From bc861e624e5ce1ef1cf667001f0f5281391de322 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 06 2009 17:48:29 +0000 Subject: - Fix staff_t domain --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 0b72d12..036f8ea 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -712,8 +712,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-03 22:57:29.000000000 -0500 -@@ -11,7 +11,8 @@ ++++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-05 13:41:50.000000000 -0500 +@@ -3,6 +3,7 @@ + /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) + + /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) + + /usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +@@ -11,7 +12,8 @@ /usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -723,7 +731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,14 +22,17 @@ +@@ -21,14 +23,17 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -1706,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.4/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/apps/gnome.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/apps/gnome.if 2009-02-05 15:12:13.000000000 -0500 @@ -89,5 +89,154 @@ allow $1 gnome_home_t:dir manage_dir_perms; @@ -6204,7 +6212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.4/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/kernel/kernel.if 2009-02-06 11:11:26.000000000 -0500 @@ -1197,6 +1197,26 @@ ') @@ -6331,6 +6339,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.4/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/kernel/kernel.te 2009-02-03 22:57:29.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(kernel, 1.10.3) ++policy_module(kernel, 1.10.2) + + ######################################## + # @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) 
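Review bot: The inner hunk added to kernel.te, `+-policy_module(kernel, 1.10.3)` / `++policy_module(kernel, 1.10.2)`, now makes the Fedora patch lower the module version below what the upstream file carries, which reads as a merge artifact from a serefpolicy tree that is one revision behind (the `---` side of this file header was refreshed to 2009-02-03 22:50:50 while the `+++` side was not). Module versions are expected to only move forward, and a downgrade makes later upgrades of the base module harder to audit. Either drop this inner hunk so upstream's 1.10.3 stands, or set it above upstream's value rather than below it.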
@@ -6375,6 +6390,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; +@@ -221,10 +237,8 @@ + # connections with invalidated labels: + allow kernel_t unlabeled_t:packet send; + +-# Allow unlabeled network traffic ++# Forwarded network traffic + allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +-corenet_in_generic_if(unlabeled_t) +-corenet_in_generic_node(unlabeled_t) + + corenet_all_recvfrom_unlabeled(kernel_t) + corenet_all_recvfrom_netlabel(kernel_t) @@ -248,7 +262,8 @@ selinux_load_policy(kernel_t) @@ -7047,16 +7074,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.4/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/roles/staff.te 2009-02-03 22:57:29.000000000 -0500 -@@ -8,112 +8,32 @@ - - role staff_r; - --userdom_unpriv_user_template(staff) -+userdom_admin_login_user_template(staff) - - ######################################## - # ++++ serefpolicy-3.6.4/policy/modules/roles/staff.te 2009-02-05 13:52:52.000000000 -0500 +@@ -15,156 +15,87 @@ # Local policy # 
@@ -7119,111 +7138,130 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - java_role(staff_r, staff_t) -') -- ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) + -optional_policy(` - lockdev_role(staff_r, staff_t) -') -- ++auth_domtrans_pam_console(staff_t) + -optional_policy(` - lpd_role(staff_r, staff_t) -') -- ++libs_manage_shared_libs(staff_t) + -optional_policy(` - mozilla_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) ++seutil_run_newrole(staff_t, staff_r) --optional_policy(` + optional_policy(` - mplayer_role(staff_r, staff_t) --') -+auth_domtrans_pam_console(staff_t) ++ sudo_role_template(staff, staff_r, staff_t) + ') --optional_policy(` + optional_policy(` - mta_role(staff_r, staff_t) --') -+libs_manage_shared_libs(staff_t) ++ auditadm_role_change(staff_r) + ') optional_policy(` - oident_manage_user_content(staff_t) - oident_relabel_user_content(staff_t) --') -- --optional_policy(` ++ kerneloops_manage_tmp_files(staff_t) + ') + + optional_policy(` - pyzor_role(staff_r, staff_t) --') -- --optional_policy(` ++ logadm_role_change(staff_r) + ') + + optional_policy(` - razor_role(staff_r, staff_t) -+ auditadm_role_change(staff_r) ++ secadm_role_change(staff_r) ') optional_policy(` - rssh_role(staff_r, staff_t) -+ kerneloops_manage_tmp_files(staff_t) ++ ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` - screen_role_template(staff, staff_r, staff_t) -+ logadm_role_change(staff_r) ++ sysadm_role_change(staff_r) ') optional_policy(` -@@ -121,50 +41,21 @@ +- secadm_role_change(staff_r) ++ usernetctl_run(staff_t, staff_r) ') optional_policy(` - spamassassin_role(staff_r, staff_t) --') -- --optional_policy(` - ssh_role_template(staff, staff_r, staff_t) ++ 
unconfined_role_change(staff_r) ') optional_policy(` +- ssh_role_template(staff, staff_r, staff_t) ++ webadm_role_change(staff_r) + ') + +-optional_policy(` - su_role_template(staff, staff_r, staff_t) -') -- ++domain_read_all_domains_state(staff_t) ++domain_getattr_all_domains(staff_t) ++domain_obj_id_change_exemption(staff_t) + -optional_policy(` - sudo_role_template(staff, staff_r, staff_t) -') -- ++files_read_kernel_modules(staff_t) + -optional_policy(` - sysadm_role_change(staff_r) +- sysadm_role_change(staff_r) - userdom_dontaudit_use_user_terminals(staff_t) -') -- ++kernel_read_fs_sysctls(staff_t) + -optional_policy(` - thunderbird_role(staff_r, staff_t) -') -- ++modutils_read_module_config(staff_t) ++modutils_read_module_deps(staff_t) + -optional_policy(` - tvtime_role(staff_r, staff_t) -') -- --optional_policy(` ++miscfiles_read_hwdata(staff_t) + + optional_policy(` - uml_role(staff_r, staff_t) --') -- --optional_policy(` ++ gnomeclock_dbus_chat(staff_t) + ') + + optional_policy(` - userhelper_role_template(staff, staff_r, staff_t) ++ kerneloops_dbus_chat(staff_t) ') optional_policy(` - vmware_role(staff_r, staff_t) -+ usernetctl_run(staff_t, staff_r) ++ rpm_dbus_chat(staff_usertype) ') optional_policy(` - wireshark_role(staff_r, staff_t) -+ unconfined_role_change(staff_r) ++ setroubleshoot_stream_connect(staff_t) ++ setroubleshoot_dbus_chat(staff_t) ') optional_policy(` - xserver_role(staff_r, staff_t) -+ webadm_role_change(staff_r) ++ virt_stream_connect(staff_t) ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.4/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 
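Review bot: `libs_manage_shared_libs(staff_t)` stays as an unconditional top-level rule in the new staff.te, which by its refpolicy definition lets the staff domain create, overwrite and delete shared-library files system-wide, while the preceding hunk (`@@ -7047`, ending on an earlier line) drops the earlier switch to `userdom_admin_login_user_template(staff)`, so as far as this diff shows staff_t is again built from the unprivileged template; a grant that strong deserves a why-comment, e.g. `# staff_t updates shared libs directly (TODO: record which tool needs this), or a move into the optional block of the tool that needs it`. `rpm_dbus_chat(staff_usertype)` also uses the `staff_usertype` attribute while the neighbouring `kerneloops_dbus_chat`, `setroubleshoot_dbus_chat` and `gnomeclock_dbus_chat` calls use `staff_t`; if covering derived domains is intended, a comment would help, otherwise `rpm_dbus_chat(staff_t)` keeps the block consistent. The file's declarations and its tail lie outside the hunk.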
@@ -7561,7 +7599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.4/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/roles/unprivuser.te 2009-02-05 10:45:18.000000000 -0500 @@ -14,142 +14,13 @@ userdom_unpriv_user_template(user) @@ -12263,8 +12301,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.4/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-04 08:40:38.000000000 -0500 -@@ -0,0 +1,125 @@ ++++ serefpolicy-3.6.4/policy/modules/services/devicekit.te 2009-02-06 11:17:45.000000000 -0500 +@@ -0,0 +1,131 @@ +policy_module(devicekit,1.0.0) + +######################################## @@ -12309,6 +12347,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dbus_system_bus_client(devicekit_t) +') + ++optional_policy(` ++ udev_read_db(devicekit_t) ++') ++ +# +# DeviceKit-Power local policy +# @@ -12324,7 +12366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_read_all_domains_state(devicekit_power_t) + +kernel_read_system_state(devicekit_power_t) ++kernel_rw_kernel_sysctl(devicekit_power_t) +kernel_rw_hotplug_sysctls(devicekit_power_t) ++kernel_write_proc_files(devicekit_power_t) + +dev_rw_generic_usb_dev(devicekit_power_t) +dev_rw_netcontrol(devicekit_power_t) 
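Review bot: `kernel_rw_kernel_sysctl(devicekit_power_t)` and `kernel_write_proc_files(devicekit_power_t)` are broad write grants for a power-management daemon and carry no comment saying which sysctl or /proc entry they are for; `kernel_write_proc_files` in particular covers generic proc files rather than one path. A one-line why-comment above them, e.g. `# DeviceKit-Power writes <PROC_OR_SYSCTL_PATH from the AVC denial> on suspend/resume`, would let a later reviewer check whether a narrower interface exists. The devicekit_power_t block continues outside the hunk.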
@@ -12419,6 +12463,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## an dhcp environment ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc +--- nsaserefpolicy/policy/modules/services/dnsmasq.fc 2008-11-18 18:57:20.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.fc 2009-02-06 11:38:55.000000000 -0500 +@@ -5,3 +5,4 @@ + /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) + /var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) + /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) ++/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.6.4/policy/modules/services/dnsmasq.if --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-11-18 18:57:21.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.if 2009-02-03 22:57:29.000000000 -0500 @@ -12522,7 +12574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.4/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/dnsmasq.te 2009-02-06 11:39:09.000000000 -0500 @@ -69,21 +69,22 @@ # allow access to dnsmasq.conf 
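Review bot: Labelling `/var/run/libvirt/network(/.*)?` as dnsmasq_var_run_t means the per-network pid/lease files libvirt keeps there take a dnsmasq type instead of virt_var_run_t, so unless virt_t already has rights on dnsmasq_var_run_t (not visible in this diff) libvirtd may be denied when it creates or removes that directory. A short comment on the fc line, `# dnsmasq instances spawned by libvirtd keep their pid/lease files here`, and a check of virt.te for a matching dnsmasq interface would make the dependency explicit.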
@@ -12705,7 +12757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.4/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/dovecot.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/dovecot.te 2009-02-06 11:32:01.000000000 -0500 @@ -15,12 +15,21 @@ domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -12795,12 +12847,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl }; +allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; - allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; - +-allow dovecot_auth_t dovecot_passwd_t:file read_file_perms; ++read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) ++ +manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) +files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -+ + # Allow dovecot to create and read SSL parameters file manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t) files_search_var_lib(dovecot_t) 
@@ -22173,8 +22226,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.4/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/ssh.te 2009-02-03 22:57:29.000000000 -0500 -@@ -75,7 +75,7 @@ ++++ serefpolicy-3.6.4/policy/modules/services/ssh.te 2009-02-06 12:43:43.000000000 -0500 +@@ -41,6 +41,9 @@ + files_tmp_file(sshd_tmp_t) + files_poly_parent(sshd_tmp_t) + ++type sshd_tmpfs_t; ++files_tmpfs_file(sshd_tmpfs_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) + ') +@@ -75,7 +78,7 @@ ubac_constrained(ssh_tmpfs_t) type home_ssh_t; @@ -22183,7 +22246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typealias home_ssh_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; files_type(home_ssh_t) userdom_user_home_content(home_ssh_t) -@@ -95,7 +95,7 @@ +@@ -95,7 +98,7 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; @@ -22192,7 +22255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ssh_t self:netlink_route_socket r_netlink_socket_perms; # Read the ssh key file. -@@ -115,6 +115,7 @@ +@@ -115,6 +118,7 @@ manage_dirs_pattern(ssh_t,home_ssh_t,home_ssh_t) manage_sock_files_pattern(ssh_t,home_ssh_t,home_ssh_t) userdom_user_home_dir_filetrans(ssh_t, home_ssh_t, { dir sock_file }) 
@@ -22200,7 +22263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -139,6 +140,8 @@ +@@ -139,6 +143,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -22209,7 +22272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(ssh_t) -@@ -173,6 +176,7 @@ +@@ -173,6 +179,7 @@ userdom_use_user_terminals(ssh_t) # needs to read krb tgt userdom_read_user_tmp_files(ssh_t) @@ -22217,7 +22280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -202,6 +206,7 @@ +@@ -202,6 +209,7 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) @@ -22225,7 +22288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -310,6 +315,8 @@ +@@ -310,6 +318,8 @@ kernel_search_key(sshd_t) kernel_link_key(sshd_t) @@ -22234,7 +22297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ptys(sshd_t) term_setattr_all_user_ptys(sshd_t) term_relabelto_all_user_ptys(sshd_t) -@@ -318,6 +325,10 @@ +@@ -318,6 +328,13 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) 
@@ -22242,10 +22305,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_read_user_home_content_symlinks(sshd_t) +userdom_search_admin_dir(sshd_t) + ++manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t) ++fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file) ++ tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -331,6 +342,14 @@ +@@ -331,6 +348,14 @@ ') optional_policy(` @@ -22260,7 +22326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -349,7 +368,11 @@ +@@ -349,7 +374,11 @@ ') optional_policy(` @@ -22273,7 +22339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -408,6 +431,8 @@ +@@ -408,6 +437,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) 
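Review bot: The new `manage_files_pattern(sshd_t, sshd_tmpfs_t, sshd_tmpfs_t)` / `fs_tmpfs_filetrans(sshd_t, sshd_tmpfs_t, file)` pair has no comment explaining what sshd puts on tmpfs, and the transition covers only the `file` class; if sshd also creates directories there they would keep the generic tmpfs label. A why-comment such as `# sshd creates <WHAT — fill in from the denial> on tmpfs (/dev/shm)` above the rules, and widening the transition only if a dir denial is actually seen, would document the intent. The declaration of sshd_tmpfs_t sits in an earlier hunk (`@@ -22173`).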
@@ -22606,8 +22672,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.4/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/virt.if 2009-02-03 22:57:29.000000000 -0500 -@@ -293,6 +293,41 @@ ++++ serefpolicy-3.6.4/policy/modules/services/virt.if 2009-02-06 11:23:27.000000000 -0500 +@@ -117,12 +117,12 @@ + ') + + files_search_pids($1) +- allow $1 virt_var_run_t:file read_file_perms; ++ read_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') + + ######################################## + ## +-## Manage virt pid files. ++## Manage virt PID files. + ## + ## + ## +@@ -135,6 +135,7 @@ + type virt_var_run_t; + ') + ++ files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + ') + +@@ -293,6 +294,41 @@ ######################################## ## @@ -23458,7 +23547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.4/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-04 11:20:11.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/xserver.te 2009-02-05 18:20:04.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -23810,7 +23899,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -504,10 +569,12 @@ +@@ -472,6 +537,7 @@ + # Search /proc for any user domain processes. + userdom_read_all_users_state(xdm_t) + userdom_signal_all_users(xdm_t) ++userdom_write_user_tmp_files(xdm_t) + + xserver_rw_session(xdm_t,xdm_tmpfs_t) + xserver_unconfined(xdm_t) +@@ -504,10 +570,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -23823,7 +23920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +582,41 @@ +@@ -515,12 +583,41 @@ ') optional_policy(` @@ -23865,7 +23962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +638,19 @@ +@@ -542,6 +639,19 @@ ') optional_policy(` @@ -23885,7 +23982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +659,9 @@ +@@ -550,8 +660,9 @@ ') optional_policy(` @@ -23897,7 +23994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +670,6 @@ +@@ -560,7 +671,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -23905,7 +24002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +680,10 @@ +@@ -571,6 +681,10 @@ ') optional_policy(` @@ -23916,7 +24013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +700,7 @@ +@@ -587,7 +701,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
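Review bot: `userdom_write_user_tmp_files(xdm_t)` gives the display manager write access to every user's user_tmp_t files with no comment saying why, and the same interface is widened elsewhere in this commit (from `allow … write_file_perms` to `write_files_pattern`), so the grant is broader than it looks. A why-comment on the line, `# xdm writes <WHICH user tmp file — fill in from the AVC denial> at session start`, would let a later reviewer judge whether a narrower interface fits. The xdm_t block continues outside the hunk.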
@@ -23925,7 +24022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +715,11 @@ +@@ -602,9 +716,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23937,7 +24034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +737,7 @@ +@@ -622,7 +738,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) @@ -23946,7 +24043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +750,19 @@ +@@ -635,9 +751,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23966,7 +24063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +805,14 @@ +@@ -680,9 +806,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23981,7 +24078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +827,13 @@ +@@ -697,8 +828,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -23995,7 +24092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +855,7 @@ +@@ -720,6 +856,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24003,7 +24100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +878,7 @@ +@@ -742,7 +879,7 @@ ') ifdef(`enable_mls',` @@ -24012,7 +24109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +910,10 @@ +@@ -774,6 +911,10 @@ ') optional_policy(` @@ -24023,7 +24120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +946,7 @@ +@@ -806,7 +947,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24032,7 +24129,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +967,14 @@ +@@ -827,9 +968,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24047,7 +24144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +989,14 @@ +@@ -844,11 +990,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -24063,7 +24160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1004,11 @@ +@@ -856,6 +1005,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -24075,7 +24172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1034,8 @@ +@@ -881,6 +1035,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -24084,7 +24181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1060,8 @@ +@@ -905,6 +1061,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24093,7 +24190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1129,51 @@ +@@ -972,17 +1130,51 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28524,7 +28621,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-04 10:39:52.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-05 18:26:44.000000000 -0500 @@ -30,8 +30,9 @@ ') 
@@ -29435,7 +29532,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +953,28 @@ +@@ -899,28 +953,29 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -29447,12 +29544,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) + apache_role($1_r, $1_usertype) -+ ') ++ ') optional_policy(` - consolekit_dbus_chat($1_t) + gnome_manage_config($1_usertype) + gnome_manage_gconf_home_files($1_usertype) ++ gnome_read_gconf_config($1_usertype) ') optional_policy(` @@ -29472,7 +29570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +985,7 @@ +@@ -931,8 +986,7 @@ ## ## ##

@@ -29482,7 +29580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1007,8 @@ +@@ -954,8 +1008,8 @@ # Declarations # @@ -29492,7 +29590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1017,12 @@ +@@ -964,11 +1018,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -29507,7 +29605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1040,47 @@ +@@ -986,37 +1041,47 @@ ') ') @@ -29568,7 +29666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1114,7 @@ +@@ -1050,7 +1115,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -29577,7 +29675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1123,7 @@ +@@ -1059,8 +1124,7 @@ # # Inherit rules for ordinary users. @@ -29587,7 +29685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1146,8 @@ +@@ -1083,7 +1147,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -29597,7 +29695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1163,7 @@ +@@ -1099,6 +1164,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -29605,7 +29703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1171,6 @@ +@@ -1106,8 +1172,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -29614,7 +29712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1225,6 @@ +@@ -1162,20 +1226,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29635,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1270,7 @@ +@@ -1221,6 +1271,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29643,7 +29741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1336,15 @@ +@@ -1286,11 +1337,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -29659,7 +29757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1441,7 @@ +@@ -1387,7 +1442,7 @@ ######################################## ##

@@ -29668,7 +29766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1474,14 @@ +@@ -1420,6 +1475,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -29683,7 +29781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1497,11 @@ +@@ -1435,9 +1498,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -29695,7 +29793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1558,25 @@ +@@ -1494,6 +1559,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -29721,7 +29819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1630,9 @@ +@@ -1547,9 +1631,9 @@ type user_home_dir_t, user_home_t; ') @@ -29733,7 +29831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1651,8 @@ +@@ -1568,6 +1652,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29742,7 +29840,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1728,7 @@ +@@ -1643,6 +1729,7 @@ type user_home_dir_t, user_home_t; ') @@ -29750,7 +29848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1827,62 @@ +@@ -1741,6 +1828,62 @@ ######################################## ## 
@@ -29813,7 +29911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1899,6 @@ +@@ -1757,14 +1900,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -29828,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1921,46 @@ +@@ -1787,6 +1922,46 @@ ######################################## ## @@ -29875,7 +29973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1973,7 @@ +@@ -1799,6 +1974,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -29883,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -1921,7 +2096,7 @@ +@@ -1921,7 +2097,7 @@ ######################################## ## @@ -29892,7 +29990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## with an automatic type transition to ## a specified private type. ## -@@ -1941,28 +2116,58 @@ +@@ -1941,28 +2117,58 @@ ## ## # @@ -29958,11 +30056,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## The class of the object to be created. ## -@@ -2819,6 +3024,24 @@ +@@ -2814,7 +3020,43 @@ + type user_tmp_t; + ') - ######################################## - ## -+## Delete all users files in /tmp +- allow $1 user_tmp_t:file write_file_perms; ++ write_files_pattern($1, user_tmp_t, user_tmp_t) ++') ++ ++######################################## ++## ++## Write all users files in /tmp +## +## +## 
@@ -29970,20 +30074,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_delete_user_tmp_files',` ++interface(`userdom_write_user_tmp_dirs',` + gen_require(` + type user_tmp_t; + ') + -+ allow $1 user_tmp_t:file delete_file_perms; ++ write_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## - ## Do not audit attempts to use user ttys. - ## - ## -@@ -2851,6 +3074,7 @@ ++## Delete all users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## +@@ -2851,6 +3093,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -29991,7 +30109,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3189,24 @@ +@@ -2965,6 +3208,24 @@ ######################################## ## @@ -30016,7 +30134,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3223,313 @@ +@@ -2981,3 +3242,313 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 76c74c4..2e7040c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.4 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Thu Feb 5 2009 Dan Walsh 3.6.4-4 +- Fix staff_t domain + * Thu Feb 5 2009 Dan Walsh 3.6.4-3 - Grab remainder of network_peer_controls patch
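Review bot: The new interface `userdom_write_user_tmp_dirs` added in this hunk is named for directories, but its body is `write_files_pattern($1, user_tmp_t, user_tmp_t)` and its summary reads "Write all users files in /tmp", so it grants exactly the same file-write (plus dir search) access that the hunk at `@@ -29958,11 +30056,17 @@` now substitutes for `allow $1 user_tmp_t:file write_file_perms;` in the preceding interface, whose `interface(` line lies outside the visible hunk. A policy author calling the `_dirs` variant to let a domain add or remove entries in a user's /tmp directory would get no `dir` write permission at all, and the two interfaces become indistinguishable duplicates. If directory access is the intent, the body should be a directory pattern such as `rw_dirs_pattern($1, user_tmp_t, user_tmp_t)` and the summary `## Write all users directories in /tmp`; if the name is simply a typo, the duplicate interface should be dropped rather than shipped alongside the `_files` one. Either way the interface summary should state the exact object class it covers, since callers pick these interfaces by name.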
