From 90c354a5d6bd757e36afaf85cde6f008d0cd12b6 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 17 2007 22:50:40 +0000 Subject: - Allow ssh to read sym links in homedirs --- diff --git a/policy-20070703.patch b/policy-20070703.patch index c8239bf..5b8263b 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2353,8 +2353,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-12-02 21:15:34.000000000 -0500 -@@ -92,6 +92,7 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2007-12-17 10:55:24.000000000 -0500 +@@ -92,10 +92,12 @@ dev_read_urand(chfn_t) auth_domtrans_chk_passwd(chfn_t) @@ -2362,7 +2362,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman auth_dontaudit_read_shadow(chfn_t) # allow checking if a shell is executable -@@ -297,9 +298,11 @@ + corecmd_check_exec_shell(chfn_t) ++corecmd_exec_bin(chfn_t) + + domain_use_interactive_fds(chfn_t) + +@@ -297,9 +299,11 @@ term_use_all_user_ttys(passwd_t) term_use_all_user_ptys(passwd_t) @@ -2374,7 +2379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) -@@ -315,6 +318,7 @@ +@@ -315,6 +319,7 @@ # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) @@ -2382,7 +2387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman libs_use_ld_so(passwd_t) libs_use_shared_libs(passwd_t) -@@ -520,6 +524,10 @@ +@@ -520,6 +525,10 @@ mta_manage_spool(useradd_t) optional_policy(` 
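Review bot: `corecmd_exec_bin(chfn_t)` in the new `@@ -92,10 +92,12 @@` hunk of usermanage.te gives the setuid chfn domain execute access to every bin_t binary, while the neighbouring comment and `corecmd_check_exec_shell(chfn_t)` only justify checking whether a shell is executable. If chfn only needs to run the user's login shell, the shell-specific exec interface would be the narrower grant; otherwise a comment should name what it executes, e.g. `# chfn execs <helper> -- TODO name it`. The usermanage.te changes are spread over several outer hunks on this line, so the enclosing inner hunk is only partly visible.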
@@ -2393,7 +2398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') -@@ -529,6 +537,12 @@ +@@ -529,6 +538,12 @@ ') optional_policy(` @@ -3237,7 +3242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-07 15:45:14.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2007-12-13 08:25:49.000000000 -0500 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -3270,7 +3275,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. allow $1_mozilla_t self:fifo_file rw_fifo_file_perms; allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create }; allow $1_mozilla_t self:sem create_sem_perms; -@@ -96,15 +106,37 @@ +@@ -71,6 +81,11 @@ + # for bash - old mozilla binary + can_exec($1_mozilla_t, mozilla_exec_t) + ++ domain_read_all_domains_state($1_mozilla_t) ++ ++ fs_getattr_tmpfs($1_mozilla_t) ++ fs_manage_tmpfs_files($1_mozilla_t) ++ + # X access, Home files + manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) + manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t) +@@ -96,15 +111,37 @@ relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t) @@ -3315,7 +3332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Unrestricted inheritance from the caller. allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; -@@ -115,8 +147,9 @@ +@@ -115,8 +152,9 @@ kernel_read_kernel_sysctls($1_mozilla_t) kernel_read_network_state($1_mozilla_t) # Access /proc, sysctl 
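Review bot: `domain_read_all_domains_state($1_mozilla_t)` and `fs_manage_tmpfs_files($1_mozilla_t)` in the new `@@ -71,6 +81,11 @@` hunk of mozilla.if are wide grants for a network-facing browser domain: the first reads the /proc state of every domain on the system, the second allows create, write and delete of any tmpfs file, not only the browser's own. Neither carries a comment saying which feature needs it, unlike the `# for bash - old mozilla binary` line just above them. If only the browser's own process state is needed, a self-scoped rule would be narrower; otherwise add `# needed for <feature> -- TODO confirm` so the width is visibly deliberate. The per-user mozilla template continues outside this hunk.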
@@ -3327,7 +3344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Look for plugins corecmd_list_bin($1_mozilla_t) -@@ -165,11 +198,23 @@ +@@ -165,11 +203,23 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -3351,7 +3368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. term_dontaudit_getattr_pty_dirs($1_mozilla_t) libs_use_ld_so($1_mozilla_t) -@@ -184,16 +229,14 @@ +@@ -184,16 +234,14 @@ sysnet_dns_name_resolve($1_mozilla_t) sysnet_read_config($1_mozilla_t) @@ -3372,7 +3389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. tunable_policy(`allow_execmem',` allow $1_mozilla_t self:process { execmem execstack }; -@@ -211,131 +254,8 @@ +@@ -211,131 +259,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -3506,7 +3523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,21 +270,26 @@ +@@ -350,21 +275,26 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -3519,14 +3536,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. - dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) - dbus_send_user_bus($1,$1_mozilla_t) +# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t) -+ ') -+ -+ optional_policy(` -+ gnome_exec_gconf($1_mozilla_t) -+ gnome_manage_user_gnome_config($1,$1_mozilla_t) ') optional_policy(` ++ gnome_exec_gconf($1_mozilla_t) ++ gnome_manage_user_gnome_config($1,$1_mozilla_t) ++ ') ++ ++ optional_policy(` + gnome_domtrans_user_gconf($1,$1_mozilla_t) gnome_stream_connect_gconf_template($1,$1_mozilla_t) ') @@ -3537,7 +3554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -384,25 +309,6 @@ +@@ -384,25 +314,6 @@ thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t) ') 
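Review bot: After the `@@ -3519,14 +3536,14 @@` hunk the first `optional_policy` block in the cups/dbus/gnome section contains only the commented-out line `# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)`, since both live dbus rules are removed. A block that expands to nothing is dead code and hides why dbus client access was dropped; either delete the block or replace the commented call with the reason, e.g. `# dbus client access disabled: <reason> -- TODO`. The reshuffled gnome blocks themselves look consistent (exec/manage in one block, domtrans/stream_connect in the other).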
@@ -3563,7 +3580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -575,3 +481,27 @@ +@@ -575,3 +486,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -3689,7 +3706,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.8/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-12-02 21:33:52.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/apps/vmware.te 2007-12-13 10:47:36.000000000 -0500 @@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) @@ -3732,7 +3749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t dev_rw_vmware(vmware_host_t) domain_use_interactive_fds(vmware_host_t) -@@ -99,14 +107,6 @@ +@@ -99,14 +107,11 @@ ') netutils_domtrans_ping(vmware_host_t) @@ -3741,13 +3758,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t optional_policy(` -allow kernel_t cardmgr_var_lib_t:dir { getattr search }; -allow kernel_t cardmgr_var_lib_t:file { getattr ioctl read }; --') ++ unconfined_domain(vmware_host_t) + ') -# Vmware create network devices -allow kernel_t self:capability net_admin; -allow kernel_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write }; -allow kernel_t self:socket create; -+ unconfined_domain(vmware_host_t) ++ ++optional_policy(` ++ xserver_xdm_rw_shm(vmware_host_t) ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.8/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-10-22 13:21:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/wine.if 2007-12-02 21:15:34.000000000 -0500 
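Review bot: The new `optional_policy` block adding `xserver_xdm_rw_shm(vmware_host_t)` sits directly after the block that makes `vmware_host_t` an `unconfined_domain`, so the shm rule only has an effect when the unconfined module is not loaded, and nothing in the hunk says so. A one-line comment such as `# only effective when vmware_host_t is not unconfined` above the second block would stop a later reader from treating it as redundant and removing it. The trailing `++` also appears to add a blank line at the end of vmware.te; hedged, since whitespace is hard to read in this collapsed rendering.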
@@ -3991,7 +4012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-12-13 16:59:06.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; @@ -4052,7 +4073,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) -@@ -146,7 +157,7 @@ +@@ -141,12 +152,12 @@ + network_port(rsh, tcp,514,s0) + network_port(rsync, tcp,873,s0, udp,873,s0) + network_port(rwho, udp,513,s0) +-network_port(smbd, tcp,139,s0, tcp,445,s0) ++network_port(smbd, tcp,137-139,s0, tcp,445,s0) + network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(spamd, tcp,783,s0) network_port(ssh, tcp,22,s0) 
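Review bot: `network_port(smbd, tcp,137-139,s0, tcp,445,s0)` in the `@@ -141,12 +152,12 @@` hunk widens the smbd label from TCP 139 to TCP 137-139, but the NetBIOS name and datagram services on 137 and 138 are UDP; only 139 (session service) is normally TCP. If the intent was to cover nmbd this labels the wrong protocol, and if a TCP listener on 137/138 really is expected a comment naming it would help, e.g. `# tcp 137-138: <service> -- TODO confirm`. This hunk is in corenetwork.te.in, whose port declarations run well outside the visible range.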
@@ -8254,6 +8281,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + unconfined_use_terminals(system_dbusd_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.0.8/policy/modules/services/dcc.if +--- nsaserefpolicy/policy/modules/services/dcc.if 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dcc.if 2007-12-13 15:57:40.000000000 -0500 +@@ -72,6 +72,24 @@ + + ######################################## + ## ++## Send a signal to the dcc_client. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dcc_signal_client',` ++ gen_require(` ++ type dcc_client_t; ++ ') ++ ++ allow $1 dcc_client_t:process signal; ++') ++ ++######################################## ++## + ## Execute dcc_client in the dcc_client domain, and + ## allow the specified role the dcc_client domain. + ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.0.8/policy/modules/services/dcc.te +--- nsaserefpolicy/policy/modules/services/dcc.te 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dcc.te 2007-12-13 15:53:15.000000000 -0500 +@@ -124,7 +124,7 @@ + # dcc procmail interface local policy + # + +-allow dcc_client_t self:capability setuid; ++allow dcc_client_t self:capability { setgid setuid }; + allow dcc_client_t self:unix_dgram_socket create_socket_perms; + allow dcc_client_t self:udp_socket create_socket_perms; + +@@ -148,6 +148,8 @@ + files_read_etc_files(dcc_client_t) + files_read_etc_runtime_files(dcc_client_t) + ++kernel_read_system_state(dcc_client_t) ++ + libs_use_ld_so(dcc_client_t) + libs_use_shared_libs(dcc_client_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc --- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400 +++ 
serefpolicy-3.0.8/policy/modules/services/dictd.fc 2007-12-02 21:15:34.000000000 -0500 @@ -11897,7 +11973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlog ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2007-12-13 08:21:32.000000000 -0500 @@ -21,11 +21,13 @@ # rpcbind local policy # @@ -11913,6 +11989,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb allow rpcbind_t self:tcp_socket create_stream_socket_perms; manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t) +@@ -37,6 +39,7 @@ + manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t) + files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file }) + ++kernel_read_system_state(rpcbind_t) + kernel_read_network_state(rpcbind_t) + + corenet_all_recvfrom_unlabeled(rpcbind_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if --- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2007-12-02 21:15:34.000000000 -0500 
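Review bot: The documentation block of the new `dcc_signal_client` interface in dcc.if reads `## Send a signal to the dcc_client. ## ## ## ## Domain allowed access.` on this page, with no `<summary>` or `<param name="domain">` tags around the text. If the tags were really omitted in the patch rather than stripped by this rendering, the interface documentation generator will not attach the summary and parameter description; the neighbouring `dcc_domtrans_client` block should show the expected markup. The interface body itself, `allow $1 dcc_client_t:process signal;`, is minimal and matches its summary.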
@@ -12932,7 +13016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-17 13:48:38.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -12958,16 +13042,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send allow sendmail_t sendmail_log_t:dir setattr; manage_files_pattern(sendmail_t,sendmail_log_t,sendmail_log_t) -@@ -49,6 +52,8 @@ +@@ -48,6 +51,9 @@ + kernel_read_kernel_sysctls(sendmail_t) # for piping mail to a command kernel_read_system_state(sendmail_t) - -+auth_use_nsswitch(sendmail_t) ++kernel_read_network_state(sendmail_t) + ++auth_use_nsswitch(sendmail_t) + corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) - corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -66,6 +71,8 @@ +@@ -66,6 +72,8 @@ fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) @@ -12976,7 +13061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send term_dontaudit_use_console(sendmail_t) # for piping mail to a command -@@ -94,30 +101,34 @@ +@@ -94,30 +102,34 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -13017,7 +13102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -131,28 +142,33 @@ +@@ -131,28 +143,33 @@ ') optional_policy(` 
@@ -13330,7 +13415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-12-13 15:57:17.000000000 -0500 @@ -81,11 +81,12 @@ # var/lib files for spamd @@ -13359,6 +13444,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') +@@ -171,6 +174,7 @@ + + optional_policy(` + dcc_domtrans_client(spamd_t) ++ dcc_signal_client(spamd_t) + dcc_stream_connect_dccifd(spamd_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.fc serefpolicy-3.0.8/policy/modules/services/squid.fc --- nsaserefpolicy/policy/modules/services/squid.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/squid.fc 2007-12-02 21:15:34.000000000 -0500 @@ -13396,7 +13489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-12-13 08:37:13.000000000 -0500 @@ -36,7 +36,7 @@ # Local policy # 
@@ -13638,7 +13731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2007-12-12 16:38:01.000000000 -0500 @@ -24,7 +24,7 @@ # Type for the ssh-agent executable. @@ -13648,16 +13741,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. # ssh client executable. type ssh_exec_t; -@@ -80,6 +80,8 @@ +@@ -80,6 +80,10 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) +userdom_read_all_users_home_dirs_symlinks(sshd_t) ++userdom_read_all_users_home_content_files(sshd_t) ++userdom_read_all_users_home_dirs_symlinks(sshd_t) + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to -@@ -100,6 +102,11 @@ +@@ -100,6 +104,11 @@ userdom_use_unpriv_users_ptys(sshd_t) ') @@ -13669,7 +13764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. optional_policy(` daemontools_service_domain(sshd_t, sshd_exec_t) ') -@@ -119,7 +126,13 @@ +@@ -119,7 +128,13 @@ ') optional_policy(` @@ -13684,7 +13779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') ifdef(`TODO',` -@@ -231,9 +244,15 @@ +@@ -231,9 +246,15 @@ ') optional_policy(` 
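Review bot: The `@@ -80,6 +80,10 @@` hunk of ssh.te ends up with `userdom_read_all_users_home_dirs_symlinks(sshd_t)` twice -- the line already in the patch plus the newly added copy -- and adds `userdom_read_all_users_home_content_files(sshd_t)`, which lets sshd read every file under every user's home, not only symlinks as the commit title says. Duplicate allow rules compile but are noise; drop the second symlink line. The content-files grant is a real widening of what sshd_t can read (any dotfile or key material in any home), so if the purpose is to follow symlinked home directories to the user's ssh files, record that in a comment, e.g. `# follow symlinked homedirs to the user's ssh files -- TODO confirm a narrower interface suffices`, or narrow it to the ssh home content type if this tree has one. The sshd_t block continues outside this hunk.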
@@ -14528,7 +14623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-06 20:54:55.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-12-12 16:40:57.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -14690,8 +14785,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -350,10 +393,7 @@ +@@ -348,12 +391,10 @@ + ') + optional_policy(` ++ unconfined_domain(xdm_xserver_t) unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) - @@ -14702,7 +14800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +425,7 @@ +@@ -385,7 +426,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -14711,7 +14809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +437,15 @@ +@@ -397,6 +438,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -14727,7 +14825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -425,6 +474,14 @@ +@@ -425,6 +475,14 @@ ') optional_policy(` @@ -14742,7 +14840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +491,26 @@ +@@ -434,47 +492,26 @@ ') optional_policy(` 
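Review bot: `unconfined_domain(xdm_xserver_t)` in the `@@ -348,12 +391,10 @@` hunk removes SELinux confinement from the X server process, which handles input from every X client and elsewhere in this file still gets targeted rules such as `corenet_tcp_bind_vnc_port(xdm_xserver_t)`; this is a much larger change than the commit title or the %changelog entry describes. It sits in the same optional block as `unconfined_domain(xdm_t)`, so it applies whenever the unconfined module is loaded, with no boolean to turn it off. At minimum add a comment with the reason, e.g. `# xdm_xserver_t unconfined because <reason> -- TODO`, and mention it in the changelog; better, gate it behind a tunable so a confined X server remains reachable. The xdm_t optional block continues outside this hunk.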
@@ -15856,7 +15954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/init.te 2007-12-13 14:24:45.000000000 -0500 @@ -10,6 +10,20 @@ # Declarations # @@ -15979,10 +16077,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_all_users_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -497,6 +511,47 @@ +@@ -496,6 +510,52 @@ + ') ') - optional_policy(` ++# Cron jobs used to start and stop services ++optional_policy(` ++ cron_read_pipes(daemon) ++') ++ ++optional_policy(` + rhgb_use_ptys(daemon) +') + @@ -16023,11 +16127,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + ') +') + -+optional_policy(` + optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) - ') -@@ -632,12 +687,6 @@ +@@ -632,12 +692,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -16040,7 +16143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ifdef(`distro_redhat',` -@@ -649,15 +698,10 @@ +@@ -649,15 +703,10 @@ ') optional_policy(` @@ -16056,7 +16159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t openvpn_read_config(initrc_t) ') -@@ -703,6 +747,9 @@ +@@ -703,6 +752,9 @@ # why is this needed: rpm_manage_db(initrc_t) 
@@ -16066,7 +16169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -749,6 +796,12 @@ +@@ -749,6 +801,12 @@ ') ') @@ -16234,7 +16337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-17 11:22:51.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -18322,7 +18425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-12-13 12:37:30.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -18914,7 +19017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-10 14:48:25.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-12-12 16:38:48.000000000 -0500 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8a74487..690fece 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 68%{?dist} +Release: 69%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -303,8 +303,9 @@ fi exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-63-1 +%triggerpostun targeted -- selinux-policy-targeted < 3.0.8-69-1 semanage user -a -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null +semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ 2> /dev/null exit 0 @@ -381,6 +382,9 @@ exit 0 %endif %changelog +* Wed Dec 12 2007 Dan Walsh 3.0.8-69 +- Allow ssh to read sym links in homedirs + * Mon Dec 10 2007 Dan Walsh 3.0.8-68 - Allow ldconfig to manage files in the homedir
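Review bot: The %changelog entry `- Allow ssh to read sym links in homedirs` lists only one of this commit's policy changes; the same diff also unconfines `xdm_xserver_t`, adds the `dcc_signal_client` interface and widens the smbd port label, none of which a packager or auditor will find from the changelog. Its date `Wed Dec 12 2007` also predates the commit date (Dec 17) and the `2007-12-17` file timestamps inside the patch, so it looks carried over from an earlier draft. The new `semanage user -m ...` line after the existing `-a` makes the trigger tolerate an already-existing unconfined_u, which is sensible, but both commands discard stderr and their exit status, so a missing or failing semanage is silent; a comment such as `# -a fails harmlessly if unconfined_u exists; -m then applies the roles` would record the intent.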