From a98c376293dfbe217fbffbd294054fd9decf193c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Dec 04 2008 14:28:43 +0000
Subject: - Allow nsplugin to list gconf_home_t directory
---
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index 8c33d07..41fa534 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -237,7 +237,7 @@ allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
-allow_unconfined_nsplugin_transition=true
+allow_unconfined_nsplugin_transition=false
# Allow unconfined domains mmap low kernel memory
#
diff --git a/policy-20080710.patch b/policy-20080710.patch
index 8dd8f81..189cef0 100644
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@@ -6454,17 +6454,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +wm_domain_template(user,xdm) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-11-24 10:49:49.000000000 -0500 -@@ -129,6 +129,8 @@ ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-04 09:14:24.000000000 -0500 +@@ -129,6 +129,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') +/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/opt/Adobe(/.*)?/sidecars(/.*)? gen_context(system_u:object_r:bin_t,s0) + # # /usr # -@@ -184,10 +186,8 @@ +@@ -184,10 +187,8 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
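Review bot: The default of `allow_unconfined_nsplugin_transition` changes from true to false in the booleans-targeted.conf hunk, but the subject only names the gconf_home_t change and says nothing about it; with the boolean off, a plugin started from an unconfined domain is presumably no longer transitioned into the confined nsplugin domain and keeps the caller's unconfined label, so the default posture is loosened. The description should state why the transition is being switched off and that the spec trigger in this same commit pushes the new value onto upgraded systems. The comment block above the setting still describes only what the boolean allows; a line such as `# default off since 3.5.13-31: <reason>` (reason to be filled in by the author) would let the next reader tell a deliberate choice from a leftover.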
@@ -6477,7 +6478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -292,3 +292,14 @@ +@@ -292,3 +293,14 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -25653,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-04 09:20:21.000000000 -0500 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25937,7 +25938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-04 09:20:48.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -25947,7 +25948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # ssh client executable. type ssh_exec_t; -@@ -55,6 +55,12 @@ +@@ -55,6 +55,16 @@ init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh) ') 
@@ -25957,10 +25958,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type ssh_tmp_t; +files_tmp_file(ssh_tmp_t) + ++typealias ssh_home_t alias unconfined_ssh_home_t; ++typealias ssh_home_t alias unconfined_home_ssh_t; ++typealias ssh_tmp_t alias unconfined_ssh_tmp_t; ++ ################################# # # sshd local policy -@@ -78,6 +84,9 @@ +@@ -78,6 +88,9 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -25970,7 +25975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -99,6 +108,14 @@ +@@ -99,6 +112,14 @@ ') optional_policy(` @@ -25985,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -117,7 +134,11 @@ +@@ -117,7 +138,11 @@ ') optional_policy(` @@ -25998,7 +26003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -176,6 +197,8 @@ +@@ -176,6 +201,8 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -29884,7 +29889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-01 16:41:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-04 08:07:48.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
@@ -29986,16 +29991,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +284,8 @@ +@@ -267,6 +284,9 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/virtualbox/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +310,8 @@ +@@ -291,6 +311,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30004,7 +30010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +331,21 @@ +@@ -310,3 +332,21 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) 
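Review bot: The added `/usr/lib(64)?/virtualbox/.*\.so` entry labels every shared object below the VirtualBox directory textrel_shlib_t, which is wider than the `VBox.*\.so` pattern on the line above it (that line also covers the `virtualbox-ose` and `components/` layouts, which the new one does not), so the two lines now overlap without being consistent. textrel_shlib_t is the label that tolerates text relocations (execmod) for libraries that need them, so the broad match should either be narrowed to the objects known to need it or carry a comment recording that the whole tree was checked, e.g. `# every VirtualBox .so carries text relocations (checked <version>)` with the version filled in. The libraries.fc section continues outside the hunk.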
@@ -30220,7 +30226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.13/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-12-04 08:26:19.000000000 -0500 @@ -129,7 +129,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -30230,7 +30236,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; -@@ -221,9 +221,9 @@ +@@ -182,6 +182,8 @@ + logging_domtrans_dispatcher(auditd_t) + logging_signal_dispatcher(auditd_t) + ++auth_use_nsswitch(auditd_t) ++ + libs_use_ld_so(auditd_t) + libs_use_shared_libs(auditd_t) + +@@ -221,9 +223,9 @@ # audit dispatcher local policy # @@ -30242,7 +30257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -237,9 +237,12 @@ +@@ -237,9 +239,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) 
@@ -30255,7 +30270,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(audisp_t) libs_use_shared_libs(audisp_t) -@@ -352,7 +355,7 @@ +@@ -262,9 +267,14 @@ + corenet_tcp_sendrecv_all_nodes(audisp_remote_t) + corenet_tcp_connect_audit_port(audisp_remote_t) + corenet_sendrecv_audit_client_packets(audisp_remote_t) ++corenet_tcp_bind_audit_port(audisp_remote_t) ++corenet_tcp_sendrecv_all_ports(audisp_remote_t) ++corenet_tcp_bind_all_nodes(audisp_remote_t) + + files_read_etc_files(audisp_remote_t) + ++auth_use_nsswitch(audisp_remote_t) ++ + libs_use_ld_so(audisp_remote_t) + libs_use_shared_libs(audisp_remote_t) + +@@ -352,7 +362,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b0c950..e635195 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 30%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -336,6 +336,8 @@ semodule -s targeted -r gamin 2>/dev/null
fi
exit 0
+%triggerpostun targeted -- selinux-policy-targeted < 3.5.13-31.fc10
+setsebool -P allow_unconfined_nsplugin_transition=0
%triggerpostun targeted -- selinux-policy-targeted < 3.2.5-9.fc9
. /etc/selinux/config
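Review bot: `corenet_tcp_sendrecv_all_ports(audisp_remote_t)` in the new logging.te hunk is broader than everything around it, which is scoped to the audit port (`corenet_tcp_connect_audit_port`, the new `corenet_tcp_bind_audit_port`, `corenet_sendrecv_audit_client_packets`). If the remote dispatcher only exchanges data with the audit port, `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` keeps the grant at least privilege; if the all-ports grant is genuinely required, a one-line comment naming the connection that needs it would stop the next maintainer from tightening it back. Pairing `corenet_tcp_bind_audit_port` with `corenet_tcp_bind_all_nodes` also lets what is otherwise a client domain listen on the audit port, which reads as intentional only if it is said so in a comment. The audisp_remote_t block continues outside the hunk.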
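Review bot: The new `%triggerpostun` runs `setsebool -P allow_unconfined_nsplugin_transition=0` unconditionally, which overwrites whatever value is currently set on the host and, unlike the `semodule -s targeted -r gamin 2>/dev/null` in the surrounding context, has no guard for a machine where the targeted store is absent or SELinux is disabled, so a failure will surface as a scriptlet error during upgrade. Matching the file's existing style, `setsebool -P allow_unconfined_nsplugin_transition=0 2>/dev/null` followed by `exit 0` keeps the upgrade quiet, and a comment stating that the reset is deliberate would tell an administrator why a boolean they may have set was changed under them. The hardcoded `3.5.13-31.fc10` version mirrors the `3.2.5-9.fc9` trigger below it, so that part is consistent. The trigger body may continue past the hunk.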