From 9185c8bf704dc4df7fdabc5ec7e20e59acb539ae Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 12 2009 18:10:24 +0000 Subject: - Add /usr/share/selinux/packages - Turn on nsplugin boolean --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 3f67bf8..35b11a9 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -241,7 +241,7 @@ allow_nsplugin_execmem=true # Allow unconfined domain to transition to confined domain # -allow_unconfined_nsplugin_transition=false +allow_unconfined_nsplugin_transition=true # Allow unconfined domains mmap low kernel memory # diff --git a/policy-20090105.patch b/policy-20090105.patch index 001a2d0..91e057f 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -2667,8 +2667,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.12/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2008-08-07 11:15:02.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-04-23 09:44:57.000000000 -0400 -@@ -21,6 +21,104 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/mono.if 2009-05-12 13:53:34.000000000 -0400 +@@ -21,6 +21,105 @@ ######################################## ## @@ -2751,6 +2751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + role $2 types $1_mono_t; + + domain_interactive_fd($1_mono_t) ++ application_type($1_mono_t) + + userdom_unpriv_usertype($1, $1_mono_t) + userdom_manage_tmpfs_role($2, $1_mono_t) @@ -2773,7 +2774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute the mono program in the caller domain. ## ## -@@ -31,7 +129,7 @@ +@@ -31,7 +130,7 @@ # interface(`mono_exec',` gen_require(` 
@@ -2784,7 +2785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-05-12 13:53:03.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -2794,7 +2795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(mono_t) -@@ -42,7 +42,11 @@ +@@ -42,7 +42,12 @@ ') optional_policy(` @@ -2802,11 +2803,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) - ') ++ application_type(mono_t) ++') + +optional_policy(` + xserver_rw_shm(mono_t) -+') + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.12/policy/modules/apps/mozilla.fc --- nsaserefpolicy/policy/modules/apps/mozilla.fc 2008-11-11 16:13:42.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/mozilla.fc 2009-04-23 09:44:57.000000000 -0400 @@ -3185,8 +3187,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-08 12:52:11.000000000 -0400 -@@ -0,0 +1,293 @@ ++++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te 2009-05-12 13:51:52.000000000 -0400 +@@ -0,0 +1,288 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -3464,12 +3466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mozilla_read_user_home_files(nsplugin_config_t) +') + -+optional_policy(` -+ gen_require(` -+ type unconfined_mono_t; -+ ') -+ allow nsplugin_t unconfined_mono_t:process signull; -+') ++application_signull(nsplugin_t) + +optional_policy(` + pulseaudio_stream_connect(nsplugin_t) @@ -4326,7 +4323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.12/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/qemu.te 2009-05-12 13:52:29.000000000 -0400 @@ -13,28 +13,96 @@ ## gen_tunable(qemu_full_network, false) @@ -4432,6 +4429,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # qemu_unconfined local policy +@@ -44,6 +112,9 @@ + type qemu_unconfined_t; + domain_type(qemu_unconfined_t) + unconfined_domain_noaudit(qemu_unconfined_t) ++ userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t) + ++ application_type(qemu_unconfined_t) ++ role unconfined_r types qemu_unconfined_t; + allow qemu_unconfined_t self:process { execstack execmem }; + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.12/policy/modules/apps/sambagui.fc --- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/sambagui.fc 2009-04-23 09:44:57.000000000 -0400 
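Review bot: In the nsplugin.te hunk, `application_signull(nsplugin_t)` replaces a rule that named a single target, `allow nsplugin_t unconfined_mono_t:process signull;`, so the plugin domain may now send signal 0 to every type carrying `application_domain_type` instead of only the mono domain. Signull reveals no more than whether a process exists, but the wider grant is not explained in the hunk or in the commit message, and the same commit tags more domains with `application_type` (mono_t, $1_mono_t, qemu_unconfined_t), which enlarges the target set further. If only the mono case is needed, a narrower interface would keep the old scope; otherwise a comment above the call, along the lines of `# nsplugin checks for running helper applications with kill(pid, 0)`, should record the reason once it is confirmed. The rest of nsplugin.te lies outside this hunk.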
@@ -5926,7 +5933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.12/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-03-04 16:49:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-04-23 17:21:31.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/filesystem.if 2009-05-12 13:59:59.000000000 -0400 @@ -723,6 +723,24 @@ ######################################## @@ -6347,7 +6354,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-05-12 08:30:38.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) 
@@ -6369,6 +6376,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -451,6 +453,23 @@ + + ######################################## + ## ++## dontaudit getattr of generic pty devices. ++## ++## ++## ++## The type of the process to not audit. ++## ++## ++# ++interface(`term_dontaudit_getattr_generic_ptys',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ dontaudit $1 devpts_t:chr_file getattr; ++') ++######################################## ++## + ## ioctl of generic pty devices. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.12/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/roles/guest.te 2009-04-23 09:44:57.000000000 -0400 @@ -19851,7 +19882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.12/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/procmail.te 2009-05-12 08:59:00.000000000 -0400 @@ -77,6 +77,7 @@ files_read_usr_files(procmail_t) 
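Review bot: The new `term_dontaudit_getattr_generic_ptys` interface in terminal.if ends with `')` and runs straight into the next `########################################` banner, whereas the blank line inside its own body shows the file does use them as separators. Its summary, "dontaudit getattr of generic pty devices.", repeats the rule keyword instead of describing the effect; `Do not audit attempts to get the attributes of generic pty devices.` would tell a reader that the access stays denied and is only hidden from the audit log. The parameter text "The type of the process to not audit." is fine as it stands.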
@@ -19879,6 +19910,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol pyzor_domtrans(procmail_t) pyzor_signal(procmail_t) ') +@@ -136,7 +142,7 @@ + mta_read_config(procmail_t) + sendmail_domtrans(procmail_t) + sendmail_signal(procmail_t) +- sendmail_rw_tcp_sockets(procmail_t) ++ sendmail_dontaudit_rw_tcp_sockets(procmail_t) + sendmail_rw_unix_stream_sockets(procmail_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.fc serefpolicy-3.6.12/policy/modules/services/psad.fc --- nsaserefpolicy/policy/modules/services/psad.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/psad.fc 2009-04-23 09:44:57.000000000 -0400 @@ -20688,7 +20728,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-03-20 12:39:39.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-11 09:09:05.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-05-12 14:00:28.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20698,7 +20738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_domain_template(gssd) -@@ -69,26 +69,37 @@ +@@ -69,15 +69,22 @@ kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) 
@@ -20707,18 +20747,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(rpcd_t) files_manage_mounttab(rpcd_t) ++files_getattr_all_dirs(rpcd_t) +fs_list_inotifyfs(rpcd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) - -+storage_getattr_fixed_disk_dev(rpcd_t) ++fs_get_all_fs_quotas(rpcd_t) ++fs_getattr_all_fs(rpcd_t) + ++storage_getattr_fixed_disk_dev(rpcd_t) + selinux_dontaudit_read_fs(rpcd_t) - miscfiles_read_certs(rpcd_t) +@@ -85,10 +92,17 @@ seutil_dontaudit_search_config(rpcd_t) @@ -20736,7 +20779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # NFSD local policy -@@ -116,8 +127,9 @@ +@@ -116,8 +130,9 @@ # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type @@ -20747,7 +20790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) -@@ -125,6 +137,7 @@ +@@ -125,6 +140,7 @@ fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) @@ -20755,7 +20798,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) -@@ -141,6 +154,7 @@ +@@ -141,6 +157,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -20763,7 +20806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -175,6 +189,7 @@ +@@ -175,6 +192,7 @@ corecmd_exec_bin(gssd_t) 
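Review bot: The rpcd_t block in rpc.te gains three broad grants, `files_getattr_all_dirs(rpcd_t)`, `fs_get_all_fs_quotas(rpcd_t)` and `fs_getattr_all_fs(rpcd_t)`, with no comment, and the 3.6.12-35 changelog entry does not mention them. From the interface names they look like what a quota-reporting service would need, but that is an inference and not something the hunk shows. A one-line comment above them, for example `# quota reporting: stat mount points and read quotas on all filesystems`, would let a later reviewer judge whether getattr on every directory is still required. The rpcd_t policy continues outside this hunk.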
@@ -20771,7 +20814,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) -@@ -183,9 +198,12 @@ +@@ -183,9 +201,12 @@ files_read_usr_symlinks(gssd_t) auth_use_nsswitch(gssd_t) @@ -20798,7 +20841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_write_login_records(rshd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-04-29 13:19:21.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-05-11 20:42:00.000000000 -0400 @@ -8,6 +8,13 @@ ## @@ -21748,7 +21791,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-30 08:12:22.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-05-12 08:58:39.000000000 -0400 +@@ -59,20 +59,20 @@ + + ######################################## + ## +-## Read and write sendmail TCP sockets. ++## Dontaudit Read and write sendmail TCP sockets. + ## + ## + ## +-## Domain allowed access. ++## Domain not allowed access. + ## + ## + # +-interface(`sendmail_rw_tcp_sockets',` ++interface(`sendmail_dontaudit_rw_tcp_sockets',` + gen_require(` + type sendmail_t; + ') + +- allow $1 sendmail_t:tcp_socket { read write }; ++ dontaudit $1 sendmail_t:tcp_socket { read write }; + ') + ######################################## + ## 
@@ -89,7 +89,7 @@ type sendmail_t; ') @@ -22737,7 +22805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-08 07:53:09.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-05-12 09:01:37.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) @@ -22809,15 +22877,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysnet_read_config(spamassassin_t) ') -@@ -195,6 +234,7 @@ +@@ -195,6 +234,8 @@ optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) + sendmail_rw_unix_stream_sockets(spamassassin_t) ++ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t) ') ######################################## -@@ -216,16 +256,32 @@ +@@ -216,16 +257,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -22850,7 +22919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -239,6 +295,7 @@ +@@ -239,6 +296,7 @@ corenet_sendrecv_all_client_packets(spamc_t) fs_search_auto_mountpoints(spamc_t) @@ -22858,7 +22927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: these should probably be removed: corecmd_list_bin(spamc_t) -@@ -255,9 +312,15 @@ +@@ -255,9 +313,15 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) 
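Review bot: The sendmail.if hunk renames `sendmail_rw_tcp_sockets` to `sendmail_dontaudit_rw_tcp_sockets` in place, so the old interface name no longer exists; procmail.te is switched in this commit, but any caller outside the visible hunks would stop compiling and should be searched for before merging. Because the rule is now `dontaudit $1 sendmail_t:tcp_socket { read write };`, denied access to these sockets by procmail_t, spamassassin_t and spamc_t leaves no AVC record. If the reason is a descriptor inherited from sendmail, a comment saying so would help whoever later investigates with dontaudit rules disabled. The documentation would read more clearly as `Do not audit attempts to read and write sendmail TCP sockets.` and `Domain to not audit.` instead of "Dontaudit Read and write sendmail TCP sockets." and "Domain not allowed access."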
@@ -22874,7 +22943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -265,13 +328,16 @@ +@@ -265,13 +329,16 @@ sysnet_read_config(spamc_t) @@ -22898,7 +22967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -280,16 +346,21 @@ +@@ -280,16 +347,22 @@ ') optional_policy(` @@ -22919,10 +22988,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + mta_read_queue(spamc_t) sendmail_stub(spamc_t) + sendmail_rw_pipes(spamc_t) ++ sendmail_dontaudit_rw_tcp_sockets(spamc_t) ') ######################################## -@@ -301,7 +372,7 @@ +@@ -301,7 +374,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -22931,7 +23001,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -317,10 +388,13 @@ +@@ -317,10 +390,13 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -22946,7 +23016,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -329,10 +403,11 @@ +@@ -329,10 +405,11 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -22959,7 +23029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -382,22 +457,27 @@ +@@ -382,22 +459,27 @@ init_dontaudit_rw_utmp(spamd_t) 
@@ -22991,7 +23061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -415,6 +495,7 @@ +@@ -415,6 +497,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -22999,7 +23069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dcc_stream_connect_dccifd(spamd_t) ') -@@ -424,10 +505,6 @@ +@@ -424,10 +507,6 @@ ') optional_policy(` @@ -23010,7 +23080,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -442,6 +519,10 @@ +@@ -442,6 +521,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -23021,7 +23091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -454,5 +535,9 @@ +@@ -454,5 +537,9 @@ ') optional_policy(` @@ -25398,7 +25468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-06 08:50:01.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-05-12 13:45:25.000000000 -0400 @@ -34,6 +34,13 @@ ## 
@@ -26140,6 +26210,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.12/policy/modules/system/application.if +--- nsaserefpolicy/policy/modules/system/application.if 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/application.if 2009-05-12 13:54:23.000000000 -0400 +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Make the specified type usable as an application domain. ++## Send signull to application domains + ## + ## + ## +@@ -101,3 +101,21 @@ + application_executable_file($2) + domain_entry_file($1,$2) + ') ++ ++######################################## ++## ++## Send signull to unprivileged user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`application_signull',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ allow $1 application_domain_type:process signull; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.12/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/application.te 2009-04-23 09:44:57.000000000 -0400 
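Review bot: The nested hunk `@@ -2,7 +2,7 @@` in application.if replaces the summary of the first interface in the file, "Make the specified type usable as an application domain.", with "Send signull to application domains". That text describes the new `application_signull` interface added at the end of the file, not the interface it now sits on, so the line looks like a misplaced edit and should be reverted. The new interface's own summary says "Send signull to unprivileged user domains." while its rule is `allow $1 application_domain_type:process signull;`; the summary should read `Send signull to all application domains.` so that the documented scope matches the attribute actually granted. The body of the first interface is outside the hunk, so its name is not visible here.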
@@ -30638,7 +30742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-08 13:06:19.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-05-12 13:51:30.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30650,12 +30754,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -41,71 +42,85 @@ +@@ -41,71 +42,87 @@ allow system_r $1_r; term_user_pty($1_t, user_devpts_t) - term_user_tty($1_t, user_tty_device_t) ++ term_dontaudit_getattr_generic_ptys($1_t) - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; @@ -30742,6 +30847,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_read_mnt_files($1_usertype) + files_read_etc_runtime_files($1_usertype) + files_read_usr_files($1_usertype) ++ files_read_usr_src_files($1_usertype) # Read directories and files with the readable_t type. # This type is a general type for "world"-readable files. - files_list_world_readable($1_t) @@ -30787,7 +30893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +131,12 @@ +@@ -116,6 +133,12 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') 
@@ -30800,7 +30906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -147,6 +168,7 @@ +@@ -147,6 +170,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -30808,7 +30914,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') role $1 types { user_home_t user_home_dir_t }; -@@ -157,6 +179,7 @@ +@@ -157,6 +181,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; @@ -30816,7 +30922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; -@@ -168,27 +191,6 @@ +@@ -168,27 +193,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -30844,7 +30950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -220,9 +222,10 @@ +@@ -220,9 +224,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -30856,7 +30962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -232,17 +235,20 @@ +@@ -232,17 +237,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -30887,7 +30993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +256,23 @@ +@@ -250,25 +258,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` 
@@ -30917,7 +31023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +307,7 @@ +@@ -303,6 +309,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -30925,7 +31031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -322,6 +327,7 @@ +@@ -322,6 +329,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -30933,7 +31039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($1) ') -@@ -368,46 +374,41 @@ +@@ -368,46 +376,41 @@ ####################################### ## @@ -31000,7 +31106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +421,41 @@ +@@ -420,34 +423,41 @@ ## is the prefix for user_t). ## ## @@ -31060,7 +31166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +505,7 @@ +@@ -497,11 +507,7 @@ attribute unpriv_userdomain; ') @@ -31073,7 +31179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +516,200 @@ +@@ -512,189 +518,200 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -31355,7 +31461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,13 +737,26 @@ +@@ -722,13 +739,26 @@ userdom_base_user_template($1) 
@@ -31387,7 +31493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -746,70 +774,71 @@ +@@ -746,70 +776,71 @@ allow $1_t self:context contains; @@ -31492,7 +31598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +875,28 @@ +@@ -846,6 +877,28 @@ # Local policy # @@ -31521,7 +31627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +927,10 @@ +@@ -876,7 +929,10 @@ userdom_restricted_user_template($1) @@ -31533,7 +31639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +938,19 @@ +@@ -884,14 +940,19 @@ # auth_role($1_r, $1_t) @@ -31558,7 +31664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +958,33 @@ +@@ -899,28 +960,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -31599,7 +31705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1018,8 @@ +@@ -954,8 +1020,8 @@ # Declarations # @@ -31609,7 +31715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1028,12 @@ +@@ -964,11 +1030,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -31624,7 +31730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1051,55 @@ +@@ -986,37 +1053,55 @@ ') ') 
@@ -31694,7 +31800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1133,7 @@ +@@ -1050,7 +1135,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -31703,7 +31809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1142,7 @@ +@@ -1059,8 +1144,7 @@ # # Inherit rules for ordinary users. @@ -31713,7 +31819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1165,8 @@ +@@ -1083,7 +1167,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -31723,7 +31829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1182,7 @@ +@@ -1099,6 +1184,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -31731,7 +31837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1190,6 @@ +@@ -1106,8 +1192,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31740,7 +31846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1244,6 @@ +@@ -1162,20 +1246,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31761,7 +31867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1289,7 @@ +@@ -1221,6 +1291,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -31769,7 +31875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1355,15 @@ +@@ -1286,11 +1357,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -31785,7 +31891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1460,7 @@ +@@ -1387,7 +1462,7 @@ ######################################## ## @@ -31794,7 +31900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1493,14 @@ +@@ -1420,6 +1495,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -31809,7 +31915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1516,11 @@ +@@ -1435,9 +1518,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -31821,7 +31927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1577,25 @@ +@@ -1494,6 +1579,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -31847,7 +31953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1670,8 @@ +@@ -1568,6 +1672,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -31856,7 +31962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1747,7 @@ +@@ -1643,6 +1749,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -31864,7 +31970,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1846,80 @@ +@@ -1741,30 +1848,80 @@ ######################################## ## @@ -31955,7 +32061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1942,46 @@ +@@ -1787,6 +1944,46 @@ ######################################## ## @@ -32002,7 +32108,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1994,7 @@ +@@ -1799,6 +1996,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -32010,7 +32116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2524,7 @@ +@@ -2328,7 +2526,7 @@ ######################################## ## @@ -32019,7 +32125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,12 +3010,12 @@ +@@ -2814,12 +3012,12 @@ type user_tmp_t; ') @@ -32034,7 +32140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2827,17 +3023,35 @@ +@@ -2827,17 +3025,35 @@ ## ## # @@ -32074,7 +32180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2851,6 +3065,7 @@ +@@ -2851,6 +3067,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -32082,7 +32188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3196,481 @@ +@@ -2981,3 +3198,481 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index cc34eb9..94eba3d 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 34%{?dist} +Release: 35%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -63,6 +63,7 @@ SELinux Base package %dir %{_usr}/share/selinux %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include +%dir %{_usr}/share/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux @@ -234,6 +235,7 @@ make clean make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ +mkdir %{buildroot}%{_usr}/share/selinux/packages/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile @@ -471,6 +473,10 @@ exit 0 %endif %changelog +* Mon May 11 2009 Dan Walsh 3.6.12-35 +- Add /usr/share/selinux/packages +- Turn on nsplugin boolean + * Mon May 11 2009 Dan Walsh 3.6.12-34 - Allow rpcd_t to send signals to kernel threads