From f20d57c1686d59565c0bf057bc74e10850fe71e9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 18 2007 19:58:21 +0000 Subject: - Allow ssh to read sym links in homedirs --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 5b8263b..f24d080 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1615,7 +1615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.0.8/policy/modules/admin/kudzu.te --- nsaserefpolicy/policy/modules/admin/kudzu.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/admin/kudzu.te 2007-12-18 13:49:54.000000000 -0500 @@ -21,8 +21,8 @@ # Local policy # @@ -1644,7 +1644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t # kudzu will telinit to make init re-read # the inittab after configuring serial consoles init_telinit(kudzu_t) -@@ -134,20 +137,15 @@ +@@ -134,36 +137,18 @@ ') optional_policy(` 
@@ -1667,16 +1667,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t + udev_read_db(kudzu_t) ') - ifdef(`TODO',` -@@ -162,6 +160,9 @@ - allow kudzu_t rhgb_t:unix_stream_socket connectto; - ') +-ifdef(`TODO',` +-allow kudzu_t modules_conf_t:file unlink; +-optional_policy(` +- allow kudzu_t printconf_t:file { getattr read }; +-') optional_policy(` +- allow kudzu_t xserver_exec_t:file getattr; +-') +-optional_policy(` +- allow kudzu_t rhgb_t:unix_stream_socket connectto; +-') +-optional_policy(` +- role system_r types sysadm_userhelper_t; +- domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) +-') +-allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms; ++ unconfined_domtrans(kudzu_t) + unconfined_domain(kudzu_t) -+') -+optional_policy(` - role system_r types sysadm_userhelper_t; - domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.8/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-10-22 13:21:42.000000000 -0400 @@ -3886,7 +3894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2007-12-18 11:39:11.000000000 -0500 @@ -36,6 +36,11 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) 
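Review bot: The new inner lines `+	unconfined_domtrans(kudzu_t)` and `+	unconfined_domain(kudzu_t)` replace the narrow TODO rules being deleted just above them (printconf read, xserver getattr, rhgb socket connect, the userhelper transition, cupsd_rw_etc_t dir read) with, as far as I can tell from the refpolicy interface names, the full unconfined privilege set, and nothing in the hunk records why a hardware-probing tool needs that much. A one-line comment above the two calls, e.g. `# kudzu_t stays unconfined (see <tracker-id placeholder>); tighten once its helper programs are confined`, would let a later reader judge whether the grant can be narrowed. Once unconfined_domain() applies, the targeted allow rules that presumably remain elsewhere in kudzu.te are redundant and could be pruned in the same change; the rest of that file's policy is outside this hunk.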
@@ -3899,7 +3907,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -126,10 +131,10 @@ +@@ -108,7 +113,6 @@ + /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) + /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) + ') +- + # + # /usr + # +@@ -126,10 +130,10 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3912,7 +3928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,7 +168,10 @@ +@@ -163,8 +167,13 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -3922,9 +3938,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco +/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -180,6 +188,7 @@ + /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) +@@ -180,6 +189,7 @@ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) 
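Review bot: The two added file contexts `+/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)` and `+/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)` give both binaries the generic shell label, so every domain permitted to execute a shell may execute them and no transition distinguishes a restricted scp shell from a full one. If the package installs scponlyc setuid (its chroot mode usually requires that), the label choice deserves a note; `# scponly/scponlyc run in the caller's shell domain; revisit if scponlyc needs its own type` above the pair would record the decision, and a dedicated exec type with its own transition is the alternative if that turns out not to be acceptable. Style: corecommands.fc groups entries by directory, and the `/usr/bin/scponly` line lands between `/usr/local/Printer/...` and `/usr/sbin/...` entries, so it belongs with the other `/usr/bin/` entries earlier in the file, outside this hunk.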
@@ -3932,7 +3951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +268,18 @@ +@@ -259,3 +269,18 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -4210,7 +4229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if 2007-12-18 10:37:23.000000000 -0500 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1,device_t,device_node) @@ -6861,8 +6880,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te --- nsaserefpolicy/policy/modules/services/bitlbee.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2007-12-02 21:15:34.000000000 -0500 -@@ -0,0 +1,70 @@ ++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2007-12-18 09:56:09.000000000 -0500 +@@ -0,0 +1,73 @@ + +policy_module(bitlbee, 1.0.0) + @@ -6919,6 +6938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitl +corenet_tcp_connect_msnp_port(bitlbee_t) +corenet_tcp_sendrecv_msnp_port(bitlbee_t) + ++dev_read_rand(bitlbee_t) ++dev_read_urand(bitlbee_t) ++ +files_read_etc_files(bitlbee_t) +files_search_pids(bitlbee_t) +# grant read-only access to the user help files 
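Review bot: `+dev_read_rand(bitlbee_t)` and `+dev_read_urand(bitlbee_t)` are granted as a pair in the new bitlbee.te hunk; if the daemon (presumably for its TLS setup) only opens /dev/urandom, the /dev/random grant is unused and, being the blocking device, is the one a later audit will question, so it is worth checking the denial that motivated the change and keeping only the interface it showed. If both are genuinely needed, a short comment above them, `# TLS initialisation reads both /dev/random and /dev/urandom`, would stop the next reviewer from pruning one. bitlbee.te is a newly added file in the underlying patch and the rest of its policy lies outside this hunk.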
@@ -13377,7 +13399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-05 08:51:28.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-12-18 13:43:52.000000000 -0500 @@ -286,6 +286,12 @@ userdom_manage_user_home_content_symlinks($1,spamd_t) ') @@ -13415,7 +13437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-13 15:57:17.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-18 13:54:36.000000000 -0500 @@ -81,11 +81,12 @@ # var/lib files for spamd 
@@ -13452,6 +13474,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') +@@ -212,3 +216,30 @@ + optional_policy(` + udev_read_db(spamd_t) + ') ++ ++optional_policy(` ++tunable_policy(`spamd_enable_home_dirs',` ++ userdom_manage_user_home_content_dirs(unconfined,spamd_t) ++ userdom_manage_user_home_content_files(unconfined,spamd_t) ++ userdom_manage_user_home_content_symlinks(unconfined,spamd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`spamd_enable_home_dirs',` ++ razor_manage_user_home_files(unconfined,spamd_t) ++ ') ++') ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(spamd_t) ++ fs_manage_nfs_files(spamd_t) ++ fs_manage_nfs_symlinks(spamd_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(spamd_t) ++ fs_manage_cifs_files(spamd_t) ++ fs_manage_cifs_symlinks(spamd_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-12-02 21:15:34.000000000 -0500
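Review bot: The two blocks at the end of the added inner hunk conditioned on use_nfs_home_dirs and use_samba_home_dirs give spamd_t manage rights on every NFS/CIFS dir, file and symlink whenever those system-wide booleans are on, while the equivalent local-home rules above them are gated on spamd_enable_home_dirs; on a host with NFS or CIFS homes this makes the spamd_enable_home_dirs opt-in ineffective, and the grant also reaches beyond home directories. Conditioning each block on both booleans, i.e. a tunable_policy expression of "spamd_enable_home_dirs && use_nfs_home_dirs" (and likewise for use_samba_home_dirs), keeps the tunable's meaning; I believe refpolicy's tunable_policy accepts && expressions, but confirm that against the policy version in use. Separately, the first tunable_policy(`spamd_enable_home_dirs') inside the outer optional_policy is at column 0 while the razor one nested below it is indented, so one of the two should be adjusted for consistency.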