From 644114cfe326e7a1aea66653b12b802cb8ad7f70 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 10 2010 17:24:01 +0000 Subject: - Update to upstream --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 3197745..cce75d9 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1462,6 +1462,13 @@ seunshare = module shorewall = base # Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module + +# Layer: admin # Module: sectoolm # # Policy for sectool-mechanism diff --git a/modules-mls.conf b/modules-mls.conf index c966444..64e3d42 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -2008,3 +2008,9 @@ rhcs = module # shorewall = base +# Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module diff --git a/modules-targeted.conf b/modules-targeted.conf index 3197745..cce75d9 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1462,6 +1462,13 @@ seunshare = module shorewall = base # Layer: admin +# Module: shutdown +# +# Policy for shutdown +# +shutdown = module + +# Layer: admin # Module: sectoolm # # Policy for sectool-mechanism diff --git a/policy-F13.patch b/policy-F13.patch index 82dfa5d..7d41d01 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1472,6 +1472,180 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa optional_policy(` iptables_domtrans(shorewall_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.13/policy/modules/admin/shutdown.fc +--- nsaserefpolicy/policy/modules/admin/shutdown.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/shutdown.fc 2010-03-10 12:04:36.000000000 -0500 +@@ -0,0 +1,5 @@ ++/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0) ++ ++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) ++ ++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.13/policy/modules/admin/shutdown.if +--- nsaserefpolicy/policy/modules/admin/shutdown.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/shutdown.if 2010-03-10 12:09:48.000000000 -0500 +@@ -0,0 +1,100 @@ ++ ++## policy for shutdown ++ ++######################################## ++## ++## Execute a domain transition to run shutdown. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`shutdown_domtrans',` ++ gen_require(` ++ type shutdown_t, shutdown_exec_t; ++ ') ++ ++ domtrans_pattern($1, shutdown_exec_t, shutdown_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit shutdown_t $2:socket_class_set { read write }; ++ dontaudit shutdown_t $2:fifo_file rw_inherited_fifo_file_perms; ++ ') ++') ++ ++ ++######################################## ++## ++## Execute shutdown in the shutdown domain, and ++## allow the specified role the shutdown domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the shutdown domain. ++## ++## ++# ++interface(`shutdown_run',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ shutdown_domtrans($1) ++ role $2 types shutdown_t; ++') ++ ++######################################## ++## ++## Role access for shutdown ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`shutdown_role',` ++ gen_require(` ++ type shutdown_t; ++ ') ++ ++ role $1 types shutdown_t; ++ ++ shutdown_domtrans($2) ++ ++ ps_process_pattern($2, shutdown_t) ++ allow $2 shutdown_t:process signal; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## shutdown over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shutdown_dbus_chat',` ++ gen_require(` ++ type shutdown_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 shutdown_t:dbus send_msg; ++ allow shutdown_t $1:dbus send_msg; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.13/policy/modules/admin/shutdown.te +--- nsaserefpolicy/policy/modules/admin/shutdown.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/admin/shutdown.te 2010-03-10 12:05:08.000000000 -0500 +@@ -0,0 +1,57 @@ ++policy_module(shutdown,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type shutdown_t; ++type shutdown_exec_t; ++application_domain(shutdown_t, shutdown_exec_t) ++role system_r types shutdown_t; ++ ++type shutdown_etc_t; ++files_config_file(shutdown_etc_t) ++ ++type shutdown_var_run_t; ++files_pid_file(shutdown_var_run_t) ++ ++permissive shutdown_t; ++ ++######################################## ++# ++# shutdown local policy ++# ++ ++allow shutdown_t self:capability { kill setuid sys_tty_config }; ++allow shutdown_t self:process { fork signal }; ++ ++allow shutdown_t self:fifo_file manage_fifo_file_perms; ++allow shutdown_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t) ++files_etc_filetrans(shutdown_t, shutdown_etc_t, file) ++ ++manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t) ++files_pid_filetrans(shutdown_t, shutdown_var_run_t, file) ++ ++files_read_etc_files(shutdown_t) ++files_read_generic_pids(shutdown_t) ++ ++term_use_all_terms(shutdown_t) ++ ++auth_use_nsswitch(shutdown_t) ++auth_write_login_records(shutdown_t) ++ ++init_dontaudit_write_utmp(shutdown_t) ++init_read_utmp(shutdown_t) ++init_telinit(shutdown_t) ++ ++logging_send_audit_msgs(shutdown_t) ++ ++miscfiles_read_localization(shutdown_t) ++ ++optional_policy(` ++ dbus_system_bus_client(shutdown_t) ++ dbus_connect_system_bus(shutdown_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc --- nsaserefpolicy/policy/modules/admin/smoltclient.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.13/policy/modules/admin/smoltclient.fc 2010-03-09 18:51:11.000000000 -0500 @@ -7883,7 +8057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.t +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.13/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-02-17 14:07:02.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/staff.te 2010-03-09 18:51:11.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/staff.te 2010-03-10 12:12:42.000000000 -0500 @@ -10,11 +10,26 @@ userdom_unpriv_user_template(staff) @@ -7989,17 +8163,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t optional_policy(` thunderbird_role(staff_r, staff_t) ') -@@ -172,3 +209,69 @@ +@@ -172,3 +209,73 @@ optional_policy(` xserver_role(staff_r, staff_t) ') +') + +optional_policy(` -+ usernetctl_run(staff_t, staff_r) -+') -+ -+optional_policy(` + unconfined_role_change(staff_r) +') + @@ -8059,9 +8229,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t +optional_policy(` + virt_stream_connect(staff_t) +') ++ ++optional_policy(` ++ gen_require(` ++ type mozilla_exec_t; ++ type staff_execmem_t; ++ ') ++ domtrans_pattern(staff_t, mozilla_exec_t, staff_execmem_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.13/policy/modules/roles/sysadm.te --- nsaserefpolicy/policy/modules/roles/sysadm.te 2010-02-17 10:37:39.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/sysadm.te 2010-03-09 18:51:11.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/sysadm.te 2010-03-10 12:06:33.000000000 -0500 @@ -15,7 +15,7 @@ role sysadm_r; @@ -8297,19 +8475,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` rsync_exec(sysadm_t) -@@ -357,9 +410,11 @@ - seutil_run_runinit(sysadm_t, sysadm_r) +@@ -358,8 +411,14 @@ ') -+ifndef(`distro_redhat',` optional_policy(` ++ shutdown_run(sysadm_t, sysadm_r) ++') ++ ++ifndef(`distro_redhat',` ++optional_policy(` spamassassin_role(sysadm_r, sysadm_t) ') +') optional_policy(` ssh_role_template(sysadm, sysadm_r, sysadm_t) -@@ -369,6 +424,7 @@ +@@ -369,6 +428,7 @@ staff_role_change(sysadm_r) ') @@ -8317,7 +8498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` su_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -376,15 +432,18 @@ +@@ -376,15 +436,18 @@ optional_policy(` sudo_role_template(sysadm, sysadm_r, sysadm_t) ') @@ -8336,7 +8517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` tripwire_run_siggen(sysadm_t, sysadm_r) -@@ -393,17 +452,21 @@ +@@ -393,17 +456,21 @@ tripwire_run_twprint(sysadm_t, sysadm_r) ') @@ -8358,7 +8539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` unconfined_domtrans(sysadm_t) -@@ -417,9 +480,11 @@ +@@ -417,9 +484,11 @@ usbmodules_run(sysadm_t, sysadm_r) ') @@ -8370,7 +8551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` usermanage_run_admin_passwd(sysadm_t, sysadm_r) -@@ -427,9 +492,15 @@ +@@ -427,9 +496,15 @@ usermanage_run_useradd(sysadm_t, sysadm_r) ') @@ -8386,7 +8567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm. optional_policy(` vpn_run(sysadm_t, sysadm_r) -@@ -440,13 +511,26 @@ +@@ -440,13 +515,26 @@ ') optional_policy(` @@ -9100,8 +9281,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te 2010-03-09 18:51:11.000000000 -0500 -@@ -0,0 +1,433 @@ ++++ serefpolicy-3.7.13/policy/modules/roles/unconfineduser.te 2010-03-10 12:16:20.000000000 -0500 +@@ -0,0 +1,437 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -9277,6 +9458,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` ++ shutdown_run(unconfined_t, unconfined_r) ++ ') ++ ++ optional_policy(` + tzdata_run(unconfined_usertype, unconfined_r) + ') + @@ -9537,7 +9722,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.13/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/roles/unprivuser.te 2010-03-09 18:51:11.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/roles/unprivuser.te 2010-03-10 12:12:52.000000000 -0500 @@ -13,6 +13,7 @@ userdom_unpriv_user_template(user) @@ -9572,7 +9757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu optional_policy(` spamassassin_role(user_r, user_t) ') -@@ -157,3 +172,8 @@ +@@ -157,3 +172,16 @@ optional_policy(` xserver_role(user_r, user_t) ') @@ -9581,6 +9766,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu +optional_policy(` + setroubleshoot_dontaudit_stream_connect(user_t) +') ++ ++optional_policy(` ++ gen_require(` ++ type mozilla_exec_t; ++ type user_execmem_t; ++ ') ++ domtrans_pattern(user_t, mozilla_exec_t, user_execmem_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.13/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2010-02-18 14:06:31.000000000 -0500 +++ serefpolicy-3.7.13/policy/modules/roles/xguest.te 2010-03-09 18:51:11.000000000 -0500 @@ -13686,7 +13879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.13/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.13/policy/modules/services/consolekit.te 2010-03-09 18:51:11.000000000 -0500 ++++ serefpolicy-3.7.13/policy/modules/services/consolekit.te 2010-03-10 12:19:32.000000000 -0500 @@ -16,12 +16,15 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -13745,7 +13938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons ') optional_policy(` -@@ -100,6 +111,7 @@ +@@ -100,19 +111,33 @@ ') optional_policy(` @@ -13753,7 +13946,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) policykit_read_reload(consolekit_t) -@@ -110,9 +122,18 @@ + ') + + optional_policy(` ++ shutdown_domtrans(consolekit_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) corenet_tcp_connect_xserver_port(consolekit_t) @@ -25882,6 +26082,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp corenet_all_recvfrom_unlabeled(tftpd_t) corenet_all_recvfrom_netlabel(tftpd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.7.13/policy/modules/services/tor.fc +--- nsaserefpolicy/policy/modules/services/tor.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.13/policy/modules/services/tor.fc 2010-03-10 12:13:19.000000000 -0500 +@@ -5,5 +5,8 @@ + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + + /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) ++/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) ++ + /var/log/tor(/.*)? gen_context(system_u:object_r:tor_var_log_t,s0) ++ + /var/run/tor(/.*)? gen_context(system_u:object_r:tor_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.13/policy/modules/services/tor.te --- nsaserefpolicy/policy/modules/services/tor.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.7.13/policy/modules/services/tor.te 2010-03-09 18:51:13.000000000 -0500