rpms/selinux-policy/F-8 modules-targeted.conf, 1.73, 1.74 policy-20070703.patch, 1.184, 1.185 selinux-policy.spec, 1.611, 1.612
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Feb 15 21:41:56 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5551
Modified Files:
modules-targeted.conf policy-20070703.patch
selinux-policy.spec
Log Message:
* Fri Feb 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-86
- Add prelude/audisp policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/modules-targeted.conf,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -r1.73 -r1.74
--- modules-targeted.conf 15 Jan 2008 18:55:37 -0000 1.73
+++ modules-targeted.conf 15 Feb 2008 21:41:20 -0000 1.74
@@ -1563,3 +1563,11 @@
# NX Remote Desktop
#
nx = module
+
+# Layer: services
+# Module: prelude
+#
+#
+#
+prelude = module
+
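Review bot: The new `prelude = module` entry has an empty description — three bare `#` lines where the neighbouring entries (e.g. `# NX Remote Desktop`) state what the module confines. Suggest `# Prelude IDS manager (prelude-manager) and the audisp-prelude audit-dispatcher plugin`, which is what the prelude.fc added in the accompanying patch labels.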
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -r1.184 -r1.185
--- policy-20070703.patch 14 Feb 2008 20:26:00 -0000 1.184
+++ policy-20070703.patch 15 Feb 2008 21:41:20 -0000 1.185
@@ -4185,7 +4185,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-11 18:25:44.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-15 16:34:22.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -4240,7 +4240,7 @@
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -122,6 +134,7 @@
+@@ -122,10 +134,12 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
@@ -4248,7 +4248,12 @@
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -137,16 +150,16 @@
+ network_port(postgrey, tcp,60000,s0)
++network_port(prelude, tcp,4690,s0, udp,4690,s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+ network_port(pxe, udp,4011,s0)
+@@ -137,16 +151,16 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
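Review bot: `network_port(prelude, tcp,4690,s0, udp,4690,s0)` declares a UDP port as well, but prelude.te later in this patch only calls the generated `corenet_tcp_bind_prelude_port`/`corenet_tcp_connect_prelude_port` interfaces and grants no udp_socket permissions to `prelude_t`. If prelude-manager really listens on UDP 4690 the udp bind interface is missing; if it does not, the udp entry only reserves a port label nobody can use — worth confirming against the daemon's configuration.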
@@ -4268,7 +4273,7 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +173,19 @@
+@@ -160,13 +174,19 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
@@ -5237,7 +5242,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-01-24 15:47:50.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-02-15 16:28:22.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -5319,7 +5324,114 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -2139,6 +2119,7 @@
+@@ -1249,6 +1229,106 @@
+
+ ########################################
+ ## <summary>
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_fusefs_dirs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to create, read,
++## write, and delete directories
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_fusefs_dirs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_files_pattern($1,fusefs_t,fusefs_t)
++')
++
++########################################
++## <summary>
++## Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1,fusefs_t,fusefs_t)
++')
++
++
++########################################
++## <summary>
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_fusefs_files',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ dontaudit $1 fusefs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
+ ## Search inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -2139,6 +2219,7 @@
rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t)
')
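Review bot: `fs_manage_fusefs_dirs` and `fs_dontaudit_manage_fusefs_dirs` write the rule by hand (`allow $1 fusefs_t:dir manage_dir_perms;`) while the sibling `fs_manage_fusefs_files` and `fs_read_fusefs_symlinks` use the `*_pattern` macros; for a single type such as fusefs_t the resulting permissions are the same, so this is style, but `manage_dirs_pattern($1,fusefs_t,fusefs_t)` keeps the block consistent with the rest of filesystem.if. Note also that `fs_dontaudit_manage_fusefs_files` silences only `fusefs_t:file`, so a caller that manages files without also calling the dirs variant will still log dir denials; whether that is intended is not visible in the hunk.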
@@ -5327,7 +5439,7 @@
########################################
## <summary>
## Mount a RAM filesystem.
-@@ -2214,6 +2195,24 @@
+@@ -2214,6 +2295,24 @@
########################################
## <summary>
@@ -5352,7 +5464,7 @@
## Search directories on a ramfs
## </summary>
## <param name="domain">
-@@ -2276,7 +2275,7 @@
+@@ -2276,7 +2375,7 @@
## Domain allowed access.
## </summary>
## </param>
@@ -5361,7 +5473,7 @@
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
-@@ -3322,6 +3321,24 @@
+@@ -3322,6 +3421,24 @@
########################################
## <summary>
@@ -5386,7 +5498,7 @@
## List all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -3533,3 +3550,62 @@
+@@ -3533,3 +3650,62 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -8566,7 +8678,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-21 14:38:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-02-15 15:41:49.000000000 -0500
@@ -50,6 +50,12 @@
## </param>
#
@@ -8619,7 +8731,7 @@
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
-@@ -193,18 +214,28 @@
+@@ -193,18 +214,23 @@
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t;
@@ -8629,14 +8741,10 @@
- type $1_dbusd_system_t;
- type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
-+# type $1_dbusd_system_t;
-+# type_change $2 system_dbusd_t:dbus $1_dbusd_system_t;
++ allow $2 { system_dbusd_t $2 }:dbus send_msg;
- # SE-DBus specific permissions
+- # SE-DBus specific permissions
- allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-+# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
-+ allow $2 { system_dbusd_t $2 }:dbus send_msg;
-+
+ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)
+ files_search_var_lib($2)
@@ -8651,7 +8759,7 @@
')
#######################################
-@@ -236,14 +267,16 @@
+@@ -236,14 +262,16 @@
class dbus send_msg;
')
@@ -8671,7 +8779,7 @@
')
########################################
-@@ -271,6 +304,60 @@
+@@ -271,6 +299,60 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@@ -8732,7 +8840,7 @@
########################################
## <summary>
## Read dbus configuration.
-@@ -286,6 +373,7 @@
+@@ -286,6 +368,7 @@
type dbusd_etc_t;
')
@@ -8740,7 +8848,7 @@
allow $1 dbusd_etc_t:file read_file_perms;
')
-@@ -346,3 +434,55 @@
+@@ -346,3 +429,55 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -12827,6 +12935,302 @@
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:capability net_raw;
allow pptp_t self:fifo_file { read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.0.8/policy/modules/services/prelude.fc
+--- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/prelude.fc 2008-02-15 15:35:36.000000000 -0500
+@@ -0,0 +1,14 @@
++
++/sbin/audisp-prelude -- gen_context(system_u:object_r:audisp_prelude_exec_t,s0)
++
++/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
++
++/etc/rc.d/init.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0)
++
++/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
++
++/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
++/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
++/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.0.8/policy/modules/services/prelude.if
+--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/prelude.if 2008-02-15 15:35:36.000000000 -0500
+@@ -0,0 +1,128 @@
++
++## <summary>policy for prelude</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run prelude.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`prelude_domtrans',`
++ gen_require(`
++ type prelude_t;
++ type prelude_exec_t;
++ ')
++
++ domtrans_pattern($1,prelude_exec_t,prelude_t)
++')
++
++
++########################################
++## <summary>
++## Execute prelude server in the prelude domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`prelude_script_domtrans',`
++ gen_require(`
++ type prelude_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,prelude_script_exec_t)
++')
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an prelude environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the user terminal.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`prelude_admin',`
++ gen_require(`
++ type prelude_t;
++ type prelude_spool_t;
++ type prelude_var_run_t;
++ type prelude_var_lib_t;
++ type prelude_script_exec_t;
++ type audisp_prelude_t;
++ type audisp_prelude_var_run_t;
++ ')
++
++ allow $1 prelude_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, prelude_t, prelude_t)
++
++ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
++
++ # Allow prelude_t to restart the apache service
++ prelude_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 prelude_script_exec_t system_r;
++ allow $2 system_r;
++
++ manage_all_pattern($1, prelude_spool_t)
++ manage_all_pattern($1, prelude_var_lib_t)
++ manage_all_pattern($1, prelude_var_run_t)
++ manage_all_pattern($1, audisp_prelude_var_run_t)
++')
++
++########################################
++## <summary>
++## Execute a domain transition to run audisp_prelude.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`audisp_prelude_domtrans',`
++ gen_require(`
++ type audisp_prelude_t;
++ type audisp_prelude_exec_t;
++ ')
++
++ domtrans_pattern($1,audisp_prelude_exec_t,audisp_prelude_t)
++')
++
++########################################
++## <summary>
++## Signal the audisp_prelude domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`audisp_prelude_signal',`
++ gen_require(`
++ type audisp_prelude_t;
++ ')
++
++ allow $1 audisp_prelude_t:process signal;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.0.8/policy/modules/services/prelude.te
+--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/prelude.te 2008-02-15 15:35:36.000000000 -0500
+@@ -0,0 +1,142 @@
++policy_module(prelude,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type prelude_t;
++type prelude_exec_t;
++domain_type(prelude_t)
++init_daemon_domain(prelude_t, prelude_exec_t)
++
++type prelude_spool_t;
++files_type(prelude_spool_t)
++
++type prelude_var_run_t;
++files_pid_file(prelude_var_run_t)
++
++type prelude_var_lib_t;
++files_type(prelude_var_lib_t)
++
++type prelude_script_exec_t;
++init_script_type(prelude_script_exec_t)
++
++type audisp_prelude_t;
++type audisp_prelude_exec_t;
++domain_type(audisp_prelude_t)
++init_daemon_domain(audisp_prelude_t, audisp_prelude_exec_t)
++
++type audisp_prelude_var_run_t;
++files_pid_file(audisp_prelude_var_run_t)
++
++########################################
++#
++# prelude local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(prelude_t)
++
++allow prelude_t self:capability sys_tty_config;
++
++# internal communication is often done using fifo and unix sockets.
++allow prelude_t self:fifo_file rw_file_perms;
++allow prelude_t self:unix_stream_socket create_stream_socket_perms;
++
++allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
++allow prelude_t self:tcp_socket create_stream_socket_perms;
++
++dev_read_rand(prelude_t)
++dev_read_urand(prelude_t)
++
++manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
++manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
++files_pid_filetrans(prelude_t, prelude_var_run_t, file)
++
++files_read_etc_files(prelude_t)
++files_read_usr_files(prelude_t)
++
++files_search_var_lib(prelude_t)
++manage_dirs_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
++manage_files_pattern(prelude_t,prelude_var_lib_t,prelude_var_lib_t)
++
++files_search_spool(prelude_t)
++manage_dirs_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
++manage_files_pattern(prelude_t,prelude_spool_t,prelude_spool_t)
++
++auth_use_nsswitch(prelude_t)
++
++libs_use_ld_so(prelude_t)
++libs_use_shared_libs(prelude_t)
++
++logging_send_audit_msgs(prelude_t)
++logging_send_syslog_msg(prelude_t)
++
++miscfiles_read_localization(prelude_t)
++
++corenet_all_recvfrom_unlabeled(prelude_t)
++corenet_all_recvfrom_netlabel(prelude_t)
++corenet_tcp_sendrecv_all_if(prelude_t)
++corenet_tcp_sendrecv_all_nodes(prelude_t)
++corenet_tcp_bind_all_nodes(prelude_t)
++corenet_tcp_bind_prelude_port(prelude_t)
++corenet_tcp_connect_prelude_port(prelude_t)
++
++corecmd_search_bin(prelude_t)
++
++optional_policy(`
++ mysql_search_db(prelude_t)
++ mysql_stream_connect(prelude_t)
++')
++
++optional_policy(`
++ postgresql_stream_connect(prelude_t)
++')
++
++########################################
++#
++# audisp_prelude local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(audisp_prelude_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow audisp_prelude_t self:fifo_file rw_file_perms;
++allow audisp_prelude_t self:unix_stream_socket create_stream_socket_perms;
++allow audisp_prelude_t self:netlink_route_socket r_netlink_socket_perms;
++allow audisp_prelude_t self:tcp_socket create_socket_perms;
++
++manage_sock_files_pattern(audisp_prelude_t, audisp_prelude_var_run_t, audisp_prelude_var_run_t)
++files_pid_filetrans(audisp_prelude_t, audisp_prelude_var_run_t, sock_file)
++
++dev_read_rand(audisp_prelude_t)
++dev_read_urand(audisp_prelude_t)
++
++files_read_etc_files(audisp_prelude_t)
++
++libs_use_ld_so(audisp_prelude_t)
++libs_use_shared_libs(audisp_prelude_t)
++
++logging_send_syslog_msg(audisp_prelude_t)
++
++miscfiles_read_localization(audisp_prelude_t)
++
++corecmd_search_bin(audisp_prelude_t)
++allow audisp_prelude_t self:unix_dgram_socket create_socket_perms;
++
++logging_audisp_system_domain(audisp_prelude_t, audisp_prelude_exec_t)
++
++files_search_spool(audisp_prelude_t)
++manage_dirs_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
++manage_files_pattern(audisp_prelude_t,prelude_spool_t,prelude_spool_t)
++
++corenet_all_recvfrom_unlabeled(audisp_prelude_t)
++corenet_all_recvfrom_netlabel(audisp_prelude_t)
++corenet_tcp_sendrecv_all_if(audisp_prelude_t)
++corenet_tcp_sendrecv_all_nodes(audisp_prelude_t)
++corenet_tcp_bind_all_nodes(audisp_prelude_t)
++corenet_tcp_connect_prelude_port(audisp_prelude_t)
++
++allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-02-04 13:40:59.000000000 -0500
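Review bot: The last line of prelude.te, `allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;`, references `audisp_t` — declared in logging.te by this same patch — directly from the prelude module with no `gen_require`; refpolicy modules reach foreign types only through interfaces, and a modular build may reject the undeclared type. The natural home is `logging_audisp_system_domain` (logging.if, later in this patch), which already does `domtrans_pattern(audisp_t,$2,$1)` and could add `allow $1 audisp_t:unix_stream_socket rw_socket_perms;` so every audisp plugin domain inherits the dispatcher socket the same way. Two smaller issues in the same hunk: prelude.fc's `/etc/rc.d/init.d/prelude-manager` leaves the dots unescaped (compare `/etc/rc\.d/init\.d/rsyslog` in logging.fc below), and the `prelude_admin` comments `# Allow prelude_t to restart the apache service` and `The role to be allowed to manage the syslog domain.` are copy-paste leftovers that should name prelude. The `audisp_prelude_signal` parameter summary `Domain allowed to transition.` likewise belongs to a domtrans interface; `Domain allowed access.` is the convention.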
@@ -14688,8 +15092,23 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-01-17 09:03:07.000000000 -0500
-@@ -27,8 +27,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-02-15 15:40:37.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(setroubleshoot,1.4.1)
++policy_module(setroubleshoot,1.6.0)
+
+ ########################################
+ #
+@@ -22,13 +22,16 @@
+ type setroubleshoot_var_run_t;
+ files_pid_file(setroubleshoot_var_run_t)
+
++type setroubleshoot_script_exec_t;
++init_script_type(setroubleshoot_script_exec_t)
++
+ ########################################
+ #
# setroubleshootd local policy
#
@@ -14700,16 +15119,17 @@
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -53,6 +53,8 @@
+@@ -52,7 +55,9 @@
+
kernel_read_kernel_sysctls(setroubleshootd_t)
kernel_read_system_state(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -67,13 +69,18 @@
+@@ -67,16 +72,22 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
@@ -14729,18 +15149,37 @@
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
-@@ -111,3 +118,11 @@
- rpm_dontaudit_manage_db(setroubleshootd_t)
- rpm_use_script_fds(setroubleshootd_t)
- ')
-+
-+optional_policy(`
++fs_read_fusefs_symlinks(setroubleshootd_t)
+
+ selinux_get_enforce_mode(setroubleshootd_t)
+ selinux_validate_context(setroubleshootd_t)
+@@ -96,17 +107,23 @@
+
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+
++logging_send_audit_msgs(setroubleshootd_t)
+ logging_send_syslog_msg(setroubleshootd_t)
+-logging_stream_connect_auditd(setroubleshootd_t)
++logging_stream_connect_audisp(setroubleshootd_t)
+
+ seutil_read_config(setroubleshootd_t)
+ seutil_read_file_contexts(setroubleshootd_t)
+-
+-sysnet_read_config(setroubleshootd_t)
++seutil_read_bin_policy(setroubleshootd_t)
+
+ userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
+
+ optional_policy(`
+ dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
-+ dbus_send_system_bus(setroubleshootd_t)
+ dbus_connect_system_bus(setroubleshootd_t)
+ dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
+')
+
++optional_policy(`
+ rpm_read_db(setroubleshootd_t)
+ rpm_dontaudit_manage_db(setroubleshootd_t)
+ rpm_use_script_fds(setroubleshootd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.8/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/smartmon.te 2008-02-01 08:42:06.000000000 -0500
@@ -18319,8 +18758,8 @@
# Sulogin local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-01-17 09:03:07.000000000 -0500
-@@ -1,12 +1,15 @@
++++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-02-15 15:37:52.000000000 -0500
+@@ -1,12 +1,16 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -18328,38 +18767,52 @@
+/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
++/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
-+/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-@@ -32,7 +35,10 @@
+@@ -26,12 +30,22 @@
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
++/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
++/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
+ ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
')
++ifdef(`distro_redhat',`
+/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
++')
+
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-+/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
- /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
-@@ -43,3 +49,8 @@
+@@ -43,3 +57,9 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-+/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
++
++
++/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-15 15:38:14.000000000 -0500
@@ -34,6 +34,51 @@
#
interface(`logging_send_audit_msgs',`
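Review bot: The re-added `/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)` pairs a `--` (regular files only) class with a `(/.*)?` directory-style pattern and a pid-file type, so the directory itself never matches and files under /var/log/syslog-ng get a var_run label rather than a logfile type, which presumably keeps them outside what `logging_read_all_logs` covers. The line is moved rather than new, but the move is a good moment to confirm it against what syslog-ng actually writes there. The relabel of `/var/run/audispd_events` from `auditd_var_run_t` to `audisp_var_run_t` at the end of the hunk is consistent with the new `audisp_t` owner; local policy that reached it via the old type now depends on the redirected `logging_stream_connect_auditd`.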
@@ -18412,7 +18865,21 @@
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
-@@ -219,6 +264,25 @@
+@@ -168,12 +213,7 @@
+ ## </param>
+ #
+ interface(`logging_stream_connect_auditd',`
+- gen_require(`
+- type auditd_t, auditd_var_run_t;
+- ')
+-
+- files_search_pids($1)
+- stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
++ logging_stream_connect_audisp($1)
+ ')
+
+ ########################################
+@@ -219,6 +259,25 @@
########################################
## <summary>
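Review bot: `logging_stream_connect_auditd` now silently does `logging_stream_connect_audisp($1)`, so callers keep the old name but end up connecting to `audisp_var_run_t`/`audisp_t` instead of the auditd socket, and the interface's `<summary>` above the hunk (its start lies outside it) presumably still describes auditd. Add a note above the interface, e.g. `## Deprecated: the event socket is now owned by audispd; use logging_stream_connect_audisp() instead.`, so readers of the .if do not assume a connection to auditd_t is still granted.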
@@ -18438,7 +18905,7 @@
## Execute syslogd in the syslog domain.
## </summary>
## <param name="domain">
-@@ -465,12 +529,11 @@
+@@ -465,12 +524,11 @@
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
@@ -18453,7 +18920,7 @@
')
########################################
-@@ -514,6 +577,8 @@
+@@ -514,6 +572,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -18462,7 +18929,7 @@
')
########################################
-@@ -597,3 +662,183 @@
+@@ -597,3 +657,270 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -18646,13 +19113,100 @@
+ init_script_domtrans_spec($1,auditd_script_exec_t)
+')
+
++########################################
++## <summary>
++## Execute a domain transition to run audisp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`logging_domtrans_audisp',`
++ gen_require(`
++ type audisp_t;
++ type audisp_exec_t;
++ ')
++
++ domtrans_pattern($1,audisp_exec_t,audisp_t)
++')
++
++########################################
++## <summary>
++## Signal the audisp domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`logging_audisp_signal',`
++ gen_require(`
++ type audisp_t;
++ ')
++
++ allow $1 audisp_t:process signal;
++')
++
++########################################
++## <summary>
++## Create a domain for processes
++## which can be started by the system audisp
++## </summary>
++## <param name="domain">
++## <summary>
++## Type to be used as a domain.
++## </summary>
++## </param>
++## <param name="entry_point">
++## <summary>
++## Type of the program to be used as an entry point to this domain.
++## </summary>
++## </param>
++#
++interface(`logging_audisp_system_domain',`
++ gen_require(`
++ type audisp_t;
++ role system_r;
++ ')
++
++ domain_type($1)
++ domain_entry_file($1,$2)
++
++ role system_r types $1;
++
++ domtrans_pattern(audisp_t,$2,$1)
++
++ allow audisp_t $2:file getattr;
++')
++
++########################################
++## <summary>
++## Connect to auditdstored over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`logging_stream_connect_audisp',`
++ gen_require(`
++ type audisp_t, audisp_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-02-15 15:38:47.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(logging,1.7.3)
-+policy_module(logging,1.8.2)
++policy_module(logging,1.9.0)
########################################
#
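Review bot: The `<summary>` of `logging_stream_connect_audisp` reads `Connect to auditdstored over an unix stream socket.`, a garbled leftover that should say `Connect to audispd over a unix stream socket.`. In `logging_audisp_signal` the parameter summary is `Domain allowed to transition.` although the interface grants only `process signal`; `Domain allowed access.` is the conventional wording. `logging_audisp_system_domain` should also state in its summary that it grants the audisp-to-plugin transition, the `system_r` role and entry-file getattr but not access to the inherited dispatcher socket, since that is what a plugin author will look for first.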
@@ -18676,7 +19230,7 @@
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
-@@ -55,23 +61,30 @@
+@@ -55,23 +61,37 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -18690,6 +19244,13 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
++type audisp_t;
++type audisp_exec_t;
++init_system_domain(audisp_t, audisp_exec_t)
++
++type audisp_var_run_t;
++files_pid_file(audisp_var_run_t)
++
########################################
#
-# Auditd local policy
@@ -18710,7 +19271,7 @@
files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
-@@ -91,6 +104,7 @@
+@@ -91,6 +111,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
@@ -18718,7 +19279,7 @@
logging_send_syslog_msg(auditctl_t)
########################################
-@@ -98,16 +112,15 @@
+@@ -98,16 +119,15 @@
# Auditd local policy
#
@@ -18737,7 +19298,7 @@
manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
-@@ -141,6 +154,7 @@
+@@ -141,6 +161,7 @@
init_telinit(auditd_t)
@@ -18745,18 +19306,24 @@
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -157,6 +171,10 @@
+@@ -156,6 +177,16 @@
+ userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
- optional_policy(`
-+ mta_send_mail(auditd_t)
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain(auditd_t)
++ ')
+')
+
+optional_policy(`
++ mta_send_mail(auditd_t)
++')
++
+ optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
-
-@@ -194,6 +212,7 @@
+@@ -194,6 +225,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
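Review bot: `unconfined_domain(auditd_t)` inside the new distro_ubuntu `ifdef` block makes the audit daemon unconfined on that distro, and the same block is added for `klogd_t` in the `@@ -18764,7 +19331,20 @@` hunk and for `syslogd_t` in the `@@ -18799,6 +19379,60 @@` hunk; nothing in the hunks says why the three logging daemons need it. Presumably `distro_ubuntu` is not defined for this Fedora build so the blocks are inert here, but they travel with the patch, so a one-line why-comment above each block (`# distro_ubuntu: <reason these daemons run unconfined>`) would let a reviewer tell deliberate from accidental.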
@@ -18764,7 +19331,20 @@
domain_use_interactive_fds(klogd_t)
-@@ -241,12 +260,16 @@
+@@ -212,6 +244,12 @@
+
+ userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
+
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain(klogd_t)
++ ')
++')
++
+ optional_policy(`
+ udev_read_db(klogd_t)
+ ')
+@@ -241,12 +279,16 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -18781,7 +19361,7 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -255,6 +278,9 @@
+@@ -255,6 +297,9 @@
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -18791,7 +19371,7 @@
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -312,6 +338,7 @@
+@@ -312,6 +357,7 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
@@ -18799,6 +19379,60 @@
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
+@@ -341,6 +387,12 @@
+ files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
+ ')
+
++ifdef(`distro_ubuntu',`
++ optional_policy(`
++ unconfined_domain(syslogd_t)
++ ')
++')
++
+ optional_policy(`
+ inn_manage_log(syslogd_t)
+ ')
+@@ -365,3 +417,40 @@
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
++########################################
++#
++# audisp local policy
++#
++
++# Init script handling
++domain_use_interactive_fds(audisp_t)
++
++## internal communication is often done using fifo and unix sockets.
++allow audisp_t self:fifo_file rw_file_perms;
++allow audisp_t self:unix_stream_socket create_stream_socket_perms;
++allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
++
++manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
++files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
++
++files_read_etc_files(audisp_t)
++
++libs_use_ld_so(audisp_t)
++libs_use_shared_libs(audisp_t)
++
++logging_send_syslog_msg(audisp_t)
++
++miscfiles_read_localization(audisp_t)
++
++corecmd_search_bin(audisp_t)
++allow audisp_t self:unix_dgram_socket create_socket_perms;
++
++logging_domtrans_audisp(auditd_t)
++logging_audisp_signal(auditd_t)
++
++#gen_require(`
++# type zos_remote_exec_t, zos_remote_t;
++#')
++
++#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc 2008-01-17 09:03:07.000000000 -0500
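Review bot: `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` applies a file permission set to a socket class, while the equivalent rule this patch adds in prelude.te uses `rw_socket_perms` (`allow audisp_prelude_t audisp_t:unix_stream_socket rw_socket_perms;`); pick one set deliberately — `rw_socket_perms` is the refpolicy name for this and makes the inherited-socket intent readable. The comment `## internal communication is often done using fifo and unix sockets.` uses the `##` prefix that refpolicy reserves for interface XML documentation, so a single `#` as in the prelude hunk is the convention. The trailing commented-out `gen_require`/`logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)` block is dead code with no explanation; either drop it or add a comment saying why it is kept.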
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.611
retrieving revision 1.612
diff -u -r1.611 -r1.612
--- selinux-policy.spec 14 Feb 2008 20:26:01 -0000 1.611
+++ selinux-policy.spec 15 Feb 2008 21:41:20 -0000 1.612
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 85%{?dist}
+Release: 86%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Fri Feb 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-86
+- Add prelude/audisp policy
+
* Tue Feb 12 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-85
- Fix cups executables labeling