From 7e3506426b3d73fe21ad8e08fa5751a9c34fdb56 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 12 2007 21:37:30 +0000 Subject: - Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if --- diff --git a/policy-20070703.patch b/policy-20070703.patch index ba52385..fb29ace 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -6685,18 +6685,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.2/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/services/xserver.if 2007-07-12 09:36:57.000000000 -0400 -@@ -353,9 +353,6 @@ ++++ serefpolicy-3.0.2/policy/modules/services/xserver.if 2007-07-12 17:01:56.000000000 -0400 +@@ -353,12 +353,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) - allow $2 $1_xauth_home_t:file manage_file_perms; - allow $2 $1_xauth_home_t:file { relabelfrom relabelto }; - - allow xdm_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) +- allow xdm_t $1_xauth_home_t:file manage_file_perms; +- userdom_user_home_dir_filetrans($1,xdm_t,$1_xauth_home_t,file) +- + domain_use_interactive_fds($1_xauth_t) -@@ -387,6 +384,14 @@ + files_read_etc_files($1_xauth_t) +@@ -387,6 +381,14 @@ ') optional_policy(` @@ -6711,7 +6714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -537,16 +542,14 @@ +@@ -537,16 +539,14 @@ gen_require(` type xdm_t, xdm_tmp_t; 
@@ -6730,7 +6733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,6 +558,8 @@ +@@ -555,25 +555,40 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -6739,8 +6742,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow connections to X server. files_search_tmp($2) -@@ -565,15 +570,26 @@ - userdom_dontaudit_write_user_home_content_files($1,$2) + miscfiles_read_fonts($2) + + userdom_search_user_home_dirs($1,$2) +- # for .xsession-errors +- userdom_dontaudit_write_user_home_content_files($1,$2) ++ userdom_manage_user_home_content_dirs($1, xdm_t) ++ userdom_manage_user_home_content_files($1, xdm_t) ++ userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file }) xserver_ro_session_template(xdm,$2,$3) - xserver_rw_session_template($1,$2,$3) @@ -6754,6 +6763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - allow $2 $1_xserver_tmpfs_t:file rw_file_perms; + xserver_xdm_stream_connect($2) + ++ + # Read .Xauthority file + optional_policy(` + xserver_read_user_xauth($1, $2) @@ -6772,7 +6782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +642,24 @@ +@@ -626,6 +641,24 @@ ######################################## ## @@ -6797,7 +6807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +693,73 @@ +@@ -659,6 +692,73 @@ ######################################## ## @@ -6871,7 +6881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1136,7 +1237,7 @@ +@@ -1136,7 +1236,7 @@ type xdm_xserver_tmp_t; ') 
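Review bot: The three lines replacing `userdom_dontaudit_write_user_home_content_files($1,$2)` in the inner `@@ -565,15 +570,26 @@` hunk give xdm_t full manage rights over every $1 home-content directory and file plus a filetrans into them, which is far wider than the dontaudit they replace and than the xauth-only `allow xdm_t $1_xauth_home_t:file manage_file_perms;` that the first hunk of this patch removes. Presumably the display manager only needs to write `.xsession-errors` and the `.Xauthority` file, so a dedicated home-content type would keep the grant to those; at minimum the dropped `# for .xsession-errors` why-comment should be restored above the new calls so a reader knows why xdm_t may now create and unlink arbitrary files under user home directories. The enclosing template starts and ends outside this hunk.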
@@ -6880,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1426,24 @@ +@@ -1325,3 +1425,23 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -6904,7 +6914,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 xdm_var_run_t:sock_file write; + allow $1 xdm_t:unix_stream_socket connectto; +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.2/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-03 07:06:27.000000000 -0400 +++ serefpolicy-3.0.2/policy/modules/services/xserver.te 2007-07-11 10:06:28.000000000 -0400 @@ -7563,8 +7572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.2/policy/modules/system/brctl.te --- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.2/policy/modules/system/brctl.te 2007-07-11 10:06:28.000000000 -0400 -@@ -0,0 +1,38 @@ ++++ serefpolicy-3.0.2/policy/modules/system/brctl.te 2007-07-12 15:49:33.000000000 -0400 +@@ -0,0 +1,41 @@ +policy_module(brctl,1.0.0) + +######################################## @@ -7582,10 +7591,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. +# brctl local policy +# + ++allow brctl_t self:tcp_socket create_socket_perms; ++allow brctl_t self:unix_dgram_socket create_socket_perms; ++ +# Init script handling +domain_use_interactive_fds(brctl_t) + +kernel_load_module(brctl_t) ++kernel_read_network_state(brctl_t) + +## internal communication is often done using fifo and unix sockets. +allow brctl_t self:fifo_file rw_file_perms; 
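Review bot: The new `allow brctl_t self:tcp_socket create_socket_perms;` in the brctl.te hunk has no comment saying why a bridge-control tool needs a TCP socket; presumably it is only a handle for the bridge ioctls (the accompanying `kernel_read_network_state(brctl_t)` points the same way), but `create_socket_perms` also covers bind and connect, so a reader cannot tell whether network use is intended. A one-line why-comment such as `# socket is only a handle for bridge ioctls; no corenet rules are granted` would make the scope reviewable, and if bind/connect are genuinely unneeded a narrower permission set than `create_socket_perms` should back that comment. The brctl.te local policy continues in the following hunk.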
@@ -7602,7 +7615,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl. + term_dontaudit_use_unallocated_ttys(brctl_t) + term_dontaudit_use_generic_ptys(brctl_t) +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.0.2/policy/modules/system/fstools.fc --- nsaserefpolicy/policy/modules/system/fstools.fc 2007-06-11 16:05:30.000000000 -0400 +++ serefpolicy-3.0.2/policy/modules/system/fstools.fc 2007-07-11 10:06:28.000000000 -0400 @@ -8931,7 +8943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.2/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if 2007-07-11 10:06:29.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.if 2007-07-12 10:58:12.000000000 -0400 @@ -432,6 +432,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; 
@@ -8940,6 +8952,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ######################################## +@@ -968,6 +969,26 @@ + + ######################################## + ## ++## Execute a domain transition to run setsebool. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`seutil_domtrans_setsebool',` ++ gen_require(` ++ type semanage_t, setsebool_exec_t; ++ ') ++ ++ files_search_usr($1) ++ corecmd_search_bin($1) ++ domtrans_pattern($1,setsebool_exec_t,semanage_t) ++') ++ ++######################################## ++## + ## Execute semanage in the semanage domain, and + ## allow the specified role the semanage domain, + ## and use the caller's terminal. +@@ -979,7 +1000,7 @@ + ## + ## + ## +-## The role to be allowed the checkpolicy domain. ++## The role to be allowed the semanage domain. + ## + ## + ## +@@ -1001,6 +1022,39 @@ + + ######################################## + ## ++## Execute setsebool in the semanage domain, and ++## allow the specified role the semanage domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the semanage domain. ++## ++## ++## ++## ++## The type of the terminal allow the semanage domain to use. ++## ++## ++## ++# ++interface(`seutil_run_setsebool',` ++ gen_require(` ++ type semanage_t; ++ ') ++ ++ seutil_domtrans_setsebool($1) ++ role $2 types semanage_t; ++ allow semanage_t $3:chr_file rw_term_perms; ++') ++ ++######################################## ++## + ## Full management of the semanage + ## module store. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.2/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-05-30 11:47:29.000000000 -0400 +++ serefpolicy-3.0.2/policy/modules/system/selinuxutil.te 2007-07-12 09:43:18.000000000 -0400 
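Review bot: `seutil_domtrans_setsebool` transitions the caller into `semanage_t` (`domtrans_pattern($1,setsebool_exec_t,semanage_t)`), so despite its name and the commit subject a domain that is granted only the setsebool interface receives the whole semanage domain; the summary should say so until a separate domain exists, e.g. `## Execute setsebool in the semanage domain (a dedicated setsebool domain is not yet defined).`, and the same for `seutil_run_setsebool`. The gen_require names `setsebool_exec_t`, which has to be declared in selinuxutil.te and labelled in the .fc file; the selinuxutil.te hunk is outside this chunk, so I cannot confirm that. In unconfined.te the new `seutil_run_setsebool` call sits directly beside the existing `seutil_run_semanage` call and therefore grants nothing new yet, which is worth a short comment at that call site and at the sysadm_t one in userdomain.te.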
@@ -9488,7 +9576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.2/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-11 10:06:29.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/unconfined.te 2007-07-12 10:58:38.000000000 -0400 @@ -5,30 +5,36 @@ # # Declarations @@ -9542,13 +9630,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) -@@ -44,23 +51,21 @@ +@@ -44,23 +51,22 @@ logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) +# Unconfined running as system_r +mount_domtrans_unconfined(unconfined_t) ++seutil_run_setsebool(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) seutil_run_setfiles(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -9570,7 +9659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -68,16 +73,6 @@ +@@ -68,16 +74,6 @@ ') optional_policy(` @@ -9587,7 +9676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -120,11 +115,7 @@ +@@ -120,11 +116,7 @@ ') optional_policy(` @@ -9600,7 +9689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -136,11 +127,7 @@ +@@ -136,11 +128,7 @@ ') optional_policy(` 
@@ -9613,7 +9702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -157,18 +144,6 @@ +@@ -157,18 +145,6 @@ optional_policy(` postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) @@ -9632,7 +9721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -182,10 +157,6 @@ +@@ -182,10 +158,6 @@ ') optional_policy(` @@ -9643,7 +9732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf sysnet_run_dhcpc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) sysnet_dbus_chat_dhcpc(unconfined_t) ') -@@ -207,7 +178,7 @@ +@@ -207,7 +179,7 @@ ') optional_policy(` @@ -9652,7 +9741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -229,6 +200,12 @@ +@@ -229,6 +201,12 @@ unconfined_dbus_chat(unconfined_execmem_t) optional_policy(` @@ -9667,7 +9756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.2/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/system/userdomain.if 2007-07-11 10:06:29.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/userdomain.if 2007-07-12 17:08:16.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -9996,7 +10085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -962,21 +876,122 @@ +@@ -962,21 +876,158 @@ ## ## # 
@@ -10017,6 +10106,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) +') + ++####################################### ++## ++## The template for creating a login user. ++## ++## ++##

++## This template creates a user domain, types, and ++## rules for the user's tty, pty, home directories, ++## tmp, and tmpfs files. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++# +template(`userdom_login_user_template', ` + userdom_base_user_template($1) + @@ -10112,6 +10219,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') +') + ++####################################### ++## ++## The template for creating a unprivileged login user. ++## ++## ++##

++## This template creates a user domain, types, and ++## rules for the user's tty, pty, home directories, ++## tmp, and tmpfs files. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++# +template(`userdom_unpriv_login_user', ` + gen_require(` + attribute unpriv_userdomain; @@ -10125,7 +10250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -985,15 +1000,45 @@ +@@ -985,15 +1036,45 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -10175,7 +10300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1033,14 +1078,6 @@ +@@ -1033,14 +1114,6 @@ ') optional_policy(` @@ -10190,7 +10315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1054,12 +1091,8 @@ +@@ -1054,12 +1127,8 @@ setroubleshoot_stream_connect($1_t) ') @@ -10204,7 +10329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Do not audit write denials to /etc/ld.so.cache. dontaudit $1_t ld_so_cache_t:file write; -@@ -1102,6 +1135,8 @@ +@@ -1102,6 +1171,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -10213,7 +10338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1162,7 @@ +@@ -1127,7 +1198,7 @@ # $1_t local policy # @@ -10222,7 +10347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,8 +1174,6 @@ +@@ -1139,8 +1210,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
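Review bot: The documentation header added for `userdom_unpriv_login_user` repeats the `userdom_login_user_template` summary word for word, so it does not say what distinguishes the unprivileged variant, which from the typeattribute lines visible in the following hunk appears to be the `unpriv_userdomain` and user_* type attributes it assigns; the summary should name that, e.g. `## The template for creating an unprivileged login user; assigns unpriv_userdomain and the user_* type attributes.`, which also fixes "a unprivileged". The template name lacks the `_template` suffix that its sibling `userdom_login_user_template` carries, and the two should be consistent if both are templates. The template body continues outside this hunk.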
@@ -10231,7 +10356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -3078,7 +3111,7 @@ +@@ -3078,7 +3147,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -10240,7 +10365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5356,7 @@ +@@ -5323,7 +5392,7 @@ attribute user_tmpfile; ') @@ -10249,7 +10374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5581,26 @@ +@@ -5548,6 +5617,26 @@ ######################################## ## @@ -10276,7 +10401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5559,3 +5612,124 @@ +@@ -5559,3 +5648,173 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -10401,9 +10526,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1 user_home_type:file unlink; +') + ++####################################### ++## ++## The template for creating a unprivileged login user. ++## ++## ++##

++## This template creates a user domain, types, and ++## rules for the user's tty, pty, home directories, ++## tmp, and tmpfs files. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++# ++template(`userdom_unpriv_xwindows_login_user', ` ++ ++userdom_unpriv_login_user($1) ++userdom_xwindows_client_template($1) ++ ++auth_exec_pam($1_t) ++logging_send_syslog_msg($1_t) ++ ++optional_policy(` ++ alsa_read_rw_config($1_t) ++') ++authlogin_per_role_template($1, $1_t, $1_r) ++ ++optional_policy(` ++ dbus_per_role_template($1, $1_t, $1_r) ++ dbus_system_bus_client_template($1, $1_t) ++ allow $1_t self:dbus send_msg; ++') ++ ++optional_policy(` ++ ssh_per_role_template($1, $1_t, $1_r) ++') ++ ++optional_policy(` ++ setroubleshoot_dontaudit_stream_connect($1_t) ++') ++ ++#dev_read_rand($1_t) ++ ++') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.2/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.2/policy/modules/system/userdomain.te 2007-07-11 10:06:29.000000000 -0400 ++++ serefpolicy-3.0.2/policy/modules/system/userdomain.te 2007-07-12 10:51:56.000000000 -0400 @@ -74,6 +74,9 @@ # users home directory contents attribute home_type; @@ -10477,7 +10651,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run(sysadm_t,sysadm_r,admin_terminal) netutils_run_ping(sysadm_t,sysadm_r,admin_terminal) netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal) -@@ -456,6 +457,9 @@ +@@ -451,11 +452,15 @@ + ') + + optional_policy(` ++ seutil_run_setsebool(sysadm_t,sysadm_r,admin_terminal) + seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal) + seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal) ifdef(`enable_mls',` userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t }) 
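Review bot: `userdom_unpriv_xwindows_login_user` ends with two consecutive `')` lines after `#dev_read_rand($1_t)`, yet every `optional_policy(`` opened in its body is already closed, so unless the second `')` matches something I cannot see it is unbalanced and will surface in the m4-expanded policy; the template should end with a single `')`. The body is also written at column 0 and keeps a commented-out rule, unlike the indented sibling templates in this file, so indenting it and deleting `#dev_read_rand($1_t)` would match them. The header comment is copied from `userdom_unpriv_login_user` and does not mention the X client, dbus, alsa and ssh policy this variant adds; a summary such as `## The template for creating an unprivileged login user with X Windows client access.` would describe it.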
@@ -10487,7 +10667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') -@@ -498,3 +502,7 @@ +@@ -498,3 +503,7 @@ optional_policy(` yam_run(sysadm_t,sysadm_r,admin_terminal) ') 
@@ -10541,135 +10721,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.2/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.2/policy/modules/users/guest.te 2007-07-11 10:06:29.000000000 -0400 -@@ -0,0 +1,127 @@ ++++ serefpolicy-3.0.2/policy/modules/users/guest.te 2007-07-12 17:31:09.000000000 -0400 +@@ -0,0 +1,5 @@ +policy_module(guest,1.0.0) -+ -+define(`userdom_login_user', ` -+ userdom_base_user_template($1) -+ -+ userdom_manage_home_template($1) -+ userdom_exec_home_template($1) -+ userdom_manage_tmp_template($1) -+ userdom_exec_tmp_template($1) -+ userdom_manage_tmpfs_template($1) -+ -+ userdom_change_password_template($1) -+ -+ role $1_r types $1_t; -+ allow system_r $1_r; -+ -+ application_exec_all($1_t) -+ -+ allow $1_t self:capability { setgid chown fowner }; -+ dontaudit $1_t self:capability { sys_nice fsetid }; -+ allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; -+ -+ dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; -+ -+ ############################## -+ # -+ # User domain Local policy -+ # -+ -+ kernel_read_system_state($1_t) -+ -+ dev_read_sysfs($1_t) -+ dev_read_urand($1_t) -+ -+ domain_use_interactive_fds($1_t) -+ # Command completion can fire hundreds of denials -+ domain_dontaudit_exec_all_entry_files($1_t) -+ -+ # Stat lost+found. 
-+ files_getattr_lost_found_dirs($1_t) -+ -+ fs_get_all_fs_quotas($1_t) -+ fs_getattr_all_fs($1_t) -+ fs_getattr_all_dirs($1_t) -+ fs_search_auto_mountpoints($1_t) -+ fs_list_inotifyfs($1_t) -+ -+ # Stop warnings about access to /dev/console -+ init_dontaudit_rw_utmp($1_t) -+ init_dontaudit_use_fds($1_t) -+ init_dontaudit_use_script_fds($1_t) -+ -+ libs_exec_lib_files($1_t) -+ -+ logging_dontaudit_getattr_all_logs($1_t) -+ -+ miscfiles_read_man_pages($1_t) -+ # for running TeX programs -+ miscfiles_read_tetex_data($1_t) -+ miscfiles_exec_tetex_data($1_t) -+ -+ seutil_read_config($1_t) -+ -+ files_dontaudit_list_default($1_t) -+ files_dontaudit_read_default_files($1_t) -+ -+ tunable_policy(`user_ttyfile_stat',` -+ term_getattr_all_user_ttys($1_t) -+ ') -+ -+ # for running depmod as part of the kernel packaging process -+ optional_policy(` -+ modutils_read_module_config($1_t) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_t) -+ ') -+ -+ optional_policy(` -+ nis_use_ypbind($1_t) -+ ') -+ -+ optional_policy(` -+ nscd_socket_use($1_t) -+ ') -+ -+ optional_policy(` -+ quota_dontaudit_getattr_db($1_t) -+ ') -+ -+ optional_policy(` -+ rpm_read_db($1_t) -+ rpm_dontaudit_manage_db($1_t) -+ ') -+') -+ -+define(`userdom_unpriv_login_user', ` -+ gen_require(` -+ attribute unpriv_userdomain; -+ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; -+ ') -+ userdom_login_user($1) -+ userdom_privhome_user_template($1) -+ -+ typeattribute $1_t unpriv_userdomain; -+ -+ typeattribute $1_t unpriv_userdomain; -+ domain_interactive_fd($1_t) -+ -+ typeattribute $1_devpts_t user_ptynode; -+ typeattribute $1_home_dir_t user_home_dir_type; -+ typeattribute $1_home_t user_home_type; -+ typeattribute $1_tmp_t user_tmpfile; -+ typeattribute $1_tty_device_t user_ttynode; -+ -+') +userdom_unpriv_login_user(guest) +userdom_unpriv_login_user(gadmin) -+#userdom_basic_networking_template(guest) -+#kernel_read_network_state($1_t) 
-+#kernel_read_net_sysctls($1_t) -+#corenet_udp_bind_all_nodes($1_t) -+#corenet_udp_bind_generic_port($1_t) -+ -+ -+ ++userdom_unpriv_xwindows_login_user(xguest) ++mozilla_per_role_template(xguest, xguest_t, xguest_r) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.2/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.2/policy/modules/users/logadm.fc 2007-07-11 10:06:29.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 6133c79..a456a75 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.2 -Release: 6%{?dist} +Release: 7%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -356,7 +356,8 @@ exit 0 %endif %changelog -* Thu Jul 12 2007 Dan Walsh 3.0.2-6 +* Thu Jul 12 2007 Dan Walsh 3.0.2-7 +- Begin adding policy to separate setsebool from semanage - Fix xserver.if definition to not break sepolgen.if * Wed Jul 11 2007 Dan Walsh 3.0.2-5
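Review bot: `mozilla_per_role_template(xguest, xguest_t, xguest_r)` is called unconditionally at the end of guest.te, so the guest module will fail to build whenever the mozilla module is absent, whereas the templates it builds on wrap comparable per-role calls (dbus, ssh, alsa) in `optional_policy(``. Wrapping it the same way, `optional_policy(`` / `	mozilla_per_role_template(xguest, xguest_t, xguest_r)` / `')`, keeps the module loadable without mozilla. Replacing the file-local `define(`userdom_login_user', …)` copies with the shared userdomain.if templates is the right direction; a one-line comment above the four remaining calls naming which user each line creates (guest, gadmin, xguest) would help, since the file no longer carries any other text.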