* policy patch against subversion tree
@ 2006-10-05 12:44 Russell Coker
From: Russell Coker @ 2006-10-05 12:44 UTC (permalink / raw)
To: SE-Linux
Allow unconfined processes to see unlabeled processes in ps.
Removed a redundant rule in samba.te, and some inappropriate permissions in
amavis.te.
Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.
Removed support for devpts_t files in /tmp (there is no way that would ever
work).
Allowed postgrey to create socket files.
Made the specs for the /lib and /lib64 directories better support stem
compression.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
diff -ru policy.orig/modules/kernel/files.if policy/modules/kernel/files.if
--- policy.orig/modules/kernel/files.if 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/files.if 2006-10-05 22:33:15.000000000 +1000
@@ -1390,26 +1390,6 @@
########################################
## <summary>
-## Read and write symbolic links
-## in the /boot directory.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_rw_boot_symlinks',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir r_dir_perms;
- allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-## <summary>
## Create, read, write, and delete symbolic links
## in the /boot directory.
## </summary>
diff -ru policy.orig/modules/kernel/kernel.if policy/modules/kernel/kernel.if
--- policy.orig/modules/kernel/kernel.if 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/kernel.if 2006-10-05 22:33:15.000000000 +1000
@@ -2060,6 +2060,24 @@
########################################
## <summary>
+## Allow caller to stat unlabeled processes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_unlabeled_procs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:process getattr;
+')
+
+########################################
+## <summary>
## Allow caller to relabel unlabeled files.
## </summary>
## <param name="domain">
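Review bot: The new interface grants only `unlabeled_t:process getattr` (the allow rule in `kernel_getattr_unlabeled_procs`), which is the process-class half of what the commit message's ps use case needs; the /proc/&lt;pid&gt; entries of an unlabeled process presumably carry the same unlabeled label, so a caller could still be denied reading them — worth confirming against the audit output from the ps run that motivated this. The summary is also slightly loose: "stat" is a file-system term, while the rule is a process getattr, so `## Allow caller to get attributes of unlabeled processes.` would describe the grant exactly. If the /proc side is needed, it should be a separate files/proc interface rather than widened here, so this interface stays narrow.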
diff -ru policy.orig/modules/kernel/terminal.te policy/modules/kernel/terminal.te
--- policy.orig/modules/kernel/terminal.te 2006-10-05 22:30:53.000000000 +1000
+++ policy/modules/kernel/terminal.te 2006-10-05 22:33:15.000000000 +1000
@@ -28,7 +28,6 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff -ru policy.orig/modules/services/amavis.te policy/modules/services/amavis.te
--- policy.orig/modules/services/amavis.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/amavis.te 2006-10-05 22:33:15.000000000 +1000
@@ -50,6 +50,7 @@
allow amavis_t self:unix_stream_socket create_stream_socket_perms;
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
+kernel_read_proc_symlinks(amavis_t)
# configuration files
allow amavis_t amavis_etc_t:dir r_dir_perms;
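Review bot: `kernel_read_proc_symlinks(amavis_t)` is a new grant with no comment, and the commit message mentions only removals for amavis.te, so a reader cannot tell what denial it resolves or why it belongs next to the socket rules; the later hunks in this file (the `files_spool_filetrans` and `files_var_*_filetrans` removals) are covered by the message, this addition is not. A one-line why-comment would fix that, e.g. `# amavisd reads /proc symlinks (e.g. /proc/self/*) - denial seen in <AUDIT-MSG-PLACEHOLDER>`, with the actual denial substituted. Grouping it with the other kernel_* calls rather than between the self:socket rules and the "configuration files" section would also match the module's layout.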
@@ -66,7 +67,6 @@
allow amavis_t amavis_spool_t:dir manage_dir_perms;
allow amavis_t amavis_spool_t:file manage_file_perms;
allow amavis_t amavis_spool_t:sock_file manage_file_perms;
-files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file })
type_transition amavis_t amavis_spool_t:sock_file amavis_var_run_t;
# tmp files
@@ -78,8 +78,6 @@
allow amavis_t amavis_var_lib_t:file create_file_perms;
allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
allow amavis_t amavis_var_lib_t:dir create_dir_perms;
-files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file })
-files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file)
# log files
allow amavis_t amavis_var_log_t:file create_file_perms;
diff -ru policy.orig/modules/services/mailman.te policy/modules/services/mailman.te
--- policy.orig/modules/services/mailman.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/mailman.te 2006-10-05 22:33:15.000000000 +1000
@@ -40,6 +40,9 @@
dev_read_urand(mailman_cgi_t)
+# for python pre-compile foolishness
+ dontaudit mailman_cgi_t lib_t:dir write;
+
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
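Review bot: The added `dontaudit mailman_cgi_t lib_t:dir write;` is indented by a leading space while every surrounding rule in this hunk sits at column 0, and the comment "for python pre-compile foolishness" does not say what is being silenced — presumably the interpreter trying to write byte-compiled output into library directories on import, which is worth stating so the next reader knows this is an expected, harmless denial and not a misconfiguration. Something like `# Python attempts to write byte-compiled files into lib dirs on import; deny quietly` would do. The commit message does not mention mailman.te at all; a line for it there would help anyone reading the history later.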
diff -ru policy.orig/modules/services/postgrey.te policy/modules/services/postgrey.te
--- policy.orig/modules/services/postgrey.te 2006-10-05 22:31:08.000000000 +1000
+++ policy/modules/services/postgrey.te 2006-10-05 22:33:15.000000000 +1000
@@ -18,6 +18,8 @@
type postgrey_var_run_t;
files_pid_file(postgrey_var_run_t)
+files_pid_filetrans(postgrey_t, postgrey_var_run_t, sock_file)
+allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
########################################
#
diff -ru policy.orig/modules/services/samba.te policy/modules/services/samba.te
--- policy.orig/modules/services/samba.te 2006-10-05 22:31:09.000000000 +1000
+++ policy/modules/services/samba.te 2006-10-05 22:33:15.000000000 +1000
@@ -501,10 +501,6 @@
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
- cups_read_rw_config(smbd_t)
-')
-
-optional_policy(`
nis_use_ypbind(smbmount_t)
')
diff -ru policy.orig/modules/system/init.te policy/modules/system/init.te
--- policy.orig/modules/system/init.te 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/init.te 2006-10-05 22:33:15.000000000 +1000
@@ -430,11 +430,6 @@
selinux_set_enforce_mode(initrc_t)
- # Create and read /boot/kernel.h and /boot/System.map.
- # Redhat systems typically create this file at boot time.
- bootloader_create_runtime_file(initrc_t)
- files_rw_boot_symlinks(initrc_t)
-
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
diff -ru policy.orig/modules/system/libraries.fc policy/modules/system/libraries.fc
--- policy.orig/modules/system/libraries.fc 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/libraries.fc 2006-10-05 22:33:15.000000000 +1000
@@ -41,8 +41,10 @@
#
# /lib(64)?
#
-/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/lib64(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/lib -d gen_context(system_u:object_r:lib_t,s0)
+/lib/.* gen_context(system_u:object_r:lib_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib64/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
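Review bot: Splitting `/lib(/.*)?` into `/lib -d` plus `/lib/.*` changes what the top-level entry matches: the old spec labeled `/lib` whatever its file type, the new `-d` entry matches only a directory. If `/lib` or `/lib64` is a symbolic link on some distribution layout (a 64-bit tree that points one at the other, for instance), that link no longer matches any entry here and falls to whichever less specific spec wins by default — likely the root directory's. Adding a `-l` entry for each, or dropping `-d` on these three lines, keeps the old coverage while still giving the stem optimisation; the same applies to the `/lib32` hunk below.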
@@ -57,7 +59,8 @@
')
ifdef(`distro_gentoo',`
-/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/lib32 -d gen_context(system_u:object_r:lib_t,s0)
+/lib32/.* gen_context(system_u:object_r:lib_t,s0)
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/lib32/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
')
diff -ru policy.orig/modules/system/unconfined.if policy/modules/system/unconfined.if
--- policy.orig/modules/system/unconfined.if 2006-10-05 22:31:10.000000000 +1000
+++ policy/modules/system/unconfined.if 2006-10-05 22:33:15.000000000 +1000
@@ -88,6 +88,11 @@
optional_policy(`
storage_unconfined($1)
')
+
+ optional_policy(`
+ kernel_getattr_unlabeled_procs($1)
+ kernel_kill_unlabeled($1)
+ ')
')
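Review bot: The new block also calls `kernel_kill_unlabeled($1)`, which grants more than the commit message's "see unlabeled processes in ps"; a kill grant to every unconfined domain deserves either its own line in the description or a comment in the block such as `# allow unconfined domains to list (getattr) and signal (kill) unlabeled processes`. Wrapping two kernel_* interfaces in `optional_policy()` also looks inconsistent with the rest of the patch, where `kernel_read_proc_symlinks(amavis_t)` in amavis.te is called unwrapped — if the kernel module is part of the base in this tree, as that suggests, the wrapper is unnecessary and the calls can sit directly in the interface body. The enclosing interface begins before this hunk, so I cannot see whether an earlier kernel_* call in it already sets the convention.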
########################################
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: policy patch against subversion tree
@ 2006-10-05 19:55 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-10-05 19:55 UTC (permalink / raw)
To: russell, Daniel J Walsh; +Cc: SELinux Mail List
Merged, with some notes:
On Thu, 2006-10-05 at 22:44 +1000, Russell Coker wrote:
> Allow unconfined processes to see unlabeled processes in ps.
Enhanced the kern_unconfined rules in kernel.te instead.
> Removed a redundant rule in samba.te, and some inappropriate permissions in
> amavis.te.
These amavis removals were added by Dan in August, so there needs to
be some discussion on this. Dan?
> Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.
Kept the interface, in case there are 3rd party callers of this
interface.
> Removed support for devpts_t files in /tmp (there is no way that would ever
> work).
>
> Allowed postgrey to create socket files.
Moved this hunk down.
> Made the specs for the /lib and /lib64 directories better support stem
> compression.
Fixed the mailman addition to use an interface.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: policy patch against subversion tree
@ 2006-10-05 21:13 ` Daniel J Walsh
From: Daniel J Walsh @ 2006-10-05 21:13 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: russell, SELinux Mail List
Christopher J. PeBenito wrote:
> Merged, with some notes:
>
> On Thu, 2006-10-05 at 22:44 +1000, Russell Coker wrote:
>
>> Allow unconfined processes to see unlabeled processes in ps.
>>
>
> Enhanced the kern_unconfined rules in kernel.te instead.
>
>
>> Removed a redundant rule in samba.te, and some inappropriate permissions in
>> amavis.te.
>>
>
> This amavis removals were added from Dan from August, so there needs to
> be some discussion on this. Dan?
>
>
Go with Russell's changes; I believe the input for some of my changes
came from him.
>> Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.
>>
>
> Kept the interface, in case there are 3rd party callers of this
> interface.
>
>
>> Removed support for devpts_t files in /tmp (there is no way that would ever
>> work).
>>
>> Allowed postgrey to create socket files.
>>
>
> Moved this hunk down.
>
>
>> Made the specs for the /lib and /lib64 directories better support stem
>> compression.
>>
>
> Fixed the mailman addition to use an interface.
>
>