diff --git a/policy-20090105.patch b/policy-20090105.patch index ecdf395..7e13851 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -2875,8 +2875,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-01-19 13:10:02.000000000 -0500 -@@ -0,0 +1,277 @@ ++++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500 +@@ -0,0 +1,288 @@ + +policy_module(nsplugin, 1.0.0) + @@ -2892,6 +2892,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_nsplugin_execmem, false) + ++## ++##

++## Allow nsplugin code to connect to unreserved ports ++##

++##
++gen_tunable(nsplugin_can_network, True) ++ +type nsplugin_exec_t; +application_executable_file(nsplugin_exec_t) + @@ -2940,6 +2947,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow nsplugin_config_t self:process { execstack execmem }; +') + ++tunable_policy(`nsplugin_can_network',` ++ corenet_tcp_connect_all_unreserved_ports(nsplugin_t) ++') ++ +manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) +manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) @@ -4313,8 +4324,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-01-19 13:13:31.000000000 -0500 -@@ -1579,6 +1579,24 @@ ++++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-02-02 09:34:32.000000000 -0500 +@@ -1504,6 +1504,24 @@ + + ######################################## + ## ++## Connect TCP sockets to all ports > 1024. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`corenet_tcp_connect_all_unreserved_ports',` ++ gen_require(` ++ attribute port_type, reserved_port_type; ++ ') ++ ++ allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; ++') ++ ++######################################## ++## + ## Do not audit attempts to connect TCP sockets + ## all reserved ports. + ## +@@ -1579,6 +1597,24 @@ ######################################## ## 
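Review bot: `gen_tunable(nsplugin_can_network, True)` turns the new boolean on by default, so nsplugin_t receives the connect rule from the `tunable_policy` hunk further down without any administrator action. For a domain whose purpose is to confine browser plugins, an opt-in default is the more conservative choice; if on-by-default is intended, the description should say so. The literal is also spelled `True`, while the neighbouring `allow_nsplugin_execmem` tunable uses lowercase `false`. I would write `gen_tunable(nsplugin_can_network, true)` to match, since nothing on this page shows whether the mixed-case spelling is accepted by the toolchain.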
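Review bot: The summary `Connect TCP sockets to all ports > 1024` on `corenet_tcp_connect_all_unreserved_ports` does not describe the rule it documents, `allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;`. That set is every port type that lacks the reserved_port_type attribute, which presumably includes ports carrying a specific service label above the reserved range and not only generic high ports. The boundary is also set by how the attribute is assigned, not by the literal number in the comment. A caller such as nsplugin_t therefore gets more than the wording suggests. I would change the summary to `## Connect TCP sockets to all ports that do not have the reserved_port_type attribute.` so callers can judge the grant correctly.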
@@ -9419,6 +9455,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
 +typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.3/policy/modules/services/apcupsd.fc
+--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400
++++ serefpolicy-3.6.3/policy/modules/services/apcupsd.fc 2009-02-02 08:21:34.000000000 -0500
+@@ -5,6 +5,7 @@
+ ')
+
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
++/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+ /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.3/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te 2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/apm.te 2009-01-28 09:26:27.000000000 -0500
@@ -14526,6 +14573,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.3/policy/modules/services/mysql.fc
+--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mysql.fc 2009-02-02 08:23:53.000000000 -0500
+@@ -10,6 +10,7 @@
+ #
+ # /usr
+ #
++/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.3/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mysql.te 2009-02-02 08:24:35.000000000 -0500
+@@ -65,6 +65,7 @@
+ kernel_read_system_state(mysqld_t)
+ kernel_read_kernel_sysctls(mysqld_t)
+
++can_exec(mysqld_t, mysqld_exec_t)
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.3/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.3/policy/modules/services/nagios.fc 2009-01-19 13:10:02.000000000 -0500
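Review bot: `can_exec(mysqld_t, mysqld_exec_t)` is added to mysql.te with no comment, and its reason is only visible from the mysql.fc section of the same hunk, which labels `/usr/bin/mysqld_safe` as `mysqld_exec_t`. The wrapper presumably enters mysqld_t and must then run the real daemon binary without a further transition. I would put `# mysqld_safe is labelled mysqld_exec_t and re-executes mysqld in the same domain` above the line and separate it from the `corenet_*` block with a blank line. Labelling the wrapper this way also means everything it runs executes as mysqld_t, so it is worth confirming that a separate wrapper domain is not the tighter option.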
@@ -19924,13 +19993,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_write_login_records(rshd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.3/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-01-19 13:10:02.000000000 -0500 -@@ -119,5 +119,8 @@ ++++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-02-02 08:28:58.000000000 -0500 +@@ -119,5 +119,9 @@ tunable_policy(`rsync_export_all_ro',` fs_read_noxattr_fs_files(rsync_t) + auth_read_all_dirs_except_shadow(rsync_t) auth_read_all_files_except_shadow(rsync_t) ++ auth_read_all_symlinks_except_shadow(rsync_t) + auth_tunable_read_shadow(rsync_t) ') +auth_can_read_shadow_passwords(rsync_t) @@ -20365,7 +20435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.3/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-02-03 10:22:51.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -20519,7 +20589,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -350,8 +377,20 @@ +@@ -338,20 +365,27 @@ + ') + + tunable_policy(`samba_enable_home_dirs',` +- userdom_manage_user_home_content_dirs(smbd_t) +- userdom_manage_user_home_content_files(smbd_t) +- userdom_manage_user_home_content_symlinks(smbd_t) +- userdom_manage_user_home_content_sockets(smbd_t) +- userdom_manage_user_home_content_pipes(smbd_t) +- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file }) ++ userdom_manage_user_home_content(smbd_t) + ') + + # Support Samba sharing of NFS mount points tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) @@ -20540,7 +20623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -359,6 +398,16 @@ +@@ -359,6 +393,16 @@ optional_policy(` kerberos_use(smbd_t) @@ -20557,7 +20640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -381,8 +430,10 @@ +@@ -381,8 +425,10 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) @@ -20568,7 +20651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') -@@ -454,6 +505,7 @@ +@@ -454,6 +500,7 @@ dev_getattr_mtrr_dev(nmbd_t) fs_getattr_all_fs(nmbd_t) @@ -20576,7 +20659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(nmbd_t) domain_use_interactive_fds(nmbd_t) -@@ -553,19 +605,33 @@ +@@ -553,19 +600,33 @@ userdom_use_user_terminals(smbmount_t) userdom_use_all_users_fds(smbmount_t) 
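Review bot: The single `userdom_manage_user_home_content(smbd_t)` call under `samba_enable_home_dirs` is not obviously equivalent to the six calls it replaces. The interface added in the userdomain.if hunk of this patch targets the `user_home_type` attribute, so smbd_t gets manage rights on every type carrying that attribute, while its file transition still creates `user_home_t`. If the removed per-class interfaces were limited to `user_home_t` (their bodies are not visible here, so this needs confirming), the change widens what a Samba share of home directories can modify. Either scope the new interface to `user_home_t` or state the wider grant above the call, for example `# grants manage on all user_home_type content, not only user_home_t`.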
@@ -20613,7 +20696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rw_files_pattern(swat_t, samba_etc_t, samba_etc_t) -@@ -585,6 +651,9 @@ +@@ -585,6 +646,9 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; @@ -20623,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -609,15 +678,18 @@ +@@ -609,15 +673,18 @@ dev_read_urand(swat_t) @@ -20642,7 +20725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_search_logs(swat_t) miscfiles_read_localization(swat_t) -@@ -635,6 +707,17 @@ +@@ -635,6 +702,17 @@ kerberos_use(swat_t) ') @@ -20660,7 +20743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Winbind local policy -@@ -642,7 +725,7 @@ +@@ -642,7 +720,7 @@ allow winbind_t self:capability { dac_override ipc_lock setuid }; dontaudit winbind_t self:capability sys_tty_config; @@ -20669,7 +20752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow winbind_t self:fifo_file rw_fifo_file_perms; allow winbind_t self:unix_dgram_socket create_socket_perms; allow winbind_t self:unix_stream_socket create_stream_socket_perms; -@@ -683,9 +766,10 @@ +@@ -683,9 +761,10 @@ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) files_pid_filetrans(winbind_t, winbind_var_run_t, file) @@ -20682,7 +20765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(winbind_t) corenet_all_recvfrom_netlabel(winbind_t) -@@ -709,10 +793,12 @@ +@@ -709,10 +788,12 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) 
@@ -20695,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(winbind_t) -@@ -768,8 +854,13 @@ +@@ -768,8 +849,13 @@ userdom_use_user_terminals(winbind_helper_t) optional_policy(` @@ -20709,7 +20792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -778,6 +869,16 @@ +@@ -778,6 +864,16 @@ # optional_policy(` @@ -20726,7 +20809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -788,9 +889,43 @@ +@@ -788,9 +884,43 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -21996,7 +22079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.3/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-02-02 14:39:09.000000000 -0500 @@ -75,7 +75,7 @@ ubac_constrained(ssh_tmpfs_t) @@ -23252,7 +23335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-28 13:23:35.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500 @@ -34,6 +34,13 @@ ## 
@@ -23652,17 +23735,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +651,8 @@ +@@ -550,9 +651,11 @@ ') optional_policy(` - unconfined_domain(xdm_t) - unconfined_domtrans(xdm_t) +- unconfined_domtrans(xdm_t) ++ unconfined_shell_domtrans(xdm_t) + unconfined_signal(xdm_t) ++') ++optional_policy(` ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -571,6 +672,10 @@ + ') +@@ -571,6 +674,10 @@ ') optional_policy(` @@ -23673,7 +23760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +692,7 @@ +@@ -587,7 +694,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23682,7 +23769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +707,11 @@ +@@ -602,9 +709,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23694,7 +23781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -622,7 +729,7 @@ +@@ -622,7 +731,7 @@ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) 
@@ -23703,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,6 +742,15 @@ +@@ -635,6 +744,15 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23719,7 +23806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Create files in /var/log with the xserver_log_t type. manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t,file) -@@ -680,9 +796,14 @@ +@@ -680,9 +798,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -23734,7 +23821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +818,13 @@ +@@ -697,8 +820,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23748,7 +23835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +846,7 @@ +@@ -720,6 +848,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -23756,7 +23843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +869,7 @@ +@@ -742,7 +871,7 @@ ') ifdef(`enable_mls',` @@ -23765,7 +23852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +901,10 @@ +@@ -774,6 +903,10 @@ ') optional_policy(` 
@@ -23776,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') -@@ -806,7 +937,7 @@ +@@ -806,7 +939,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23785,7 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +958,14 @@ +@@ -827,9 +960,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23800,7 +23887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +980,14 @@ +@@ -844,11 +982,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -23816,7 +23903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +995,11 @@ +@@ -856,6 +997,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') @@ -23828,7 +23915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1025,8 @@ +@@ -881,6 +1027,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -23837,7 +23924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1051,8 @@ +@@ -905,6 +1053,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23846,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,6 +1120,37 @@ +@@ -972,6 +1122,37 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -23884,7 +23971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` tunable_policy(`allow_polyinstantiation',` # xdm needs access for linking .X11-unix to poly /tmp -@@ -986,3 +1165,12 @@ +@@ -986,3 +1167,12 @@ # allow xdm_t user_home_type:file unlink; ') dnl end TODO @@ -27634,7 +27721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-01-19 13:10:02.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -27692,7 +27779,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -367,6 +376,24 @@ +@@ -227,13 +236,9 @@ + # + interface(`unconfined_shell_domtrans',` + gen_require(` +- type unconfined_t; ++ type unconfined_login_domain; + ') +- +- corecmd_shell_domtrans($1,unconfined_t) +- allow unconfined_t $1:fd use; +- allow unconfined_t $1:fifo_file rw_file_perms; +- allow unconfined_t $1:process sigchld; ++ typeattribute $1 unconfined_login_domain + ') + + ######################################## +@@ -367,6 +372,24 @@ ######################################## ## @@ -27717,7 +27820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send generic signals to the unconfined domain. ## ## -@@ -581,3 +608,150 @@ +@@ -581,3 +604,150 @@ allow $1 unconfined_t:dbus acquire_svc; ') @@ -27870,11 +27973,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500 -@@ -6,35 +6,77 @@ ++++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500 +@@ -5,36 +5,86 @@ + # # Declarations # - ++attribute unconfined_login_domain; ++ +## +##
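Review bot: In the rewritten `unconfined_shell_domtrans` the `gen_require` block asks for `type unconfined_login_domain;`, but the unconfined.te hunk of this same patch declares that name with `attribute unconfined_login_domain;`. The new `typeattribute $1 unconfined_login_domain` line is also shown without a terminating semicolon. I would change the two lines to `attribute unconfined_login_domain;` and `typeattribute $1 unconfined_login_domain;`. The interface now only tags the caller and grants nothing by itself, so its doc comment, which lies above this hunk, should say that the shell transition to unconfined_t is gated by the `unconfined_login` boolean. The `unconfined_shell_domtrans(xdm_t)` call introduced in the xserver.te hunk depends on that behaviour.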

+## Transition to confined nsplugin domains from unconfined user @@ -27884,6 +27989,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +## +##

++## Allow a user to login as an unconfined domain ++##

++##
++gen_tunable(unconfined_login, true) ++ ++## ++##

+## Allow unconfined domain to map low memory in the kernel +##

+##
@@ -27895,7 +28007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##

+##
+gen_tunable(allow_unconfined_qemu_transition, false) -+ + # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types @@ -27956,7 +28068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r) -@@ -42,26 +84,39 @@ +@@ -42,26 +92,39 @@ logging_run_auditctl(unconfined_t, unconfined_r) mount_run_unconfined(unconfined_t, unconfined_r) @@ -27998,7 +28110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -102,12 +157,24 @@ +@@ -102,12 +165,24 @@ ') optional_policy(` @@ -28023,7 +28135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -119,31 +186,33 @@ +@@ -119,31 +194,33 @@ ') optional_policy(` @@ -28064,7 +28176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -155,36 +224,38 @@ +@@ -155,36 +232,38 @@ ') optional_policy(` @@ -28115,7 +28227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -192,7 +263,7 @@ +@@ -192,7 +271,7 @@ ') optional_policy(` @@ -28124,7 +28236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -204,11 +275,12 @@ +@@ -204,11 +283,12 @@ ') optional_policy(` @@ -28139,7 +28251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -218,14 +290,60 @@ +@@ -218,14 +298,68 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
@@ -28183,7 +28295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type mplayer_exec_t; + ') + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') + ') + +optional_policy(` +tunable_policy(`allow_unconfined_nsplugin_transition',`', ` @@ -28191,7 +28303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + type mozilla_exec_t; + ') + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) - ') ++') +') + +optional_policy(` @@ -28202,6 +28314,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ ++tunable_policy(`unconfined_login',` ++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) ++ allow unconfined_t unconfined_login_domain:fd use; ++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; ++ allow unconfined_t unconfined_login_domain:process sigchld; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/system/userdomain.fc 2009-01-19 13:10:02.000000000 -0500 
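Review bot: The new `tunable_policy(`unconfined_login',` … `')` block at the end of unconfined.te has no comment, although it now carries the rules that the unconfined.if hunk removes from `unconfined_shell_domtrans`. A reader of this file cannot tell where members of `unconfined_login_domain` come from. I would add `# Domains tagged by unconfined_shell_domtrans() may start a shell in unconfined_t only while unconfined_login is on` above it. The boolean defaults to `true`, and as far as this patch shows it gates only this shell transition. The changelog wording "disallow unconfined_t login" therefore holds only if no other entry path into unconfined_t remains for login programs, which should be confirmed.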
@@ -28216,7 +28336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-30 09:14:16.000000000 -0500 ++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-02-03 10:23:11.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -29682,7 +29802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ##
## -@@ -2981,3 +3235,285 @@ +@@ -2981,3 +3235,313 @@ allow $1 userdomain:dbus send_msg; ') @@ -29968,6 +30088,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + exec_files_pattern($1, admin_home_t, admin_home_t) +') + ++ ++####################################### ++## ++## Manage all files/directories in the homedir ++## ++## ++## ++## The user domain ++## ++## ++## ++# ++interface(`userdom_manage_user_home_content',` ++ gen_require(` ++ type user_home_dir_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) ++ ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.3/policy/modules/system/userdomain.te 2009-01-19 13:10:02.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 4cd961e..682aabf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.3 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
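Review bot: The doc block of the new `userdom_manage_user_home_content` interface understates what the body grants. The summary reads "Manage all files/directories in the homedir", but the body also manages symlinks, sockets and fifos and adds a `filetrans_pattern` into `user_home_t`. The parameter is described as "The user domain", yet the only caller in this patch is `smbd_t`, a daemon domain. I would reword the summary to name the object classes and the file transition, and use the usual `Domain allowed access.` for the parameter. There is also a stray blank line before the closing `')` that can go.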
@@ -234,7 +234,7 @@ make clean %installCmds olpc mcs n y allow %endif -make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ @@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Mon Feb 2 2009 Dan Walsh 3.6.3-13 +- Add boolean to disallow unconfined_t login + * Fri Jan 30 2009 Dan Walsh 3.6.3-12 - Add back transition from xguest to mozilla