From 7483cf9369d30181111cc6003a4a538813e1269b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 05 2008 18:25:42 +0000 Subject: - Add policy for kerneloops - Add policy for gnomeclock --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 3d8af6f..cfd4375 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -6429,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.6/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-05 13:01:09.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -7516,7 +7516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.6/policy/modules/services/avahi.te --- nsaserefpolicy/policy/modules/services/avahi.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-05 13:17:08.000000000 -0500 @@ -13,6 +13,9 @@ type avahi_var_run_t; files_pid_file(avahi_var_run_t) 
@@ -8223,7 +8223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-05 13:20:29.000000000 -0500 @@ -13,6 +13,9 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -8261,7 +8261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons # needs to read /var/lib/dbus/machine-id files_read_var_lib_files(consolekit_t) -@@ -47,15 +56,31 @@ +@@ -47,16 +56,32 @@ auth_use_nsswitch(consolekit_t) @@ -8282,18 +8282,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons +hal_ptrace(consolekit_t) +mcs_ptrace_all(consolekit_t) + -+optional_policy(` + optional_policy(` +- dbus_system_bus_client_template(consolekit, consolekit_t) +- dbus_connect_system_bus(consolekit_t) + cron_read_system_job_lib_files(consolekit_t) +') -+ - optional_policy(` - dbus_system_bus_client_template(consolekit, consolekit_t) - dbus_connect_system_bus(consolekit_t) -- + +- hal_dbus_chat(consolekit_t) ++optional_policy(` + dbus_system_domain(consolekit_t, consolekit_exec_t) - hal_dbus_chat(consolekit_t) ++ optional_policy(` ++ hal_dbus_chat(consolekit_t) ++ ') optional_policy(` + unconfined_dbus_chat(consolekit_t) @@ -64,6 +89,33 @@ ') 
@@ -9659,7 +9662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru # Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.6/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-05 13:18:08.000000000 -0500 @@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -9840,7 +9843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +443,52 @@ +@@ -366,3 +443,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -9892,10 +9895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + + domtrans_pattern(system_dbusd_t,$2,$1) + ++ dbus_system_bus_client_template($1,$1) ++ dbus_connect_system_bus($1) ++ +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.6/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-05 13:15:48.000000000 -0500 @@ -9,6 +9,7 @@ # # Delcarations 
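Review bot: The two lines added at the end of `dbus_system_domain` pass the domain type as both arguments, `dbus_system_bus_client_template($1,$1)`, whereas every direct caller visible in this patch passes a bare prefix first (`dbus_system_bus_client_template(kerneloops,kerneloops_t)`, and the removed `consolekit, consolekit_t` call). If the template derives type names from its first argument, as its name suggests, `dbus_system_domain(consolekit_t, consolekit_exec_t)` will generate types prefixed `consolekit_t`, and a module that still calls the template directly may declare a second, differently named set. Consider giving the interface an explicit prefix parameter, or state the resulting names in the interface's `##` header so callers know not to invoke the template again. The interface body starts outside this hunk.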
@@ -9921,6 +9927,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) +@@ -121,9 +123,20 @@ + ') + + optional_policy(` ++ polkit_domtrans_auth(system_dbusd_t) ++ polkit_search_lib(system_dbusd_t) ++') ++ ++optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) + ') + + optional_policy(` + udev_read_db(system_dbusd_t) + ') ++ ++optional_policy(` ++ consolekit_dbus_chat(system_dbusd_t) ++') ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.6/policy/modules/services/dcc.if --- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400 +++ serefpolicy-3.2.6/policy/modules/services/dcc.if 2008-02-01 16:01:42.000000000 -0500 
@@ -11510,6 +11537,146 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc +--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc 2008-02-05 13:14:26.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.2.6/policy/modules/services/gnomeclock.if +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.if 2008-02-05 13:14:26.000000000 -0500 +@@ -0,0 +1,75 @@ ++ ++## policy for gnomeclock ++ ++######################################## ++## ++## Execute a domain transition to run gnomeclock. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gnomeclock_domtrans',` ++ gen_require(` ++ type gnomeclock_t; ++ type gnomeclock_exec_t; ++ ') ++ ++ domtrans_pattern($1,gnomeclock_exec_t,gnomeclock_t) ++') ++ ++ ++######################################## ++## ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gnomeclock domain. ++## ++## ++## ++## ++## The type of the role's terminal. ++## ++## ++# ++interface(`gnomeclock_run',` ++ gen_require(` ++ type gnomeclock_t; ++ ') ++ ++ gnomeclock_domtrans($1) ++ role $2 types gnomeclock_t; ++ dontaudit gnomeclock_t $3:chr_file rw_term_perms; ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## gnomeclock over dbus. 
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnomeclock_dbus_chat',`
++ gen_require(`
++ type gnomeclock_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 gnomeclock_t:dbus send_msg;
++ allow gnomeclock_t $1:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.6/policy/modules/services/gnomeclock.te
+--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.te 2008-02-05 13:21:34.000000000 -0500
+@@ -0,0 +1,51 @@
++policy_module(gnomeclock,1.0.0)
++########################################
++#
++# Declarations
++#
++
++type gnomeclock_t;
++type gnomeclock_exec_t;
++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++
++
++########################################
++#
++# gnomeclock local policy
++#
++allow gnomeclock_t self:capability sys_time;
++allow gnomeclock_t self:process getsched;
++
++## internal communication is often done using fifo and unix sockets.
++allow gnomeclock_t self:fifo_file rw_file_perms; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; ++ ++corecmd_search_bin(gnomeclock_t) ++ ++files_read_etc_files(gnomeclock_t) ++files_read_usr_files(gnomeclock_t) ++ ++fs_list_inotifyfs(gnomeclock_t) ++ ++auth_use_nsswitch(gnomeclock_t) ++ ++libs_use_ld_so(gnomeclock_t) ++libs_use_shared_libs(gnomeclock_t) ++ ++miscfiles_read_localization(gnomeclock_t) ++ ++userdom_read_all_users_state(gnomeclock_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(gnomeclock_t) ++') ++ ++optional_policy(` ++ clock_domtrans(gnomeclock_t) ++') ++ ++optional_policy(` ++ polkit_domtrans_auth(gnomeclock_t) ++ polkit_read_lib(gnomeclock_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.6/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/services/hal.fc 2008-02-01 16:01:42.000000000 -0500 @@ -12154,7 +12321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.6/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-01 16:01:42.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-05 11:26:22.000000000 -0500 @@ -54,6 +54,12 @@ type krb5kdc_var_run_t; files_pid_file(krb5kdc_var_run_t) @@ -12228,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) -@@ -233,6 +246,7 @@ +@@ -233,8 +246,10 @@ optional_policy(` seutil_sigchld_newrole(krb5kdc_t) 
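Review bot: In gnomeclock.te the `self:fifo_file rw_file_perms` and `self:unix_stream_socket create_stream_socket_perms` rules sit under the comment "internal communication is often done using fifo and unix sockets", which reads as generator boilerplate rather than an observed need; the same pair and comment appear in kerneloops.te later in this patch. For a domain that holds `sys_time` and `userdom_read_all_users_state`, each rule should be traceable to a denial or a known code path. I would drop the pair until an AVC shows it is needed, or replace the comment with the concrete reason. A one-line comment above `userdom_read_all_users_state(gnomeclock_t)` saying why a clock helper reads other users' process state would also help the next reviewer.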
@@ -12236,6 +12403,185 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') optional_policy(` + udev_read_db(krb5kdc_t) + ') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.2.6/policy/modules/services/kerneloops.fc +--- nsaserefpolicy/policy/modules/services/kerneloops.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.fc 2008-02-05 13:14:34.000000000 -0500 +@@ -0,0 +1,4 @@ ++ ++/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) ++ ++/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.2.6/policy/modules/services/kerneloops.if +--- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.if 2008-02-05 13:14:34.000000000 -0500 +@@ -0,0 +1,104 @@ ++ ++## policy for kerneloops ++ ++######################################## ++## ++## Execute a domain transition to run kerneloops. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`kerneloops_domtrans',` ++ gen_require(` ++ type kerneloops_t; ++ type kerneloops_exec_t; ++ ') ++ ++ domtrans_pattern($1,kerneloops_exec_t,kerneloops_t) ++') ++ ++ ++######################################## ++## ++## Execute kerneloops server in the kerneloops domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`kerneloops_script_domtrans',` ++ gen_require(` ++ type kerneloops_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,kerneloops_script_exec_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## kerneloops over dbus. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`kerneloops_dbus_chat',`
++ gen_require(`
++ type kerneloops_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 kerneloops_t:dbus send_msg;
++ allow kerneloops_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an kerneloops environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the kerneloops domain.
++##
++##
++##
++##
++## The type of the user terminal.
++##
++##
++##
++#
++interface(`kerneloops_admin',`
++ gen_require(`
++ type kerneloops_t;
++ ')
++
++ allow $1 kerneloops_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, kerneloops_t, kerneloops_t)
++
++
++ gen_require(`
++ type kerneloops_script_exec_t;
++ ')
++
++ # Allow kerneloops_t to restart the apache service
++ kerneloops_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 kerneloops_script_exec_t system_r;
++ allow $2 system_r;
++
++')
+Binary files nsaserefpolicy/policy/modules/services/kerneloops.pp and serefpolicy-3.2.6/policy/modules/services/kerneloops.pp differ
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.6/policy/modules/services/kerneloops.te
+--- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.te 2008-02-05 13:14:35.000000000 -0500
+@@ -0,0 +1,55 @@
++policy_module(kerneloops,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type kerneloops_t;
++type kerneloops_exec_t;
++domain_type(kerneloops_t)
++init_daemon_domain(kerneloops_t, kerneloops_exec_t)
++
++type kerneloops_script_exec_t;
++init_script_type(kerneloops_script_exec_t)
++
++########################################
++#
++# kerneloops local policy
++#
++allow kerneloops_t self:capability sys_nice;
++allow kerneloops_t self:process { setsched
getsched }; ++ ++# Init script handling ++domain_use_interactive_fds(kerneloops_t) ++ ++## internal communication is often done using fifo and unix sockets. ++allow kerneloops_t self:fifo_file rw_file_perms; ++allow kerneloops_t self:unix_stream_socket create_stream_socket_perms; ++ ++corenet_all_recvfrom_unlabeled(kerneloops_t) ++corenet_all_recvfrom_netlabel(kerneloops_t) ++corenet_tcp_sendrecv_all_if(kerneloops_t) ++corenet_tcp_sendrecv_all_nodes(kerneloops_t) ++corenet_tcp_sendrecv_all_ports(kerneloops_t) ++corenet_tcp_bind_http_port(kerneloops_t) ++ ++files_read_etc_files(kerneloops_t) ++ ++kernel_read_ring_buffer(kerneloops_t) ++ ++libs_use_ld_so(kerneloops_t) ++libs_use_shared_libs(kerneloops_t) ++ ++logging_send_syslog_msg(kerneloops_t) ++logging_read_generic_logs(kerneloops_t) ++ ++miscfiles_read_localization(kerneloops_t) ++ ++sysnet_dns_name_resolve(kerneloops_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(kerneloops,kerneloops_t) ++ dbus_connect_system_bus(kerneloops_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.2.6/policy/modules/services/ldap.fc --- nsaserefpolicy/policy/modules/services/ldap.fc 2006-11-16 17:15:20.000000000 -0500 +++ serefpolicy-3.2.6/policy/modules/services/ldap.fc 2008-02-01 16:01:42.000000000 -0500 
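Review bot: kerneloops.te grants `corenet_tcp_bind_http_port(kerneloops_t)` but no connect permission on the http port, which looks inverted for a daemon that reads the kernel ring buffer and, presumably, submits reports to a remote collector rather than serving HTTP. If it is a client, replace the bind with `corenet_tcp_connect_http_port(kerneloops_t)` and narrow `corenet_tcp_sendrecv_all_ports` to the http port as well. In kerneloops.if, the comment inside `kerneloops_admin` is a leftover from another module and should read `# Allow $1 to restart the kerneloops service`; the interface header also documents a terminal parameter that the body never uses. `domain_type(kerneloops_t)` appears redundant next to `init_daemon_domain`, the same pairing this commit removes from polkit.te.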
@@ -14390,10 +14736,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.6/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-01 16:01:42.000000000 -0500 -@@ -0,0 +1,7 @@ ++++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-05 13:14:51.000000000 -0500 +@@ -0,0 +1,8 @@ + +/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) +/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) + +/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) @@ -14401,8 +14748,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500 -@@ -0,0 +1,62 @@ ++++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-05 13:14:52.000000000 -0500 +@@ -0,0 +1,119 @@ + +## policy for polkit_auth + 
@@ -14465,10 +14812,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + # Broken placement + cron_read_system_job_lib_files($1) +') ++ ++######################################## ++## ++## Execute a domain transition to run polkit_grant. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_grant',` ++ gen_require(` ++ type polkit_grant_t; ++ type polkit_grant_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t) ++') ++ ++######################################## ++## ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. ++## ++## ++## ++## ++## The type of the terminal allow the load_policy domain to use. ++## ++## ++## ++# ++interface(`polkit_run_grant',` ++ gen_require(` ++ type polkit_grant_t; ++ type polkit_auth_t; ++ ') ++ ++ polkit_domtrans_grant($1) ++ role $2 types polkit_grant_t; ++ role $2 types polkit_auth_t; ++ allow polkit_grant_t $3:chr_file rw_term_perms; ++ allow $1 polkit_grant_t:process signal; ++ read_files_pattern(polkit_grant_t, $1, $1) ++ allow polkit_grant_t $1:process getattr; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-01 16:01:42.000000000 -0500 -@@ -0,0 +1,110 @@ ++++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-05 13:20:13.000000000 -0500 +@@ -0,0 +1,154 @@ +policy_module(polkit_auth,1.0.0) + +######################################## 
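Review bot: The `##` header of `polkit_run_grant` was copied from another module and still describes the wrong thing: it says "Execute a policy_grant in the policy_grant domain" and documents the role and terminal parameters in terms of "the load_policy domain". It should name polkit_grant throughout, e.g. `## Execute polkit_grant in the polkit_grant domain, and` and `## The role to be allowed the polkit_grant domain.` The header is also silent on two grants a caller would not expect from the interface name: `role $2 types polkit_auth_t;` and `read_files_pattern(polkit_grant_t, $1, $1)`, which lets the helper read files labelled with the caller's own type. Both deserve a line in the description so that anyone calling the interface can see what they are handing over.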
@@ -14478,12 +14882,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + +type polkit_t; +type polkit_exec_t; -+domain_type(polkit_t) +init_daemon_domain(polkit_t, polkit_exec_t) + ++type polkit_grant_t; ++type polkit_grant_exec_t; ++init_system_domain(polkit_grant_t, polkit_grant_exec_t) ++ +type polkit_auth_t; +type polkit_auth_exec_t; -+domain_type(polkit_auth_t) +init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) + +type polkit_var_lib_t; @@ -14528,9 +14934,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk +files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir }) + +optional_policy(` -+ dbus_system_bus_client_template(polkit, polkit_t) -+ consolekit_dbus_chat(polkit_t) + dbus_system_domain(polkit_t, polkit_exec_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_t) ++ ') +') + +######################################## 
@@ -14579,6 +14986,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + hal_read_state(polkit_auth_t) +') + ++######################################## ++# ++# polkit_grant local policy ++# ++ ++allow polkit_grant_t self:capability setuid; ++allow polkit_grant_t self:process getattr; ++ ++allow polkit_grant_t self:unix_dgram_socket create_socket_perms; ++allow polkit_grant_t self:fifo_file rw_file_perms; ++allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_grant_t, polkit_grant_exec_t) ++corecmd_search_bin(polkit_grant_t) ++ ++files_read_etc_files(polkit_grant_t) ++files_read_usr_files(polkit_grant_t) ++ ++auth_use_nsswitch(polkit_grant_t) ++auth_domtrans_chk_passwd(polkit_grant_t) ++ ++libs_use_ld_so(polkit_grant_t) ++libs_use_shared_libs(polkit_grant_t) ++ ++miscfiles_read_localization(polkit_grant_t) ++ ++logging_send_syslog_msg(polkit_grant_t) ++ ++polkit_domtrans_auth(polkit_grant_t) ++ ++manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_grant, polkit_grant_t) ++ consolekit_dbus_chat(polkit_grant_t) ++') ++ ++gen_require(` ++ type system_crond_var_lib_t; ++') ++manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.6/policy/modules/services/postfix.fc --- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400 +++ serefpolicy-3.2.6/policy/modules/services/postfix.fc 2008-02-01 16:01:42.000000000 -0500 
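Review bot: The block at the end of the polkit_grant policy reaches straight into another module's private type: a bare `gen_require` of `system_crond_var_lib_t` followed by `manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)`. That gives a helper which already holds `self:capability setuid` and `auth_domtrans_chk_passwd` the ability to create, modify and delete cron's lib files, and because the rule sits outside any `optional_policy` the polkit module will presumably fail to link when the cron module is absent. polkit.if in this same patch marks its cron access as `# Broken placement`, which suggests the underlying problem is files created under the wrong label; fixing the labelling so they end up as `polkit_var_lib_t` would remove the need for this rule. Until then, wrap it in `optional_policy` behind a cron interface and carry the same `# Broken placement` comment so it is not mistaken for intended access.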
@@ -24828,7 +25276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.6/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-02 00:21:41.000000000 -0500 ++++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-05 09:47:51.000000000 -0500 @@ -6,35 +6,59 @@ # Declarations # @@ -24949,7 +25397,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf optional_policy(` init_dbus_chat_script(unconfined_t) -@@ -107,6 +146,10 @@ +@@ -101,12 +140,20 @@ + ') + + optional_policy(` ++ kerneloops_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat(unconfined_t) + ') + optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -24960,7 +25418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +161,7 @@ +@@ -118,11 +165,7 @@ ') optional_policy(` @@ -24973,7 +25431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,14 +173,6 @@ +@@ -134,14 +177,6 @@ ') optional_policy(` @@ -24988,7 +25446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf oddjob_domtrans_mkhomedir(unconfined_t) ') -@@ -154,38 +185,32 @@ +@@ -154,38 +189,32 @@ ') optional_policy(` @@ -25034,7 +25492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +230,30 @@ +@@ -205,11 +234,30 @@ ') optional_policy(` 
@@ -25044,14 +25502,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ++') ++ ++optional_policy(` ++ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) ') optional_policy(` - xserver_domtrans_xdm_xserver(unconfined_t) -+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; @@ -25067,7 +25525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +263,34 @@ +@@ -219,14 +267,34 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -25087,7 +25545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf - ') +optional_policy(` + avahi_dbus_chat(unconfined_execmem_t) -+') + ') + +optional_policy(` + hal_dbus_chat(unconfined_execmem_t) @@ -25095,7 +25553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + xserver_xdm_rw_shm(unconfined_execmem_t) - ') ++') + +######################################## +# 
@@ -28810,8 +29268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500 -@@ -0,0 +1,51 @@ ++++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-05 09:47:25.000000000 -0500 +@@ -0,0 +1,55 @@ +policy_module(staff,1.0.1) +userdom_unpriv_user_template(staff) + @@ -28843,6 +29301,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t +') + +optional_policy(` ++ kerneloops_dbus_chat(staff_t) ++') ++ ++optional_policy(` + mono_per_role_template(staff, staff_t, staff_r) +') +