From 2ced404c557d03d94dcbe0fc705835e956527706 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 23 2007 16:00:09 +0000 Subject: - Add anon_inodefs - Allow unpriv user exec pam_exec_t - Fix trigger --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 69570d4..3fecf74 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -333,8 +333,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.3/policy/modules/admin/anaconda.te --- nsaserefpolicy/policy/modules/admin/anaconda.te 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te 2007-07-17 15:46:25.000000000 -0400 -@@ -37,10 +37,6 @@ ++++ serefpolicy-3.0.3/policy/modules/admin/anaconda.te 2007-07-23 09:26:54.000000000 -0400 +@@ -31,16 +31,13 @@ + modutils_domtrans_insmod(anaconda_t) + + seutil_domtrans_semanage(anaconda_t) ++seutil_domtrans_setsebool(anaconda_t) + + unconfined_domain(anaconda_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(anaconda_t,{ dir file lnk_file fifo_file sock_file }) optional_policy(` 
@@ -547,6 +554,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil role system_r types traceroute_t; ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.3/policy/modules/admin/portage.if +--- nsaserefpolicy/policy/modules/admin/portage.if 2007-07-03 07:06:36.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/admin/portage.if 2007-07-23 09:28:12.000000000 -0400 +@@ -324,6 +324,7 @@ + seutil_domtrans_setfiles($1) + # run semodule + seutil_domtrans_semanage($1) ++ seutil_domtrans_setsebool($1) + + portage_domtrans_gcc_config($1) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-06-15 14:54:34.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/admin/prelink.te 2007-07-17 15:46:25.000000000 -0400 @@ -806,7 +824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.3/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-07-03 07:06:36.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/admin/rpm.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/admin/rpm.te 2007-07-20 17:08:28.000000000 -0400 @@ -9,6 +9,8 @@ type rpm_t; type rpm_exec_t; 
@@ -816,6 +834,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te domain_obj_id_change_exemption(rpm_t) domain_role_change_exemption(rpm_t) domain_system_change_exemption(rpm_t) +@@ -321,6 +323,7 @@ + seutil_domtrans_loadpolicy(rpm_script_t) + seutil_domtrans_setfiles(rpm_script_t) + seutil_domtrans_semanage(rpm_script_t) ++seutil_domtrans_setsebool(rpm_script_t) + + userdom_use_all_users_fds(rpm_script_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.3/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-05-29 14:10:59.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/admin/sudo.if 2007-07-17 15:46:25.000000000 -0400 @@ -1234,8 +1260,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.0.3/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/gnome.if 2007-07-17 15:46:25.000000000 -0400 -@@ -33,6 +33,50 @@ ++++ serefpolicy-3.0.3/policy/modules/apps/gnome.if 2007-07-23 11:05:01.000000000 -0400 +@@ -33,6 +33,51 @@ ## # template(`gnome_per_role_template',` @@ -1245,6 +1271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + # Declarations + # + type $1_gnome_home_t; ++ userdom_user_home_type($1_gnome_home_t) + userdom_user_home_content($1, $1_gnome_home_t) + manage_dirs_pattern($2,$1_gnome_home_t, $1_gnome_home_t) + manage_files_pattern($2,$1_gnome_home_t, $1_gnome_home_t) 
@@ -1286,7 +1313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if gen_require(` type gconfd_exec_t; attribute gnomedomain; -@@ -51,9 +95,6 @@ +@@ -51,9 +96,6 @@ type $1_gconf_home_t; userdom_user_home_content($1, $1_gconf_home_t) @@ -1296,7 +1323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if type $1_gconf_tmp_t; files_tmp_file($1_gconf_tmp_t) -@@ -78,9 +119,6 @@ +@@ -78,9 +120,6 @@ allow $1_gconfd_t $2:fifo_file write; allow $1_gconfd_t $2:unix_stream_socket connectto; @@ -1306,7 +1333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ps_process_pattern($2,$1_gconfd_t) dev_read_urand($1_gconfd_t) -@@ -101,9 +139,18 @@ +@@ -101,9 +140,18 @@ gnome_stream_connect_gconf_template($1,$2) optional_policy(` @@ -1325,7 +1352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if optional_policy(` xserver_use_xdm_fds($1_gconfd_t) xserver_rw_xdm_pipes($1_gconfd_t) -@@ -136,13 +183,32 @@ +@@ -136,13 +184,32 @@ allow $2 $1_gconfd_t:unix_stream_socket connectto; ') @@ -1359,7 +1386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ##

##

## This is a templated interface, and should only -@@ -171,6 +237,30 @@ +@@ -171,6 +238,30 @@ ######################################## ##

@@ -1390,7 +1417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -193,3 +283,23 @@ +@@ -193,3 +284,23 @@ allow $2 $1_gnome_home_t:dir manage_dir_perms; allow $2 $1_gnome_home_t:file manage_file_perms; ') @@ -1406,7 +1433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if +## +## +# -+template(`gnome_exec_gconf',` ++interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; + ') @@ -1711,7 +1738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-20 17:26:25.000000000 -0400 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -1736,7 +1763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ######################################## # # Local policy -@@ -97,15 +107,36 @@ +@@ -97,15 +107,37 @@ relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) @@ -1758,6 +1785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. + userdom_read_user_home_content_files($1,$1_mozilla_t) + userdom_read_user_home_content_symlinks($1,$1_mozilla_t) + userdom_read_user_tmp_files($1,$1_mozilla_t) ++ userdom_list_user_files($1,$1_mozilla_t) + userdom_manage_user_tmp_dirs($1,$1_mozilla_t) + userdom_manage_user_tmp_files($1,$1_mozilla_t) + userdom_manage_user_tmp_sockets($1,$1_mozilla_t) 
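Review bot: The added `userdom_list_user_files($1,$1_mozilla_t)` line grants `$1_mozilla_t` search on every `$1_file_type` directory and getattr on every such file, which is far broader than the neighbouring per-type `userdom_read_user_home_content_*` and `userdom_*_user_tmp_*` calls, and per the interface body added later in this patch (the userdomain.if hunk) it gives `search_dir_perms`, not list permission, despite the name. If the browser only needs to stat its own profile and tmp content, a narrower call would be preferable; otherwise the line should carry a comment naming the denial that motivated it, e.g. `# stat/traverse any user file type (needed for <operation> — confirm)`. The mozilla_per_role_template body continues outside this hunk.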
@@ -1780,7 +1808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -171,6 +202,8 @@ +@@ -171,6 +203,8 @@ fs_list_inotifyfs($1_mozilla_t) fs_rw_tmpfs_files($1_mozilla_t) @@ -1789,7 +1817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) -@@ -186,12 +219,9 @@ +@@ -186,12 +220,9 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) @@ -1805,7 +1833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) -@@ -213,133 +243,6 @@ +@@ -213,133 +244,6 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -1939,7 +1967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. optional_policy(` apache_read_user_scripts($1,$1_mozilla_t) apache_read_user_content($1,$1_mozilla_t) -@@ -352,21 +255,23 @@ +@@ -352,21 +256,23 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -1966,7 +1994,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -386,25 +291,6 @@ +@@ -386,25 +292,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -1992,7 +2020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -577,3 +463,27 @@ +@@ -577,3 +464,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') 
@@ -2272,7 +2300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.0.3/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2007-06-19 16:23:34.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/kernel/domain.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/kernel/domain.if 2007-07-20 16:52:28.000000000 -0400 @@ -45,6 +45,11 @@ # start with basic domain domain_base_type($1) @@ -2552,6 +2580,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + allow $1 root_t:dir rw_dir_perms; + allow $1 root_t:file { create getattr write }; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.3/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-03 07:05:38.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/kernel/filesystem.te 2007-07-23 10:44:40.000000000 -0400 +@@ -43,6 +43,12 @@ + # + # Non-persistent/pseudo filesystems + # ++ ++type anon_inodefs_t; ++fs_type(anon_inodefs_t) ++files_mountpoint(anon_inodefs_t) ++genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) ++ + type bdev_t; + fs_type(bdev_t) + genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.3/policy/modules/kernel/kernel.if --- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/kernel/kernel.if 2007-07-17 15:46:25.000000000 -0400 
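Review bot: The new `anon_inodefs_t` type is declared and attached with `genfscon anon_inodefs /`, but no interface or allow rule granting access to it appears anywhere in this patch. Once anonymous inodes (eventfd, epoll, signalfd and similar descriptors) carry this label, every domain that reads or writes them needs an explicit rule against `anon_inodefs_t`, so a filesystem.if accessor along the lines of the existing `fs_*` interfaces should land with the type or callers of those syscalls are candidates for new denials. A comment above the block, e.g. `# anonymous inodes: eventfd/epoll/signalfd descriptors`, would also record why `files_mountpoint` is applied to this pseudo-fs when the sibling `bdev_t` declaration does not get it.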
@@ -4598,8 +4642,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.3/policy/modules/services/dovecot.fc --- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc 2007-07-17 15:46:25.000000000 -0400 -@@ -17,10 +17,12 @@ ++++ serefpolicy-3.0.3/policy/modules/services/dovecot.fc 2007-07-23 09:12:16.000000000 -0400 +@@ -17,16 +17,19 @@ ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) @@ -4612,6 +4656,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove ') # + # /var + # + /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) ++/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + + /var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.3/policy/modules/services/dovecot.if --- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/services/dovecot.if 2007-07-17 15:46:25.000000000 -0400 @@ -4967,7 +5018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-07-03 07:06:26.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/hal.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/hal.te 2007-07-20 15:18:42.000000000 -0400 @@ -22,6 +22,12 @@ type hald_log_t; files_type(hald_log_t) 
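Review bot: The added file context `/var/run/dovecot/login/ssl-parameters.dat` leaves the `.` in the filename unescaped; .fc paths are regular expressions, so it should read `/var/run/dovecot/login/ssl-parameters\.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)` to match only the literal name. The entry also labels a file under `/var/run` with `dovecot_var_lib_t` while the preceding `/var/run/dovecot(-login)?(/.*)?` pattern labels that tree `dovecot_var_run_t`, so it relies on the more specific path winning; a one-line comment stating why this file deliberately gets the var_lib type, e.g. `# intentionally dovecot_var_lib_t: <reason — fill in>`, would keep a later cleanup from folding it back into the generic pattern.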
@@ -5007,7 +5058,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -180,6 +191,7 @@ +@@ -163,6 +174,7 @@ + #hal runs shutdown, probably need a shutdown domain + init_rw_utmp(hald_t) + init_telinit(hald_t) ++init_dontaudit_use_fds(hald_t) + + libs_use_ld_so(hald_t) + libs_use_shared_libs(hald_t) +@@ -180,6 +192,7 @@ seutil_read_config(hald_t) seutil_read_default_contexts(hald_t) @@ -5015,7 +5074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. sysnet_read_config(hald_t) -@@ -187,6 +199,7 @@ +@@ -187,6 +200,7 @@ userdom_dontaudit_search_sysadm_home_dirs(hald_t) optional_policy(` @@ -5023,7 +5082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. alsa_read_rw_config(hald_t) ') -@@ -228,6 +241,10 @@ +@@ -228,6 +242,10 @@ optional_policy(` networkmanager_dbus_chat(hald_t) ') @@ -5034,7 +5093,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ') optional_policy(` -@@ -296,7 +313,10 @@ +@@ -296,7 +314,10 @@ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) @@ -5045,7 +5104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_setattr_sound_dev(hald_acl_t) dev_setattr_generic_usb_dev(hald_acl_t) dev_setattr_usbfs_files(hald_acl_t) -@@ -358,3 +378,25 @@ +@@ -358,3 +379,25 @@ libs_use_shared_libs(hald_sonypic_t) miscfiles_read_localization(hald_sonypic_t) 
@@ -6185,7 +6244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.0.3/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/radius.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/radius.te 2007-07-23 10:49:33.000000000 -0400 @@ -82,6 +82,7 @@ auth_read_shadow(radiusd_t) @@ -6194,6 +6253,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) +@@ -99,6 +100,7 @@ + logging_send_syslog_msg(radiusd_t) + + miscfiles_read_localization(radiusd_t) ++miscfiles_read_certs(radiusd_t) + + sysnet_read_config(radiusd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.3/policy/modules/services/rhgb.te --- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/services/rhgb.te 2007-07-17 15:46:25.000000000 -0400 @@ -6994,7 +7061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/services/xserver.if 2007-07-23 11:02:03.000000000 -0400 @@ -353,12 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) 
@@ -7042,7 +7109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +555,47 @@ +@@ -555,25 +555,46 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -7056,10 +7123,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs($1,$2) - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1,$2) +- + userdom_manage_user_home_content_dirs($1, xdm_t) + userdom_manage_user_home_content_files($1, xdm_t) + userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file }) - xserver_ro_session_template(xdm,$2,$3) - xserver_rw_session_template($1,$2,$3) - xserver_use_user_fonts($1,$2) @@ -7076,8 +7143,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + userdom_read_all_users_home_content_files(xdm_t) + userdom_read_all_users_home_content_files(xdm_xserver_t) +#Compiler is broken so these wont work -+# gnome_read_user_gnome_config($1, xdm_t) -+# gnome_read_user_gnome_config($1, xdm_xserver_t) ++ gnome_read_user_gnome_config($1, xdm_t) ++ gnome_read_user_gnome_config($1, xdm_xserver_t) + ') + + # Read .Xauthority file @@ -7098,7 +7165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +648,24 @@ +@@ -626,6 +647,24 @@ ######################################## ## @@ -7123,7 +7190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +699,73 @@ +@@ -659,6 +698,73 @@ ######################################## ## @@ -7197,7 +7264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1136,7 +1243,7 @@ +@@ -1136,7 +1242,7 @@ type xdm_xserver_tmp_t; ') 
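Review bot: In the @@ -7076 hunk the comment `#Compiler is broken so these wont work` is now stale, because the two `gnome_read_user_gnome_config($1, xdm_t)` / `gnome_read_user_gnome_config($1, xdm_xserver_t)` calls beneath it are uncommented by this change; either drop the comment or say what it now means. In the @@ -7042 hunk, `userdom_manage_user_home_content_dirs($1, xdm_t)`, `userdom_manage_user_home_content_files($1, xdm_t)` and the `userdom_user_home_dir_filetrans_user_home_content` call replace a dontaudit on writing `.xsession-errors` with full manage rights for `xdm_t` over all of the user's home content types, a sizeable widening for a display manager; a comment naming the files it must create (`.xsession-errors` is the one the removed lines mention) would let this be narrowed later. The enclosing template starts outside these hunks.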
@@ -7206,7 +7273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1432,44 @@ +@@ -1325,3 +1431,44 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -7549,7 +7616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.3/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/authlogin.if 2007-07-20 11:12:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/authlogin.if 2007-07-20 14:51:53.000000000 -0400 @@ -27,7 +27,8 @@ domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) 
@@ -8038,14 +8105,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.fc serefpolicy-3.0.3/policy/modules/system/fusermount.fc --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc 2007-07-17 15:46:25.000000000 -0400 -@@ -0,0 +1,6 @@ ++++ serefpolicy-3.0.3/policy/modules/system/fusermount.fc 2007-07-23 08:11:14.000000000 -0400 +@@ -0,0 +1,7 @@ +# fusermount executable will have: +# label: system_u:object_r:fusermount_exec_t +# MLS sensitivity: s0 +# MCS categories: + +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) ++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.if serefpolicy-3.0.3/policy/modules/system/fusermount.if --- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.3/policy/modules/system/fusermount.if 2007-07-17 15:46:25.000000000 -0400 @@ -9033,13 +9101,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.3/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/modutils.te 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/modutils.te 2007-07-23 09:23:58.000000000 -0400 
@@ -43,7 +43,7 @@ # insmod local policy # -allow insmod_t self:capability { dac_override net_raw sys_tty_config }; -+allow insmod_t self:capability { dac_override mknod net_raw sys_tty_config }; ++allow insmod_t self:capability { dac_override mknod net_raw sys_nice sys_tty_config }; allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; @@ -10301,7 +10369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-17 15:46:25.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-23 11:53:11.000000000 -0400 @@ -29,90 +29,99 @@ ') @@ -10845,12 +10913,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - kernel_get_sysvipc_info($1_t) - # Find CDROM devices: - kernel_read_device_sysctls($1_t) -+ kernel_get_sysvipc_info($1_usertype) - +- - corenet_udp_bind_all_nodes($1_t) - corenet_udp_bind_generic_port($1_t) -+ corenet_udp_bind_all_nodes($1_usertype) -+ corenet_udp_bind_generic_port($1_usertype) ++ kernel_get_sysvipc_info($1_usertype) - dev_read_sysfs($1_t) - dev_read_rand($1_t) @@ -10859,7 +10925,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - dev_read_sound($1_t) - dev_read_sound_mixer($1_t) - dev_write_sound_mixer($1_t) -- ++ corenet_udp_bind_all_nodes($1_usertype) ++ corenet_udp_bind_generic_port($1_usertype) + - domain_use_interactive_fds($1_t) - # Command completion can fire hundreds of denials - domain_dontaudit_exec_all_entry_files($1_t) 
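Review bot: `sys_nice` is added to the `insmod_t` self:capability set on the rewritten `allow` line without any comment, and nothing in the hunk indicates which operation needs it. Capability grants are the part of a domain's policy most worth justifying, so a line above it such as `# sys_nice: <operation that raised the denial — fill in>` should accompany the change; the same line already gained `mknod` in an earlier revision of this patch, so one comment could cover both. The rest of the insmod local policy lies outside the hunk.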
@@ -10925,10 +10993,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - # Stop warnings about access to /dev/console - init_dontaudit_use_fds($1_t) - init_dontaudit_use_script_fds($1_t) +- +- libs_exec_lib_files($1_t) + storage_getattr_fixed_disk_dev($1_usertype) -- libs_exec_lib_files($1_t) -- - logging_dontaudit_getattr_all_logs($1_t) - - miscfiles_read_man_pages($1_t) @@ -11317,12 +11385,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -985,36 +1038,66 @@ +@@ -985,36 +1038,68 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; - userdom_poly_home_template($1) - userdom_poly_tmp_template($1) ++ auth_exec_pam($1_t) ++ + optional_policy(` + loadkeys_run($1_t,$1_r,$1_tty_device_t) + ') @@ -11398,7 +11468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1028,16 +1111,8 @@ +@@ -1028,16 +1113,8 @@ # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` @@ -11417,7 +11487,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1054,17 +1129,6 @@ +@@ -1054,17 +1131,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11435,7 +11505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1166,8 @@ +@@ -1102,6 +1168,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -11444,7 +11514,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1193,7 @@ +@@ -1127,7 +1195,7 @@ # $1_t local policy # 
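Review bot: `auth_exec_pam($1_t)` is added to the template patched by the @@ -11317 hunk (its header lies outside the hunk) and removed from `userdom_unpriv_xwindows_login_user` in a later hunk of this file, so every user domain built from this template can now execute `pam_exec_t` binaries in its own domain, X session or not. That widening matches the commit message, but the new line carries no comment saying which PAM helper unprivileged users need to run; something like `# run PAM helpers (pam_exec_t) without a domain transition — needed by <consumer>` would record the reason for the next person who audits what user domains may execute.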
@@ -11453,7 +11523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,8 +1205,6 @@ +@@ -1139,8 +1207,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -11462,7 +11532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1902,6 +1966,41 @@ +@@ -1902,6 +1968,41 @@ ######################################## ## @@ -11504,7 +11574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3177,7 @@ +@@ -3078,7 +3179,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -11513,7 +11583,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5422,7 @@ +@@ -5323,7 +5424,7 @@ attribute user_tmpfile; ') @@ -11522,7 +11592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5647,26 @@ +@@ -5548,6 +5649,26 @@ ######################################## ## @@ -11549,7 +11619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5559,3 +5678,191 @@ +@@ -5559,3 +5680,234 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -11617,6 +11687,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## ++## allow getattr all user file type ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_list_user_files',` ++ gen_require(` ++ attribute $1_file_type; ++ ') ++ ++ allow $2 $1_file_type:dir search_dir_perms; ++ allow $2 $1_file_type:file getattr; ++') ++ ++######################################## ++## +## Do not audit attempts to write to homedirs of sysadm users +## home directory. +## @@ -11695,10 +11785,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_unpriv_xwindows_login_user', ` + +userdom_unpriv_login_user($1) ++# Should be optional but policy will not build because of compiler problems ++# Must be before xwindows calls ++#optional_policy(` ++ gnome_per_role_template($1, $1_usertype, $1_r) ++ gnome_exec_gconf($1_t) ++#') ++ +userdom_xwindows_client_template($1) +allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto }; + -+auth_exec_pam($1_t) +logging_send_syslog_msg($1_usertype) + +optional_policy(` @@ -11717,11 +11813,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +optional_policy(` -+ gnome_per_role_template($1, $1_usertype, $1_r) -+ gnome_exec_gconf($1_t) -+') -+ -+optional_policy(` + java_per_role_template($1, $1_t, $1_r) +') + @@ -11741,6 +11832,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +dev_dontaudit_read_rand($1_usertype) + +') ++ ++######################################## ++## ++## Identify specified type as being in a users home directory ++## ++## ++##
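Review bot: The summary of the new `userdom_list_user_files` interface says `allow getattr all user file type`, but the body grants `search_dir_perms` on `$1_file_type` directories plus `getattr` on files, and the name promises listing; the three disagree, so callers cannot tell what they get. Re-document it to match the rules, e.g. `## Search all user file type directories and getattr their files.`, and complete the parameter block, which describes only `Domain allowed access.` although the interface takes a user prefix as `$1` and the domain as `$2`.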
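Review bot: Moving `gnome_per_role_template($1, $1_usertype, $1_r)` and `gnome_exec_gconf($1_t)` out of `optional_policy` (with the wrapper lines commented out) makes `userdom_unpriv_xwindows_login_user` hard-depend on the gnome module, so the policy no longer builds without it; the comment `# Should be optional but policy will not build because of compiler problems` should name the actual failure so the workaround can be reverted, e.g. `# TODO: re-wrap in optional_policy once <build error — fill in> is fixed`. Two lines below, the context line `allow xguest_usertype xguest_usertype:unix_stream_socket { create_stream_socket_perms connectto };` hard-codes `xguest_usertype` inside a template that otherwise uses `$1_usertype`, which looks like a leftover from the xguest policy; unless the cross-reference is deliberate it should be `allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };`. The template's closing lines are in the following hunk.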

++## Make the specified type a home type. ++##

++##
++## ++## ++## Type to be used as a home directory type. ++## ++## ++# ++interface(`userdom_user_home_type',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ typeattribute $1 user_home_type; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.3/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-07-03 07:06:32.000000000 -0400 +++ serefpolicy-3.0.3/policy/modules/system/userdomain.te 2007-07-17 15:46:25.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index c6d9072..a52c8db 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.3 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -293,13 +293,13 @@ semodule -r moilscanner 2>/dev/null %relabel targeted exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.0.3.2 +%triggerpostun targeted -- selinux-policy-targeted <= 3.0.3-4 setsebool -P use_nfs_home_dirs=1 +restorecon -R /root /etc/selinux/targeted 2> /dev/null semanage login -m -s "system_u" __default__ 2> /dev/null semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null -semanage user -a -P guest -R guest_r guest_u -semanage user -a -P xguest -R xguest_r xguest_u -restorecon -R /root 2> /dev/null +semanage user -a -P guest -R guest_r guest_u 2> /dev/null +semanage user -a -P xguest -R xguest_r xguest_u exit 0 %files targeted @@ -359,6 +359,11 @@ exit 0 %endif %changelog +* Fri Jul 20 2007 Dan Walsh 3.0.3-4 +- Add anon_inodefs +- Allow unpriv user exec pam_exec_t +- Fix trigger + * Fri Jul 20 2007 Dan Walsh 3.0.3-3 - Allow cups to use generic usb - fix inetd to be able to run random apps (git)
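Review bot: In the `%triggerpostun` hunk the rewritten `semanage user -a -P guest -R guest_r guest_u 2> /dev/null` gains a stderr redirect while the following `semanage user -a -P xguest -R xguest_r xguest_u` still has none, so a re-run on a host where xguest_u already exists prints an error during upgrade; the scriptlet ends in `exit 0`, so it is cosmetic, but the two lines should match. The new bound `<= 3.0.3-4` also covers this very release, so the trigger fires again on every later upgrade away from 3.0.3-4; if that is meant to re-apply the fix for hosts that installed 3.0.3-3 with the old trigger, a comment above the line such as `# rerun on upgrade from releases whose trigger did not complete` would make the intent explicit.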