From 07351eb493a81fefea6d5546028809ffa6b44e5b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 30 2007 14:37:54 +0000 Subject: - Allow xserver to write to ramfs mounted by rhgb --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 77ccf48..9e4930c 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -434,7 +434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.4/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te 2007-07-28 10:42:11.000000000 -0400 @@ -75,11 +75,13 @@ mls_file_read_up(logrotate_t) mls_file_write_down(logrotate_t) @@ -449,7 +449,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # Run helper programs. corecmd_exec_bin(logrotate_t) -@@ -114,8 +116,6 @@ +@@ -95,6 +97,7 @@ + files_read_etc_files(logrotate_t) + files_read_etc_runtime_files(logrotate_t) + files_read_all_pids(logrotate_t) ++files_search_all(logrotate_t) + # Write to /var/spool/slrnpull - should be moved into its own type. + files_manage_generic_spool(logrotate_t) + files_manage_generic_spool_dirs(logrotate_t) +@@ -114,8 +117,6 @@ seutil_dontaudit_read_config(logrotate_t) @@ -458,7 +466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota userdom_dontaudit_search_sysadm_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) -@@ -177,14 +177,6 @@ +@@ -177,14 +178,6 @@ ') optional_policy(` 
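Review bot: `files_search_all(logrotate_t)` in the new `@@ -95,6 +97,7 @@` hunk of logrotate.te grants search on every directory type the files module declares, which is wider than the neighbouring `files_read_all_pids`/`files_manage_generic_spool` rules and leaves no trace of which path actually needed it. If the denial was for one specific tree, the matching narrower `files_search_*` interface, or at least a comment such as `# search needed to reach logs under <path — TODO fill in>`, keeps the grant reviewable. The changelog added in selinux-policy.spec mentions only the xserver/ramfs change, so this hunk and the rpc.te, usernetctl.te, userdomain.if and webadm.te changes in this commit are otherwise undocumented.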
@@ -2135,6 +2143,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp auth_manage_pam_pid($1_userhelper_t) auth_manage_var_auth($1_userhelper_t) auth_search_pam_console_data($1_userhelper_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.4/policy/modules/apps/usernetctl.te +--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2007-07-25 10:37:37.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/apps/usernetctl.te 2007-07-28 11:05:08.000000000 -0400 +@@ -6,14 +6,6 @@ + # Declarations + # + +-## +-##

+-## Allow users to control network interfaces +-## (also needs USERCTL=true) +-##

+-##
+-gen_tunable(user_net_control,false) +- + type usernetctl_t; + type usernetctl_exec_t; + application_domain(usernetctl_t,usernetctl_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.4/policy/modules/apps/vmware.fc --- nsaserefpolicy/policy/modules/apps/vmware.fc 2007-07-03 07:05:43.000000000 -0400 +++ serefpolicy-3.0.4/policy/modules/apps/vmware.fc 2007-07-25 13:27:51.000000000 -0400 @@ -2630,6 +2656,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + allow $1 root_t:dir rw_dir_perms; + allow $1 root_t:file { create getattr write }; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400 +@@ -1192,6 +1192,24 @@ + + ######################################## + ## ++## unmount a FUSE filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_fusefs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:filesystem unmount; ++') ++ ++######################################## ++## + ## Search inotifyfs filesystem. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-25 10:37:36.000000000 -0400 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-25 13:27:51.000000000 -0400 
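Review bot: The `gen_tunable(user_net_control,false)` declaration is dropped from usernetctl.te, but nothing in this hunk replaces it, so any `tunable_policy(`user_net_control', ...)` block that still references the boolean elsewhere would fail to build, and administrators who had set the boolean lose it silently. If the tunable was deliberately moved to another module, naming that module in the commit message or the spec changelog would make the removal traceable; if it is simply gone, the module's description should say the control is now unconditional. The remaining rules of usernetctl.te are outside this hunk.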
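Review bot: The summary line of the new `fs_unmount_fusefs` interface, `## unmount a FUSE filesystem.`, starts lowercase while the sibling summary visible in the same hunk (`## Search inotifyfs filesystem.`) is capitalised; `## Unmount a FUSE filesystem.` matches the file's convention. The `gen_require`/`allow $1 fusefs_t:filesystem unmount;` body follows the pattern of the neighbouring interfaces, and no caller is visible in this commit, so the interface presumably serves a domain changed outside this patch.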
@@ -6561,8 +6615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_search_auto_mountpoints($1_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-25 13:27:51.000000000 -0400 -@@ -59,6 +59,8 @@ ++++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-30 09:46:58.000000000 -0400 +@@ -59,10 +59,13 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -6571,7 +6625,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_system_state(rpcd_t) kernel_search_network_state(rpcd_t) # for rpc.rquotad -@@ -76,9 +78,11 @@ + kernel_read_sysctl(rpcd_t) ++kernel_getattr_core_if(nfsd_t) + + fs_list_rpc(rpcd_t) + fs_read_rpc_files(rpcd_t) +@@ -76,9 +79,11 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -6583,7 +6642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') ######################################## -@@ -91,9 +95,13 @@ +@@ -91,9 +96,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; @@ -6597,7 +6656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +131,7 @@ +@@ -123,6 +132,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) 
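Review bot: `kernel_getattr_core_if(nfsd_t)` is inserted right after `kernel_read_sysctl(rpcd_t)` in the rpcd_t local-policy section, while the nfsd_t rules live in the later `allow nfsd_t exports_t:file { getattr read };` section; placing the line with the other nfsd_t kernel rules keeps each domain's policy in one place. The hunk also gives no reason why nfsd needs getattr on the kernel core interface type; if this only silences a stat() denial, a dontaudit variant (if the kernel module provides one) is the smaller grant, and either way a one-line comment such as `# TODO: document why nfsd_t needs getattr on the kernel core interface` should accompany it. Both the rpcd_t and nfsd_t sections extend beyond this hunk.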
@@ -6605,7 +6664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +152,8 @@ +@@ -143,6 +153,8 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -6614,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -158,6 +169,11 @@ +@@ -158,6 +170,11 @@ miscfiles_read_certs(gssd_t) @@ -7260,7 +7319,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.4/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/services/xserver.if 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/services/xserver.if 2007-07-30 10:01:38.000000000 -0400 +@@ -141,7 +141,7 @@ + fs_getattr_xattr_fs($1_xserver_t) + fs_search_nfs($1_xserver_t) + fs_search_auto_mountpoints($1_xserver_t) +- fs_search_ramfs($1_xserver_t) ++ fs_manage_ramfs_files($1_xserver_t) + + init_getpgid($1_xserver_t) + @@ -353,12 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -10523,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-26 10:11:38.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-28 11:09:17.000000000 -0400 
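Review bot: Replacing `fs_search_ramfs($1_xserver_t)` with `fs_manage_ramfs_files($1_xserver_t)` grants create/write/unlink on every file of type ramfs_t, for every per-user X server domain the template instantiates, which is considerably more than the stated need of writing to the ramfs that rhgb mounts. If only existing files need to be written, a read/write interface (if filesystem.if provides one for ramfs files) would do; if the content is rhgb-specific, a dedicated type for that mount with a file transition would keep the rest of ramfs out of reach. At minimum the line deserves a comment, e.g. `# rhgb mounts a ramfs that the X server must write to`, since the reason is currently recorded only in the spec changelog. The `$1_xserver_t` template body extends well beyond this hunk.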
@@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -11159,21 +11227,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc -@@ -1033,14 +1127,6 @@ - ') - - optional_policy(` -- kerberos_use($1_t) +@@ -1029,15 +1123,7 @@ + # and may change other protocols + tunable_policy(`user_tcp_server',` + corenet_tcp_bind_all_nodes($1_t) +- corenet_tcp_bind_generic_port($1_t) - ') - - optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) +- kerberos_use($1_t) - ') - - optional_policy(` - netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ corenet_tcp_bind_all_unreserved_ports($1_t) ') + + optional_policy(` @@ -1054,17 +1140,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11806,7 +11876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.4/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.4/policy/modules/users/webadm.te 2007-07-25 13:27:51.000000000 -0400 ++++ serefpolicy-3.0.4/policy/modules/users/webadm.te 2007-07-27 14:44:20.000000000 -0400 @@ -0,0 +1,70 @@ +policy_module(webadm,1.0.0) + @@ -11815,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +# webadmin local policy +# + -+userdom_login_user_template(webadm) ++userdom_base_user_template(webadm) +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; + +# Allow webadm_t to restart the apache service 
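Review bot: Inside the `user_tcp_server` tunable block, `corenet_tcp_bind_generic_port($1_t)` is replaced by `corenet_tcp_bind_all_unreserved_ports($1_t)`, which changes what a user domain may bind to when the boolean is on; if the unreserved-port attribute covers every defined port type above 1024, this now includes ports assigned to other services rather than only the unlabeled generic port, a semantic widening of the boolean and not merely a rename. The comment above the block (`# and may change other protocols`) does not mention this and the spec changelog does not either, so a comment such as `# bind to any unreserved port, not just generic_port_t` plus a changelog line would record the intent. The removal of the `kerberos_use`/`loadkeys_run` optional blocks appears in both the old and new versions of this patch hunk, so it is not new here. The enclosing template starts and ends outside the hunk.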
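Review bot: `userdom_login_user_template(webadm)` becomes `userdom_base_user_template(webadm)`, which changes the set of rules webadm_t inherits, yet the hunk keeps the hand-written `allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` unchanged and gives no reason for the switch. A comment above the template call, e.g. `# base template only: webadm is not a login user — TODO confirm intent`, and a spec changelog entry would make the choice reviewable later. The rest of webadm.te is outside the hunk.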
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f260ac2..4164f69 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@ exit 0
 %endif
 %changelog
+* Mon Jul 30 2007 Dan Walsh 3.0.4-3
+- Allow xserver to write to ramfs mounted by rhgb
+
 * Tue Jul 23 2007 Dan Walsh 3.0.4-2
 - Add context for dbus machine id