From 84fb84f8b1c5594a20c8a6d7b0e618e0c440be45 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Oct 21 2011 13:38:03 +0000 Subject: - Policy update should not modify local contexts --- diff --git a/policy-F16.patch b/policy-F16.patch index 01d3a37..1d7ce0d 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644 ') diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if -index 1392679..c94911d 100644 +index 1392679..e75873a 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if -@@ -206,3 +206,21 @@ interface(`alsa_read_lib',` +@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',` + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file manage_file_perms; ++ alsa_filetrans_home_content(unpriv_userdomain) + ') + + ######################################## +@@ -206,3 +207,47 @@ interface(`alsa_read_lib',` files_search_var_lib($1) read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ') @@ -340,12 +348,38 @@ index 1392679..c94911d 100644 +## +## +# ++interface(`alsa_filetrans_home_content',` ++ gen_require(` ++ type alsa_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc") ++') ++ ++######################################## ++## ++## Transition to alsa named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`alsa_filetrans_named_content',` + gen_require(` + type alsa_home_t; ++ type alsa_etc_rw_t; ++ type alsa_var_lib_t; + ') + + userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc") ++ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state") ++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm") ++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound") ++ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf") ++ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm") ++ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa") +') diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc index e3e0701..3fd0282 100644 @@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..2aa37b4 100644 +index 975af1a..634c47a 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644 attribute sudodomain; ') -@@ -47,6 +48,15 @@ template(`sudo_role_template',` +@@ -47,26 +48,11 @@ template(`sudo_role_template',` ubac_constrained($1_sudo_t) role $2 types $1_sudo_t; +- ############################## +- # +- # Local Policy +- # + type $1_sudo_tmp_t; + files_tmp_file($1_sudo_tmp_t) -+ + +- # Use capabilities. +- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource }; +- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +- allow $1_sudo_t self:process { setexec setrlimit }; +- allow $1_sudo_t self:fd use; +- allow $1_sudo_t self:fifo_file rw_fifo_file_perms; +- allow $1_sudo_t self:shm create_shm_perms; +- allow $1_sudo_t self:sem create_sem_perms; +- allow $1_sudo_t self:msgq create_msgq_perms; +- allow $1_sudo_t self:msg { send receive }; +- allow $1_sudo_t self:unix_dgram_socket create_socket_perms; +- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_sudo_t self:unix_dgram_socket sendto; +- allow $1_sudo_t self:unix_stream_socket connectto; +- allow $1_sudo_t self:key manage_key_perms; + allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms; + files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file) -+ -+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t) -+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) -+ - ############################## - # - # Local Policy -@@ -76,6 +86,11 @@ template(`sudo_role_template',` + + allow $1_sudo_t $3:key search; + +@@ -76,88 +62,19 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) @@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644 allow $3 $1_sudo_t:fd use; allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; -@@ -113,12 +128,15 @@ template(`sudo_role_template',` - term_getattr_pty_fs($1_sudo_t) - term_relabel_all_ttys($1_sudo_t) - term_relabel_all_ptys($1_sudo_t) -+ term_getattr_pty_fs($1_sudo_t) +- kernel_read_kernel_sysctls($1_sudo_t) +- kernel_read_system_state($1_sudo_t) +- kernel_link_key($1_sudo_t) +- +- corecmd_read_bin_symlinks($1_sudo_t) +- corecmd_exec_all_executables($1_sudo_t) +- +- dev_getattr_fs($1_sudo_t) +- dev_read_urand($1_sudo_t) +- dev_rw_generic_usb_dev($1_sudo_t) +- dev_read_sysfs($1_sudo_t) +- +- domain_use_interactive_fds($1_sudo_t) +- domain_sigchld_interactive_fds($1_sudo_t) +- domain_getattr_all_entry_files($1_sudo_t) +- +- files_read_etc_files($1_sudo_t) +- files_read_var_files($1_sudo_t) +- files_read_usr_symlinks($1_sudo_t) +- files_getattr_usr_files($1_sudo_t) +- # for some PAM modules and for cwd +- files_dontaudit_search_home($1_sudo_t) +- files_list_tmp($1_sudo_t) +- +- fs_search_auto_mountpoints($1_sudo_t) +- fs_getattr_xattr_fs($1_sudo_t) +- +- selinux_validate_context($1_sudo_t) +- selinux_compute_relabel_context($1_sudo_t) +- +- term_getattr_pty_fs($1_sudo_t) +- term_relabel_all_ttys($1_sudo_t) +- term_relabel_all_ptys($1_sudo_t) +- auth_run_chk_passwd($1_sudo_t, $2) - # sudo stores a token in the pam_pid directory - auth_manage_pam_pid($1_sudo_t) +- # sudo stores a token in the pam_pid directory +- auth_manage_pam_pid($1_sudo_t) auth_use_nsswitch($1_sudo_t) -+ application_signal($1_sudo_t) -+ - init_rw_utmp($1_sudo_t) - - logging_send_audit_msgs($1_sudo_t) -@@ -126,7 +144,7 @@ template(`sudo_role_template',` - - miscfiles_read_localization($1_sudo_t) - +- init_rw_utmp($1_sudo_t) +- +- logging_send_audit_msgs($1_sudo_t) +- logging_send_syslog_msg($1_sudo_t) +- +- miscfiles_read_localization($1_sudo_t) +- - seutil_search_default_contexts($1_sudo_t) -+ seutil_read_default_contexts($1_sudo_t) - seutil_libselinux_linked($1_sudo_t) - - userdom_spec_domtrans_all_users($1_sudo_t) -@@ -135,12 +153,13 @@ template(`sudo_role_template',` - userdom_manage_user_tmp_files($1_sudo_t) - userdom_manage_user_tmp_symlinks($1_sudo_t) - userdom_use_user_terminals($1_sudo_t) -+ userdom_signal_all_users($1_sudo_t) - # for some PAM modules and for cwd +- seutil_libselinux_linked($1_sudo_t) +- +- userdom_spec_domtrans_all_users($1_sudo_t) +- userdom_manage_user_home_content_files($1_sudo_t) +- userdom_manage_user_home_content_symlinks($1_sudo_t) +- userdom_manage_user_tmp_files($1_sudo_t) +- userdom_manage_user_tmp_symlinks($1_sudo_t) +- userdom_use_user_terminals($1_sudo_t) +- # for some PAM modules and for cwd - userdom_dontaudit_search_user_home_content($1_sudo_t) -+ userdom_search_user_home_content($1_sudo_t) -+ userdom_search_admin_dir($1_sudo_t) -+ userdom_manage_all_users_keys($1_sudo_t) - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1_sudo_t $3:socket_class_set { read write }; - ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_manage_nfs_files($1_sudo_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_files($1_sudo_t) +- ') +- +- optional_policy(` +- dbus_system_bus_client($1_sudo_t) +- ') +- +- optional_policy(` +- fprintd_dbus_chat($1_sudo_t) +- ') +- + mta_role($2, $1_sudo_t) + ') - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_sudo_t) -@@ -177,3 +196,22 @@ interface(`sudo_sigchld',` + ######################################## +@@ -177,3 +94,22 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') @@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index 2731fa1..3443ba2 100644 +index 2731fa1..22beabf 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te -@@ -7,3 +7,7 @@ attribute sudodomain; +@@ -7,3 +7,110 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) @@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644 +type sudo_db_t; +files_type(sudo_db_t) + ++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t) ++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t) ++ ++############################## ++# ++# Local Policy ++# ++ ++# Use capabilities. ++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource }; ++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow sudodomain self:process { setexec setrlimit }; ++allow sudodomain self:fd use; ++allow sudodomain self:fifo_file rw_fifo_file_perms; ++allow sudodomain self:shm create_shm_perms; ++allow sudodomain self:sem create_sem_perms; ++allow sudodomain self:msgq create_msgq_perms; ++allow sudodomain self:msg { send receive }; ++allow sudodomain self:unix_dgram_socket create_socket_perms; ++allow sudodomain self:unix_stream_socket create_stream_socket_perms; ++allow sudodomain self:unix_dgram_socket sendto; ++allow sudodomain self:unix_stream_socket connectto; ++allow sudodomain self:key manage_key_perms; ++ ++kernel_read_kernel_sysctls(sudodomain) ++kernel_read_system_state(sudodomain) ++kernel_link_key(sudodomain) ++ ++corecmd_read_bin_symlinks(sudodomain) ++corecmd_exec_all_executables(sudodomain) ++ ++dev_getattr_fs(sudodomain) ++dev_read_urand(sudodomain) ++dev_rw_generic_usb_dev(sudodomain) ++dev_read_sysfs(sudodomain) ++ ++domain_use_interactive_fds(sudodomain) ++domain_sigchld_interactive_fds(sudodomain) ++domain_getattr_all_entry_files(sudodomain) ++ ++files_read_etc_files(sudodomain) ++files_read_var_files(sudodomain) ++files_read_usr_symlinks(sudodomain) ++files_getattr_usr_files(sudodomain) ++# for some PAM modules and for cwd ++files_dontaudit_search_home(sudodomain) ++files_list_tmp(sudodomain) ++ ++fs_search_auto_mountpoints(sudodomain) ++fs_getattr_xattr_fs(sudodomain) ++ ++selinux_validate_context(sudodomain) ++selinux_compute_relabel_context(sudodomain) ++ ++term_getattr_pty_fs(sudodomain) ++term_relabel_all_ttys(sudodomain) ++term_relabel_all_ptys(sudodomain) ++term_getattr_pty_fs(sudodomain) ++ ++#auth_run_chk_passwd(sudodomain) ++# sudo stores a token in the pam_pid directory ++auth_manage_pam_pid(sudodomain) ++#auth_use_nsswitch(sudodomain) ++ ++application_signal(sudodomain) ++ ++init_rw_utmp(sudodomain) ++ ++logging_send_audit_msgs(sudodomain) ++logging_send_syslog_msg(sudodomain) ++ ++miscfiles_read_localization(sudodomain) ++ ++seutil_read_default_contexts(sudodomain) ++seutil_libselinux_linked(sudodomain) ++ ++userdom_spec_domtrans_all_users(sudodomain) ++userdom_manage_user_home_content_files(sudodomain) ++userdom_manage_user_home_content_symlinks(sudodomain) ++userdom_manage_user_tmp_files(sudodomain) ++userdom_manage_user_tmp_symlinks(sudodomain) ++userdom_use_user_terminals(sudodomain) ++userdom_signal_all_users(sudodomain) ++# for some PAM modules and for cwd ++userdom_search_user_home_content(sudodomain) ++userdom_search_admin_dir(sudodomain) ++userdom_manage_all_users_keys(sudodomain) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(sudodomain) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(sudodomain) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(sudodomain) ++') ++ ++optional_policy(` ++ fprintd_dbus_chat(sudodomain) ++') diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te index d5aaf0e..6b16aef 100644 --- a/policy/modules/admin/sxid.te @@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..772a68e 100644 +index 441cf22..cd9d876 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; @@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t) +@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644 -term_use_all_ptys(chfn_t) +term_use_all_inherited_ttys(chfn_t) +term_use_all_inherited_ptys(chfn_t) ++term_getattr_all_ptys(chfn_t) fs_getattr_xattr_fs(chfn_t) fs_search_auto_mountpoints(chfn_t) @@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t) +@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) @@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644 miscfiles_read_localization(chfn_t) -@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t) +@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t) # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) @@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644 ######################################## # # Crack local policy -@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t) +@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) -term_use_all_ttys(groupadd_t) -term_use_all_ptys(groupadd_t) +term_use_all_inherited_terms(groupadd_t) ++term_getattr_all_ptys(groupadd_t) init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) -term_use_all_ttys(passwd_t) -term_use_all_ptys(passwd_t) +term_use_all_inherited_terms(passwd_t) ++term_getattr_all_ptys(passwd_t) -auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) @@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644 domain_use_interactive_fds(passwd_t) -@@ -311,6 +317,8 @@ files_search_var(passwd_t) +@@ -311,6 +320,8 @@ files_search_var(passwd_t) files_dontaudit_search_pids(passwd_t) files_relabel_etc_files(passwd_t) @@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) -term_use_all_ttys(sysadm_passwd_t) -term_use_all_ptys(sysadm_passwd_t) +term_use_all_inherited_terms(sysadm_passwd_t) ++term_getattr_all_ptys(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +434,7 @@ optional_policy(` +@@ -426,7 +438,7 @@ optional_policy(` # Useradd local policy # @@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t) +@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644 files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) -term_use_all_ttys(useradd_t) -term_use_all_ptys(useradd_t) +term_use_all_inherited_terms(useradd_t) ++term_getattr_all_ptys(useradd_t) auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..f3980e0 100644 +index e14b961..f2aac71 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,48 @@ ifndef(`enable_mls',` +@@ -24,20 +24,52 @@ ifndef(`enable_mls',` # # Local policy # @@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644 +userdom_manage_tmp_role(sysadm_r, sysadm_t) + +optional_policy(` ++ alsa_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +83,7 @@ ifndef(`enable_mls',` +@@ -55,6 +87,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644 ') tunable_policy(`allow_ptrace',` -@@ -67,9 +96,9 @@ optional_policy(` +@@ -67,9 +100,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -98,6 +127,10 @@ optional_policy(` +@@ -98,6 +131,10 @@ optional_policy(` ') optional_policy(` @@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +143,19 @@ optional_policy(` +@@ -110,11 +147,19 @@ optional_policy(` ') optional_policy(` @@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -128,6 +169,10 @@ optional_policy(` +@@ -128,6 +173,10 @@ optional_policy(` ') optional_policy(` @@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +208,13 @@ optional_policy(` +@@ -163,6 +212,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -170,15 +222,20 @@ optional_policy(` +@@ -170,15 +226,20 @@ optional_policy(` ') optional_policy(` @@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -198,22 +255,19 @@ optional_policy(` +@@ -198,22 +259,19 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -225,25 +279,47 @@ optional_policy(` +@@ -225,25 +283,47 @@ optional_policy(` ') optional_policy(` @@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +329,19 @@ optional_policy(` +@@ -253,19 +333,19 @@ optional_policy(` ') optional_policy(` @@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -274,10 +350,7 @@ optional_policy(` +@@ -274,10 +354,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -302,12 +375,18 @@ optional_policy(` +@@ -302,12 +379,18 @@ optional_policy(` ') optional_policy(` @@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -332,7 +411,10 @@ optional_policy(` +@@ -332,7 +415,10 @@ optional_policy(` ') optional_policy(` @@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -343,19 +425,15 @@ optional_policy(` +@@ -343,19 +429,15 @@ optional_policy(` ') optional_policy(` @@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -367,45 +445,45 @@ optional_policy(` +@@ -367,45 +449,45 @@ optional_policy(` ') optional_policy(` @@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +496,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +500,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +513,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +517,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644 ') optional_policy(` -@@ -446,11 +521,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +525,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644 + + optional_policy(` + mplayer_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') @@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644 + + optional_policy(` + wireshark_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + xserver_role(sysadm_r, sysadm_t) + ') @@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..8d7dde1 +index 0000000..50c38f9 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,502 @@ +@@ -0,0 +1,498 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -22159,11 +22360,7 @@ index 0000000..8d7dde1 +') + +optional_policy(` -+ ada_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ alsa_run(unconfined_t, unconfined_r) ++ alsa_filetrans_named_content(unconfined_t) +') + +optional_policy(` @@ -73110,10 +73307,10 @@ index 0000000..79c358c + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..1449552 +index 0000000..a84b8e7 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,370 @@ +@@ -0,0 +1,371 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -73267,6 +73464,7 @@ index 0000000..1449552 + +manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); ++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t); +init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file }) + @@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644 + allow $1 unpriv_userdomain:sem rw_sem_perms; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..04d748b 100644 +index 9b4a930..d6c3860 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) @@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644 + alsa_read_rw_config(unpriv_userdomain) + alsa_manage_home_files(unpriv_userdomain) + alsa_relabel_home_files(unpriv_userdomain) -+ alsa_filetrans_named_content(unpriv_userdomain) +') + +optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 1b7761b..e930d1d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -466,6 +466,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Oct 20 2011 Miroslav Grepl 3.10.0-46 +- Policy update should not modify local contexts + * Thu Oct 20 2011 Dan Walsh 3.10.0-45.1 - Allow systemd_passwd to talk to sock_files in systemd_passwd_var_run_t directories