From 2b4700d4cd869688850412b23994e4c9c9b44125 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Oct 09 2009 16:03:29 +0000
Subject: - Add home_cert_t for labeling of certs in the homedir
---
diff --git a/policy-F12.patch b/policy-F12.patch
index b444d26..b659de3 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -95,6 +95,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats ));
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.32/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/alsa.te 2009-10-09 07:40:41.000000000 -0400
+@@ -51,6 +51,8 @@
+ files_read_etc_files(alsa_t)
+ files_read_usr_files(alsa_t)
++term_use_console(alsa_t)
++
+ auth_use_nsswitch(alsa_t)
+ init_use_fds(alsa_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.32/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te 2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/admin/anaconda.te 2009-09-30 16:12:48.000000000 -0400
@@ -1603,7 +1615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.6.32/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/vpn.te 2009-10-01 09:40:37.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/vpn.te 2009-10-09 09:10:49.000000000 -0400
 @@ -46,6 +46,7 @@
 kernel_read_system_state(vpnc_t)
 kernel_read_network_state(vpnc_t)
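Review bot: `term_use_console(alsa_t)` is added to alsa.te with no comment saying which alsa helper needs the console or what denial motivated it, and the spec changelog in this commit only mentions home_cert_t, so the grant will be hard to re-evaluate later. A one-line comment above it naming the tool and the AVC it resolves, e.g. `# TODO(review): record which alsa binary needs console access and why`, would keep the module auditable. The enclosing alsa_t rule block starts and ends outside the hunk.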
@@ -1612,6 +1624,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 kernel_rw_net_sysctls(vpnc_t)
 corenet_all_recvfrom_unlabeled(vpnc_t)
+@@ -98,6 +99,7 @@
+ logging_dontaudit_search_logs(vpnc_t)
+
+ miscfiles_read_localization(vpnc_t)
++miscfiles_read_home_certs(vpnc_t)
+
+ seutil_dontaudit_search_config(vpnc_t)
+ seutil_use_newrole_fds(vpnc_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.32/policy/modules/apps/calamaris.te
 --- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/apps/calamaris.te 2009-09-30 16:12:48.000000000 -0400
@@ -1645,7 +1665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.6.32/policy/modules/apps/chrome.if
 --- nsaserefpolicy/policy/modules/apps/chrome.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-10-02 08:37:09.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/chrome.if 2009-10-09 10:13:58.000000000 -0400
 @@ -0,0 +1,85 @@
 +
 +## policy for chrome
@@ -1720,7 +1740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + chrome_domtrans_sandbox($2)
 +
 + ps_process_pattern($2, chrome_sandbox_t)
-+ allow $2 chrome_sandbox_t:process signal;
++ allow $2 chrome_sandbox_t:process signal_perms;
 +
 + allow chrome_sandbox_t $2:unix_dgram_socket { read write };
 + allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
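Review bot: `miscfiles_read_home_certs(vpnc_t)` in the new `@@ -98,6 +99,7 @@` hunk of vpn.te gives vpnc_t read access to the whole `HOME_DIR/\.cert(/.*)?` tree that the miscfiles.fc hunk further down labels home_cert_t; that directory presumably holds the client's private keys next to its certificates, so the line deserves a why-comment for later audits, e.g. `# vpnc loads the user's client certificate (and key) from ~/.cert`. The interface keeps the grant read-only, which is the right scope for a VPN client; any later widening to manage_* should get its own review. vpn.te's enclosing rule block starts and ends outside the hunk.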
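Review bot: `allow $2 chrome_sandbox_t:process signal_perms;` in the chrome.if hunk widens the user domain's rights over its sandbox from `signal` to the full signal_perms set (which in refpolicy also covers sigkill, sigstop, sigchld and signull); that is the usual shape for a role interface, but neither the commit subject nor the spec changelog mentions it. A short comment, e.g. `# the user may signal, stop and kill its own sandbox processes`, or a changelog bullet would make the widening visible in history. chrome_role continues outside the hunk.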
@@ -1845,8 +1865,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if
 --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-08 09:29:38.000000000 -0400
-@@ -0,0 +1,70 @@
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-09 10:34:56.000000000 -0400
+@@ -0,0 +1,74 @@
 +## execmem domain
 +
 +########################################
@@ -1913,8 +1933,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + corecmd_bin_domtrans($1_execmem_t, $1_t)
 +
 + optional_policy(`
++ chrome_role($2, $1_execmem_t)
++ ')
++
++ optional_policy(`
 + xserver_common_app($1_execmem_t)
-+ xserver_role($1_r, $1_execmem_t)
++ xserver_role($2, $1_execmem_t)
 + ')
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.6.32/policy/modules/apps/execmem.te
@@ -7130,7 +7154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-09 07:40:19.000000000 -0400
 @@ -196,7 +196,7 @@
 dev_list_all_dev_nodes($1)
@@ -19735,7 +19759,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -') dnl end TODO
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.32/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.fc 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/ssh.fc 2009-10-09 09:06:33.000000000 -0400
 @@ -14,3 +14,5 @@
 /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
@@ -25062,10 +25086,48 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 modutils_domtrans_insmod(lvm_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc
+--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-10-09 09:06:59.000000000 -0400
+@@ -85,3 +85,5 @@
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
++
++HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-10-07 13:48:11.000000000 -0400
-@@ -87,6 +87,44 @@
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2009-10-09 09:10:29.000000000 -0400
+@@ -23,6 +23,28 @@
+
+ ########################################
+ ##
++## Read system SSL certificates in the users homedir.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`miscfiles_read_home_certs',`
++ gen_require(`
++ type home_cert_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ allow $1 home_cert_t:dir list_dir_perms;
++ read_files_pattern($1, home_cert_t, home_cert_t)
++ read_lnk_files_pattern($1, home_cert_t, home_cert_t)
++')
++
++########################################
++##
+ ## manange system SSL certificates.
+ ##
+ ##
+@@ -87,6 +109,44 @@
 ########################################
 ##
@@ -25110,6 +25172,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Do not audit attempts to write fonts.
 ##
 ##
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.6.32/policy/modules/system/miscfiles.te
+--- nsaserefpolicy/policy/modules/system/miscfiles.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.te 2009-10-09 09:09:07.000000000 -0400
+@@ -12,6 +12,9 @@
+ type cert_t;
+ files_type(cert_t)
+
++type home_cert_t;
++userdom_user_home_content(home_cert_t)
++
+ #
+ # fonts_t is the type of various font
+ # files in /usr
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.32/policy/modules/system/modutils.fc
 --- nsaserefpolicy/policy/modules/system/modutils.fc 2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/system/modutils.fc 2009-09-30 16:12:48.000000000 -0400
@@ -27764,7 +27839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +HOME_DIR/\.gvfs(/.*)? <>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-08 15:35:26.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-09 10:06:24.000000000 -0400
 @@ -30,8 +30,9 @@
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 76e1129..b5a2460 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
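Review bot: `type home_cert_t;` in the miscfiles.te hunk carries no explanatory comment, unlike the `# fonts_t is the type of various font files in /usr` block directly below it, so its meaning is only recoverable from the miscfiles.fc hunk above that labels `HOME_DIR/\.cert(/.*)?`; suggest `# home_cert_t: the user's SSL certificates (and presumably keys) under ~/.cert` above the declaration. `userdom_user_home_content(home_cert_t)` presumably makes it ordinary home content for the user domains, while every other domain only gets what `miscfiles_read_home_certs` hands out, which is the intended read-only scope. The summary of that interface in the miscfiles.if hunk above reads "Read system SSL certificates in the users homedir.", which contradicts itself; `## Read the user's SSL certificates in their home directory.` says what the interface does.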
@@ -449,6 +449,9 @@ exit 0
 %endif
 %changelog
+* Fri Oct 10 2009 Dan Walsh 3.6.32-24
+- Add home_cert_t for labeling of certs in the homedir
+
 * Wed Oct 8 2009 Dan Walsh 3.6.32-23
 - Allow xdm to unlink xauth_home_t