From a61a65edf264c9b33a18e041c6f23becab86a84d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 06 2007 21:06:39 +0000 Subject: - Allow all dns_resolves to use avahi stream - Don't transition from unconfined_t to ping_t --- diff --git a/policy-20070703.patch b/policy-20070703.patch index 6f86997..f39af0d 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -16438,7 +16438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.0.8/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/sysnetwork.if 2007-11-06 15:55:57.000000000 -0500 @@ -145,6 +145,25 @@ ######################################## @@ -16465,7 +16465,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ## Send and receive messages from ## dhcpc over dbus. ## -@@ -522,6 +541,8 @@ +@@ -493,6 +512,10 @@ + + files_search_etc($1) + allow $1 net_conf_t:file read_file_perms; ++ ++ optional_policy(` ++ avahi_stream_connect($1) ++ ') + ') + + ######################################## +@@ -522,6 +545,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -16474,7 +16485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet ') ######################################## -@@ -556,3 +577,23 @@ +@@ -556,3 +581,23 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') 
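Review bot: The `avahi_stream_connect($1)` block added in sysnetwork.if (inner hunk `@@ -493,6 +512,10 @@`) gives the avahi stream socket to every caller of that interface, so a domain that previously only read `net_conf_t` files can now also connect to the avahi daemon. The interface header lies outside the hunk; going by the commit subject, this is presumably the DNS-resolve interface. I would add a comment above the block giving the reason, for example `# name lookups may be answered by avahi (mDNS), so resolvers need its stream socket`, and mention the extra access in the interface's `## <summary>` text. If only some callers need mDNS, putting the block behind a tunable would keep the grant narrower.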
@@ -17245,7 +17256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-02 11:09:48.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-06 16:01:20.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -18077,7 +18088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1135,11 @@ +@@ -1029,23 +1135,14 @@ # and may change other protocols tunable_policy(`user_tcp_server',` corenet_tcp_bind_all_nodes($1_t) @@ -18087,15 +18098,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - kerberos_use($1_t) -- ') -- -- optional_policy(` -- loadkeys_run($1_t,$1_r,$1_tty_device_t) + hal_dbus_chat($1_t) ') +- optional_policy(` +- loadkeys_run($1_t,$1_r,$1_tty_device_t) +- ') +- +- optional_policy(` +- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- ') +- +- # Run pppd in pppd_t by default for user ++ # Run pppd in pppd_t by default for user optional_policy(` -@@ -1054,17 +1156,6 @@ + ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ') +@@ -1054,17 +1151,6 @@ setroubleshoot_stream_connect($1_t) ') 
@@ -18113,7 +18133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1193,8 @@ +@@ -1102,6 +1188,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -18122,7 +18142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1220,7 @@ +@@ -1127,7 +1215,7 @@ # $1_t local policy # @@ -18131,7 +18151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1232,11 @@ +@@ -1139,7 +1227,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -18144,7 +18164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1277,6 +1374,7 @@ +@@ -1277,6 +1369,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -18152,7 +18172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1642,9 +1740,13 @@ +@@ -1642,9 +1735,13 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; @@ -18166,7 +18186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_type($2) ') -@@ -1894,10 +1996,46 @@ +@@ -1894,10 +1991,46 @@ template(`userdom_manage_user_home_content_dirs',` gen_require(` type $1_home_dir_t, $1_home_t; @@ -18214,7 +18234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3078,7 +3216,7 @@ +@@ -3078,7 +3211,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` 
@@ -18223,7 +18243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4609,11 +4747,29 @@ +@@ -4609,11 +4742,29 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -18254,7 +18274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4633,6 +4789,14 @@ +@@ -4633,6 +4784,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -18269,7 +18289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5487,7 @@ +@@ -5323,7 +5482,7 @@ attribute user_tmpfile; ') @@ -18278,7 +18298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5529,6 +5693,24 @@ +@@ -5529,6 +5688,24 @@ ######################################## ## @@ -18303,7 +18323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5559,3 +5741,386 @@ +@@ -5559,3 +5736,386 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -18692,7 +18712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.8/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-10-29 23:59:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.te 2007-11-06 16:05:52.000000000 -0500 @@ -24,13 +24,6 @@ ## 
@@ -18812,7 +18832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ', ` userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal) ') -@@ -494,3 +497,7 @@ +@@ -494,3 +497,15 @@ optional_policy(` yam_run(sysadm_t,sysadm_r,admin_terminal) ') @@ -18820,6 +18840,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +tunable_policy(`allow_console_login', ` + term_use_console(userdomain) +') ++ ++optional_policy(` ++ netutils_run_ping_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) ++ netutils_run_ping_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) ++ netutils_run_traceroute_cond(user_t,user_r,{ user_tty_device_t user_devpts_t }) ++ netutils_run_traceroute_cond(staff_t,staff_r,{ staff_tty_device_t staff_devpts_t }) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.8/policy/modules/system/virt.fc --- nsaserefpolicy/policy/modules/system/virt.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/system/virt.fc 2007-10-29 23:59:29.000000000 -0400
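Review bot: The new `optional_policy` block at the end of userdomain.te lists the ping and traceroute rules for `user_t` and `staff_t` only, while the matching block is dropped from the shared template in userdomain.if (outer hunk `@@ -18087,15 +18098,24 @@`). Any other role instantiated from that template therefore loses these transitions without notice. The commit subject shows this is intended for `unconfined_t`, but nothing in the policy records it. I would put `# ping/traceroute transitions are listed per role on purpose: unconfined_t must not transition to ping_t` above the block. It is also worth confirming that `sysadm_t` still gets its netutils rules elsewhere, since that is not visible in this hunk. The empty line added after the closing `')` can be dropped.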