From a2f7d6a48e3799b30620308c3ecda873aee08985 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Sep 06 2011 21:08:08 +0000 Subject: - For some reason chfn tries to stat all devices, dontaudit this - On resume, devicekit_power is resetting X using xmodutil, so it needs to talk to the Xserver - Allow saslauthd to be able to manipulate afs kernel subsystem at login - allow xdm_t to execute content labeled xdm_tmp_t, needed for xdm to be able to run gnome-shell - /etc/passwd.adjunct and /etc/passwd.adjunct.old need to be labeled shadow_t --- diff --git a/policy-F16.patch b/policy-F16.patch index 213601a..178c903 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3621,10 +3621,10 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..3d2f418 100644 +index 441cf22..0df5af0 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te -@@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t) +@@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -3635,9 +3635,10 @@ index 441cf22..3d2f418 100644 fs_getattr_xattr_fs(chfn_t) fs_search_auto_mountpoints(chfn_t) -@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t) + # for SSP dev_read_urand(chfn_t) ++dev_dontaudit_getattr_all(chfn_t) -auth_domtrans_chk_passwd(chfn_t) -auth_dontaudit_read_shadow(chfn_t) @@ -3646,7 +3647,7 @@ index 441cf22..3d2f418 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) -@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t) +@@ -118,6 +117,10 @@ userdom_use_unpriv_users_fds(chfn_t) # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) 
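Review bot: `++dev_dontaudit_getattr_all(chfn_t)` in the chfn hunk silences getattr denials on, presumably, every device node type, which is wider than the single stat the changelog describes and will also hide any later denial of that class for chfn_t. A why-comment on the line would let the next reader re-evaluate the blanket suppression, e.g. `# chfn stats every entry under /dev at startup; silence rather than allow`. The chfn local-policy section it sits in continues outside the hunk.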
@@ -3657,7 +3658,7 @@ index 441cf22..3d2f418 100644 ######################################## # # Crack local policy -@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t) +@@ -194,8 +197,7 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -3667,7 +3668,7 @@ index 441cf22..3d2f418 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t) +@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3690,7 +3691,7 @@ index 441cf22..3d2f418 100644 domain_use_interactive_fds(passwd_t) -@@ -323,7 +325,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -3699,7 +3700,7 @@ index 441cf22..3d2f418 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3707,7 +3708,7 @@ index 441cf22..3d2f418 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3717,7 +3718,7 @@ index 441cf22..3d2f418 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +428,7 @@ optional_policy(` +@@ -426,7 +429,7 @@ optional_policy(` # Useradd local policy # 
@@ -3726,7 +3727,7 @@ index 441cf22..3d2f418 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,6 +450,9 @@ corecmd_exec_shell(useradd_t) +@@ -448,6 +451,9 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3736,7 +3737,7 @@ index 441cf22..3d2f418 100644 domain_use_interactive_fds(useradd_t) domain_read_all_domains_state(useradd_t) -@@ -460,6 +465,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,6 +466,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -3744,7 +3745,7 @@ index 441cf22..3d2f418 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +475,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +476,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) @@ -3754,7 +3755,7 @@ index 441cf22..3d2f418 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +504,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -25800,10 +25801,10 @@ index fa62787..ffd0da5 100644 admin_pattern($1, certmaster_etc_rw_t) diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te -index 3384132..daef4e1 100644 +index 3384132..97d3269 100644 --- a/policy/modules/services/certmaster.te 
+++ b/policy/modules/services/certmaster.te -@@ -43,23 +43,23 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) +@@ -43,23 +43,25 @@ files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir }) # log files manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) @@ -25826,6 +25827,8 @@ index 3384132..daef4e1 100644 corenet_tcp_bind_generic_node(certmaster_t) corenet_tcp_bind_certmaster_port(certmaster_t) ++dev_read_urand(certmaster_t) ++ files_search_etc(certmaster_t) +files_read_usr_files(certmaster_t) files_list_var(certmaster_t) @@ -30915,7 +30918,7 @@ index f706b99..13d3a35 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..5a06fc7 100644 +index f231f17..544ab05 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -31100,7 +31103,7 @@ index f231f17..5a06fc7 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +325,25 @@ optional_policy(` +@@ -276,9 +325,30 @@ optional_policy(` ') optional_policy(` @@ -31126,6 +31129,11 @@ index f231f17..5a06fc7 100644 +optional_policy(` vbetool_domtrans(devicekit_power_t) ') ++ ++optional_policy(` ++ corenet_tcp_connect_xserver_port(devicekit_power_t) ++ xserver_stream_connect(devicekit_power_t) ++') diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc index 767e0c7..7956248 100644 --- a/policy/modules/services/dhcp.fc @@ -35311,10 +35319,10 @@ index 0000000..3b1870a + diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te new file mode 100644 -index 0000000..030a521 +index 0000000..3d67b98 --- /dev/null 
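Review bot: `corenet_tcp_connect_xserver_port(devicekit_power_t)` in the new optional_policy block at the end of the devicekit_power section grants outbound TCP to the X server port range, which is broader than the local-socket access `xserver_stream_connect(devicekit_power_t)` already provides on the next line. If the X reset on resume only reaches the local display over the unix socket, the TCP rule can be dropped and the block reduced to `optional_policy(` xserver_stream_connect(devicekit_power_t) ')`; if TCP really is needed, a comment saying why would keep the grant reviewable. Whether the local socket suffices cannot be confirmed from the hunk alone.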
+++ b/policy/modules/services/glance.te -@@ -0,0 +1,122 @@ +@@ -0,0 +1,131 @@ +policy_module(glance, 1.0.0) + +######################################## @@ -35329,6 +35337,9 @@ index 0000000..030a521 +type glance_registry_initrc_exec_t; +init_script_file(glance_registry_initrc_exec_t) + ++type glance_registry_tmp_t; ++files_tmp_file(glance_registry_tmp_t) ++ +type glance_api_t; +type glance_api_exec_t; +init_daemon_domain(glance_api_t, glance_api_exec_t) @@ -35357,6 +35368,10 @@ index 0000000..030a521 +allow glance_registry_t self:unix_stream_socket create_stream_socket_perms; +allow glance_registry_t self:tcp_socket create_stream_socket_perms; + ++manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) ++files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) ++ +manage_dirs_pattern(glance_registry_t, glance_log_t, glance_log_t) +manage_files_pattern(glance_registry_t, glance_log_t, glance_log_t) +logging_log_filetrans(glance_registry_t, glance_log_t, { dir file }) @@ -35423,6 +35438,8 @@ index 0000000..030a521 + +dev_read_urand(glance_api_t) + ++fs_getattr_xattr_fs(glance_api_t) ++ +domain_use_interactive_fds(glance_api_t) + +files_read_etc_files(glance_api_t) @@ -51351,7 +51368,7 @@ index f1aea88..a5a75a8 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index cfc60dd..53a9d2d 100644 +index cfc60dd..791c5b3 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) 
@@ -51364,7 +51381,7 @@ index cfc60dd..53a9d2d 100644 type saslauthd_var_run_t; files_pid_file(saslauthd_var_run_t) -@@ -38,17 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; +@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms; allow saslauthd_t self:unix_stream_socket create_stream_socket_perms; allow saslauthd_t self:tcp_socket create_socket_perms; @@ -51381,14 +51398,14 @@ index cfc60dd..53a9d2d 100644 kernel_read_kernel_sysctls(saslauthd_t) kernel_read_system_state(saslauthd_t) - ++kernel_rw_afs_state(saslauthd_t) ++ +#577519 +corecmd_exec_bin(saslauthd_t) -+ + corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) - corenet_tcp_sendrecv_generic_if(saslauthd_t) -@@ -94,6 +93,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` +@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) @@ -53919,7 +53936,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..4ecf377 100644 +index 8ffa257..69e86c3 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) @@ -53928,7 +53945,7 @@ index 8ffa257..4ecf377 100644 # -allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid }; + -+allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid }; ++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid }; allow sssd_t self:process { setfscreate setsched sigkill signal getsched }; -allow sssd_t self:fifo_file rw_file_perms; +allow sssd_t self:fifo_file rw_fifo_file_perms; 
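Review bot: `++kernel_rw_afs_state(saslauthd_t)` grants write access to the kernel AFS state unconditionally, so every saslauthd deployment gets it although only AFS-backed logins need it. The module already gates a sensitive grant behind a boolean (`allow_saslauthd_read_shadow` is visible in the following hunk's context), so a tunable would be the consistent shape here; at minimum add a why-comment above the line, `# AFS-backed login: saslauthd updates kernel AFS state`. The enclosing saslauthd policy section continues outside the hunk.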
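Review bot: The rewritten capability line for sssd_t adds `net_admin`, a grant that neither the commit message nor the spec changelog mentions, and CAP_NET_ADMIN is far broader than the other capabilities on the line (it covers interface, routing and privileged socket-option changes). If a single operation triggers the denial, name it in a comment above the line, e.g. `# net_admin: needed for <operation — TODO confirm from the AVC>`, so the grant can be revisited; if the denial is benign a dontaudit would be the tighter choice. The capability rule is otherwise unchanged from the old side apart from this one token.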
@@ -58161,7 +58178,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..00b270e 100644 +index 143c893..453a478 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -58527,7 +58544,7 @@ index 143c893..00b270e 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +454,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -58545,6 +58562,7 @@ index 143c893..00b270e 100644 +files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file }) +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) ++can_exec(xdm_t, xdm_tmp_t) manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) @@ -58596,7 +58614,7 @@ index 143c893..00b270e 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +519,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -58624,7 +58642,7 @@ index 143c893..00b270e 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +550,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
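Review bot: `++can_exec(xdm_t, xdm_tmp_t)` lets xdm_t execute files of a type it also creates — the `files_tmp_filetrans(xdm_t, xdm_tmp_t, ...)` rule a few lines above shows the domain labels its own /tmp content with it — so xdm can now run anything it has written into /tmp, giving up the write-xor-execute separation for that type. The changelog ties this to gnome-shell; a comment naming the file that needs it would keep the grant reviewable, e.g. `# gnome-shell: xdm executes a helper it writes to xdm_tmp_t — TODO confirm which file`, and a dedicated type for that helper with its own filetrans would be the tighter alternative. The xdm_t section continues outside the hunk.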
@@ -58678,7 +58696,7 @@ index 143c893..00b270e 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +602,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +603,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -58702,7 +58720,7 @@ index 143c893..00b270e 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +628,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -58742,7 +58760,7 @@ index 143c893..00b270e 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +667,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -58773,7 +58791,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +706,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -58788,7 +58806,7 @@ index 143c893..00b270e 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +727,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -58810,7 +58828,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -519,12 +748,62 @@ optional_policy(` +@@ -519,12 +749,62 @@ optional_policy(` ') optional_policy(` 
@@ -58873,7 +58891,7 @@ index 143c893..00b270e 100644 hostname_exec(xdm_t) ') -@@ -542,28 +821,69 @@ optional_policy(` +@@ -542,28 +822,69 @@ optional_policy(` ') optional_policy(` @@ -58952,7 +58970,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -575,6 +895,14 @@ optional_policy(` +@@ -575,6 +896,14 @@ optional_policy(` ') optional_policy(` @@ -58967,7 +58985,7 @@ index 143c893..00b270e 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +928,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -58976,7 +58994,7 @@ index 143c893..00b270e 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +942,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -58992,7 +59010,7 @@ index 143c893..00b270e 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +969,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -59014,7 +59032,7 @@ index 143c893..00b270e 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +989,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -59022,7 +59040,7 @@ index 143c893..00b270e 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1016,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -59030,7 +59048,7 @@ index 143c893..00b270e 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1025,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -59048,7 +59066,7 @@ index 143c893..00b270e 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1046,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -59062,7 +59080,7 @@ index 143c893..00b270e 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1064,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1065,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -59071,7 +59089,7 @@ index 143c893..00b270e 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1072,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) 
@@ -59086,7 +59104,7 @@ index 143c893..00b270e 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1130,40 @@ optional_policy(` +@@ -778,16 +1131,40 @@ optional_policy(` ') optional_policy(` @@ -59128,7 +59146,7 @@ index 143c893..00b270e 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1172,10 @@ optional_policy(` +@@ -796,6 +1173,10 @@ optional_policy(` ') optional_policy(` @@ -59139,7 +59157,7 @@ index 143c893..00b270e 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1192,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -59153,7 +59171,7 @@ index 143c893..00b270e 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1203,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -59162,7 +59180,7 @@ index 143c893..00b270e 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1215,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1216,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -59172,7 +59190,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1226,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') 
@@ -59184,7 +59202,7 @@ index 143c893..00b270e 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1239,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -59201,7 +59219,7 @@ index 143c893..00b270e 100644 ') optional_policy(` -@@ -862,6 +1253,10 @@ optional_policy(` +@@ -862,6 +1254,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -59212,7 +59230,7 @@ index 143c893..00b270e 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1301,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -59221,7 +59239,7 @@ index 143c893..00b270e 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1355,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -59253,7 +59271,7 @@ index 143c893..00b270e 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1401,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') 
@@ -59702,10 +59720,18 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..5b765ce 100644 +index 28ad538..59742f4 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -30,6 +30,7 @@ ifdef(`distro_gentoo', ` +@@ -5,6 +5,7 @@ + /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) + /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) + /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) + /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) + + /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +@@ -30,6 +31,7 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -59713,7 +59739,7 @@ index 28ad538..5b765ce 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -45,5 +46,4 @@ ifdef(`distro_gentoo', ` +@@ -45,5 +47,4 @@ ifdef(`distro_gentoo', ` /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) @@ -64579,7 +64605,7 @@ index 9c0faab..dd6530e 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..d5408ff 100644 +index a0eef20..fcfad00 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; 
@@ -64712,13 +64738,14 @@ index a0eef20..d5408ff 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -187,28 +206,27 @@ optional_policy(` +@@ -187,28 +206,28 @@ optional_policy(` ') optional_policy(` - firstboot_dontaudit_rw_pipes(insmod_t) - firstboot_dontaudit_rw_stream_sockets(insmod_t) + devicekit_use_fds_disk(insmod_t) ++ devicekit_dontaudit_read_pid_files(insmod_t) ') optional_policy(` @@ -64747,7 +64774,7 @@ index a0eef20..d5408ff 100644 ') optional_policy(` -@@ -236,6 +254,10 @@ optional_policy(` +@@ -236,6 +255,10 @@ optional_policy(` ') optional_policy(` @@ -64758,7 +64785,7 @@ index a0eef20..d5408ff 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d9ad8a4..d62a65b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Sep 6 2011 Miroslav Grepl 3.10.0-25 +- For some reason chfn tries to stat all devices, dontaudit this +- On resume, devicekit_power is resetting X using xmodutil, so it needs to talk to the Xserver +- Allow saslauthd to be able to manipulate afs kernel subsystem at login +- allow xdm_t to execute content labeled xdm_tmp_t, needed for xdm to be able to run gnome-shell +- /etc/passwd.adjunct and /etc/passwd.adjunct.old need to be labeled shadow_t + * Tue Sep 6 2011 Miroslav Grepl 3.10.0-24 - Add exim_exec_t label for /usr/sbin/exim_tidydb - Call init_dontaudit_rw_stream_socket() interface in mta policy