From 4c6f2dd6a30a7e9fbea1cc16da9e5aacac87c8ea Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 12 2007 14:53:07 +0000 Subject: - Fixes for polkit - Allow xserver to ptrace --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 03e1063..68022c2 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -6145,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 16:37:24.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-11 17:07:29.000000000 -0500 @@ -91,7 +91,7 @@ # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; @@ -6165,7 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t $2:process sigkill; allow $2 $1_dbusd_t:fd use; allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms; -@@ -214,7 +213,7 @@ +@@ -161,7 +160,8 @@ + seutil_read_config($1_dbusd_t) + seutil_read_default_contexts($1_dbusd_t) + +- userdom_read_user_home_content_files($1, $1_dbusd_t) ++ userdom_read_unpriv_users_home_content_files($1_dbusd_t) ++ userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t) + + ifdef(`hide_broken_symptoms', ` + dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write }; +@@ -214,7 +214,7 @@ # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -6174,7 +6184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($2) -@@ -366,3 +365,35 @@ +@@ -366,3 +366,35 @@ allow $1 system_dbusd_t:dbus *; ') 
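Review bot: In the `@@ -161,7 +160,8 @@` section of dbus.if, `$1_dbusd_t` drops the role-scoped `userdom_read_user_home_content_files($1, $1_dbusd_t)` for `userdom_read_unpriv_users_home_content_files($1_dbusd_t)`, which appears to widen the session bus daemon's read access from one role's home content to that of every unprivileged user. The userdomain.fc part of this patch labels home content `user_home_t` instead of `ROLE_home_t`, so this may be intended, but the rule should say so, e.g. `# home content is no longer typed per role (user_home_t), so this grant is not role-scoped`. The paired `userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)` hides append denials, so a short comment on what triggers them would let a later reviewer decide whether it can be dropped. The template body starts and ends outside this hunk.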
@@ -6868,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-11-14 08:17:58.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-11 00:56:25.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-11 16:49:43.000000000 -0500 @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -6905,18 +6915,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. storage_raw_read_removable_device(hald_t) storage_raw_write_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) -@@ -265,6 +271,10 @@ +@@ -265,6 +271,11 @@ ') optional_policy(` + polkit_domtrans_auth(hald_t) ++ polkit_read_lib(hald_t) +') + +optional_policy(` rpc_search_nfs_state_data(hald_t) ') -@@ -291,6 +301,7 @@ +@@ -291,6 +302,7 @@ # allow hald_acl_t self:capability { dac_override fowner }; @@ -6924,19 +6935,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. allow hald_acl_t self:fifo_file read_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -@@ -325,6 +336,11 @@ +@@ -325,6 +337,11 @@ miscfiles_read_localization(hald_acl_t) +optional_policy(` + polkit_domtrans_auth(hald_acl_t) -+ polkit_search_lib(hald_acl_t) ++ polkit_read_lib(hald_acl_t) +') + ######################################## # # Local hald mac policy -@@ -338,10 +354,14 @@ +@@ -338,10 +355,14 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -6951,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) -@@ -391,3 +411,4 @@ +@@ -391,3 +412,4 @@ libs_use_shared_libs(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
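Review bot: `hald_acl_t` is raised from `polkit_search_lib` to `polkit_read_lib` in the `@@ -325,6 +337,11 @@` section, and `hald_t` gains the same read in `@@ -265,6 +271,11 @@`, but neither block records which files under `polkit_var_lib_t` the domains need. Because `hald_acl_t` is also allowed `self:capability { dac_override fowner }` a few lines earlier, file mode bits will not narrow what it can read under that type, which leaves the type label as the only boundary. Each optional block would benefit from a comment of the form `# reads /var/lib/PolicyKit-public (polkit_var_lib_t): <reason to be filled in by the author>`. If only the public store is needed, that is worth stating so the type is not later extended to private PolicyKit data without revisiting these two callers.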
@@ -8351,8 +8362,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/polkit.if 2007-12-11 00:56:05.000000000 -0500 -@@ -0,0 +1,41 @@ ++++ serefpolicy-3.2.3/policy/modules/services/polkit.if 2007-12-11 16:49:17.000000000 -0500 +@@ -0,0 +1,60 @@ + +## policy for polkit_auth + @@ -8394,6 +8405,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + files_search_var_lib($1) +') + ++######################################## ++## ++## read polkit lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_read_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.2.3/policy/modules/services/polkit.te 2007-12-11 00:18:16.000000000 -0500 
@@ -10792,7 +10822,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-06 16:37:24.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-11 17:02:56.000000000 -0500 +@@ -45,7 +45,7 @@ + # execheap needed until the X module loader is fixed. + # NVIDIA Needs execstack + +- allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; ++ allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service }; + dontaudit $1_xserver_t self:capability chown; + allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1_xserver_t self:memprotect mmap_zero; @@ -115,8 +115,7 @@ dev_rw_agp($1_xserver_t) dev_rw_framebuffer($1_xserver_t) @@ -10803,7 +10842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # raw memory access is needed if not using the frame buffer dev_read_raw_memory($1_xserver_t) dev_wx_raw_memory($1_xserver_t) -@@ -125,8 +124,12 @@ +@@ -125,8 +124,13 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) dev_rwx_zero($1_xserver_t) 
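Review bot: The `sys_ptrace` capability added to `$1_xserver_t` in the `@@ -45,7 +45,7 @@` section has no stated reason, although the comments just above it do explain `execheap` and `execstack`. This domain already holds `sys_rawio` and `sys_admin` and is given raw memory access further down, so each additional capability deserves its own line of justification. If the need comes from the `domain_read_all_domains_state($1_xserver_t)` call added later in the template, say so next to the rule, e.g. `# sys_ptrace: needed when X reads /proc state of other domains`. As far as these lines show, the following rule still excludes `ptrace` from `self:process`, so it would help to state that attaching to processes is not the intent. The template continues beyond this hunk.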
@@ -10813,10 +10852,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_mmap_low($1_xserver_t) + domain_read_all_domains_state($1_xserver_t) ++ domain_dontaudit_ptrace_all_domains($1_xserver_t) files_read_etc_files($1_xserver_t) files_read_etc_runtime_files($1_xserver_t) -@@ -140,12 +143,16 @@ +@@ -140,12 +144,16 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) @@ -10834,7 +10874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -232,39 +239,26 @@ +@@ -232,39 +240,26 @@ # Declarations # @@ -10881,7 +10921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # $1_xserver_t Local policy -@@ -272,12 +266,15 @@ +@@ -272,12 +267,15 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) @@ -10898,7 +10938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -307,6 +304,7 @@ +@@ -307,6 +305,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -10906,7 +10946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -330,12 +328,12 @@ +@@ -330,12 +329,12 @@ allow $1_xauth_t self:process signal; allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms; @@ -10924,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domtrans_pattern($2, xauth_exec_t, $1_xauth_t) -@@ -344,12 +342,6 @@ +@@ -344,12 +343,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) 
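Review bot: `domain_dontaudit_ptrace_all_domains($1_xserver_t)` in the `@@ -125,8 +124,13 @@` section silences every ptrace denial the X server raises against any domain, which also removes the audit record a defender would want if the server ever attempted a real attach. If the denials are only a side effect of the `domain_read_all_domains_state` call on the line before, write that beside the rule, e.g. `# /proc reads trip the ptrace check; these denials are noise, not attach attempts`. Placing the rule inside an ``ifdef(`hide_broken_symptoms',` … ')`` block, as dbus.if does for its own dontaudit, would keep the denials visible on builds that want to see them. The surrounding template is not fully visible in this hunk.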
@@ -10937,7 +10977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -378,6 +370,14 @@ +@@ -378,6 +371,14 @@ ') optional_policy(` @@ -10952,7 +10992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ssh_sigchld($1_xauth_t) ssh_read_pipes($1_xauth_t) ssh_dontaudit_rw_tcp_sockets($1_xauth_t) -@@ -390,16 +390,16 @@ +@@ -390,16 +391,16 @@ domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t) @@ -10974,7 +11014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser fs_search_auto_mountpoints($1_iceauth_t) -@@ -523,17 +523,16 @@ +@@ -523,17 +524,16 @@ template(`xserver_user_client_template',` gen_require(` @@ -10999,7 +11039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +541,55 @@ +@@ -542,25 +542,55 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -11063,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -613,6 +642,24 @@ +@@ -613,6 +643,24 @@ ######################################## ## @@ -11088,7 +11128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -646,6 +693,73 @@ +@@ -646,6 +694,73 @@ ######################################## ## @@ -11162,7 +11202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -671,10 +785,10 @@ +@@ -671,10 +786,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` 
@@ -11175,7 +11215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +874,7 @@ +@@ -760,7 +875,7 @@ type xconsole_device_t; ') @@ -11184,7 +11224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +974,25 @@ +@@ -860,6 +975,25 @@ ######################################## ## @@ -11210,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1047,7 @@ +@@ -914,6 +1048,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -11218,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -974,6 +1108,37 @@ +@@ -974,6 +1109,37 @@ ######################################## ## @@ -11256,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1288,7 @@ +@@ -1123,7 +1289,7 @@ type xdm_xserver_tmp_t; ') @@ -11265,7 +11305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1477,45 @@ +@@ -1312,3 +1478,45 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -14503,7 +14543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-06 16:37:24.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-11 16:44:50.000000000 -0500 @@ -1,4 +1,5 @@ -HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh) -HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0) @@ -14513,10 +14553,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) -+/root(/.*) gen_context(system_u:object_r:admin_home_t,s0) ++/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500 -+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-10 23:50:13.000000000 -0500 ++++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-11 17:06:47.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -16020,7 +16060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4283,11 +4334,11 @@ +@@ -4283,16 +4334,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` 
@@ -16034,20 +16074,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4303,10 +4354,10 @@ + ## +-## Do not audit attempts to append to the staff ++## Do not audit attempts to append to the + ## users home directory. + ## + ## +@@ -4301,12 +4352,27 @@ + ## + ## # - interface(`userdom_dontaudit_append_staff_home_content_files',` +-interface(`userdom_dontaudit_append_staff_home_content_files',` ++interface(`userdom_dontaudit_append_unpriv_home_content_files',` gen_require(` - type staff_home_t; + type user_home_t; ') - dontaudit $1 staff_home_t:file append; -+ dontaudit $1 user_home_t:file append; ++ dontaudit $1 user_home_t:file append_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to append to the staff ++## users home directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_append_staff_home_content_files',` ++ userdom_dontaudit_append_unpriv_home_content_files($1) ') ######################################## -@@ -4321,13 +4372,13 @@ +@@ -4321,13 +4387,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -16065,7 +16129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4525,10 +4576,10 @@ +@@ -4525,10 +4591,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -16078,7 +16142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4545,10 +4596,10 @@ +@@ -4545,10 +4611,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` 
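Review bot: The renamed `userdom_dontaudit_append_unpriv_home_content_files` changes its rule from `user_home_t:file append` to `user_home_t:file append_file_perms` in the `@@ -4301,12 +4352,27 @@` section, so the dontaudit now covers the whole permission set (normally getattr, lock and ioctl as well as append) while the summary still describes only append. Either keep the narrow form, `dontaudit $1 user_home_t:file append;`, or update the summary to name what is being silenced, since a dontaudit that is wider than documented hides denials nobody decided to hide. The summary text also reads oddly after "staff" was dropped; "Do not audit attempts to append to unprivileged users home directory files." would match the interface name. The retained `userdom_dontaudit_append_staff_home_content_files` wrapper should carry a comment that it is a compatibility alias now acting on `user_home_t`.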
@@ -16091,7 +16155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4563,10 +4614,10 @@ +@@ -4563,10 +4629,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -16104,7 +16168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4582,10 +4633,10 @@ +@@ -4582,10 +4648,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -16117,7 +16181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4600,10 +4651,10 @@ +@@ -4600,10 +4666,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -16130,7 +16194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4619,10 +4670,10 @@ +@@ -4619,10 +4685,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` @@ -16143,7 +16207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4638,12 +4689,11 @@ +@@ -4638,12 +4704,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -16159,7 +16223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4670,10 +4720,10 @@ +@@ -4670,10 +4735,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -16172,7 +16236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4688,10 +4738,10 @@ +@@ -4688,10 +4753,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` 
@@ -16185,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4706,13 +4756,13 @@ +@@ -4706,13 +4771,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -16203,41 +16267,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4748,11 +4798,29 @@ +@@ -4748,16 +4813,15 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` +- attribute home_dir_type; + attribute user_home_dir_type; -+ ') -+ -+ files_list_home($1) + ') + + files_list_home($1) +- allow $1 home_dir_type:dir search_dir_perms; + allow $1 user_home_dir_type:dir search_dir_perms; -+') -+######################################## -+## + ') +- + ######################################## + ## +-## List all users home directories. +## Read all users home directories symlinks. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4765,18 +4829,18 @@ + ## + ## + # +-interface(`userdom_list_all_users_home_dirs',` +interface(`userdom_read_all_users_home_dirs_symlinks',` -+ gen_require(` + gen_require(` attribute home_dir_type; ') files_list_home($1) -- allow $1 home_dir_type:dir search_dir_perms; +- allow $1 home_dir_type:dir list_dir_perms; + allow $1 home_dir_type:lnk_file read_lnk_file_perms; ') ######################################## -@@ -4772,6 +4840,14 @@ - - files_list_home($1) - allow $1 home_dir_type:dir list_dir_perms; + ## +-## Search all users home directories. ++## List all users home directories. + ## + ## + ## +@@ -4784,9 +4848,36 @@ + ## + ## + # +-interface(`userdom_search_all_users_home_content',` ++interface(`userdom_list_all_users_home_dirs',` + gen_require(` +- attribute home_dir_type, home_type; ++ attribute home_dir_type; ++ ') ++ ++ files_list_home($1) ++ allow $1 home_dir_type:dir list_dir_perms; + + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs(crond_t) 
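Review bot: The `tunable_policy` blocks inside `userdom_list_all_users_home_dirs` call `fs_list_nfs(crond_t)` here and `fs_list_cifs(crond_t)` in the following hunk, naming a fixed domain instead of the interface argument. As written, every caller of this interface would extend NFS and CIFS directory listing to `crond_t` rather than to the calling domain, and `crond_t` does not appear in the interface's `gen_require` in the lines shown. The two calls should read `fs_list_nfs($1)` and `fs_list_cifs($1)`. The interface body is split across this hunk and the next one, so both halves need the change.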
@@ -16246,10 +16330,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs(crond_t) + ') - ') ++') ++ ++######################################## ++## ++## Search all users home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_search_all_users_home_content',` ++ gen_require(` ++ attribute home_dir_type, home_type; + ') - ######################################## -@@ -5109,7 +5185,7 @@ + files_list_home($1) +@@ -5109,7 +5200,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -16258,29 +16357,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5298,8 +5374,8 @@ +@@ -5298,6 +5389,49 @@ ######################################## ## --## Create, read, write, and delete directories in --## unprivileged users home directories. +## append all unprivileged users home directory +## files. - ## - ## - ## -@@ -5307,13 +5383,56 @@ - ## - ## - # --interface(`userdom_manage_unpriv_users_home_content_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_append_unpriv_users_home_content_files',` - gen_require(` - attribute user_home_dir_type, user_home_type; - ') - - files_search_home($1) -- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++ gen_require(` ++ attribute user_home_dir_type, user_home_type; ++ ') ++ ++ files_search_home($1) + allow $1 user_home_type:dir list_dir_perms; + append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) +') 
@@ -16309,26 +16404,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## -+## Create, read, write, and delete directories in -+## unprivileged users home directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_unpriv_users_home_content_dirs',` -+ gen_require(` -+ attribute user_home_dir_type, user_home_type; -+ ') -+ -+ files_search_home($1) -+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) - ') - - ######################################## -@@ -5503,6 +5622,24 @@ + ## Create, read, write, and delete directories in + ## unprivileged users home directories. + ## +@@ -5503,6 +5637,24 @@ ######################################## ## @@ -16353,7 +16432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5668,6 +5805,24 @@ +@@ -5668,6 +5820,24 @@ ######################################## ## @@ -16378,7 +16457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5698,3 +5853,277 @@ +@@ -5698,3 +5868,277 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9c0484e..cfd6385 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -379,6 +379,10 @@ exit 0 %endif %changelog +* Tue Dec 11 2007 Dan Walsh 3.2.3-2 +- Fixes for polkit +- Allow xserver to ptrace + * Tue Dec 11 2007 Dan Walsh 3.2.3-1 - Add polkit policy - Symplify userdom context, remove automatic per_role changes