deb http://www.coker.com.au wheezy selinux
I've updated my SE Linux repository with a new refpolicy. Below is the
changelog and I've attached the new patches.
Where are we at with Wheezy updates? Is this something we can get into a
Wheezy update? While most of the changes are things people have probably
worked around (although it's a PITA) adding block_suspend is something I'd
really like to do before the release of Jessie.
My aim has always been to have every policy work with the kernels from the
next and previous releases of SE Linux. We need to support the older kernel
(if possible) to make things easier for virtual machines and the newer kernel
for people who want to upgrade the kernel before all the user space.
refpolicy (2:2.20110726-12.2) wheezy; urgency=low
* Allow dhclient dhcpc_t to bind to generic UDP ports port_t.
* new boolean dovecot_shadow_auth to allow Dovecot to directly authenticate
via /etc/shadow.
* Allow asterisk_t to read /dev/random, have file transitions for
sock_file:asterisk_var_run_t, and setattr asterisk_var_run_t:dir. Label
tcp port 2000 as asterisk_port_t for SCCP.
* Add block_suspend to capability2 and allow initrc_t, init_t, and udev_t
access to it - for kernel > 3.2.
* Label /etc/locale.alias as locale_t
* Make var_auth_t a mountpoint directory so /run/user can be mounted
-- Russell Coker <[email protected]> Sun, 08 Dec 2013 00:05:24 +1100
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Description: new boolean to allow dovecot access to /etc/shadow
.
refpolicy (2:2.20110726-12.1) wheezy; urgency=low
.
Author: Russell Coker <[email protected]>
Last-Update: 2013-12-04
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -185,6 +185,19 @@
# dovecot auth local policy
#
+## <desc>
+## <p>
+## Allow Dovecot to read /etc/shadow for authentication, disable if you use
+## database authentication.
+## </p>
+## </desc>
+gen_tunable(dovecot_shadow_auth, false)
+
+auth_can_read_shadow_passwords(dovecot_auth_t)
+tunable_policy(`dovecot_shadow_auth',`
+ auth_tunable_read_shadow(dovecot_auth_t)
+')
+
logging_search_logs(dovecot_auth_t)
allow dovecot_auth_t dovecot_etc_t:dir list_dir_perms;
allow dovecot_auth_t dovecot_etc_t:file read_file_perms;
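Review bot: The unconditional `auth_can_read_shadow_passwords(dovecot_auth_t)` call sits outside the `tunable_policy` block with nothing explaining why it is not gated by the new boolean; in refpolicy's authlogin.if that interface only attaches the can_read_shadow_passwords attribute, while the actual read permission is granted by `auth_tunable_read_shadow` inside the block, so a later reader could "fix" it by moving it inside and silently break the boolean. Suggest `# attribute only; the shadow read itself is gated by dovecot_shadow_auth below` above that line. The `<desc>` text could also say the access is granted to the Dovecot auth worker (dovecot_auth_t) rather than the main dovecot_t daemon, so administrators can judge the exposure when enabling it.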
Description: Add block_suspend to capability2
To support recent kernels such as 3.8+ on Wheezy systems, add block_suspend
and wake_alarm to the capability2 access vector and allow init_t, initrc_t,
and udev_t block_suspend access.
.
Author: Russell Coker <[email protected]>
Last-Update: 2013-12-07
--- refpolicy-2.20110726.orig/policy/flask/access_vectors
+++ refpolicy-2.20110726/policy/flask/access_vectors
@@ -449,6 +449,8 @@ class capability2
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
+ wake_alarm
+ block_suspend
}
#
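Review bot: The new capability2 permissions carry no annotation of the kernel they require, and the patch description (3.8+) and the changelog entry (kernel > 3.2) disagree on that version. The neighbouring entries already use trailing comments (`mac_override # unused by SELinux`), so once the minimum is pinned down annotate each line, e.g. `block_suspend # requires kernel > [MIN_KERNEL]`. wake_alarm is defined here but granted to no domain in this patch; that is reasonable for keeping the policy's class definition in step with the kernel, but a word in the description would save the next reviewer from hunting for its use.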
--- refpolicy-2.20110726.orig/policy/modules/system/init.te
+++ refpolicy-2.20110726/policy/modules/system/init.te
@@ -113,6 +113,7 @@ ifdef(`enable_mls',`
# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
+allow init_t self:capability2 block_suspend;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
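Review bot: The new `allow init_t self:capability2 block_suspend;` is inserted between the "old rule:" comment and the "is ~sys_module really needed? observed:" comment, so the existing commentary on the capability rule now reads as though it discusses the capability2 line. Move the line after that comment block, or give it its own why-comment, e.g. `# block_suspend: required by init on kernels > 3.2 (see changelog)`. The same uncommented grant appears for initrc_t in the second init.te hunk and for udev_t in udev.te; one short comment at each would help later audits of why these domains may block system suspend.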
@@ -390,6 +391,7 @@ optional_policy(`
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
+allow initrc_t self:capability2 block_suspend;
dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
--- refpolicy-2.20110726.orig/policy/modules/system/udev.te
+++ refpolicy-2.20110726/policy/modules/system/udev.te
@@ -40,6 +40,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw sys_module net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:capability2 block_suspend;
kernel_load_module(udev_t)
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
Description: Fixes to allow Asterisk to start up
Author: Russell Coker <[email protected]>
Last-Update: 2013-12-07
--- refpolicy-2.20110726.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy-2.20110726/policy/modules/kernel/corenetwork.te.in
@@ -76,7 +76,7 @@ network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
-network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
+network_port(asterisk, tcp,1720,s0, tcp,2000,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@@ -140,7 +140,7 @@ network_port(ldap, tcp,389,s0, udp,389,s
network_port(lirc, tcp,8765,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-network_port(mail, tcp,2000,s0, tcp,3905,s0)
+network_port(mail, tcp,3905,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
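Review bot: Removing tcp 2000 from mail_port_t changes behaviour for every domain that was allowed mail_port_t, not just for Asterisk, yet neither the description ("Fixes to allow Asterisk to start up") nor the changelog entry mentions that the port moves away from mail. Any domain that previously reached port 2000 via mail_port_t will be denied after this patch; that may well be the right call since 2000/tcp is SCCP, but it should be stated so administrators can interpret new denials. The companion addition is in the first corenetwork hunk (`tcp,2000,s0` on the asterisk line). Suggest a description line such as `Note: tcp/2000 moves from mail_port_t to asterisk_port_t; domains relying on mail_port_t for port 2000 lose access.`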
--- refpolicy-2.20110726.orig/policy/modules/services/asterisk.te
+++ refpolicy-2.20110726/policy/modules/services/asterisk.te
@@ -77,9 +77,10 @@ manage_files_pattern(asterisk_t, asteris
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
+allow asterisk_t asterisk_var_run_t:dir setattr;
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { file sock_file })
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
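Review bot: The raw `allow asterisk_t asterisk_var_run_t:dir setattr;` has no comment saying which start-up step needs it, unlike the surrounding interface calls whose names document themselves. A short why-comment such as `# asterisk changes ownership/mode of its run directory at start-up - TODO confirm from the denial` keeps the rule auditable and makes it easy to drop if a later Asterisk stops needing it. The widened `files_pid_filetrans(... { file sock_file })` is consistent with the existing manage_sock_files_pattern line above it and needs no further note.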
@@ -117,6 +118,7 @@ dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
dev_read_urand(asterisk_t)
+dev_read_rand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
Description: Fixes for dhclient and /etc/locale.alias labelling
Author: Russell Coker <[email protected]>
Last-Update: 2013-12-07
Index: refpolicy-2.20110726/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/miscfiles.fc 2011-03-29 02:05:16.000000000 +1100
+++ refpolicy-2.20110726/policy/modules/system/miscfiles.fc 2013-12-07 18:15:45.000000000 +1100
@@ -11,6 +11,7 @@
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+/etc/locale.alias -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
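Review bot: The new path `/etc/locale.alias` leaves the dot unescaped; file-context paths are regular expressions, so `.` matches any single character and the pattern also matches names such as `/etc/localeXalias`. Other entries in this file escape literal dots (`\.db`), so write `/etc/locale\.alias -- gen_context(system_u:object_r:locale_t,s0)`. The practical risk here is small, but unescaped metacharacters in fc files are a recurring source of surprising labels.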
Index: refpolicy-2.20110726/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/sysnetwork.te 2013-12-07 18:15:45.000000000 +1100
+++ refpolicy-2.20110726/policy/modules/system/sysnetwork.te 2013-12-07 18:15:45.000000000 +1100
@@ -107,6 +107,10 @@
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+# dhclient binds to random UDP ports, not sure why but it aborts if denied
+# needed for Debian/Wheezy, should be removed later
+corenet_udp_bind_generic_port(dhcpc_t)
+
dev_read_sysfs(dhcpc_t)
# for SSP:
dev_read_urand(dhcpc_t)
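Review bot: `corenet_udp_bind_generic_port(dhcpc_t)` lets dhclient bind any unlabelled UDP port, and the comment admits the cause is unknown ("not sure why"); a grant that wide for a network-facing daemon deserves a root cause before it ships, or at least a tracking note with a removal condition. Suggest recording the observed denial and the ports involved in the comment, e.g. `# TODO(wheezy): narrow once the port range dhclient binds is known; drop when dhclient is fixed`. If the ports turn out to be in the ephemeral range, a corenet interface covering only that range would be preferable to the generic one, though I have not checked which interfaces this refpolicy version offers.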
Index: refpolicy-2.20110726/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20110726.orig/policy/modules/system/authlogin.te 2013-12-07 18:15:45.000000000 +1100
+++ refpolicy-2.20110726/policy/modules/system/authlogin.te 2013-12-07 18:17:52.870790199 +1100
@@ -72,11 +72,13 @@
application_domain(utempter_t, utempter_exec_t)
#
-# var_auth_t is the type of /var/lib/auth, usually
+# var_auth_t is the type of /var/lib/auth and /run/user, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)
+# we mount a tmpfs on /run/user
+files_mountpoint(var_auth_t)
optional_policy(`
systemd_tmpfiles_manage_object(var_auth_t, dir)
')
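Review bot: Reusing var_auth_t, the type of /var/lib/auth (pam_able auth data), as the mountpoint type for /run/user ties two unrelated locations to one label: whatever is allowed to mount on /run/user can equally mount over /var/lib/auth, and any domain later granted var_auth_t for per-user runtime data also gets the auth-data directory. A dedicated type for /run/user would keep the auth data separate; if that is too invasive for a Wheezy update, the comment should at least state the trade-off, e.g. `# /run/user shares var_auth_t with /var/lib/auth for now; a separate type would be cleaner`. The hunk shows no fc entry labelling /run/user as var_auth_t, so presumably that lives elsewhere in the package.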