From a721d24a11f1184cfe4b4a6b478f851914aa8db3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 23 2009 14:40:39 +0000
Subject: - Allow firefox to transition to java
---
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 2723d30..eb63f27 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1682,6 +1682,13 @@ timidity = off
tftp = module
# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
# Module: uucp
#
# Unix to Unix Copy
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 2723d30..eb63f27 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1682,6 +1682,13 @@ timidity = off
tftp = module
# Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
# Module: uucp
#
# Unix to Unix Copy
diff --git a/policy-F12.patch b/policy-F12.patch
index 161f839..c4f79b3 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-21 09:33:05.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-23 08:38:05.000000000 -0400
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -689,7 +689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,36 @@
+@@ -146,6 +174,40 @@
########################################
##
@@ -711,14 +711,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms; ++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms; ++ dontaudit $1 rpm_t:unix_dgram_socket rw_socket_perms; ++ dontaudit $1 rpm_t:shm rw_shm_perms; ++ + dontaudit $1 rpm_script_t:fd use; + dontaudit $1 rpm_script_t:fifo_file rw_fifo_file_perms; ++ + dontaudit $1 rpm_var_run_t:file write_file_perms; ++ + dontaudit $1 rpm_tmp_t:file rw_file_perms; -+ dontaudit $1 rpm_t:shm rw_shm_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file write_file_perms; -+ dontaudit $1 rpm_t:tcp_socket rw_socket_perms; +') + +######################################## @@ -726,7 +730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +225,68 @@ +@@ -167,6 +229,68 @@ ######################################## ## @@ -795,7 +799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +306,24 @@ +@@ -186,6 +310,24 @@ ######################################## ## @@ -820,7 +824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +357,51 @@ +@@ -219,7 +361,51 @@ ') files_search_tmp($1) @@ -872,7 +876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +423,25 @@ +@@ -241,6 +427,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) 
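Review bot: The three dontaudit rules added on rpm_t tcp_socket, unix_dgram_socket and shm in the rpm.if hunk at @@ -711 carry no comment saying why a caller domain is expected to end up holding those rpm_t objects, and the interface's own name and summary lie outside the hunk. Since a dontaudit also silences any later misuse of those inherited descriptors, the rule set should stay as small as the observed leak requires and say so; a one-line comment above the new lines such as `# descriptors rpm leaves open are inherited by the domains it spawns; silence the noise rather than grant access` would make the intent reviewable. The interface body continues outside the hunk.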
@@ -898,7 +902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +466,47 @@ +@@ -265,6 +470,47 @@ ######################################## ## @@ -946,7 +950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +525,81 @@ +@@ -283,3 +529,81 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') @@ -1953,8 +1957,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-22 14:59:29.000000000 -0400 -@@ -0,0 +1,74 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-23 09:23:30.000000000 -0400 +@@ -0,0 +1,76 @@ +## execmem domain + +######################################## @@ -2020,6 +2024,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($3, execmem_exec_t, $1_execmem_t) + corecmd_bin_domtrans($1_execmem_t, $1_t) + ++ files_execmod_tmp($1_execmem_t) ++ + optional_policy(` + chrome_role($2, $1_execmem_t) + ') 
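Review bot: `files_execmod_tmp($1_execmem_t)` in the execmem.if hunk at @@ -2020 is an unconditional grant with no comment naming the workload that needs text relocations on /tmp files, and the enclosing template starts outside the hunk. Because the same domain is, going by its name, the one allowed execmem, execmod on tmp files it can presumably also write adds little beyond that, but the reader cannot tell from here whether that is intended. A comment such as `# JIT/plugin code unpacked into /tmp needs text relocations; execmem is already granted to this domain` would document the decision. The java.if hunk at @@ -2733 makes the much broader files_execmod_all_files grant for the same reason and is noted there.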
@@ -2596,7 +2602,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:java_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.32/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-10-07 16:35:17.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/java.if 2009-10-23 09:22:39.000000000 -0400 @@ -30,6 +30,7 @@ allow java_t $2:unix_stream_socket connectto; @@ -2605,7 +2611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -71,24 +72,129 @@ +@@ -71,24 +72,131 @@ ######################################## ## @@ -2733,6 +2739,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_tmpfs_files($1_java_t) + corecmd_bin_domtrans($1_java_t, $1_t) + ++ files_execmod_all_files($1_java_t) ++ + optional_policy(` + xserver_common_app($1_java_t) + xserver_role($1_r, $1_java_t) @@ -2740,7 +2748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.32/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2009-08-18 11:41:14.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/java.te 2009-10-23 08:58:46.000000000 -0400 @@ -20,6 +20,8 @@ typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; 
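Review bot: `files_execmod_all_files($1_java_t)` in the java.if hunk at @@ -2733 grants execmod on every file type in the policy to each role's java domain, which removes text-relocation protection for that domain on files it may also be able to write (home directories and tmp among them); the template name is outside the hunk, but the `$1_java_t`/`$1_r` usage suggests this is the per-role java template rather than the unconfined one. The execmem template in the same commit uses the narrower files_execmod_tmp, so the asymmetry needs a stated reason. If java only needs relocations on libraries it unpacks, `files_execmod_tmp($1_java_t)` plus the specific library types would be the defensible scope; otherwise gate the broad grant behind a tunable and leave a comment naming the JVM behaviour that requires it.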
@@ -2750,7 +2758,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type java_tmp_t; files_tmp_file(java_tmp_t) ubac_constrained(java_tmp_t) -@@ -80,6 +82,7 @@ +@@ -32,9 +34,6 @@ + typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t }; + typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t }; + +-type unconfined_java_t; +-init_system_domain(unconfined_java_t, java_exec_t) +- + ######################################## + # + # Local policy +@@ -80,6 +79,7 @@ dev_write_sound(java_t) dev_read_urand(java_t) dev_read_rand(java_t) @@ -2758,7 +2776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(java_t) files_read_usr_files(java_t) -@@ -131,6 +134,7 @@ +@@ -131,20 +131,9 @@ ') optional_policy(` 
@@ -2766,25 +2784,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_user_x_domain_template(java, java_t, java_tmpfs_t) ') -@@ -143,8 +147,18 @@ - # execheap is needed for itanium/BEA jrocket - allow unconfined_java_t self:process { execstack execmem execheap }; +-######################################## +-# +-# Unconfined java local policy +-# +- +-optional_policy(` +- # execheap is needed for itanium/BEA jrocket +- allow unconfined_java_t self:process { execstack execmem execheap }; -+ files_execmod_all_files(unconfined_java_t) -+ - init_dbus_chat_script(unconfined_java_t) +- init_dbus_chat_script(unconfined_java_t) - unconfined_domain_noaudit(unconfined_java_t) - unconfined_dbus_chat(unconfined_java_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_java_t) -+') -+ -+ optional_policy(` -+ rpm_domtrans(unconfined_java_t) - ') -+') -+ +- unconfined_domain_noaudit(unconfined_java_t) +- unconfined_dbus_chat(unconfined_java_t) +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.fc 2009-09-30 16:12:48.000000000 -0400 @@ -6561,7 +6574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-10-13 11:03:54.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-10-23 09:23:13.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
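Review bot: With the java.te hunks at @@ -2750 and @@ -2766 removing the `type unconfined_java_t;` declaration and its local policy block, any interface left in java.if that still gen_requires unconfined_java_t (the old java_run_unconfined that unconfineduser.te stops calling at @@ -9027 is the likely one; java.if is outside this view) will only resolve when the unconfineduser module is loaded. Those interfaces should be removed or moved alongside the domain, or the dependency documented. The moved policy is otherwise equivalent to what the old side of this hunk had, so no rule appears to be lost in the move.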
@@ -6679,7 +6692,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3449,6 +3516,24 @@ +@@ -3320,6 +3387,32 @@ + + ######################################## + ## ++## Allow shared library text relocations in tmp files. ++## ++## ++##

++## Allow shared library text relocations in tmp files. ++##

++##

++## This is added to support java policy. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_execmod_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file execmod; ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. + ## + ## +@@ -3449,6 +3542,24 @@ ######################################## ## @@ -6704,7 +6750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3600,8 @@ +@@ -3515,6 +3626,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -6713,7 +6759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3710,12 @@ +@@ -3623,7 +3736,12 @@ type usr_t; ') @@ -6727,7 +6773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3754,7 @@ +@@ -3662,6 +3780,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -6735,7 +6781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4188,6 +4281,24 @@ +@@ -4188,6 +4307,24 @@ ######################################## ## @@ -6760,7 +6806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Search the /var/lib directory. ## ## -@@ -4955,7 +5066,7 @@ +@@ -4955,7 +5092,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting 
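Review bot: The description of the new `files_execmod_tmp` interface in the files.if hunk at @@ -6679 explains only that it "is added to support java policy" and not what the grant means for the caller; since `allow $1 tmpfile:file execmod;` covers every type carrying the tmpfile attribute, a domain that can also write those files can load arbitrary code through them. The description should state that, for example `Allow text relocations on files with the tmpfile attribute. For a domain that can also write those files this is equivalent to execmem; intended for runtimes that unpack relocatable libraries into /tmp.` The leading blank `+ ` lines before the `########` banner in the same hunk look unintended and differ from the surrounding interface spacing.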
@@ -6769,7 +6815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5088,15 @@ +@@ -4977,12 +5114,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6786,7 +6832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5117,173 @@ +@@ -5003,3 +5143,173 @@ typeattribute $1 files_unconfined_type; ') @@ -8804,8 +8850,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-22 14:38:40.000000000 -0400 -@@ -0,0 +1,411 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-23 08:59:33.000000000 -0400 +@@ -0,0 +1,425 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9027,7 +9073,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` -+ java_run_unconfined(unconfined_t, unconfined_r) ++ java_role_template(unconfined, unconfined_r, unconfined_t) ++ ++ files_execmod_all_files(unconfined_java_t) ++ ++ init_dbus_chat_script(unconfined_java_t) ++ ++ unconfined_domain_noaudit(unconfined_java_t) ++ unconfined_dbus_chat(unconfined_java_t) ++ optional_policy(` ++ hal_dbus_chat(unconfined_java_t) ++ ') ++ ++ optional_policy(` ++ rpm_domtrans(unconfined_java_t) ++ ') +') + +optional_policy(` 
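Review bot: `files_execmod_all_files(unconfined_java_t)` in the unconfineduser.te hunk at @@ -9027 duplicates a grant the template on the line above already makes, if the java.if hunk at @@ -2733 (which adds `files_execmod_all_files($1_java_t)`) is the body of java_role_template as its `$1_java_t`/`$1_r` usage suggests; with `$1` = unconfined that expands to the same rule. The explicit call can be dropped, or kept with a comment saying it is intentionally redundant so the next edit to the template does not silently change this domain. The remaining lines match what was removed from java.te at @@ -2766, so nothing else seems lost in the move.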
@@ -9623,7 +9683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/cman_.* -s gen_context(system_u:object_r:aisexec_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if --- nsaserefpolicy/policy/modules/services/aisexec.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-10-21 07:51:25.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/aisexec.if 2009-10-23 09:31:29.000000000 -0400 @@ -0,0 +1,106 @@ +## SELinux policy for Aisexec Cluster Engine + @@ -9861,7 +9921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-01 08:26:33.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-23 08:20:45.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -9925,7 +9985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +75,30 @@ +@@ -64,11 +75,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -9950,6 +10010,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + ++/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) ++ +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) @@ -9957,6 +10019,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/apache.if 2009-10-21 11:09:04.000000000 -0400 
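Review bot: The new apache.fc entry `/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)` in the hunk at @@ -9950 makes a single, installation-specific web-application config file (presumably a Joomla-style one) writable by httpd, with no comment saying which application needs it or that the rw label is normally only required during install; once the file is writable, a compromised script can persist changes to it. The entry also lacks the `--` file qualifier that the other single-file specs in this file use, so it matches any object class at that path. A comment naming the application, plus `--` if the spec is kept, would make the exception reviewable.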
@@ -14795,21 +14858,73 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/lircd\.pid gen_context(system_u:object_r:lircd_var_run_t,s0) +/var/run/lircd(/.*)? gen_context(system_u:object_r:lircd_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.if serefpolicy-3.6.32/policy/modules/services/lircd.if +--- nsaserefpolicy/policy/modules/services/lircd.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/lircd.if 2009-10-23 09:32:21.000000000 -0400 +@@ -32,12 +32,11 @@ + # + interface(`lircd_stream_connect',` + gen_require(` +- type lircd_sock_t, lircd_t; ++ type lircd_var_run_t, lircd_t; + ') + +- allow $1 lircd_t:unix_stream_socket connectto; +- allow $1 lircd_sock_t:sock_file write_sock_file_perms; + files_search_pids($1) ++ stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t) + ') + + ####################################### +@@ -77,7 +76,7 @@ + # + interface(`lircd_admin',` + gen_require(` +- type lircd_t, lircd_var_run_t, lircd_sock_t; ++ type lircd_t, lircd_var_run_t; + type lircd_initrc_exec_t, lircd_etc_t; + ') + +@@ -94,6 +93,4 @@ + + files_search_pids($1) + admin_pattern($1, lircd_var_run_t) +- +- admin_pattern($1, lircd_sock_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.32/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-10-19 09:14:01.000000000 -0400 -@@ -37,12 +37,24 @@ - # pid file ++++ serefpolicy-3.6.32/policy/modules/services/lircd.te 2009-10-23 09:34:30.000000000 -0400 +@@ -16,13 +16,9 @@ + type lircd_etc_t; + files_type(lircd_etc_t) + +-type lircd_var_run_t; ++type lircd_var_run_t alias lircd_sock_t; + files_pid_file(lircd_var_run_t) + +-# type for lircd /dev/ sock file 
+-type lircd_sock_t; +-files_type(lircd_sock_t) +- + ######################################## + # + # lircd local policy +@@ -34,15 +30,24 @@ + # etc file + read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +-# pid file manage_dirs_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) +manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) # /dev/lircd socket - manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) - dev_filetrans(lircd_t, lircd_sock_t, sock_file ) +-manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) +-dev_filetrans(lircd_t, lircd_sock_t, sock_file ) ++dev_filetrans(lircd_t, lircd_var_run_t, sock_file ) +dev_read_generic_usb_dev(lircd_t) -+ +dev_filetrans_lirc(lircd_t) +dev_rw_lirc(lircd_t) +dev_rw_input_dev(lircd_t) 
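Review bot: `type lircd_var_run_t alias lircd_sock_t;` in the lircd.te hunk at @@ -14795 folds the /dev/lircd socket type into the pid type without a comment, so the next reader will not know whether the alias is a transitional compatibility measure or permanent; a line such as `# lircd_sock_t merged into lircd_var_run_t; alias keeps existing labels and third-party policy resolving` above it would settle that. The leftover `# /dev/lircd socket` comment now sits above a `dev_filetrans` that labels the socket with the pid type, which is fine but worth reflecting in the wording. The lircd.if changes are consistent with the alias, and `stream_connect_pattern` grants the same access the removed lines did.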
@@ -15094,20 +15209,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mysql_write_log(mysqld_safe_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc --- nsaserefpolicy/policy/modules/services/nagios.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -1,16 +1,21 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2009-10-23 08:00:38.000000000 -0400 +@@ -1,16 +1,22 @@ /etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) /etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) - /usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) - /usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) +-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) ++/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib(64)?/cgi-bin/netsaint/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) -/usr/lib(64)?/nagios/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0) +/usr/lib(64)?/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) +/usr/lib(64)?/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0) /var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) 
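Review bot: The nagios.fc hunk at @@ -15094 adds a commented-out spec `#/usr/lib(64)?/nagios/plugins(/.*)? gen_context(system_u:object_r:nagios_plugin_exec_t,s0)` that references a type not declared in any nagios.te hunk visible here; shipping dead file-context lines invites someone to uncomment it against a type that does not exist. Either drop the line or add the type declaration and the rules that go with it in the same change. The `/usr/s?bin/` widening for nagios and nrpe is fine.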
@@ -15224,7 +15342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/nagios.te 2009-10-23 09:18:37.000000000 -0400 @@ -10,13 +10,12 @@ type nagios_exec_t; init_daemon_domain(nagios_t, nagios_exec_t) @@ -15252,7 +15370,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type nrpe_t; type nrpe_exec_t; init_daemon_domain(nrpe_t, nrpe_exec_t) -@@ -60,6 +62,8 @@ +@@ -33,6 +35,9 @@ + type nrpe_etc_t; + files_config_file(nrpe_etc_t) + ++type nrpe_var_run_t; ++files_pid_file(nrpe_var_run_t) ++ + ######################################## + # + # Nagios local policy +@@ -60,6 +65,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t) files_pid_filetrans(nagios_t, nagios_var_run_t, file) @@ -15261,7 +15389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(nagios_t) kernel_read_kernel_sysctls(nagios_t) -@@ -127,39 +131,34 @@ +@@ -127,52 +134,57 @@ # # Nagios CGI local policy # 
@@ -15271,46 +15399,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow nagios_cgi_t self:process signal_perms; -allow nagios_cgi_t self:fifo_file rw_fifo_file_perms; -+allow httpd_nagios_script_t self:process signal_perms; - +- -read_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t) -+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++allow httpd_nagios_script_t self:process signal_perms; -allow nagios_cgi_t nagios_etc_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t) -+files_search_spool(httpd_nagios_script_t) -+rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) ++read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) ++read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t) -allow nagios_cgi_t nagios_log_t:dir list_dir_perms; -read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) -read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t) ++files_search_spool(httpd_nagios_script_t) ++rw_fifo_files_pattern(httpd_nagios_script_t, nagios_spool_t, nagios_spool_t) + +-kernel_read_system_state(nagios_cgi_t) +allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t) --kernel_read_system_state(nagios_cgi_t) +-corecmd_exec_bin(nagios_cgi_t) +allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms; +read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) +read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t) --corecmd_exec_bin(nagios_cgi_t) -+kernel_read_system_state(httpd_nagios_script_t) - -domain_dontaudit_read_all_domains_state(nagios_cgi_t) 
-+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) ++kernel_read_system_state(httpd_nagios_script_t) -files_read_etc_files(nagios_cgi_t) -files_read_etc_runtime_files(nagios_cgi_t) -files_read_kernel_symbol_table(nagios_cgi_t) -+files_read_etc_runtime_files(httpd_nagios_script_t) -+files_read_kernel_symbol_table(httpd_nagios_script_t) ++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t) -logging_send_syslog_msg(nagios_cgi_t) -logging_search_logs(nagios_cgi_t) -- ++files_read_etc_runtime_files(httpd_nagios_script_t) ++files_read_kernel_symbol_table(httpd_nagios_script_t) + -miscfiles_read_localization(nagios_cgi_t) - -optional_policy(` 
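Review bot: The new side of the nagios.te hunk at @@ -15271 keeps `read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)`, whose directory argument is the config type while the file argument is the log type, so the CGI domain gets list_dir_perms on nagios_log_t from the line above but search on the log directory only via nagios_etc_t; this was carried over from the old nagios_cgi_t rules and the reorder does not fix it. The two lines should read `read_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t, nagios_log_t, nagios_log_t)`. The hunk is otherwise a pure reordering of the same rules.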
@@ -15320,6 +15448,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # + # Nagios remote plugin executor local policy + # + ++allow nrpe_t self:capability {setuid setgid}; + dontaudit nrpe_t self:capability sys_tty_config; + allow nrpe_t self:process { setpgid signal_perms }; + allow nrpe_t self:fifo_file rw_fifo_file_perms; ++allow nrpe_t self:tcp_socket create_stream_socket_perms; + +-allow nrpe_t nrpe_etc_t:file read_file_perms; ++read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) + files_search_etc(nrpe_t) + ++manage_files_pattern(nrpe_t, nrpe_var_run_t, nrpe_var_run_t) ++files_pid_filetrans(nrpe_t,nrpe_var_run_t,file) ++files_read_etc_files(nrpe_t) ++ ++corenet_tcp_bind_generic_node(nrpe_t) ++corenet_tcp_bind_inetd_child_port(nrpe_t) ++corenet_sendrecv_unlabeled_packets(nrpe_t) ++ + kernel_read_system_state(nrpe_t) + kernel_read_kernel_sysctls(nrpe_t) + +@@ -192,6 +204,8 @@ + + miscfiles_read_localization(nrpe_t) + ++sysnet_read_config(nrpe_t) ++ + userdom_dontaudit_use_unpriv_user_fds(nrpe_t) + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.32/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.fc 2009-09-30 16:12:48.000000000 -0400 
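Review bot: Replacing `allow nrpe_t nrpe_etc_t:file read_file_perms;` with `read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)` in the nagios.te hunk at @@ -15320 drops nrpe's read access to its own configuration, since the fc context line in the nagios.fc hunk labels `/etc/nagios/nrpe\.cfg` as nrpe_etc_t, not nagios_etc_t; unless a rule outside this hunk keeps it, nrpe will fail to read nrpe.cfg. Keep both, `allow nrpe_t nrpe_etc_t:file read_file_perms;` alongside the new pattern. The new `setuid setgid` capabilities and `corenet_sendrecv_unlabeled_packets` also deserve a one-line comment each saying why (privilege drop to the nagios user, and which traffic is unlabeled), and `files_pid_filetrans(nrpe_t,nrpe_var_run_t,file)` should be spaced like the surrounding calls.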
@@ -20486,7 +20647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-10-22 15:56:48.000000000 -0400 @@ -16,8 +16,8 @@ ') @@ -20498,7 +20659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -36,6 +36,102 @@ +@@ -36,6 +36,123 @@ type setroubleshootd_t, setroubleshoot_var_run_t; ') @@ -20530,6 +20691,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## dontaudit send and receive messages from ++## setroubleshoot over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_dontaudit_dbus_chat',` ++ gen_require(` ++ type setroubleshootd_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 setroubleshootd_t:dbus send_msg; ++ dontaudit setroubleshootd_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## Send and receive messages from +## setroubleshoot over dbus. +## 
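Review bot: The summary of the new `setroubleshoot_dontaudit_dbus_chat` interface in the setroubleshoot.if hunk at @@ -20530 reads `dontaudit send and receive messages from setroubleshoot over dbus.`, which does not follow the phrasing the neighbouring interfaces use and reads as a rule rather than a description. It should read `Do not audit attempts to send and receive messages from setroubleshoot over dbus.` The rules themselves mirror the existing send/receive pair and look correct.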
@@ -22043,6 +22225,219 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) +/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc +--- nsaserefpolicy/policy/modules/services/tuned.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2009-10-23 09:38:54.000000000 -0400 +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) ++ ++/usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) ++ ++/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.6.32/policy/modules/services/tuned.if +--- nsaserefpolicy/policy/modules/services/tuned.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tuned.if 2009-10-23 09:38:54.000000000 -0400 +@@ -0,0 +1,136 @@ ++ ++## policy for tuned - dynamic adaptive system tuning daemon ++ ++######################################## ++## ++## Execute a domain transition to run tuned. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tuned_domtrans',` ++ gen_require(` ++ type tuned_t, tuned_exec_t; ++ ') ++ ++ domtrans_pattern($1,tuned_exec_t,tuned_t) ++') ++ ++####################################### ++## ++## Execute tuned in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tuned_exec',` ++ gen_require(` ++ type tuned_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, tuned_exec_t) ++') ++ ++###################################### ++## ++## Read tuned PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tuned_read_pid_files',` ++ gen_require(` ++ type tuned_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, tuned_var_run_t, tuned_var_run_t) ++') ++ ++####################################### ++## ++## Manage tuned PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tuned_manage_pid_files',` ++ gen_require(` ++ type tuned_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t) ++') ++ ++######################################## ++## ++## Execute tuned server in the tuned domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`tuned_initrc_domtrans',` ++ gen_require(` ++ type tuned_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1,tuned_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tuned environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`tuned_admin',` ++ gen_require(` ++ type tuned_t, tuned_var_run_t; ++ ') ++ ++ allow $1 tuned_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, tuned_t, tuned_t) ++ ++ ++ gen_require(` ++ type tuned_initrc_exec_t; ++ ') ++ ++ tuned_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 tuned_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, tuned_var_run_t) ++ ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te +--- nsaserefpolicy/policy/modules/services/tuned.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-10-23 09:38:54.000000000 -0400 +@@ -0,0 +1,59 @@ ++ ++policy_module(tuned,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type tuned_t; ++type tuned_exec_t; ++init_daemon_domain(tuned_t, tuned_exec_t) ++ ++type tuned_initrc_exec_t; ++init_script_file(tuned_initrc_exec_t) ++ ++type tuned_var_run_t; ++files_pid_file(tuned_var_run_t) ++ ++permissive tuned_t; ++ ++######################################## ++# ++# tuned local policy ++# ++ ++dontaudit tuned_t self:capability { dac_override }; ++ ++manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) ++files_pid_filetrans(tuned_t, tuned_var_run_t, { file }) ++ ++corecmd_exec_shell(tuned_t) ++ ++kernel_read_system_state(tuned_t) ++kernel_read_network_state(tuned_t) ++ ++dev_read_sysfs(tuned_t) ++ ++# to allow cpu tuning ++dev_rw_netcontrol(tuned_t) ++ ++files_read_etc_files(tuned_t) ++files_read_usr_files(tuned_t) ++ ++files_dontaudit_search_home(tuned_t) ++ ++userdom_dontaudit_search_user_home_dirs(tuned_t) ++ ++miscfiles_read_localization(tuned_t) ++ ++# to allow disk tuning ++optional_policy(` ++ fstools_domtrans(tuned_t) ++') ++ ++# to allow network interface tuning 
++optional_policy(` ++ sysnet_domtrans_ifconfig(tuned_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.32/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/uucp.te 2009-09-30 16:12:48.000000000 -0400 @@ -29825,7 +30220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-22 13:55:01.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-23 09:13:02.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30195,7 +30590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
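Review bot: `permissive tuned_t;` in the new tuned.te makes every rule in the module advisory (denials for the domain are logged but not enforced), yet nothing marks it as temporary; a line such as `# TODO(review): remove once tuned has been exercised in enforcing mode` directly above it, and a mention in the commit message, would keep it from shipping as a permanent setting. While the domain is permissive, `dontaudit tuned_t self:capability { dac_override };` also hides the one denial that would show whether tuned actually needs that capability, so I would hold the dontaudit until the domain is enforcing and the need is confirmed. In `tuned_admin` the second `gen_require` for `tuned_initrc_exec_t` sits in the middle of the body; the sibling interfaces in this file put all requirements in the single `gen_require` at the top, so fold it into the first one, and fix `an tuned environment` to `a tuned environment` in that interface's summary. The tuned hunk itself is complete here, but the file sections it sits between are cut at the chunk edges.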
## ## -@@ -420,35 +414,54 @@ +@@ -420,35 +414,58 @@ ## is the prefix for user_t). ## ## @@ -30251,6 +30646,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) + optional_policy(` ++ setroubleshoot_dontaudit_dbus_chat($1) ++ ') ++ ++ optional_policy(` + xserver_user_client($1, user_tmpfs_t) + xserver_xsession_entry_type($1) + xserver_dontaudit_write_log($1) @@ -30269,7 +30668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -498,7 +511,7 @@ +@@ -498,7 +515,7 @@ attribute unpriv_userdomain; ') @@ -30278,7 +30677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +521,213 @@ +@@ -508,182 +525,213 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -30299,27 +30698,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) 
@@ -30395,37 +30794,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + alsa_read_rw_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ # Allow graphical boot to check battery lifespan -+ apm_stream_connect($1_usertype) ') - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + optional_policy(` -+ canna_stream_connect($1_usertype) ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) -+ chrome_role($1_r, $1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) ++ chrome_role($1_r, $1_usertype) + ') + + optional_policy(` +- canna_stream_connect($1_t) + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + bluetooth_dbus_chat($1_usertype) ') @@ -30491,21 +30890,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ nsplugin_role($1_r, $1_usertype) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) ++ nsplugin_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) ') 
@@ -30565,18 +30964,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -711,13 +755,26 @@ +@@ -711,13 +759,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -30587,9 +30988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -30597,7 +30996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -735,70 +792,72 @@ +@@ -735,70 +796,72 @@ allow $1_t self:context contains; @@ -30703,7 +31102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -826,6 +885,8 @@ +@@ -826,6 +889,8 @@ ') userdom_login_user_template($1) @@ -30712,7 +31111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) -@@ -836,6 +897,25 @@ +@@ -836,6 +901,25 @@ # optional_policy(` 
@@ -30738,7 +31137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol loadkeys_run($1_t,$1_r) ') ') -@@ -865,51 +945,93 @@ +@@ -865,51 +949,93 @@ userdom_restricted_user_template($1) @@ -30755,12 +31154,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) ++ ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) -+ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -30795,12 +31194,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + alsa_read_rw_config($1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + apache_role($1_r, $1_usertype) + ') - -- xserver_restricted_role($1_r, $1_t) ++ + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) @@ -30845,7 +31244,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1065,8 @@ +@@ -943,8 +1069,8 @@ # Declarations # @@ -30855,7 +31254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1075,67 @@ +@@ -953,58 +1079,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -30889,10 +31288,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - storage_raw_read_removable_device($1_t) + optional_policy(` + cdrecord_role($1_r, $1_t) - ') ++ ') + + optional_policy(` + cron_role($1_r, $1_t) + ') ++ ++ optional_policy(` ++ games_rw_data($1_usertype) ') - tunable_policy(`user_dmesg',` 
@@ -30900,7 +31303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ',` - kernel_dontaudit_read_ring_buffer($1_t) + optional_policy(` -+ games_rw_data($1_usertype) ++ gpg_role($1_r, $1_usertype) ') - # Allow users to run TCP servers (bind to ports and accept connection from @@ -30910,32 +31313,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) + optional_policy(` -+ gpg_role($1_r, $1_usertype) ++ gpm_stream_connect($1_usertype) ') optional_policy(` - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) -+ gpm_stream_connect($1_usertype) ++ execmem_role_template($1, $1_r, $1_t) ') optional_policy(` - postgresql_role($1_r,$1_t) -+ execmem_role_template($1, $1_r, $1_t) ++ java_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ java_role_template($1, $1_r, $1_t) ++ mono_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + mount_run($1_t, $1_r) + ') + @@ -30953,7 +31352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1171,7 @@ +@@ -1040,7 +1175,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -30962,7 +31361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1180,7 @@ +@@ -1049,8 +1184,7 @@ # # Inherit rules for ordinary users. @@ -30972,7 +31371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1205,9 @@ +@@ -1075,6 +1209,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -30982,7 +31381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1222,7 @@ +@@ -1089,6 +1226,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -30990,7 +31389,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1230,6 @@ +@@ -1096,8 +1234,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -30999,7 +31398,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,12 +1256,11 @@ +@@ -1124,12 +1260,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -31014,7 +31413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_terms($1_t) auth_getattr_shadow($1_t) -@@ -1152,20 +1283,6 @@ +@@ -1152,20 +1287,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31035,7 +31434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1328,7 @@ +@@ -1211,6 +1332,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31043,7 +31442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1394,15 @@ +@@ -1276,11 +1398,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -31059,7 +31458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1513,13 @@ +@@ -1391,12 +1517,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -31074,7 +31473,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1552,14 @@ +@@ -1429,6 +1556,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -31089,7 +31488,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1575,11 @@ +@@ -1444,9 +1579,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -31101,7 +31500,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1636,42 @@ +@@ -1503,6 +1640,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -31144,7 +31543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1746,8 @@ +@@ -1577,6 +1750,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -31153,7 +31552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1619,6 +1790,24 @@ +@@ -1619,6 +1794,24 @@ ######################################## ## @@ -31178,7 +31577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1670,6 +1859,7 @@ +@@ -1670,6 +1863,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -31186,7 +31585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1987,32 @@ +@@ -1797,19 +1991,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -31226,7 +31625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2047,7 @@ +@@ -1844,6 +2051,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -31234,7 +31633,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,7 +2595,7 @@ +@@ -2391,7 +2599,7 @@ ######################################## ## @@ -31243,7 +31642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2399,19 +2603,20 @@ +@@ -2399,19 +2607,20 @@ ## ## # @@ -31267,7 +31666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2419,38 +2624,17 @@ +@@ -2419,33 +2628,12 @@ ## ## # @@ -31282,11 +31681,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) -+ allow $1 user_tty_device_t:chr_file getattr; - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Get the attributes of a user domain tty. -## -## 
@@ -31301,16 +31699,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - ') - - allow $1 user_tty_device_t:chr_file getattr; --') -- --######################################## --## --## Do not audit attempts to get the attributes of a user domain tty. -+## Do not audit attempts to get the attributes of a user domain tty. - ## - ## - ## -@@ -2749,7 +2933,7 @@ ++ allow $1 user_tty_device_t:chr_file getattr; + ') + + ######################################## +@@ -2749,7 +2937,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -31319,7 +31712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +2949,32 @@ +@@ -2765,11 +2953,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -31354,7 +31747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3102,25 @@ +@@ -2897,7 +3106,25 @@ type user_tmp_t; ') @@ -31381,7 +31774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3157,7 @@ +@@ -2934,6 +3161,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -31389,7 +31782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3288,578 @@ +@@ -3064,3 +3292,578 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index b294df0..371ec28 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 32%{?dist} +Release: 33%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -445,6 +445,9 @@ exit 0 %endif %changelog +* Fri Oct 23 2009 Dan Walsh 3.6.32-33 +- Allow firefox to transition to java + * Thu Oct 22 2009 Dan Walsh 3.6.32-32 - Allow unconfined_execmem_t to transition to sandbox - Allow postfix_cleanup to read etc_alias