From 68874ebc6f80ed249422ec882a19fa351864bf68 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Apr 29 2011 23:01:48 +0000 Subject: Fix dbus_session_domain Stop transitiong from unconfined_t to telepathy domains or to gkeyring domains --- diff --git a/policy-dbus.patch b/policy-dbus.patch new file mode 100644 index 0000000..74df61a --- /dev/null +++ b/policy-dbus.patch @@ -0,0 +1,232 @@ +diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if +index b1b6bf6..f9149e7 100644 +--- a/policy/modules/apps/gnome.if ++++ b/policy/modules/apps/gnome.if +@@ -51,7 +51,7 @@ interface(`gnome_role',` + ## + ## + ## +-## The user domain associated with the role. ++## The user domain associated with the role. + ## + ## + # +@@ -98,7 +98,7 @@ interface(`gnome_role_gkeyringd',` + allow $1_gkeyringd_t $3:dbus send_msg; + allow $3 $1_gkeyringd_t:dbus send_msg; + optional_policy(` +- dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t) ++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_bus_client($1_gkeyringd_t) + gnome_home_dir_filetrans($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) +diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if +index 6878d68..4730846 100644 +--- a/policy/modules/apps/telepathy.if ++++ b/policy/modules/apps/telepathy.if +@@ -28,8 +28,6 @@ template(`telepathy_domain_template',` + type telepathy_$1_tmp_t; + files_tmp_file(telepathy_$1_tmp_t) + ubac_constrained(telepathy_$1_tmp_t) +- +- dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) + ') + + ####################################### +@@ -51,6 +49,22 @@ template(`telepathy_domain_template',` + template(`telepathy_dbus_session_role', ` + gen_require(` + attribute telepathy_domain; ++ type telepathy_gabble_t; ++ type telepathy_sofiasip_t; ++ type telepathy_idle_t; ++ type telepathy_mission_control_t; ++ type telepathy_salut_t; ++ type telepathy_sunshine_t; ++ type telepathy_stream_engine_t; ++ type telepathy_msn_t; ++ type telepathy_gabble_exec_t; ++ type telepathy_sofiasip_exec_t; ++ type telepathy_idle_exec_t; ++ type telepathy_mission_control_exec_t; ++ type telepathy_salut_exec_t; ++ type telepathy_sunshine_exec_t; ++ type telepathy_stream_engine_exec_t; ++ type telepathy_msn_exec_t; + ') + + role $1 types telepathy_domain; +@@ -65,6 +79,15 @@ template(`telepathy_dbus_session_role', ` + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) ++ ++ dbus_session_domain($2, telepathy_gabble_exec_t, telepathy_gabble_t) ++ dbus_session_domain($2, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) ++ dbus_session_domain($2, telepathy_idle_exec_t, telepathy_idle_t) ++ dbus_session_domain($2, telepathy_mission_control_exec_t, telepathy_mission_control_t) ++ dbus_session_domain($2, telepathy_salut_exec_t, telepathy_salut_t) ++ dbus_session_domain($2, telepathy_sunshine_exec_t, telepathy_sunshine_t) ++ dbus_session_domain($2, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) ++ dbus_session_domain($2, telepathy_msn_exec_t, telepathy_msn_t) + ') + + ######################################## +@@ -147,7 +170,6 @@ interface(`telepathy_msn_stream_connect', ` + files_search_tmp($1) + ') + +- + ######################################## + ## + ## Stream connect to Telepathy Salut +@@ -191,3 +213,46 @@ interface(`telepathy_mission_control_read_state',` + ps_process_pattern($1, telepathy_mission_control_t) + ') + ++######################################## ++## ++## Execute telepathy executable ++## in the specified domain. ++## ++## ++##

++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## the ssh-agent policy. ++##

++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`telepathy_command_domtrans', ` ++ gen_require(` ++ attribute telepathy_executable; ++ ') ++ ++ allow $2 telepathy_executable:file entrypoint; ++ domain_transition_pattern($1, telepathy_executable, $2) ++ type_transition $1 telepathy_executable:process $2; ++') +diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te +index db5a937..fb6c6bd 100644 +--- a/policy/modules/roles/staff.te ++++ b/policy/modules/roles/staff.te +@@ -84,8 +84,6 @@ optional_policy(` + + optional_policy(` + gnome_role(staff_r, staff_t) +- gnome_role_gkeyringd(staff, staff_r, staff_t) +- permissive staff_gkeyringd_t; + ') + + optional_policy(` +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index 805d0ea..693d944 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -295,6 +295,10 @@ optional_policy(` + ') + + optional_policy(` ++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) ++ ') ++ ++ optional_policy(` + oddjob_dbus_chat(unconfined_usertype) + ') + +@@ -416,10 +420,6 @@ optional_policy(` + ') + + optional_policy(` +- telepathy_dbus_session_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` + vbetool_run(unconfined_t, unconfined_r) + ') + +@@ -500,4 +500,3 @@ domain_ptrace_all_domains(unconfined_notrans_t) + # + + gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +- +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index dc6b88f..b56a290 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -35,7 +35,6 @@ optional_policy(` + + optional_policy(` + gnome_role(user_r, user_t) +- + ') + + optional_policy(` +diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if +index cee56c8..d2d4d9d 100644 +--- a/policy/modules/services/dbus.if ++++ b/policy/modules/services/dbus.if +@@ -363,6 +363,12 @@ interface(`dbus_connect_session_bus',` + ## Allow a application domain to be started + ## by the session dbus. + ## ++## ++## ++## The prefix of the dbus session domain (e.g., user ++## is the prefix for user_t). ++## ++## + ## + ## + ## Type to be used as a domain. +@@ -377,13 +383,13 @@ interface(`dbus_connect_session_bus',` + # + interface(`dbus_session_domain',` + gen_require(` +- attribute session_bus_type; ++ type $1_dbusd_t; + ') + +- domtrans_pattern(session_bus_type, $2, $1) ++ domtrans_pattern($1_dbusd_t, $2, $3) + +- dbus_session_bus_client($1) +- dbus_connect_session_bus($1) ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) + ') + + ######################################## +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 4984747..f690d75 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1078,6 +1078,7 @@ template(`userdom_restricted_xwindows_user_template',` + # bug: #682499 + optional_policy(` + gnome_read_usr_config($1_usertype) ++ gnome_role_gkeyringd($1, $1_r, $1_t) + ') + + optional_policy(` diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te index 0b28cf8..713fdd0 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -75,8 +75,6 @@ dev_read_urand(telepathy_msn_t) files_read_etc_files(telepathy_msn_t) files_read_usr_files(telepathy_msn_t) -auth_use_nsswitch(telepathy_msn_t) - init_read_state(telepathy_msn_t) libs_exec_ldconfig(telepathy_msn_t) @@ -85,8 +83,6 @@ logging_send_syslog_msg(telepathy_msn_t) miscfiles_read_all_certs(telepathy_msn_t) -sysnet_read_config(telepathy_msn_t) - optional_policy(` dbus_system_bus_client(telepathy_msn_t) optional_policy(` @@ -136,8 +132,6 @@ files_read_usr_files(telepathy_gabble_t) miscfiles_read_all_certs(telepathy_gabble_t) -sysnet_read_config(telepathy_gabble_t) - optional_policy(` dbus_system_bus_client(telepathy_gabble_t) ') @@ -164,8 +158,6 @@ corenet_tcp_connect_ircd_port(telepathy_idle_t) files_read_etc_files(telepathy_idle_t) -sysnet_read_config(telepathy_idle_t) - ####################################### # # Telepathy Mission-Control local policy. @@ -191,8 +183,6 @@ tunable_policy(`use_samba_home_dirs', ` fs_manage_cifs_files(telepathy_mission_control_t) ') -auth_use_nsswitch(telepathy_mission_control_t) - # ~/.cache/.mc_connections. optional_policy(` manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) @@ -224,8 +214,6 @@ dev_read_urand(telepathy_salut_t) files_read_etc_files(telepathy_salut_t) -sysnet_read_config(telepathy_salut_t) - optional_policy(` dbus_system_bus_client(telepathy_salut_t) @@ -250,8 +238,6 @@ dev_read_urand(telepathy_sofiasip_t) kernel_request_load_module(telepathy_sofiasip_t) -sysnet_read_config(telepathy_sofiasip_t) - ####################################### # # Telepathy Sunshine local policy. @@ -317,7 +303,8 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(telepathy_domain) + gnome_read_generic_cache_files(telepathy_domain) + gnome_write_generic_cache_files(telepathy_domain) ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index c066533..340d067 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,11 +21,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-F15.patch +patch1: policy-dbus.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -202,6 +203,7 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-%{version} -q %patch -p1 +%patch1 -p1 %install mkdir selinux_config @@ -471,6 +473,10 @@ exit 0 %endif %changelog +* Fri Apr 29 2011 Dan Walsh 3.9.16-19 +- Fix dbus_session_domain +- Stop transitiong from unconfined_t to telepathy domains or to gkeyring domains + * Wed Apr 27 2011 Miroslav Grepl 3.9.16-18 - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch