From 7414cf0ec58ce8a356575c50fd34984e14414d30 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 14 2009 06:45:12 +0000 Subject: - Add ptchown policy from Dan Walsh --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 84f0848..63ab645 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -556,6 +556,13 @@ hddtemp = module # polkit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +# +ptchown = module + # Layer: services # Module: psad # diff --git a/modules-targeted.conf b/modules-targeted.conf index 0747e96..4ee3418 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -570,6 +570,12 @@ hddtemp = module # polkit = module +# Layer: apps +# Module: ptchown +# +# helper function for grantpt(3), changes ownship and permissions of pseudotty +ptchown = module + # Layer: services # Module: psad # diff --git a/policy-20090521.patch b/policy-20090521.patch index 48eb904..855450a 100644 --- a/policy-20090521.patch +++ b/policy-20090521.patch 
@@ -822,6 +822,81 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.12/policy/modules/apps/ptchown.fc +--- nsaserefpolicy/policy/modules/apps/ptchown.fc 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.12/policy/modules/apps/ptchown.fc 2009-08-14 08:31:59.000000000 +0200 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/pt_chown -- gen_context(system_u:object_r:ptchown_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.12/policy/modules/apps/ptchown.if +--- nsaserefpolicy/policy/modules/apps/ptchown.if 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.12/policy/modules/apps/ptchown.if 2009-08-14 08:09:22.000000000 +0200 +@@ -0,0 +1,22 @@ ++ ++## helper function for grantpt(3), changes ownship and permissions of pseudotty ++ ++######################################## ++## ++## Execute a domain transition to run ptchown. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ptchown_domtrans',` ++ gen_require(` ++ type ptchown_t; ++ type ptchown_exec_t; ++ ') ++ ++ domtrans_pattern($1,ptchown_exec_t,ptchown_t) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te +--- nsaserefpolicy/policy/modules/apps/ptchown.te 1970-01-01 01:00:00.000000000 +0100 ++++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te 2009-08-14 08:31:55.000000000 +0200 +@@ -0,0 +1,39 @@ ++policy_module(ptchown,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ptchown_t; ++type ptchown_exec_t; ++application_domain(ptchown_t, ptchown_exec_t) ++role system_r types ptchown_t; ++ ++permissive ptchown_t; ++ ++######################################## ++# ++# ptchown local policy ++# ++ ++allow ptchown_t self:capability { fowner chown setuid }; ++allow ptchown_t self:process { getcap setcap }; ++ ++# Init script handling ++domain_use_interactive_fds(ptchown_t) ++ ++# internal communication is often done using fifo and unix sockets. ++allow ptchown_t self:fifo_file rw_file_perms; ++allow ptchown_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(ptchown_t) ++ ++fs_rw_anon_inodefs_files(ptchown_t) ++ ++term_use_generic_ptys(ptchown_t) ++term_setattr_generic_ptys(ptchown_t) ++term_setattr_all_user_ptys(ptchown_t) ++ ++miscfiles_read_localization(ptchown_t) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc --- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-06-25 10:19:43.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-25 10:21:01.000000000 +0200 
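Review bot: `permissive ptchown_t;` in the new ptchown.te means the allow rules that follow it are not enforced; denials for ptchown_t are only logged. The virt.te hunk of this same commit adds `ptchown_domtrans(svirt_t)`, so a process in the confined guest domain that executes /usr/libexec/pt_chown lands in a domain SELinux does not restrict, with whatever privileges the helper itself has (the policy expects `chown`, `fowner` and `setuid`). I would remove the permissive line before this ships in an enforcing build, or at least mark it with a comment such as `# TODO: drop once AVCs for pt_chown have been collected` so it is not forgotten. The comments `# Init script handling` and the fifo/unix socket remark look like generator template text, so the `self:unix_stream_socket` rule is worth confirming against observed denials rather than granting up front. Separately, `ownship` in the .if summary should read `ownership`.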
@@ -4048,7 +4123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(uucpd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-06-25 10:19:44.000000000 +0200 -+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-08-05 20:44:32.000000000 +0200 ++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-08-14 08:33:53.000000000 +0200 @@ -22,6 +22,13 @@ ## @@ -4125,17 +4200,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) corenet_udp_sendrecv_all_ports(svirt_t) -@@ -353,10 +372,6 @@ +@@ -353,7 +372,7 @@ ') optional_policy(` - samba_domtrans_smb(svirt_t) --') -- --optional_policy(` - xen_rw_image_files(svirt_t) ++ ptchown_domtrans(svirt_t) ') + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.12/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-06-25 10:19:44.000000000 +0200 +++ serefpolicy-3.6.12/policy/modules/services/xserver.fc 2009-07-28 14:14:07.000000000 +0200 diff --git a/selinux-policy.spec b/selinux-policy.spec index 509136f..8489d32 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 77%{?dist} +Release: 78%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -475,6 +475,9 @@ exit 0 %endif %changelog +* Fri Aug 14 2009 Miroslav Grepl 3.6.12-78 +- Add ptchown policy from Dan Walsh + * Thu Aug 13 2009 Miroslav Grepl 3.6.12-77 - Allow fprintd_t to getattr of all persistent filesystems
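Review bot: `ptchown_domtrans(svirt_t)` in the virt.te hunk goes in without a comment saying why the guest domain needs to run pt_chown. Presumably it is for qemu allocating a pseudo-terminal through grantpt(3), as the module summary suggests; a line such as `# qemu calls grantpt(3), which may exec pt_chown` above the call would record that for whoever later audits which transitions svirt_t is allowed.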