From 269acb5ee86b0dbb9f63fca8281017624a043d34 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 26 2007 12:09:30 +0000 Subject: - Remove ifdef strict policy from upstream --- diff --git a/booleans-olpc.conf b/booleans-olpc.conf new file mode 100644 index 0000000..9bac249 --- /dev/null +++ b/booleans-olpc.conf @@ -0,0 +1,51 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +allow_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +allow_execstack = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +allow_gssd_read_tmp = false + +# Allow sysadm to ptrace all processes +# +allow_ptrace = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow system cron jobs to relabel filesystemfor restoring file contexts. +# +cron_can_relabel = false + +# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc) +# +staff_read_sysadm_file = false + +# Allow users to read system messages. +# +user_dmesg = false + +# Allow sysadm to ptrace all processes +# +allow_ptrace = false + +## Control users use of ping and traceroute +user_ping = true + +# Allow unlabeled packets to flow +# +allow_unlabeled_packets = true + diff --git a/modules-olpc.conf b/modules-olpc.conf new file mode 100644 index 0000000..9b43e3d --- /dev/null +++ b/modules-olpc.conf @@ -0,0 +1,397 @@ +# +# This file contains a listing of available modules. +# To prevent a module from being used in policy +# creation, set the module name to "off". +# +# For monolithic policies, modules set to "base" and "module" +# will be built into the policy. +# +# For modular policies, modules set to "base" will be +# included in the base module. "module" will be compiled +# as individual loadable modules. +# + +# Layer: admin +# Module: acct +# +# Berkeley process accounting +# +acct = base + +# Layer: admin +# Module: alsa +# +# Ainit ALSA configuration tool +# +alsa = base + +# Layer: apps +# Module: ada +# +# ada executable +# +ada = base + +# Layer: admin +# Module: anaconda +# +# Policy for the Anaconda installer. +# +anaconda = base + +# Layer: system +# Module: application +# Required in base +# +# Defines attributs and interfaces for all user applications +# +application = base + +# Layer: system +# Module: authlogin +# +# Common policy for authentication and user login. +# +authlogin = base + +# Layer: services +# Module: canna +# +# Canna - kana-kanji conversion server +# +canna = base + +# Layer: system +# Module: clock +# +# Policy for reading and setting the hardware clock. +# +clock = base + +# Layer: admin +# Module: consoletype +# +# Determine of the console connected to the controlling terminal. +# +consoletype = base + +# Layer: kernel +# Module: corecommands +# Required in base +# +# Core policy for shells, and generic programs +# in /bin, /sbin, /usr/bin, and /usr/sbin. +# +corecommands = base + +# Layer: kernel +# Module: corenetwork +# Required in base +# +# Policy controlling access to network objects +# +corenetwork = base + +# Layer: services +# Module: cpucontrol +# +# Services for loading CPU microcode and CPU frequency scaling. +# +cpucontrol = base + +# Layer: services +# Module: dbus +# +# Desktop messaging bus +# +dbus = base + +# Layer: kernel +# Module: devices +# Required in base +# +# Device nodes and interfaces for many basic system devices. +# +devices = base + +# Layer: services +# Module: dhcp +# +# Dynamic host configuration protocol (DHCP) server +# +dhcp = base + +# Layer: system +# Module: domain +# Required in base +# +# Core policy for domains. +# +domain = base + +# Layer: kernel +# Module: files +# Required in base +# +# Basic filesystem types and interfaces. +# +files = base + +# Layer: kernel +# Module: filesystem +# Required in base +# +# Policy for filesystems. +# +filesystem = base + +# Layer: system +# Module: fstools +# +# Tools for filesystem management, such as mkfs and fsck. +# +fstools = base + +# Layer: system +# Module: getty +# +# Policy for getty. +# +getty = base + +# Layer: services +# Module: hal +# +# Hardware abstraction layer +# +hal = base + +# Layer: system +# Module: hotplug +# +# Policy for hotplug system, for supporting the +# connection and disconnection of devices at runtime. +# +hotplug = base + +# Layer: system +# Module: init +# +# System initialization programs (init and init scripts). +# +init = base + +# Layer: system +# Module: iptables +# +# Policy for iptables. +# +iptables = base + +# Layer: apps +# Module: java +# +# java executable +# +java = base + +# Layer: kernel +# Module: kernel +# Required in base +# +# Policy for kernel threads, proc filesystem,and unlabeled processes and objects. +# +kernel = base + +# Layer: admin +# Module: kudzu +# +# Hardware detection and configuration tools +# +kudzu = base + +# Layer: system +# Module: libraries +# +# Policy for system libraries. +# +libraries = base + +# Layer: system +# Module: locallogin +# +# Policy for local logins. +# +locallogin = base + +# Layer: system +# Module: logging +# +# Policy for the kernel message logger and system logging daemon. +# +logging = base + +# Layer: kernel +# Module: mcs +# Required in base +# +# MultiCategory security policy +# +mcs = base + +# Layer: system +# Module: miscfiles +# +# Miscelaneous files. +# +miscfiles = base + +# Layer: system +# Module: modutils +# +# Policy for kernel module utilities +# +modutils = base + +# Layer: apps +# Module: mono +# +# mono executable +# +mono = base + +# Layer: admin +# Module: netutils +# +# Network analysis utilities +# +netutils = base + +# Layer: services +# Module: networkmanager +# +# Manager for dynamically switching between networks. +# +networkmanager = base + +# Layer: services +# Module: nscd +# +# Name service cache daemon +# +nscd = base + +# Layer: services +# Module: ntp +# +# Network time protocol daemon +# +ntp = base + +# Layer: admin +# Module: prelink +# +# Manage temporary directory sizes and file ages +# +prelink = base + +# Layer: admin +# Module: readahead +# +# Readahead, read files into page cache for improved performance +# +readahead = base + +# Layer: admin +# Module: rpm +# +# Policy for the RPM package manager. +# +rpm = base + +# Layer: kernel +# Module: selinux +# Required in base +# +# Policy for kernel security interface, in particular, selinuxfs. +# +selinux = base + +# Layer: system +# Module: selinuxutil +# +# Policy for SELinux policy and userland applications. +# +selinuxutil = base + +# Layer: kernel +# Module: storage +# +# Policy controlling access to storage devices +# +storage = base + +# Layer: system +# Module: sysnetwork +# +# Policy for network configuration: ifconfig and dhcp client. +# +sysnetwork = base + +# Layer: system +# Module: udev +# +# Policy for udev. +# +udev = base + +# Layer: system +# Module: userdomain +# +# Policy for user domains +# +userdomain = base + +# Layer: system +# Module: unconfined +# +# The unconfined domain. +# +unconfined = base + +# Layer: admin +# Module: usbmodules +# +# List kernel modules of USB devices +# +usbmodules = base + +# Layer: services +# Module: xfs +# +# X Windows Font Server +# +xfs = base + +# Layer: services +# Module: xserver +# +# X windows login display manager +# +xserver = base + +# Module: terminal +# Required in base +# +# Policy for terminals. +# +terminal = base + +# Layer: kernel +# Module: mls +# Required in base +# +# Multilevel security policy +# +mls = base + diff --git a/policy-20070525.patch b/policy-20070525.patch index 3105212..205f655 100644 --- a/policy-20070525.patch +++ b/policy-20070525.patch @@ -1,3 +1,11 @@ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts +--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.1/config/appconfig-strict-mls/guest_u_default_contexts 2007-06-26 07:57:11.000000000 -0400 +@@ -0,0 +1,4 @@ ++system_r:local_login_t:s0 guest_r:guest_t:s0 ++system_r:remote_login_t:s0 guest_r:guest_t:s0 ++system_r:sshd_t:s0 guest_r:guest_t:s0 ++system_r:crond_t:s0 guest_r:guest_crond_t:s0 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts --- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.1/config/appconfig-strict-mls/staff_u_default_contexts 2007-06-19 17:06:27.000000000 -0400 @@ -4650,8 +4658,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.1/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2007-06-11 16:05:30.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-19 17:06:27.000000000 -0400 -@@ -156,6 +156,7 @@ ++++ serefpolicy-3.0.1/policy/modules/services/ftp.te 2007-06-26 07:22:44.000000000 -0400 +@@ -88,6 +88,7 @@ + allow ftpd_t self:unix_stream_socket create_stream_socket_perms; + allow ftpd_t self:tcp_socket create_stream_socket_perms; + allow ftpd_t self:udp_socket create_socket_perms; ++allow ftpd_t self:key { search write link }; + + allow ftpd_t ftpd_etc_t:file read_file_perms; + +@@ -156,6 +157,7 @@ auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) @@ -4659,15 +4675,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. # Append to /var/log/wtmp. auth_append_login_records(ftpd_t) #kerberized ftp requires the following -@@ -167,6 +168,7 @@ +@@ -167,7 +169,9 @@ libs_use_ld_so(ftpd_t) libs_use_shared_libs(ftpd_t) +logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) ++logging_set_loginuid(ftpd_t) miscfiles_read_localization(ftpd_t) -@@ -216,6 +218,14 @@ + miscfiles_read_public_files(ftpd_t) +@@ -216,6 +220,14 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) @@ -9661,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-06-19 16:23:35.000000000 -0400 -+++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-21 14:03:09.000000000 -0400 ++++ serefpolicy-3.0.1/policy/modules/system/userdomain.if 2007-06-26 07:46:18.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -9749,7 +9767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -677,16 +674,6 @@ +@@ -677,67 +674,39 @@ attribute unpriv_userdomain; ') @@ -9766,12 +9784,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_untrusted_content_template($1) userdom_basic_networking_template($1) -@@ -695,49 +682,29 @@ - userdom_xwindows_client_template($1) + userdom_exec_generic_pgms_template($1) -- userdom_change_password_template($1) +- userdom_xwindows_client_template($1) - +- userdom_change_password_template($1) ++ optional_policy(` ++ userdom_xwindows_client_template($1) ++ ') + ############################## # # User domain Local policy @@ -9816,7 +9838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -750,12 +717,6 @@ +@@ -750,12 +719,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -9829,7 +9851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -768,31 +729,16 @@ +@@ -768,31 +731,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -9863,7 +9885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -807,19 +753,12 @@ +@@ -807,19 +755,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) @@ -9883,7 +9905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -834,34 +773,14 @@ +@@ -834,34 +775,14 @@ ') optional_policy(` @@ -9918,7 +9940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -889,17 +808,19 @@ +@@ -889,17 +810,19 @@ ') optional_policy(` @@ -9944,7 +9966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -913,16 +834,6 @@ +@@ -913,16 +836,6 @@ ') optional_policy(` @@ -9961,7 +9983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -932,11 +843,6 @@ +@@ -932,11 +845,6 @@ ') optional_policy(` @@ -9973,7 +9995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -967,21 +873,122 @@ +@@ -967,21 +875,122 @@ ## ## # @@ -10102,7 +10124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -990,15 +997,45 @@ +@@ -990,15 +999,45 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -10152,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1038,14 +1075,6 @@ +@@ -1038,14 +1077,6 @@ ') optional_policy(` @@ -10167,7 +10189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1059,12 +1088,8 @@ +@@ -1059,12 +1090,8 @@ setroubleshoot_stream_connect($1_t) ') @@ -10181,7 +10203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; -@@ -1107,6 +1132,8 @@ +@@ -1107,6 +1134,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -10190,7 +10212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1132,7 +1159,7 @@ +@@ -1132,7 +1161,7 @@ # $1_t local policy # @@ -10199,7 +10221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1144,8 +1171,6 @@ +@@ -1144,8 +1173,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -10208,7 +10230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -3083,7 +3108,7 @@ +@@ -3083,7 +3110,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -10217,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5553,6 +5578,26 @@ +@@ -5553,6 +5580,26 @@ ######################################## ## @@ -10244,7 +10266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5564,3 +5609,124 @@ +@@ -5564,3 +5611,124 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/securetty_types-olpc b/securetty_types-olpc new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/securetty_types-olpc diff --git a/selinux-policy.spec b/selinux-policy.spec index b4ede7e..8f13e2c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -172,7 +172,7 @@ fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2336. +Based off of reference policy: Checked out revision 2348. %prep %setup -q -n serefpolicy-%{version} diff --git a/setrans-olpc.conf b/setrans-olpc.conf new file mode 100644 index 0000000..9b46bbd --- /dev/null +++ b/setrans-olpc.conf @@ -0,0 +1,19 @@ +# +# Multi-Category Security translation table for SELinux +# +# Uncomment the following to disable translation libary +# disable=1 +# +# Objects can be categorized with 0-1023 categories defined by the admin. +# Objects can be in more than one category at a time. +# Categories are stored in the system as c0-c1023. Users can use this +# table to translate the categories into a more meaningful output. +# Examples: +# s0:c0=CompanyConfidential +# s0:c1=PatientRecord +# s0:c2=Unclassified +# s0:c3=TopSecret +# s0:c1,c3=CompanyConfidentialRedHat +s0= +s0-s0:c0.c1023=SystemLow-SystemHigh +s0:c0.c1023=SystemHigh diff --git a/sources b/sources index 3566ffe..d4500e0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7c004ddde0e20cfeba8a94b2aa308a06 serefpolicy-3.0.1.tgz +15e7cf49d82f31ea9b50c3520399c22d serefpolicy-3.0.1.tgz