From 548c96838a4845095dc0cf4bbfb278109e2cbacb Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 07 2007 21:18:41 +0000 Subject: - Allow kdm to transition to bootloader_t through grub --- diff --git a/policy-20070703.patch b/policy-20070703.patch index b0c2759..aae74c3 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3237,7 +3237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-07 13:35:56.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-07 15:45:14.000000000 -0500 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -3506,7 +3506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,6 +270,7 @@ +@@ -350,21 +270,26 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -3514,15 +3514,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -360,11 +281,17 @@ - ') - - optional_policy(` -+ gnome_exec_gconf($1_mozilla_t) -+ gnome_manage_user_gnome_config($1,$1_mozilla_t) + dbus_system_bus_client_template($1_mozilla,$1_mozilla_t) +- dbus_send_system_bus($1_mozilla_t) +- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) +- dbus_send_user_bus($1,$1_mozilla_t) ++# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) + ') + + optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) + ') + + optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') 
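Review bot: In the mozilla.if hunk (`@@ -3514,15 +3514,19 @@`) the session-bus template is left behind as commented-out code, `# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)`, with no explanation, while `dbus_send_system_bus` and `dbus_send_user_bus` are dropped from the same block. A one-line comment such as `# FIXME: session bus client disabled because <reason>; re-enable once fixed` would tell the next maintainer whether the browser domain is meant to reach the session bus at all. The same hunk also adds `gnome_manage_user_gnome_config($1,$1_mozilla_t)`, which by its name gives the browser domain create/write/delete access to the user's GNOME configuration. Since that domain handles untrusted web content, it is worth confirming that a read-only interface is not sufficient; the interface definition is not on this page, so the exact permission set has to be checked there.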
@@ -3533,7 +3537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -384,25 +311,6 @@ +@@ -384,25 +309,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') @@ -3559,7 +3563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -575,3 +483,27 @@ +@@ -575,3 +481,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -4963,7 +4967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-12-07 15:03:55.000000000 -0500 @@ -271,45 +271,6 @@ ######################################## @@ -5010,7 +5014,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Mount an automount pseudo filesystem. ## ## -@@ -1231,7 +1192,7 @@ +@@ -1171,6 +1132,25 @@ + + ######################################## + ## ++## Create, read, write, and delete dirs ++## on a DOS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') ++ ++ manage_dirs_pattern($1,dosfs_t,dosfs_t) ++') ++ ++######################################## ++## + ## Create, read, write, and delete files + ## on a DOS filesystem. + ## +@@ -1231,7 +1211,7 @@ ######################################## ## @@ -5019,7 +5049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -2139,6 +2100,7 @@ +@@ -2139,6 +2119,7 @@ rw_files_pattern($1,nfsd_fs_t,nfsd_fs_t) ') 
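Review bot: The new `fs_manage_dos_dirs` interface in the filesystem.if hunk (`@@ -5010,7 +5014,33 @@`) is documented only as "Create, read, write, and delete dirs on a DOS filesystem", which does not show how wide the grant is. As far as I know `dosfs_t` is a filesystem-wide label in the reference policy, because FAT-type mounts carry no per-file contexts. A caller would then get directory management on every such mount, removable media included, and not only on `/boot/efi` as the userdomain.if comment further down this patch suggests. I would add a line to the description, for example `## Note: dosfs_t covers every mounted DOS/FAT filesystem, not only /boot/efi.`, so that callers grant it deliberately. The caller of the new interface is not visible in these hunks.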
@@ -5027,7 +5057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ######################################## ## ## Mount a RAM filesystem. -@@ -2214,6 +2176,24 @@ +@@ -2214,6 +2195,24 @@ ######################################## ## @@ -5052,7 +5082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Search directories on a ramfs ## ## -@@ -2276,7 +2256,7 @@ +@@ -2276,7 +2275,7 @@ ## Domain allowed access. ## ## @@ -5061,7 +5091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy interface(`fs_dontaudit_read_ramfs_files',` gen_require(` type ramfs_t; -@@ -3322,6 +3302,24 @@ +@@ -3322,6 +3321,24 @@ ######################################## ## @@ -5086,7 +5116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## List all directories with a filesystem type. ## ## -@@ -3533,3 +3531,42 @@ +@@ -3533,3 +3550,42 @@ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs) relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs) ') @@ -7967,7 +7997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-07 13:31:07.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-12-07 15:45:18.000000000 -0500 @@ -50,6 +50,12 @@ ## # 
@@ -18828,7 +18858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-05 08:41:28.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-07 15:26:55.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -19595,17 +19625,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -977,23 +1053,51 @@ +@@ -976,24 +1052,48 @@ + typeattribute $1_home_t user_home_type; typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; ++') - userdom_poly_home_template($1) - userdom_poly_tmp_template($1) -+ optional_policy(` -+ loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ ') -+') -+ +####################################### +## +## The template for creating a unprivileged user. @@ -19658,7 +19685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,42 +1133,22 @@ +@@ -1029,20 +1129,11 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) 
@@ -19668,30 +19695,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - kerberos_use($1_t) -+ hal_dbus_chat($1_t) - ') - -+ # Run pppd in pppd_t by default for user - optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) -+ ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ setroubleshoot_stream_connect($1_t) - ') - -- # Run pppd in pppd_t by default for user -- optional_policy(` -- ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) +- loadkeys_run($1_t,$1_r,$1_tty_device_t) - ') - +- optional_policy(` +- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ hal_dbus_chat($1_t) + ') + + # Run pppd in pppd_t by default for user +@@ -1054,17 +1145,6 @@ + setroubleshoot_stream_connect($1_t) + ') + - ifdef(`TODO',` - ifdef(`xdm.te', ` - # this should cause the .xsession-errors file to be written to /tmp @@ -19706,7 +19726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1186,8 @@ +@@ -1102,6 +1182,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -19715,7 +19735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1213,7 @@ +@@ -1127,7 +1209,7 @@ # $1_t local policy # @@ -19724,7 +19744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1225,11 @@ +@@ -1139,7 +1221,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; 
@@ -19737,7 +19757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1277,6 +1367,7 @@ +@@ -1277,6 +1363,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -19745,7 +19765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1642,9 +1733,13 @@ +@@ -1642,9 +1729,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -19759,7 +19779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1989,46 @@ +@@ -1894,10 +1985,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -19807,7 +19827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2994,6 +3125,25 @@ +@@ -2994,6 +3121,25 @@ ######################################## ## @@ -19833,7 +19853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create objects in a user temporary directory ## with an automatic type transition to ## a specified private type. -@@ -3078,7 +3228,7 @@ +@@ -3078,7 +3224,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -19842,7 +19862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4410,6 +4560,7 @@ +@@ -4410,6 +4556,7 @@ ') dontaudit $1 sysadm_home_dir_t:dir getattr; 
@@ -19850,7 +19870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4574,6 +4725,7 @@ +@@ -4574,6 +4721,7 @@ allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t) @@ -19858,7 +19878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4609,11 +4761,29 @@ +@@ -4609,11 +4757,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -19889,7 +19909,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4803,14 @@ +@@ -4633,6 +4799,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -19904,7 +19924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5501,7 @@ +@@ -5323,7 +5497,7 @@ attribute user_tmpfile; ') @@ -19913,7 +19933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5346,6 +5524,25 @@ +@@ -5346,6 +5520,25 @@ ######################################## ## @@ -19939,7 +19959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Write all unprivileged users files in /tmp ## ## -@@ -5529,6 +5726,24 @@ +@@ -5529,6 +5722,24 @@ ######################################## ## @@ -19964,7 +19984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5774,396 @@ +@@ -5559,3 +5770,399 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -20151,6 +20171,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +template(`userdom_restricted_xwindows_user_template', ` + +userdom_restricted_user_template($1) ++ ++ optional_policy(` ++ dbus_per_role_template($1, $1_usertype, $1_r) ++ dbus_system_bus_client_template($1, $1_usertype) ++ allow $1_usertype $1_usertype:dbus send_msg; ++ ++ optional_policy(` ++ cups_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ ') ++ ') ++ ++ optional_policy(` ++ java_per_role_template($1, $1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ mono_per_role_template($1, $1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ ') ++ +userdom_xwindows_client_template($1) + +logging_send_syslog_msg($1_usertype) @@ -20178,30 +20225,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +dev_read_sound($1_usertype) +dev_write_sound($1_usertype) + -+optional_policy(` -+ dbus_per_role_template($1, $1_usertype, $1_r) -+ dbus_system_bus_client_template($1, $1_usertype) -+ allow $1_usertype $1_usertype:dbus send_msg; -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ ') -+ -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ java_per_role_template($1, $1_t, $1_r) -+ ') -+ -+ optional_policy(` -+ mono_per_role_template($1, $1_t, $1_r) -+ ') -+ -+') -+ +# gnome keyring wants to read this. Needs to be exlicitly granted +dev_dontaudit_read_rand($1_usertype) + 
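Review bot: The block added to `userdom_restricted_xwindows_user_template` (`@@ -20151,6 +20171,33 @@`) grants `loadkeys_run($1_t,$1_r,$1_tty_device_t)` to restricted X users without a comment saying why such a role needs to run loadkeys. Other hunks of this commit appear to remove the same call from the broader user templates, so this reads as a move, but the result is that the most restricted desktop roles end up holding the access. Either drop it here or add a comment such as `# loadkeys needed by restricted X roles because <reason>`. The rule `allow $1_usertype $1_usertype:dbus send_msg;` in the same block is attribute-wide, so every domain carrying `$1_usertype` may message every other one; a short comment stating that this is intended would make it reviewable. The template body starts and continues outside the hunk.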
@@ -20856,7 +20879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm. +## Policy for webadm user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te --- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-12-07 15:47:51.000000000 -0500 @@ -0,0 +1,42 @@ +policy_module(webadm,1.0.0) + @@ -20912,8 +20935,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.0.8/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-12-02 21:15:34.000000000 -0500 -@@ -0,0 +1,54 @@ ++++ serefpolicy-3.0.8/policy/modules/users/xguest.te 2007-12-07 15:55:04.000000000 -0500 +@@ -0,0 +1,60 @@ +policy_module(xguest,1.0.1) + +## @@ -20968,6 +20991,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + bluetooth_dbus_chat(xguest_t) + ') +') ++ ++# The following lines are broken and had to be added by hand ++#allow xguest_mozilla_t { xguest_dbusd_t self }:dbus send_msg; ++#allow xguest_mozilla_t xguest_dbusd_t:dbus connectto; ++#allow xguest_dbusd_t xguest_mozilla_t:dbus send_msg; ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400 +++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-12-02 21:15:34.000000000 -0500
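Review bot: The six lines added at the end of xguest.te (`@@ -20968,6 +20991,12 @@`) ship three commented-out `allow` rules under the comment "The following lines are broken and had to be added by hand", which does not say what is broken or where an administrator is expected to add them. Because they are commented out, the built policy does not contain them, so session-bus traffic between `xguest_mozilla_t` and `xguest_dbusd_t` is presumably denied until someone loads a local module. One of the rules would also not compile if uncommented, because `connectto` is a socket permission and the `dbus` class in the reference policy has only `acquire_svc` and `send_msg` as far as I know. That line should read `allow xguest_mozilla_t xguest_dbusd_t:unix_stream_socket connectto;`. I would reword the comment to something like `# FIXME: dbus_user_bus_client_template is disabled in mozilla.if, so these rules are not generated; add them in a local module until fixed`, if that is indeed the cause.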