From d90a3db27d10579bd44a830bc18aa1eed6e70ddb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 20 2007 14:39:14 +0000 Subject: - Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir --- diff --git a/policy-20070703.patch b/policy-20070703.patch index aa88f06..2749e99 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1145,7 +1145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-09-19 16:12:56.000000000 -0400 @@ -92,6 +92,7 @@ dev_read_urand(chfn_t) @@ -1154,7 +1154,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_dontaudit_read_shadow(chfn_t) # allow checking if a shell is executable -@@ -520,6 +521,10 @@ +@@ -297,6 +298,7 @@ + term_use_all_user_ttys(passwd_t) + term_use_all_user_ptys(passwd_t) + ++auth_domtrans_chk_passwd(passwd_t) + auth_manage_shadow(passwd_t) + auth_relabel_shadow(passwd_t) + auth_etc_filetrans_shadow(passwd_t) +@@ -520,6 +522,10 @@ mta_manage_spool(useradd_t) optional_policy(` @@ -1165,7 +1173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') -@@ -529,6 +534,12 @@ +@@ -529,6 +535,12 @@ ') optional_policy(` @@ -1452,7 +1460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.8/policy/modules/apps/java.if --- nsaserefpolicy/policy/modules/apps/java.if 2007-08-02 08:17:26.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/java.if 2007-09-20 08:56:23.000000000 -0400 @@ -32,7 +32,7 @@ ## ## @@ -1472,7 +1480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if allow $1_javaplugin_t $2:fd use; # Unrestricted inheritance from the caller. allow $2 $1_javaplugin_t:process { noatsecure siginh rlimitinh }; -@@ -166,6 +165,53 @@ +@@ -166,6 +165,57 @@ optional_policy(` xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t) ') @@ -1515,6 +1523,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if + domain_type($1_java_t) + domain_entry_file($1_java_t,java_exec_t) + role $3 types $1_java_t; ++ ++ domain_interactive_fd($1_java_t) ++ ++ userdom_unpriv_usertype($1, $1_java_t) + + allow $1_java_t self:process { execheap execmem }; + @@ -1526,7 +1538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if ') ######################################## -@@ -219,3 +265,66 @@ +@@ -219,3 +269,66 @@ corecmd_search_bin($1) domtrans_pattern($1, java_exec_t, java_t) ') @@ -1606,8 +1618,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-17 16:20:18.000000000 -0400 -@@ -18,3 +18,98 @@ ++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400 +@@ -18,3 +18,102 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) ') @@ -1698,6 +1710,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + domain_entry_file($1_mono_t,mono_exec_t) + role $3 types $1_mono_t; + ++ domain_interactive_fd($1_mono_t) ++ ++ userdom_unpriv_usertype($1, $1_mono_t) ++ + allow $1_mono_t self:process { execheap execmem }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) @@ -2105,8 +2121,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t allow vmware_host_t self:rawip_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-17 16:20:18.000000000 -0400 -@@ -18,3 +18,34 @@ ++++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-09-20 08:56:45.000000000 -0400 +@@ -18,3 +18,84 @@ corecmd_search_bin($1) domtrans_pattern($1, wine_exec_t, wine_t) ') @@ -2141,9 +2157,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if + role $2 types wine_t; + allow wine_t $3:chr_file rw_term_perms; +') ++ ++####################################### ++## ++## The per role template for the wine module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for wine applications. ++##

++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`wine_per_role_template',` ++ gen_require(` ++ type wine_exec_t; ++ ') ++ ++ type $1_wine_t; ++ domain_type($1_wine_t) ++ domain_entry_file($1_wine_t,wine_exec_t) ++ role $3 types $1_wine_t; ++ ++ domain_interactive_fd($1_wine_t) ++ ++ userdom_unpriv_usertype($1, $1_wine_t) ++ ++ allow $1_wine_t self:process { execheap execmem }; ++ ++ domtrans_pattern($2, wine_exec_t, $1_wine_t) ++ ++ optional_policy(` ++ xserver_xdm_rw_shm($1_wine_t) ++ ') ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.8/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/wine.te 2007-09-20 09:45:04.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -2166,7 +2232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te +') + +optional_policy(` -+ xserver_xdm_rw_shm(mono_t) ++ xserver_xdm_rw_shm(wine_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400 @@ -4294,6 +4360,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +optional_policy(` + mailscanner_manage_spool(clamscan_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.0.8/policy/modules/services/consolekit.if +--- nsaserefpolicy/policy/modules/services/consolekit.if 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/consolekit.if 2007-09-20 08:49:41.000000000 -0400 +@@ -38,3 +38,24 @@ + allow $1 consolekit_t:dbus send_msg; + allow consolekit_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## dontaudit send and receive messages from ++## consolekit over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`consolekit_dontaudit_dbus_chat',` ++ gen_require(` ++ type consolekit_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 consolekit_t:dbus send_msg; ++ dontaudit consolekit_t $1:dbus send_msg; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/consolekit.te 2007-09-17 16:20:18.000000000 -0400 @@ -6788,9 +6882,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ######################################## # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if +--- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-06-15 14:54:33.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-09-20 08:50:57.000000000 -0400 +@@ -97,3 +97,24 @@ + allow $1 NetworkManager_t:dbus send_msg; + allow NetworkManager_t $1:dbus send_msg; + ') ++ ++######################################## ++## ++## dontaudit send and receive messages from ++## NetworkManager over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_dontaudit_dbus_chat',` ++ gen_require(` ++ type NetworkManager_t; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 NetworkManager_t:dbus send_msg; ++ dontaudit NetworkManager_t $1:dbus send_msg; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-09-20 08:50:29.000000000 -0400 @@ -20,7 +20,7 @@ # networkmanager will ptrace itself if gdb is installed @@ -9342,7 +9464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-19 11:59:57.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 09:43:06.000000000 -0400 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) @@ -9412,7 +9534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +558,46 @@ +@@ -555,25 +558,49 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -9426,10 +9548,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs($1,$2) - # for .xsession-errors - userdom_dontaudit_write_user_home_content_files($1,$2) -- + userdom_manage_user_home_content_dirs($1, xdm_t) + userdom_manage_user_home_content_files($1, xdm_t) + userdom_user_home_dir_filetrans_user_home_content($1, xdm_t, { dir file }) ++ userdom_manage_user_tmp_dirs($1, xdm_t) ++ userdom_manage_user_tmp_files($1, xdm_t) + xserver_ro_session_template(xdm,$2,$3) - xserver_rw_session_template($1,$2,$3) - xserver_use_user_fonts($1,$2) @@ -9468,7 +9592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +650,24 @@ +@@ -626,6 +653,24 @@ ######################################## ## @@ -9493,7 +9617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +701,73 @@ +@@ -659,6 +704,73 @@ ######################################## ## @@ -9567,7 +9691,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -987,6 +1096,37 @@ +@@ -927,6 +1039,7 @@ + files_search_tmp($1) + allow $1 xdm_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) ++ allow $1 xdm_tmp_t:sock_file unlink; + ') + + ######################################## +@@ -987,6 +1100,37 @@ ######################################## ## @@ -9605,7 +9737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1276,7 @@ +@@ -1136,7 +1280,7 @@ type xdm_xserver_tmp_t; ') @@ -9614,7 +9746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1465,62 @@ +@@ -1325,3 +1469,62 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -9894,7 +10026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -9905,16 +10037,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo allow $1_chkpwd_t self:process getattr; files_list_etc($1_chkpwd_t) -@@ -107,7 +108,7 @@ +@@ -106,9 +107,6 @@ + role $3 types $1_chkpwd_t; role $3 types system_chkpwd_t; - # cjp: is this really needed? +- # cjp: is this really needed? - allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -+ logging_send_audit_msgs($2) - +- dontaudit $2 shadow_t:file { getattr read }; -@@ -169,6 +170,9 @@ + # Transition from the user domain to this domain. +@@ -169,6 +167,9 @@ ## # interface(`auth_login_pgm_domain',` @@ -9924,7 +10057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -176,11 +180,23 @@ +@@ -176,11 +177,23 @@ domain_obj_id_change_exemption($1) role system_r types $1; @@ -9948,7 +10081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,22 +212,33 @@ +@@ -196,22 +209,33 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) @@ -9983,7 +10116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -309,9 +336,6 @@ +@@ -309,9 +333,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -9993,7 +10126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +353,7 @@ +@@ -329,6 +350,7 @@ optional_policy(` kerberos_use($1) @@ -10001,7 +10134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +372,37 @@ +@@ -347,6 +369,37 @@ ######################################## ## @@ -10039,7 +10172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +751,24 @@ +@@ -695,6 +748,24 @@ ######################################## ## @@ -10064,7 +10197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1392,9 @@ +@@ -1318,14 +1389,9 @@ ## # interface(`auth_use_nsswitch',` @@ -10079,7 +10212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) miscfiles_read_certs($1) -@@ -1381,3 +1450,163 @@ +@@ -1381,3 +1447,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -11970,7 +12103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400 @@ -432,6 +432,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; @@ -12022,12 +12155,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +# +interface(`seutil_domtrans_setsebool',` + gen_require(` -+ type semanage_t, setsebool_exec_t; ++ type setsebool_t, setsebool_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) -+ domtrans_pattern($1,setsebool_exec_t,semanage_t) ++ domtrans_pattern($1,setsebool_exec_t,setsebool_t) +') + +######################################## @@ -12084,7 +12217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1058,3 +1134,120 @@ +@@ -1058,3 +1134,124 @@ files_search_etc($1) rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) ') @@ -12157,6 +12290,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + allow $1 self:unix_dgram_socket create_socket_perms; + logging_send_audit_msgs($1) + ++ # Running genhomedircon requires this for finding all users ++ auth_use_nsswitch($1) ++ + allow $1 policy_config_t:file { read write }; + + allow $1 semanage_tmp_t:dir manage_dir_perms; @@ -12197,6 +12333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + + miscfiles_read_localization($1) + ++ seutil_search_default_contexts($1) + seutil_domtrans_loadpolicy($1) + seutil_read_config($1) + seutil_manage_bin_policy($1) @@ -12207,7 +12344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -12349,6 +12486,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # +seutil_semanage_policy(setsebool_t) +selinux_set_boolean(setsebool_t) ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; @@ -12383,25 +12522,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -selinux_getattr_fs(semanage_t) -# for setsebool: -selinux_set_boolean(semanage_t) +- +-term_use_all_terms(semanage_t) +- +-# Running genhomedircon requires this for finding all users +-auth_use_nsswitch(semanage_t) +- +-libs_use_ld_so(semanage_t) +-libs_use_shared_libs(semanage_t) +- +-locallogin_use_fds(semanage_t) +######################################## +# +# semodule local policy +# --term_use_all_terms(semanage_t) +-logging_send_syslog_msg(semanage_t) +seutil_semanage_policy(semanage_t) +can_exec(semanage_t, semanage_exec_t) - # Running genhomedircon requires this for finding all users - auth_use_nsswitch(semanage_t) -- --libs_use_ld_so(semanage_t) --libs_use_shared_libs(semanage_t) -- --locallogin_use_fds(semanage_t) -- --logging_send_syslog_msg(semanage_t) -- -miscfiles_read_localization(semanage_t) +# Admins are creating pp files in random locations +auth_read_all_files_except_shadow(semanage_t) @@ -12992,39 +13131,151 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-19 13:32:51.000000000 -0400 -@@ -45,7 +45,7 @@ ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 09:09:10.000000000 -0400 +@@ -29,8 +29,9 @@ + ') + + attribute $1_file_type; ++ attribute $1_usertype; + +- type $1_t, userdomain; ++ type $1_t, userdomain, $1_usertype; + domain_type($1_t) + corecmd_shell_entry_type($1_t) + corecmd_bin_entry_type($1_t) +@@ -45,65 +46,69 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) - allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession }; -+ allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; -@@ -62,6 +62,10 @@ - - allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; +- allow $1_t self:fd use; +- allow $1_t self:fifo_file rw_fifo_file_perms; +- allow $1_t self:unix_dgram_socket { create_socket_perms sendto }; +- allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto }; +- allow $1_t self:shm create_shm_perms; +- allow $1_t self:sem create_sem_perms; +- allow $1_t self:msgq create_msgq_perms; +- allow $1_t self:msg { send receive }; +- allow $1_t self:context contains; +- dontaudit $1_t self:socket create; +- +- allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; +- term_create_pty($1_t,$1_devpts_t) +- +- allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; +- +- kernel_read_kernel_sysctls($1_t) +- kernel_dontaudit_list_unlabeled($1_t) +- kernel_dontaudit_getattr_unlabeled_files($1_t) +- kernel_dontaudit_getattr_unlabeled_symlinks($1_t) +- kernel_dontaudit_getattr_unlabeled_pipes($1_t) +- kernel_dontaudit_getattr_unlabeled_sockets($1_t) +- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) +- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) ++ allow $1_t $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; ++ allow $1_usertype $1_usertype:fd use; ++ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; ++ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; ++ allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto }; ++ allow $1_usertype $1_usertype:shm create_shm_perms; ++ allow $1_usertype $1_usertype:sem create_sem_perms; ++ allow $1_usertype $1_usertype:msgq create_msgq_perms; ++ allow $1_usertype $1_usertype:msg { send receive }; ++ allow $1_usertype $1_usertype:context contains; ++ dontaudit $1_usertype $1_usertype:socket create; ++ ++ allow $1_usertype $1_devpts_t:chr_file { setattr ioctl read getattr lock write append }; ++ term_create_pty($1_usertype,$1_devpts_t) ++ ++ allow $1_usertype $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; ++ ++ application_exec_all($1_usertype) ++ ++ auth_use_nsswitch($1_usertype) ++ ++ kernel_read_kernel_sysctls($1_usertype) ++ kernel_dontaudit_list_unlabeled($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_files($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_pipes($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype) ++ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype) + + # When the user domain runs ps, there will be a number of access + # denials when ps tries to search /proc. Do not audit these denials. +- domain_dontaudit_read_all_domains_state($1_t) +- domain_dontaudit_getattr_all_domains($1_t) +- domain_dontaudit_getsession_all_domains($1_t) +- +- files_read_etc_files($1_t) +- files_read_etc_runtime_files($1_t) +- files_read_usr_files($1_t) ++ domain_dontaudit_read_all_domains_state($1_usertype) ++ domain_dontaudit_getattr_all_domains($1_usertype) ++ domain_dontaudit_getsession_all_domains($1_usertype) ++ ++ files_read_etc_files($1_usertype) ++ files_read_etc_runtime_files($1_usertype) ++ files_read_usr_files($1_usertype) + # Read directories and files with the readable_t type. + # This type is a general type for "world"-readable files. +- files_list_world_readable($1_t) +- files_read_world_readable_files($1_t) +- files_read_world_readable_symlinks($1_t) +- files_read_world_readable_pipes($1_t) +- files_read_world_readable_sockets($1_t) ++ files_list_world_readable($1_usertype) ++ files_read_world_readable_files($1_usertype) ++ files_read_world_readable_symlinks($1_usertype) ++ files_read_world_readable_pipes($1_usertype) ++ files_read_world_readable_sockets($1_usertype) + # old broswer_domain(): +- files_dontaudit_list_non_security($1_t) +- files_dontaudit_getattr_non_security_files($1_t) +- files_dontaudit_getattr_non_security_symlinks($1_t) +- files_dontaudit_getattr_non_security_pipes($1_t) +- files_dontaudit_getattr_non_security_sockets($1_t) +- files_dontaudit_getattr_non_security_blk_files($1_t) +- files_dontaudit_getattr_non_security_chr_files($1_t) +- +- libs_use_ld_so($1_t) +- libs_use_shared_libs($1_t) +- libs_exec_ld_so($1_t) ++ files_dontaudit_list_non_security($1_usertype) ++ files_dontaudit_getattr_non_security_files($1_usertype) ++ files_dontaudit_getattr_non_security_symlinks($1_usertype) ++ files_dontaudit_getattr_non_security_pipes($1_usertype) ++ files_dontaudit_getattr_non_security_sockets($1_usertype) ++ files_dontaudit_getattr_non_security_blk_files($1_usertype) ++ files_dontaudit_getattr_non_security_chr_files($1_usertype) ++ ++ libs_use_ld_so($1_usertype) ++ libs_use_shared_libs($1_usertype) ++ libs_exec_ld_so($1_usertype) + +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) ++ miscfiles_read_localization($1_usertype) ++ miscfiles_read_certs($1_usertype) + +- sysnet_read_config($1_t) ++ sysnet_read_config($1_usertype) -+ application_exec_all($1_t) -+ -+ auth_use_nsswitch($1_t) -+ - kernel_read_kernel_sysctls($1_t) - kernel_dontaudit_list_unlabeled($1_t) - kernel_dontaudit_getattr_unlabeled_files($1_t) -@@ -114,6 +118,10 @@ + tunable_policy(`allow_execmem',` + # Allow loading DSOs that require executable stack. +@@ -114,6 +119,10 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` -+ ssh_rw_stream_sockets($1_t) ++ ssh_rw_stream_sockets($1_usertype) + ') ') ####################################### -@@ -184,7 +192,7 @@ +@@ -184,7 +193,7 @@ files_list_home($1_t) tunable_policy(`use_nfs_home_dirs',` @@ -13033,7 +13284,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) fs_read_nfs_named_sockets($1_t) -@@ -195,7 +203,7 @@ +@@ -195,7 +204,7 @@ ') tunable_policy(`use_samba_home_dirs',` @@ -13042,41 +13293,133 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_read_cifs_files($1_t) fs_read_cifs_symlinks($1_t) fs_read_cifs_named_sockets($1_t) -@@ -315,13 +323,19 @@ +@@ -262,42 +271,42 @@ + + # full control of the home directory + allow $1_t $1_home_t:file entrypoint; +- manage_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- manage_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- relabel_dirs_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- relabel_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- relabel_lnk_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- relabel_sock_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- relabel_fifo_files_pattern($1_t,{ $1_home_dir_t $1_home_t },$1_home_t) +- filetrans_pattern($1_t,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) +- files_list_home($1_t) ++ manage_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ manage_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ manage_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ manage_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ manage_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ relabel_dirs_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ relabel_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ relabel_lnk_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ relabel_sock_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ relabel_fifo_files_pattern($1_usertype,{ $1_home_dir_t $1_home_t },$1_home_t) ++ filetrans_pattern($1_usertype,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file }) ++ files_list_home($1_usertype) + + # cjp: this should probably be removed: +- allow $1_t $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; ++ allow $1_usertype $1_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + + tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_dirs($1_t) +- fs_manage_nfs_files($1_t) +- fs_manage_nfs_symlinks($1_t) +- fs_manage_nfs_named_sockets($1_t) +- fs_manage_nfs_named_pipes($1_t) ++ fs_manage_nfs_dirs($1_usertype) ++ fs_manage_nfs_files($1_usertype) ++ fs_manage_nfs_symlinks($1_usertype) ++ fs_manage_nfs_named_sockets($1_usertype) ++ fs_manage_nfs_named_pipes($1_usertype) + ',` +- fs_dontaudit_manage_nfs_dirs($1_t) +- fs_dontaudit_manage_nfs_files($1_t) ++ fs_dontaudit_manage_nfs_dirs($1_usertype) ++ fs_dontaudit_manage_nfs_files($1_usertype) + ') + + tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs($1_t) +- fs_manage_cifs_files($1_t) +- fs_manage_cifs_symlinks($1_t) +- fs_manage_cifs_named_sockets($1_t) +- fs_manage_cifs_named_pipes($1_t) ++ fs_manage_cifs_dirs($1_usertype) ++ fs_manage_cifs_files($1_usertype) ++ fs_manage_cifs_symlinks($1_usertype) ++ fs_manage_cifs_named_sockets($1_usertype) ++ fs_manage_cifs_named_pipes($1_usertype) + ',` +- fs_dontaudit_manage_cifs_dirs($1_t) +- fs_dontaudit_manage_cifs_files($1_t) ++ fs_dontaudit_manage_cifs_dirs($1_usertype) ++ fs_dontaudit_manage_cifs_files($1_usertype) + ') + ') + +@@ -315,14 +324,20 @@ ## # template(`userdom_exec_home_template',` - can_exec($1_t,$1_home_t) - tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1_t) + tunable_policy(`allow_$1_exec_content', ` -+ can_exec($1_t,$1_home_t) ++ can_exec($1_usertype,$1_home_t) + ',` -+ dontaudit $1_t $1_home_t:file execute; -+ ') -+ -+ -+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` - fs_exec_nfs_files($1_t) ++ dontaudit $1_usertype $1_home_t:file execute; ') - tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1_t) ++ ++ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` ++ fs_exec_nfs_files($1_usertype) ++ ') ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` - fs_exec_cifs_files($1_t) ++ fs_exec_cifs_files($1_usertype) ') ') -@@ -395,7 +409,9 @@ + +@@ -374,12 +389,12 @@ + type $1_tmp_t, $1_file_type; + files_tmp_file($1_tmp_t) + +- manage_dirs_pattern($1_t,$1_tmp_t,$1_tmp_t) +- manage_files_pattern($1_t,$1_tmp_t,$1_tmp_t) +- manage_lnk_files_pattern($1_t,$1_tmp_t,$1_tmp_t) +- manage_sock_files_pattern($1_t,$1_tmp_t,$1_tmp_t) +- manage_fifo_files_pattern($1_t,$1_tmp_t,$1_tmp_t) +- files_tmp_filetrans($1_t, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) ++ manage_dirs_pattern($1_usertype,$1_tmp_t,$1_tmp_t) ++ manage_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) ++ manage_lnk_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) ++ manage_sock_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) ++ manage_fifo_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) ++ files_tmp_filetrans($1_usertype, $1_tmp_t, { dir file lnk_file sock_file fifo_file }) + ') + + ####################################### +@@ -395,7 +410,9 @@ ## # template(`userdom_exec_tmp_template',` - exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) + tunable_policy(`allow_$1_exec_content', ` -+ exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) ++ exec_files_pattern($1_usertype,$1_tmp_t,$1_tmp_t) + ') ') ####################################### -@@ -509,10 +525,6 @@ +@@ -509,10 +526,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -13087,7 +13430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -530,9 +542,6 @@ +@@ -530,9 +543,6 @@ ## # template(`userdom_basic_networking_template',` @@ -13097,7 +13440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -563,32 +572,29 @@ +@@ -563,32 +573,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` @@ -13151,7 +13494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -664,67 +670,39 @@ +@@ -664,67 +671,39 @@ attribute unpriv_userdomain; ') @@ -13222,7 +13565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -737,12 +715,6 @@ +@@ -737,12 +716,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -13235,7 +13578,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -755,31 +727,16 @@ +@@ -755,31 +728,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -13269,7 +13612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -794,19 +751,12 @@ +@@ -794,19 +752,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) @@ -13289,7 +13632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -821,11 +771,6 @@ +@@ -821,11 +772,6 @@ ') optional_policy(` @@ -13301,7 +13644,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:dbus send_msg; dbus_system_bus_client_template($1,$1_t) -@@ -834,21 +779,18 @@ +@@ -834,21 +780,18 @@ ') optional_policy(` @@ -13327,7 +13670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -876,17 +818,17 @@ +@@ -876,17 +819,17 @@ ') optional_policy(` @@ -13353,7 +13696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -900,16 +842,6 @@ +@@ -900,16 +843,6 @@ ') optional_policy(` @@ -13370,7 +13713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -919,11 +851,6 @@ +@@ -919,11 +852,6 @@ ') optional_policy(` @@ -13382,7 +13725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -954,21 +881,163 @@ +@@ -954,21 +882,163 @@ ## ## # @@ -13457,66 +13800,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - userdom_common_user_template($1) + auth_dontaudit_write_login_records($1_t) + -+ dev_read_sysfs($1_t) -+ dev_read_urand($1_t) ++ dev_read_sysfs($1_usertype) ++ dev_read_urand($1_usertype) + -+ kernel_dontaudit_read_system_state($1_t) ++ kernel_dontaudit_read_system_state($1_usertype) + -+ domain_use_interactive_fds($1_t) ++ domain_use_interactive_fds($1_usertype) + # Command completion can fire hundreds of denials -+ domain_dontaudit_exec_all_entry_files($1_t) ++ domain_dontaudit_exec_all_entry_files($1_usertype) + + # Stat lost+found. -+ files_getattr_lost_found_dirs($1_t) ++ files_getattr_lost_found_dirs($1_usertype) + -+ fs_get_all_fs_quotas($1_t) -+ fs_getattr_all_fs($1_t) -+ fs_getattr_all_dirs($1_t) -+ fs_search_auto_mountpoints($1_t) -+ fs_list_inotifyfs($1_t) ++ fs_get_all_fs_quotas($1_usertype) ++ fs_getattr_all_fs($1_usertype) ++ fs_getattr_all_dirs($1_usertype) ++ fs_search_auto_mountpoints($1_usertype) ++ fs_list_inotifyfs($1_usertype) + + # Stop warnings about access to /dev/console -+ init_dontaudit_rw_utmp($1_t) -+ init_dontaudit_use_fds($1_t) -+ init_dontaudit_use_script_fds($1_t) ++ init_dontaudit_rw_utmp($1_usertype) ++ init_dontaudit_use_fds($1_usertype) ++ init_dontaudit_use_script_fds($1_usertype) + -+ libs_exec_lib_files($1_t) ++ libs_exec_lib_files($1_usertype) + -+ logging_dontaudit_getattr_all_logs($1_t) ++ logging_dontaudit_getattr_all_logs($1_usertype) + -+ miscfiles_read_man_pages($1_t) ++ miscfiles_read_man_pages($1_usertype) + # for running TeX programs -+ miscfiles_read_tetex_data($1_t) -+ miscfiles_exec_tetex_data($1_t) ++ miscfiles_read_tetex_data($1_usertype) ++ miscfiles_exec_tetex_data($1_usertype) + -+ seutil_read_config($1_t) ++ seutil_read_config($1_usertype) + -+ files_dontaudit_list_default($1_t) -+ files_dontaudit_read_default_files($1_t) ++ files_dontaudit_list_default($1_usertype) ++ files_dontaudit_read_default_files($1_usertype) + + userdom_poly_home_template($1) + userdom_poly_tmp_template($1) + + optional_policy(` -+ cups_stream_connect($1_t) -+ cups_stream_connect_ptal($1_t) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) + ') + + optional_policy(` -+ kerberos_use($1_t) ++ kerberos_use($1_usertype) + ') + + optional_policy(` -+ mta_dontaudit_read_spool_symlinks($1_t) ++ mta_dontaudit_read_spool_symlinks($1_usertype) + ') + + optional_policy(` -+ quota_dontaudit_getattr_db($1_t) ++ quota_dontaudit_getattr_db($1_usertype) + ') + + optional_policy(` -+ rpm_read_db($1_t) -+ rpm_dontaudit_manage_db($1_t) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) + ') +') + @@ -13552,7 +13895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1046,51 @@ +@@ -977,23 +1047,51 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -13615,7 +13958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1126,7 @@ +@@ -1029,15 +1127,7 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -13632,7 +13975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -1054,17 +1143,6 @@ +@@ -1054,17 +1144,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -13650,7 +13993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1180,8 @@ +@@ -1102,6 +1181,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -13659,7 +14002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1207,7 @@ +@@ -1127,7 +1208,7 @@ # $1_t local policy # @@ -13668,7 +14011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1219,11 @@ +@@ -1139,7 +1220,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -13681,7 +14024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1902,6 +1986,41 @@ +@@ -1902,6 +1987,41 @@ ######################################## ## @@ -13723,7 +14066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3197,7 @@ +@@ -3078,7 +3198,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -13732,7 +14075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4615,6 +4734,24 @@ +@@ -4615,6 +4735,24 @@ files_list_home($1) allow $1 home_dir_type:dir search_dir_perms; ') @@ -13757,7 +14100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -4633,6 +4770,14 @@ +@@ -4633,6 +4771,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -13772,7 +14115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5468,7 @@ +@@ -5323,7 +5469,7 @@ attribute user_tmpfile; ') @@ -13781,7 +14124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5704,336 @@ +@@ -5559,3 +5705,372 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -13977,31 +14320,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +userdom_xwindows_client_template($1) + -+logging_send_syslog_msg($1_t) ++logging_send_syslog_msg($1_usertype) + +optional_policy(` -+ alsa_read_rw_config($1_t) ++ alsa_read_rw_config($1_usertype) +') + +authlogin_per_role_template($1, $1_t, $1_r) + -+auth_search_pam_console_data($1_t) ++auth_search_pam_console_data($1_usertype) + -+dev_read_sound($1_t) -+dev_write_sound($1_t) ++dev_read_sound($1_usertype) ++dev_write_sound($1_usertype) + +optional_policy(` -+ dbus_per_role_template($1, $1_t, $1_r) -+ dbus_system_bus_client_template($1, $1_t) -+ allow $1_t self:dbus send_msg; ++ dbus_per_role_template($1, $1_usertype, $1_r) ++ dbus_system_bus_client_template($1, $1_usertype) ++ allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` -+ cups_dbus_chat($1_t) ++ cups_dbus_chat($1_usertype) + ') + +') + +optional_policy(` ++ consolekit_dontaudit_dbus_chat($1_usertype) ++') ++ ++optional_policy(` + java_per_role_template($1, $1_t, $1_r) +') + @@ -14010,11 +14357,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') + +optional_policy(` -+ setroubleshoot_dontaudit_stream_connect($1_t) ++ networkmanager_dontaudit_dbus_chat($1_usertype) ++') ++ ++optional_policy(` ++ setroubleshoot_dontaudit_stream_connect($1_usertype) +') + +# gnome keyring wants to read this. Needs to be exlicitly granted -+dev_dontaudit_read_rand($1_t) ++dev_dontaudit_read_rand($1_usertype) + +') + @@ -14118,6 +14469,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1 userdomain:process rlimitinh; +') + ++######################################## ++## ++## Define this type as a Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++template(`userdom_unpriv_usertype',` ++ gen_require(` ++ attribute unpriv_userdomain, userdomain; ++ ') ++ typeattribute $2 $1_usertype, unpriv_userdomain, userdomain; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-09-12 10:34:51.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-09-17 16:20:18.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index c2bea8e..5edf7f0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -288,7 +288,7 @@ SELinux Reference policy targeted base module. semodule -s targeted -r moilscanner 2>/dev/null %loadpolicy targeted %relabel targeted -if [ $1 = 0 ]; then +if [ $1 = 1 ]; then semanage login -m -s "system_u" __default__ 2> /dev/null semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u semanage user -a -P guest -R guest_r guest_u