From 3c970690087d819518dd1f6cb87d6aa69cbdbc8f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 30 2008 20:52:16 +0000 Subject: - Allow exim to use system_cron pipes - Allow gdm to read rpm database - Allow nsplugin to read mplayer config files - Allow login programs to write to /var/run/pam directory (Encrypted directories) --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 890ee91..f25138b 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1456,18 +1456,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-3.3.1/policy/modules/admin/amanda.te --- nsaserefpolicy/policy/modules/admin/amanda.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-12 23:38:02.000000000 -0400 -@@ -82,8 +82,7 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/amanda.te 2008-06-29 08:00:54.000000000 -0400 +@@ -82,8 +82,9 @@ allow amanda_t amanda_config_t:file { getattr read }; # access to amandas data structure -allow amanda_t amanda_data_t:dir { read search write }; -allow amanda_t amanda_data_t:file manage_file_perms; ++manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) +manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) ++filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) # access to amanda_dumpdates_t allow amanda_t amanda_dumpdates_t:file { getattr lock read write }; -@@ -94,7 +93,7 @@ +@@ -94,7 +95,7 @@ # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists) allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms; allow amanda_t amanda_gnutarlists_t:file manage_file_perms; 
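Review bot: The new `filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })` does more than set a default label: in refpolicy that macro also grants `rw_dir_perms` on the parent type, so amanda_t can now create and remove entries in every `amanda_config_t` directory, while the same hunk keeps files of that type read-only (`{ getattr read }`). If only one subdirectory of the config tree receives data, a dedicated type for it would keep the config directories themselves read-only; if the widening is intended, a comment such as `# amanda creates data files under its config tree; new entries are labelled amanda_data_t` should record it. The added lines also put spaces after commas where the neighbouring `manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t)` calls do not; pick one form for the file.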
@@ -1476,7 +1478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda. manage_dirs_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) manage_files_pattern(amanda_t,amanda_var_lib_t,amanda_var_lib_t) -@@ -220,6 +219,7 @@ +@@ -220,6 +221,7 @@ auth_use_nsswitch(amanda_recover_t) fstools_domtrans(amanda_t) @@ -2135,6 +2137,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te - dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr; - dontaudit mrtg_t root_t:lnk_file getattr; -') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.if serefpolicy-3.3.1/policy/modules/admin/netutils.if +--- nsaserefpolicy/policy/modules/admin/netutils.if 2008-06-12 23:38:01.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/netutils.if 2008-06-30 13:17:25.000000000 -0400 +@@ -124,6 +124,24 @@ + + ######################################## + ## ++## Send generic signals to netutils. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`netutils_signal',` ++ gen_require(` ++ type netutils_t; ++ ') ++ ++ allow $1 netutils_t:process signal; ++') ++ ++######################################## ++## + ## Execute ping in the ping domain, and + ## allow the specified role the ping domain. + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/netutils.te 2008-06-12 23:38:03.000000000 -0400 
@@ -6031,8 +6061,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,210 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-06-29 08:22:11.000000000 -0400 +@@ -0,0 +1,211 @@ + +policy_module(nsplugin,1.0.0) + @@ -6116,6 +6146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + +files_read_usr_files(nsplugin_t) +files_read_etc_files(nsplugin_t) ++files_read_config_files(nsplugin_t) + +fs_list_inotifyfs(nsplugin_t) +fs_manage_tmpfs_files(nsplugin_t) @@ -12263,19 +12294,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.fc serefpolicy-3.3.1/policy/modules/services/courier.fc --- nsaserefpolicy/policy/modules/services/courier.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/courier.fc 2008-06-30 13:23:49.000000000 -0400 
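Review bot: `files_read_config_files(nsplugin_t)` is considerably broader than the commit message's "read mplayer config files": if this is the usual refpolicy interface, it grants read on every type carrying the `configfile` attribute, not only the file the plugin needs, and nsplugin_t is the domain that runs untrusted web content. If mplayer's configuration can be given (or already has) a specific type, an interface for that type would be the narrower fix; if the broad grant is deliberate, a comment above the line such as `# mplayer plugin reads its config; this covers all configfile types, not just mplayer's` would document the trade-off. The nsplugin_t rule block continues outside the hunk.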
@@ -1,4 +1,5 @@ /etc/courier(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) +/etc/authlib(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) /usr/bin/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -@@ -6,11 +7,18 @@ +@@ -6,11 +7,19 @@ /usr/sbin/courierldapaliasd -- gen_context(system_u:object_r:courier_exec_t,s0) /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) +/usr/libexec/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) /usr/lib(64)?/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0) ++/usr/lib(64)?/courier/sendmail -- gen_context(system_u:object_r:courier_exec_t,s0) +/usr/lib(64)?/courier/bin(/.*)? gen_context(system_u:object_r:courier_exec_t,s0) +/usr/lib(64)?/courier/sbin(/.*)? gen_context(system_u:object_r:courier_exec_t,s0) /usr/lib(64)?/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0) @@ -12289,7 +12321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cour /usr/lib(64)?/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib(64)?/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) -@@ -19,3 +27,5 @@ +@@ -19,3 +28,5 @@ /var/lib/courier(/.*)? -- gen_context(system_u:object_r:courier_var_lib_t,s0) /var/run/courier(/.*)? -- gen_context(system_u:object_r:courier_var_run_t,s0) 
@@ -12418,7 +12450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-06-30 13:57:14.000000000 -0400 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -13598,6 +13630,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + +userdom_dontaudit_read_sysadm_home_content_files(cups_pdf_t) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-3.3.1/policy/modules/services/cvs.fc +--- nsaserefpolicy/policy/modules/services/cvs.fc 2008-06-12 23:38:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cvs.fc 2008-06-30 16:00:29.000000000 -0400 +@@ -5,3 +5,6 @@ + + /var/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) + ++#CVSWeb file context ++/usr/share/cvsweb/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) ++/var/www/cgi-bin/cvsweb\.cgi -- gen_context(system_u:object_r:httpd_cvs_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if --- nsaserefpolicy/policy/modules/services/cvs.if 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-06-12 23:38:04.000000000 -0400 
@@ -13676,7 +13718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-06-12 23:38:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-06-30 16:00:47.000000000 -0400 @@ -28,6 +28,9 @@ type cvs_var_run_t; files_pid_file(cvs_var_run_t) @@ -13704,18 +13746,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs. mta_send_mail(cvs_t) # cjp: typeattribute doesnt work in conditionals yet -@@ -102,11 +104,3 @@ - kerberos_read_config(cvs_t) +@@ -103,10 +105,12 @@ kerberos_dontaudit_write_config(cvs_t) ') -- + -optional_policy(` - nis_use_ypbind(cvs_t) -') -- ++######################################## ++# CVSWeb policy + -optional_policy(` - nscd_socket_use(cvs_t) -') ++apache_content_template(cvs) ++ ++read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) ++manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t) ++manage_files_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t) ++files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.3.1/policy/modules/services/cyphesis.fc --- nsaserefpolicy/policy/modules/services/cyphesis.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/cyphesis.fc 2008-06-12 23:38:04.000000000 -0400 
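Review bot: `manage_dirs_pattern(httpd_cvs_script_t_t,cvs_tmp_t,cvs_tmp_t)` names `httpd_cvs_script_t_t`, which is not a declared type (the sibling lines use `httpd_cvs_script_t`), so the module will fail to build; the line should read `manage_dirs_pattern(httpd_cvs_script_t,cvs_tmp_t,cvs_tmp_t)`. A CGI that browses a repository also has to list directories, and `read_files_pattern` on `cvs_data_t` gives only `search` on the directories, so `list_dirs_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)` is probably needed as well — confirm against the AVC denials. Note too that `apache_content_template(cvs)` is called unconditionally here and the new cvs.fc entries reference the types it declares, so the cvs module now hard-depends on the apache module; a one-line comment stating that dependency would help the next maintainer.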
@@ -15457,7 +15506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.3.1/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-06-12 23:38:03.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/exim.te 2008-06-30 13:58:55.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files,false) @@ -15562,7 +15611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim tunable_policy(`exim_read_user_files',` userdom_read_unpriv_users_home_content_files(exim_t) -@@ -111,3 +144,71 @@ +@@ -111,3 +144,76 @@ userdom_read_unpriv_users_tmp_files(exim_t) userdom_write_unpriv_users_tmp_files(exim_t) ') @@ -15604,6 +15653,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') + +optional_policy(` ++ cron_read_pipes(exim_t) ++ cron_rw_system_job_pipes(exim_t) ++') ++ ++optional_policy(` + cyrus_stream_connect(exim_t) +') + 
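Review bot: The new `optional_policy` block grants two things where the commit message names one: `cron_rw_system_job_pipes(exim_t)` covers pipes inherited from system cron jobs, while `cron_read_pipes(exim_t)` additionally lets exim_t read pipes owned by the cron daemon itself, assuming these interfaces have their usual refpolicy meaning. If the denials were only against `system_crond_t` pipes, drop the first line; otherwise add a comment such as `# exim is run from cron jobs and inherits their stdout/stderr pipes` so the purpose of the pair is recorded. The exim_t policy continues outside this hunk.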
@@ -17656,22 +17710,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail +files_type(mailscanner_spool_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-06-12 23:38:04.000000000 -0400 -@@ -9,8 +9,10 @@ - ') - ++++ serefpolicy-3.3.1/policy/modules/services/mta.fc 2008-06-30 13:25:01.000000000 -0400 +@@ -11,6 +11,7 @@ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -+/usr/lib(64)?/courier/sendmail -- gen_context(system_u:object_r:courier_exec_t,s0) /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) -@@ -25,3 +27,4 @@ - #ifdef(`postfix.te', `', ` - #/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) - #') +@@ -22,6 +23,4 @@ + /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) + /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) + +-#ifdef(`postfix.te', `', ` +-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +-#') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.3.1/policy/modules/services/mta.if --- nsaserefpolicy/policy/modules/services/mta.if 2008-06-12 23:38:02.000000000 -0400 
@@ -17850,7 +17904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-24 05:41:39.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-30 13:57:46.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # @@ -20141,8 +20195,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.3.1/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-06-12 23:38:04.000000000 -0400 -@@ -0,0 +1,218 @@ ++++ serefpolicy-3.3.1/policy/modules/services/polkit.te 2008-06-30 10:22:01.000000000 -0400 +@@ -0,0 +1,220 @@ +policy_module(polkit_auth,1.0.0) + +######################################## @@ -20299,6 +20353,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk + +polkit_domtrans_auth(polkit_grant_t) + ++manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t) ++ +manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) +userdom_read_all_users_state(polkit_grant_t) + 
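Review bot: `manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t)` lets polkit_grant_t create files of type `polkit_var_run_t`, but nothing in the hunk sets a default label for files it creates directly in `/var/run`; if polkit-grant writes under the pid directory itself rather than into an existing `polkit_var_run_t` subdirectory, a `files_pid_filetrans(polkit_grant_t, polkit_var_run_t, file)` is needed or the files come out as `var_run_t`. The added line also omits the spaces after commas that the adjacent `manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)` uses; match the neighbouring style. The polkit_grant_t policy runs beyond this hunk.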
@@ -21404,8 +21460,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-24 06:34:17.000000000 -0400 -@@ -0,0 +1,248 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-30 15:19:48.000000000 -0400 +@@ -0,0 +1,249 @@ + +policy_module(prelude, 1.0.0) + @@ -21555,10 +21611,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +libs_use_shared_libs(prelude_audisp_t) + +logging_send_syslog_msg(prelude_audisp_t) ++logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t) + +miscfiles_read_localization(prelude_audisp_t) + -+logging_audisp_system_domain(prelude_audisp_t, prelude_audisp_exec_t) ++sysnet_dns_name_resolve(prelude_audisp_t) + +######################################## +# @@ -22368,7 +22425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.3.1/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/razor.if 2008-06-12 23:38:04.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/razor.if 2008-06-30 13:44:58.000000000 -0400 @@ -137,6 +137,7 @@ template(`razor_per_role_template',` gen_require(` @@ -22394,10 +22451,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo ############################## # -@@ -218,3 +217,42 @@ +@@ -217,4 +216,44 @@ + ') domtrans_pattern($1, razor_exec_t, razor_t) - ') ++ allow $1 razor_t:process signal; ++') + +######################################## +## 
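Review bot: `sysnet_dns_name_resolve(prelude_audisp_t)` gives an audit-dispatcher plugin network client access for name lookups with no explanation, while the rest of this block is purely local (syslog, localization, audisp registration); a why-comment is warranted, for example `# prelude-audisp resolves the configured prelude-manager hostname` — assuming that is the reason, which should be confirmed against the denial. If the plugin only ever connects to a literal address, the rule can be dropped instead. The prelude_audisp_t section continues outside the hunk.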
@@ -22435,7 +22494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo + allow $2 user_home_dir_t:dir search_dir_perms; + manage_files_pattern($2,user_razor_home_t,user_razor_home_t) + read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t) -+') + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.3.1/policy/modules/services/razor.te --- nsaserefpolicy/policy/modules/services/razor.te 2008-06-12 23:38:01.000000000 -0400 @@ -28294,7 +28353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-14 07:17:28.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-06-29 08:15:14.000000000 -0400 @@ -8,6 +8,14 @@ ## @@ -28367,7 +28426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type iceauth_exec_t; -application_executable_file(iceauth_exec_t) +application_domain(iceauth_t,iceauth_exec_t) - ++ +type input_xevent_t, xevent_type; +type manage_xevent_t, xevent_type; +type output_xext_t, xextension_type; @@ -28383,7 +28442,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +type x_rootcolormap_t; +type x_rootscreen_t; +type x_rootwindow_t; -+ + +type xauth_t; type xauth_exec_t; -application_executable_file(xauth_exec_t) 
@@ -28642,14 +28701,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` alsa_domtrans(xdm_t) + alsa_read_rw_config(xdm_t) ++') ++ ++optional_policy(` ++ bootloader_domtrans(xdm_t) ') optional_policy(` - consolekit_dbus_chat(xdm_t) -+ bootloader_domtrans(xdm_t) -+') -+ -+optional_policy(` + consolekit_read_log(xdm_t) ') @@ -28689,7 +28748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -335,6 +499,11 @@ +@@ -335,6 +499,21 @@ ') optional_policy(` @@ -28698,10 +28757,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + +optional_policy(` ++ resmgr_stream_connect(xdm_t) ++') ++ ++# On crash gdm execs gdb to dump stack ++optional_policy(` ++ rpm_read_db(xdm_t) ++ rpm_dontaudit_manage_db(xdm_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -343,8 +512,8 @@ +@@ -343,8 +522,8 @@ ') optional_policy(` @@ -28711,7 +28780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -380,7 +549,7 @@ +@@ -380,7 +559,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -28720,7 +28789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -392,6 +561,15 @@ +@@ -392,6 +571,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -28736,7 +28805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -404,9 +582,18 @@ +@@ -404,9 +592,18 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) 
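Review bot: The comment `# On crash gdm execs gdb to dump stack` explains why rpm rules appear, but reading the rpm database is only a small part of what a gdb run in xdm_t would need (ptrace, reading debuginfo, execmem); if gdb really runs in xdm_t expect further denials, and if it transitions elsewhere the comment should say so. Consider `# gdm runs gdb on crash; gdb presumably consults the rpm database to suggest debuginfo packages` so the reason for the rpm access specifically is recorded. `rpm_dontaudit_manage_db(xdm_t)` also silences write attempts, which is fine only if those are known to be harmless probes rather than a real misbehaviour. The xdm_t optional_policy list continues outside this hunk.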
@@ -28755,10 +28824,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -420,6 +607,22 @@ +@@ -420,7 +617,19 @@ ') optional_policy(` +- resmgr_stream_connect(xdm_t) + dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) + + optional_policy(` @@ -28772,13 +28842,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +optional_policy(` + mono_rw_shm(xdm_xserver_t) -+') -+ -+optional_policy(` - resmgr_stream_connect(xdm_t) ') -@@ -429,47 +632,138 @@ + optional_policy(` +@@ -429,47 +638,138 @@ ') optional_policy(` @@ -28803,15 +28870,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + unconfined_signal(xdm_xserver_t) + unconfined_getpgid(xdm_xserver_t) + unconfined_domain(xdm_xserver_t) -+') -+ -+ -+tunable_policy(`allow_xserver_execmem', ` -+ allow xdm_xserver_t self:process { execheap execmem execstack }; -+') -+ -+ifndef(`distro_redhat',` -+ allow xdm_xserver_t self:process { execheap execmem }; ') -ifdef(`TODO',` @@ -28835,10 +28893,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -allow xdm_t polymember:lnk_file { create unlink }; -# xdm needs access for copying .Xauthority into new home -allow xdm_t polymember:file { create getattr write }; -+ifdef(`distro_rhel4',` ++ ++tunable_policy(`allow_xserver_execmem', ` ++ allow xdm_xserver_t self:process { execheap execmem execstack }; ++') ++ ++ifndef(`distro_redhat',` + allow xdm_xserver_t self:process { execheap execmem }; ') ++ifdef(`distro_rhel4',` ++ allow xdm_xserver_t self:process { execheap execmem }; ++') ++ +############################## # -# Wants to delete .xsession-errors file 
@@ -28889,10 +28956,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') + +############################## -+# -+# iceauth_t Local policy # -allow xdm_t user_home_type:file unlink; ++# iceauth_t Local policy + # +-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor + +allow iceauth_t user_iceauth_home_t:file manage_file_perms; +userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file) @@ -28917,11 +28985,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +######################################## # --# Should fix exec of pam_timestamp_check is not closing xdm file descriptor -+# Rules for unconfined access to this module - # -allow pam_t xdm_t:fifo_file { getattr ioctl write }; -') dnl end TODO ++# Rules for unconfined access to this module ++# + +allow xserver_unconfined_type x_server_domain:x_server *; +allow xserver_unconfined_type { x_domain x_rootwindow_t self }:x_drawable *; @@ -29199,7 +29266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.3.1/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-12 23:38:02.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/authlogin.if 2008-06-30 16:49:50.000000000 -0400 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) 
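Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` uses `$1` in a .te file, where no macro argument is in scope; m4 leaves the text as-is and the interface expands with a literal `$1` as the role prefix, so the module will almost certainly fail to build. The line looks lifted from a per-role template: either pass the prefix the template expects (for `user_iceauth_home_t` presumably `user`, as in `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)`), or move the rule into the template that already parameterises the role. This is unchanged context rather than a line the commit touches, but it sits in the same iceauth_t block being rearranged, so it is worth fixing here. The iceauth_t block continues beyond the hunk.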
@@ -29257,7 +29324,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo # for SSP/ProPolice dev_read_urand($1) # for fingerprint readers -@@ -226,8 +239,40 @@ +@@ -207,14 +220,15 @@ + mls_process_set_level($1) + mls_fd_share_all_levels($1) + ++ auth_append_login_records($1) ++ auth_exec_pam($1) + auth_domtrans_chk_passwd($1) + auth_domtrans_upd_passwd($1) + auth_dontaudit_read_shadow($1) + auth_read_login_records($1) +- auth_append_login_records($1) +- auth_rw_lastlog($1) ++ auth_manage_pam_pid($1) + auth_rw_faillog($1) +- auth_exec_pam($1) ++ auth_rw_lastlog($1) + auth_use_nsswitch($1) + + init_rw_utmp($1) +@@ -226,8 +240,40 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -29298,7 +29384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -333,19 +378,15 @@ +@@ -333,19 +379,15 @@ dev_read_rand($1) dev_read_urand($1) @@ -29322,7 +29408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -356,6 +397,28 @@ +@@ -356,6 +398,28 @@ optional_policy(` samba_stream_connect_winbind($1) ') @@ -29351,7 +29437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -369,12 +432,12 @@ +@@ -369,12 +433,12 @@ ## ## ## @@ -29366,7 +29452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## ## # -@@ -386,6 +449,7 @@ +@@ -386,6 +450,7 @@ auth_domtrans_chk_passwd($1) role $2 types system_chkpwd_t; allow system_chkpwd_t $3:chr_file rw_file_perms; @@ -29374,7 +29460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1447,6 +1511,10 @@ +@@ -1447,6 +1512,10 @@ ') optional_policy(` 
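Review bot: `auth_manage_pam_pid($1)` gives every login-program domain full manage rights (create, unlink, rename, not just write) on the pam pid type, and because the type is shared, any one confined login program can remove or replace state another one created under `/var/run/pam`; that is probably acceptable, but the line has no why-comment, e.g. `# login programs keep per-session state under /var/run/pam (needed for encrypted home directories)` — the commit message only says "Encrypted directories", so confirm which PAM module actually needs it. The hunk also reorders the existing `auth_*` calls alphabetically in the same change, which mixes a cosmetic move with the functional addition and makes the diff harder to audit; keep reorders in their own hunk. The enclosing interface body starts and ends outside this hunk.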
@@ -29385,7 +29471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo nis_use_ypbind($1) ') -@@ -1457,6 +1525,7 @@ +@@ -1457,6 +1526,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) @@ -29393,7 +29479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -1491,3 +1560,59 @@ +@@ -1491,3 +1561,59 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -29659,8 +29745,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.3.1/policy/modules/system/hotplug.te --- nsaserefpolicy/policy/modules/system/hotplug.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/hotplug.te 2008-06-12 23:38:02.000000000 -0400 -@@ -179,6 +179,7 @@ ++++ serefpolicy-3.3.1/policy/modules/system/hotplug.te 2008-06-30 13:17:55.000000000 -0400 +@@ -120,6 +120,7 @@ + optional_policy(` + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(hotplug_t) ++ netutils_signal(hotplug_t) + fs_rw_tmpfs_chr_files(hotplug_t) + ') + files_getattr_generic_locks(hotplug_t) +@@ -179,6 +180,7 @@ sysnet_read_dhcpc_pid(hotplug_t) sysnet_rw_dhcp_config(hotplug_t) sysnet_domtrans_ifconfig(hotplug_t)
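Review bot: `netutils_signal(hotplug_t)` is the only line the commit adds here, but the `optional_policy` block it joins also contains `fs_rw_tmpfs_chr_files(hotplug_t)`, which has no dependency on the netutils module and is therefore silently dropped whenever netutils is absent; if that rule is needed unconditionally, move it out to a bare `fs_rw_tmpfs_chr_files(hotplug_t)` after the block. The comment `# for arping used for static IP addresses on PCMCIA ethernet` describes the domtrans but not the new signal rule; extend it with whatever the denial showed (e.g. hotplug signalling arping when it times out) so the pair is explained. The hotplug_t policy continues outside this hunk.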