc_script_t)
# part started by initrc_t
-svc_base_domain(svc_start)
+daemon_base_domain(svc_start)
+domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
+svc_filedir_domain(svc_start_t)
-svc_base_domain(svc_script)
# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
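Review bot: The comment `# part started by initrc_t` no longer matches the block under it, because the new `domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)` adds a direct entry into svc_start_t from init_t (presumably svscanboot run from inittab). Update it to `# part started by initrc_t, or directly by init_t via inittab` so the extra entry point is visible to the next reader. Dropping the svc_base_domain macro is fine for this file, but any other policy file that still calls svc_base_domain() will stop building; worth a grep before merging.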
@@ -65,12 +63,18 @@
# svc_start_t
allow svc_start_t self:fifo_file rw_file_perms;
allow svc_start_t self:capability kill;
+allow svc_start_t self:unix_stream_socket create_socket_perms;
+
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
+allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
allow svc_start_t { var_t var_run_t }:dir search;
+can_exec(svc_start_t, bin_t)
can_exec(svc_start_t, shell_exec_t)
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process signal;
+dontaudit svc_start_t proc_t:file r_file_perms;
+dontaudit svc_start_t devtty_t:chr_file { read write };
# svc script
allow svc_script_t self:capability sys_admin;
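Review bot: `can_exec(svc_start_t, bin_t)` lets svc_start_t run any bin_t program inside its own domain with no transition, and svc_start_t already holds capability kill and transitions into the supervised service domains, so this noticeably widens what code runs with those rights. If one helper needs it, name it in a comment, e.g. `# <helper binary> is exec'd by svscanboot and lives in bin_t — confirm`, or label that helper svc_start_exec_t and rely on the existing execute_no_trans rule above. The two dontaudit lines are reasonable noise suppression; `dontaudit svc_start_t proc_t:file r_file_perms;` would read better with a note on what probes /proc.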
@@ -140,6 +144,11 @@
dontaudit httpd_t svc_svc_t:dir { search };
')
+ifdef(`clamav.te', `
+domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
+svc_ipc_domain(clamd_t)
+')
+
ifdef(`clockspeed.te', `
domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
svc_ipc_domain(clockspeed_t)
@@ -171,6 +180,11 @@
svc_ipc_domain(rsyncd_t)
')
+ifdef(`spamd.te', `
+domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
+svc_ipc_domain(spamd_t)
+')
+
ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
[-- Attachment #1.4: selinux-dante.diff --]
[-- Type: text/plain, Size: 783 bytes --]
--- /root/public_html/policy/nsa/domains/program/unused/dante.te 2004-12-06 21:01:25.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dante/dante.te 2005-03-08 12:59:22.000000000 +0200
@@ -10,11 +10,16 @@
can_network_server(dante_t)
allow dante_t self:fifo_file { read write };
-allow dante_t self:capability { setuid };
+allow dante_t self:capability { setuid setgid };
allow dante_t self:unix_dgram_socket { connect create write };
allow dante_t self:unix_stream_socket { connect create read setopt write };
+allow dante_t self:tcp_socket connect;
allow dante_t socks_port_t:tcp_socket name_bind;
allow dante_t { etc_t etc_runtime_t }:file r_file_perms;
r_dir_file(dante_t, dante_conf_t)
+
+allow dante_t initrc_var_run_t:file { getattr write };
+
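Review bot: `allow dante_t initrc_var_run_t:file { getattr write };` gives a network-facing SOCKS daemon write access to every initrc_var_run_t file under /var/run, not only its own pid file. The pattern used elsewhere in this policy is a private type such as dante_var_run_t with file_type_auto_trans from var_run_t, so sockd's runtime state cannot be confused with other init-script files; if the pid file is created by the init script and merely rewritten by sockd, say so in a comment, `# pid file is created by the init script; sockd only rewrites it — confirm`. The added `setgid` capability and `tcp_socket connect` are consistent with a proxy that drops privileges and opens outbound connections.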
[-- Attachment #1.5: selinux-gnupg.diff --]
[-- Type: text/plain, Size: 612 bytes --]
--- /root/public_html/policy/nsa/file_contexts/program/gpg.fc 2005-01-26 09:01:01.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/gnupg/gpg.fc 2005-04-08 12:24:21.000000000 +0300
@@ -1,5 +1,7 @@
# gpg
HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
-/usr/bin/gpg -- system_u:object_r:gpg_exec_t
+/usr/bin/gpg(2)? -- system_u:object_r:gpg_exec_t
/usr/bin/kgpg -- system_u:object_r:gpg_exec_t
-/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t
+/usr/lib/gnupg/gpgkeys.* -- system_u:object_r:gpg_helper_exec_t
+
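Review bot: `/usr/lib/gnupg/.* -- system_u:object_r:gpg_exec_t` labels every regular file in /usr/lib/gnupg as an entry point into gpg_t, including anything that is not a gnupg-1.9 binary, and the gpgkeys.* line has to stay after it so the more specific match still wins. Prefer listing the gnupg-1.9 executables that actually need gpg_exec_t, or at least narrow the regex to them, and add `# gnupg-1.9.x installs its binaries under /usr/lib/gnupg` above so the reason is recorded. The trailing blank `+` line at the end of the hunk can be dropped.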
[-- Attachment #1.6: selinux-kerberos.diff --]
[-- Type: text/plain, Size: 784 bytes --]
--- /root/public_html/policy/nsa/file_contexts/program/kerberos.fc 2005-01-12 20:52:11.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/kerberos/kerberos.fc 2005-02-26 22:59:34.000000000 +0200
@@ -9,3 +9,12 @@
/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
/var/log/kadmind\.log system_u:object_r:kadmind_log_t
/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
+
+# gentoo file locations
+/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
+/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t
+/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
+/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
+/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t
+/var/log/kadmin.log -- system_u:object_r:kadmind_log_t
+
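Review bot: The new entries `/etc/krb5kdc/kadm5.keytab` and `/var/log/kadmin.log` leave the `.` unescaped, unlike `krb5kdc\.log` and `kadmind\.log` just above, so they match any character in that position. Change them to `/etc/krb5kdc/kadm5\.keytab -- system_u:object_r:krb5_keytab_t` and `/var/log/kadmin\.log -- system_u:object_r:kadmind_log_t`. `/etc/krb5kdc/principal.*` has no file-type field, which is fine if the principal database has lock and ok files alongside it, but a short comment saying so would help; the trailing blank `+` line can be dropped.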
[-- Attachment #1.7: selinux-postfix.diff --]
[-- Type: text/plain, Size: 2208 bytes --]
--- /root/public_html/policy/nsa/file_contexts/program/postfix.fc 2005-02-17 13:58:35.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/postfix/postfix.fc 2005-04-17 00:34:20.000000000 +0300
@@ -5,17 +5,17 @@
')
/etc/postfix/postfix-script.* -- system_u:object_r:postfix_exec_t
/etc/postfix/prng_exch -- system_u:object_r:postfix_prng_t
-/usr/lib(exec)?/postfix/.* -- system_u:object_r:postfix_exec_t
-/usr/lib(exec)?/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
-/usr/lib(exec)?/postfix/local -- system_u:object_r:postfix_local_exec_t
-/usr/lib(exec)?/postfix/master -- system_u:object_r:postfix_master_exec_t
-/usr/lib(exec)?/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
-/usr/lib(exec)?/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
-/usr/lib(exec)?/postfix/showq -- system_u:object_r:postfix_showq_exec_t
-/usr/lib(exec)?/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
-/usr/lib(exec)?/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
-/usr/lib(exec)?/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
-/usr/lib(exec)?/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
+/usr/lib(exec)?(64)?/postfix/.* -- system_u:object_r:postfix_exec_t
+/usr/lib(exec)?(64)?/postfix/cleanup -- system_u:object_r:postfix_cleanup_exec_t
+/usr/lib(exec)?(64)?/postfix/local -- system_u:object_r:postfix_local_exec_t
+/usr/lib(exec)?(64)?/postfix/master -- system_u:object_r:postfix_master_exec_t
+/usr/lib(exec)?(64)?/postfix/pickup -- system_u:object_r:postfix_pickup_exec_t
+/usr/lib(exec)?(64)?/postfix/(n)?qmgr -- system_u:object_r:postfix_qmgr_exec_t
+/usr/lib(exec)?(64)?/postfix/showq -- system_u:object_r:postfix_showq_exec_t
+/usr/lib(exec)?(64)?/postfix/smtp -- system_u:object_r:postfix_smtp_exec_t
+/usr/lib(exec)?(64)?/postfix/smtpd -- system_u:object_r:postfix_smtpd_exec_t
+/usr/lib(exec)?(64)?/postfix/bounce -- system_u:object_r:postfix_bounce_exec_t
+/usr/lib(exec)?(64)?/postfix/pipe -- system_u:object_r:postfix_pipe_exec_t
/usr/sbin/postalias -- system_u:object_r:postfix_master_exec_t
/usr/sbin/postcat -- system_u:object_r:postfix_master_exec_t
/usr/sbin/postdrop -- system_u:object_r:postfix_postdrop_exec_t
[-- Attachment #1.8: selinux-ucspi-tcp.diff --]
[-- Type: text/plain, Size: 2214 bytes --]
--- /root/public_html/policy/nsa/file_contexts/program/ucspi-tcp.fc 2005-03-15 19:54:54.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ucspi-tcp/ucspi-tcp.fc 2005-03-16 19:57:48.000000000 +0200
@@ -1,2 +1,3 @@
#ucspi-tcp
/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
+/usr/bin/rblsmtpd -- system_u:object_r:rblsmtpd_exec_t
--- /root/public_html/policy/nsa/domains/program/unused/ucspi-tcp.te 2005-04-17 00:36:16.000000000 +0300
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/ucspi-tcp/ucspi-tcp.te 2005-05-07 12:41:02.000000000 +0300
@@ -1,6 +1,7 @@
#DESC ucspi-tcp - TCP Server and Client Tools
#
# Author Petre Rodan <kaiowas@gentoo.org>
+# Andy Dustman (rblsmtp-related policy)
#
# http://cr.yp.to/ucspi-tcp.html
@@ -9,18 +10,16 @@
daemon_base_domain(utcpserver)
can_network(utcpserver_t)
-allow utcpserver_t port_type:tcp_socket name_connect;
-#reads /etc/nsswitch.conf and resolv.conf
-allow utcpserver_t etc_t:file { getattr read };
-allow utcpserver_t net_conf_t:file { read };
-
-allow utcpserver_t { bin_t var_t }:dir { search };
+allow utcpserver_t etc_t:file r_file_perms;
+allow utcpserver_t { bin_t sbin_t var_t }:dir search;
allow utcpserver_t self:capability { net_bind_service setgid setuid };
allow utcpserver_t self:fifo_file { read write };
allow utcpserver_t self:process { fork sigchld };
+allow utcpserver_t port_t:udp_socket name_bind;
+
ifdef(`qmail.te', `
domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
allow utcpserver_t smtp_port_t:tcp_socket name_bind;
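Review bot: The hunk drops `allow utcpserver_t net_conf_t:file { read };` together with the comment that explained it (resolv.conf and nsswitch.conf), yet keeps tcpserver's resolver-side access via `port_t:udp_socket name_bind`, so hostname lookups by tcpserver will be denied wherever /etc/resolv.conf is still labelled net_conf_t. Either keep the net_conf_t read or state in a comment that Gentoo labels resolv.conf etc_t, in which case `allow utcpserver_t etc_t:file r_file_perms;` covers it. Removing the broad `port_type:tcp_socket name_connect` is a welcome tightening. The ifdef(`qmail.te') block continues past the end of this hunk.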
@@ -29,3 +28,24 @@
allow utcpserver_t qmail_etc_t:file r_file_perms;
')
+daemon_base_domain(rblsmtpd)
+can_network(rblsmtpd_t)
+
+allow rblsmtpd_t self:process { fork sigchld };
+
+allow rblsmtpd_t etc_t:file r_file_perms;
+allow rblsmtpd_t { bin_t var_t }:dir search;
+allow rblsmtpd_t port_t:udp_socket name_bind;
+allow rblsmtpd_t utcpserver_t:tcp_socket { read write getattr };
+
+ifdef(`qmail.te', `
+domain_auto_trans(rblsmtpd_t, qmail_smtpd_exec_t, qmail_smtpd_t)
+allow qmail_queue_t rblsmtpd_t:fd use;
+')
+
+ifdef(`daemontools.te', `
+svc_ipc_domain(rblsmtpd_t)
+')
+
+domain_auto_trans(utcpserver_t, rblsmtpd_exec_t, rblsmtpd_t)
+
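Review bot: rblsmtpd_t is granted `utcpserver_t:tcp_socket { read write getattr }` for the connection it inherits, but no `allow rblsmtpd_t utcpserver_t:fd use;`, so unless daemon_base_domain already supplies fd inheritance from the parent domain the inherited descriptors will be denied before the socket rules apply; the hunk itself adds `allow qmail_queue_t rblsmtpd_t:fd use;` for the next hop, which suggests the analogous rule is needed for this one. rblsmtpd also queries DNS blocklists, so the same resolv.conf labelling question raised for utcpserver_t applies here. daemon_base_domain(rblsmtpd) is broader than a program only ever started by tcpserver needs if that macro also wires an initrc_t start-up path; a comment such as `# rblsmtpd is only entered via utcpserver_t; initrc_t transition unused` or a lighter base macro would make that explicit.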
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 265 bytes --]