From d892091bc79c3dd7641d8f851fa17ebb89107529 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 02 2008 20:47:51 +0000 Subject: - Allow kismet to kill itself --- diff --git a/policy-20080710.patch b/policy-20080710.patch index d0e7e7c..0891e4c 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -515,11 +515,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(consoletype_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te --- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-11-24 10:49:49.000000000 -0500 -@@ -26,10 +26,12 @@ ++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-12-02 11:02:32.000000000 -0500 +@@ -25,11 +25,13 @@ + # kismet local policy # - allow kismet_t self:capability { net_admin net_raw setuid setgid }; +-allow kismet_t self:capability { net_admin net_raw setuid setgid }; ++allow kismet_t self:capability { kill net_admin net_raw setuid setgid }; +allow kismet_t self:process signal; allow kismet_t self:fifo_file rw_file_perms; allow kismet_t self:packet_socket create_socket_perms; @@ -2195,8 +2197,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.5.13/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2008-11-24 10:49:49.000000000 -0500 -@@ -8,8 +8,34 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/gnome.te 2008-12-02 15:46:33.000000000 -0500 +@@ -8,8 +8,33 @@ attribute gnomedomain; 
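Review bot: The new `kill` capability on kismet_t is added without a comment saying why a packet sniffer needs a DAC-bypass capability, and the only process-class rule next to it is the pre-existing `allow kismet_t self:process signal;`, so a reader cannot tell from the file whether the pair is complete. From the surrounding rules I infer that kismet drops root via the existing setuid/setgid and then signals a same-domain process of a different UID, which is what trips CAP_KILL; a one-line comment above the rule such as `# CAP_KILL: kismet signals its privileged sibling after dropping root; MAC side stays limited to self:process signal` would record that and stop a later reviewer from "cleaning up" the capability. Note that the `signal` permission does not cover SIGKILL or SIGSTOP (those are the separate `sigkill` and `sigstop` permissions), so if kismet ends its helper with SIGKILL this hunk will still produce an AVC — worth checking against the original denial. The kismet_t rule block continues outside the hunk.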
@@ -2220,7 +2222,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +typealias gconf_home_t alias unconfined_gconf_home_t; +typealias gconf_tmp_t alias unconfined_gconf_tmp_t; + -+ +############################## +# +# Declarations @@ -14091,7 +14092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-02 10:19:35.000000000 -0500 @@ -20,6 +20,12 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -14423,7 +14424,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -564,12 +626,14 @@ +@@ -552,6 +614,8 @@ + files_read_etc_runtime_files(hplip_t) + files_read_usr_files(hplip_t) + ++fs_read_anon_inodefs_files(hplip_t) ++ + libs_use_ld_so(hplip_t) + libs_use_shared_libs(hplip_t) + +@@ -564,12 +628,14 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14439,7 +14449,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -651,3 +715,44 @@ +@@ -651,3 +717,44 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -17366,7 +17376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-02 15:11:02.000000000 -0500 @@ -13,6 +13,9 @@ type munin_etc_t alias lrrd_etc_t; files_config_file(munin_etc_t) @@ -17461,7 +17471,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_search_home_dirs(munin_t) optional_policy(` -@@ -109,7 +127,21 @@ +@@ -109,7 +127,30 @@ ') optional_policy(` @@ -17472,6 +17482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + mta_read_config(munin_t) + mta_send_mail(munin_t) ++ mta_read_queue(munin_t) +') + +optional_policy(` @@ -17480,11 +17491,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ postfix_list_spool(munin_t) ++') ++ ++optional_policy(` ++ rpc_search_nfs_state_data(munin_t) ++') ++ ++optional_policy(` + sendmail_read_log(munin_t) ') optional_policy(` -@@ -119,3 +151,9 @@ +@@ -119,3 +160,9 @@ optional_policy(` udev_read_db(munin_t) ') 
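Review bot: `mta_read_queue(munin_t)` grants munin read access to the contents of the mail queue, which is broader than the `postfix_list_spool(munin_t)` added in the same hunk suggests is needed: a queue-size plugin only has to list and stat spool entries, whereas queued messages carry full mail bodies and headers for every user. Unless the original denial was a `read` on a queue file rather than `search`/`getattr`, I would drop `mta_read_queue` and keep the list access, or at least justify it inline, e.g. `# munin mailqueue plugin reads queue files, not just counts them`. The `rpc_search_nfs_state_data(munin_t)` addition is search-only and looks proportionate. Both new optional_policy blocks are complete within the hunk; the munin_t rule block continues outside it.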
@@ -17889,7 +17908,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-27 17:38:06.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-12-02 11:37:43.000000000 -0500 @@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -17956,7 +17975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -119,27 +131,41 @@ +@@ -119,27 +131,42 @@ seutil_read_config(NetworkManager_t) @@ -17979,6 +17998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +sysnet_read_dhcpc_state(NetworkManager_t) +sysnet_signal_dhcpc(NetworkManager_t) ++userdom_dgram_send(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) # Read gnome-keyring @@ -18005,7 +18025,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -151,8 +177,25 @@ +@@ -151,8 +178,25 @@ ') optional_policy(` @@ -18033,7 +18053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -160,23 +203,48 @@ +@@ -160,23 +204,48 @@ ') optional_policy(` @@ -18084,7 +18104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,7 +262,9 @@ +@@ -194,7 +263,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) 
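Review bot: `userdom_dgram_send(NetworkManager_t)` lets a system daemon `sendto` the unix datagram sockets of every unprivileged user domain (the interface is written against the `unpriv_userdomain` attribute), and the call site gives no hint which interaction needs it. Presumably NetworkManager is answering a datagram that a user-session process sent to it first; if so, a comment such as `# reply on unix dgram sockets owned by user session processes` would keep the next reader from widening or removing the rule blindly, and if the original AVC names one specific user domain a rule scoped to that domain is preferable to the whole attribute. This reason is inferred, so please confirm it against the denial that prompted the change. The NetworkManager_t rule block continues outside the hunk.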
@@ -26648,7 +26668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-12-02 15:46:34.000000000 -0500 @@ -16,6 +16,7 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -27930,7 +27950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-27 06:38:45.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-12-02 15:46:42.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -28003,7 +28023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -122,6 +150,31 @@ +@@ -122,6 +150,37 @@ type xserver_log_t; logging_log_file(xserver_log_t) 
@@ -28032,10 +28052,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type xauth_tmp_t; +files_tmp_file(xauth_tmp_t) + ++typealias fonts_home_t alias unconfined_fonts_t; ++typealias fonts_cache_home_t alias unconfined_fonts_cache_t; ++typealias fonts_config_home_t alias unconfined_fonts_config_t; ++typealias iceauth_home_t alias uncofined_iceauth_home_t; ++typealias xauth_home_t alias unconfiend_xauth_rw_t; ++ xserver_common_domain_template(xdm) xserver_common_x_domain_template(xdm, xdm, xdm_t) init_system_domain(xdm_xserver_t, xserver_exec_t) -@@ -140,13 +193,14 @@ +@@ -140,13 +199,14 @@ # XDM Local policy # @@ -28053,7 +28079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:tcp_socket create_stream_socket_perms; allow xdm_t self:udp_socket create_socket_perms; allow xdm_t self:socket create_socket_perms; -@@ -154,6 +208,12 @@ +@@ -154,6 +214,12 @@ allow xdm_t self:key { search link write }; allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; @@ -28066,7 +28092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -169,6 +229,8 @@ +@@ -169,6 +235,8 @@ manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t) files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file }) @@ -28075,7 +28101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) -@@ -176,15 +238,32 @@ +@@ -176,15 +244,32 @@ manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) 
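Review bot: Two of the five new compatibility aliases are misspelled: `typealias iceauth_home_t alias uncofined_iceauth_home_t;` and `typealias xauth_home_t alias unconfiend_xauth_rw_t;`. The three fonts aliases above them follow the `unconfined_*` spelling, so the old names these are meant to preserve are presumably `unconfined_iceauth_home_t` and `unconfined_xauth_rw_t`; as written the aliases do not cover those names, so any file still labeled with them after the upgrade ends up with an unknown type and any module that still references them fails to load — exactly what the aliases exist to prevent. The fix is `typealias iceauth_home_t alias unconfined_iceauth_home_t;` and `typealias xauth_home_t alias unconfined_xauth_rw_t;`, assuming those are the old names.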
@@ -28110,7 +28136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -198,6 +277,7 @@ +@@ -198,6 +283,7 @@ allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xdm_xserver_t:shm rw_shm_perms; @@ -28118,7 +28144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,11 +309,13 @@ +@@ -229,11 +315,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -28132,7 +28158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -241,6 +323,7 @@ +@@ -241,6 +329,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28140,7 +28166,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +336,17 @@ +@@ -253,14 +342,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -28160,7 +28186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +357,13 @@ +@@ -271,9 +363,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -28174,7 +28200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +372,7 @@ +@@ -282,6 +378,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28182,7 +28208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +381,7 @@ +@@ -290,6 +387,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -28190,7 +28216,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +393,26 @@ +@@ -301,21 +399,26 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -28222,7 +28248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +445,12 @@ +@@ -348,10 +451,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28235,7 +28261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +458,22 @@ +@@ -359,6 +464,22 @@ ') optional_policy(` @@ -28258,7 +28284,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +497,34 @@ +@@ -382,16 +503,34 @@ ') optional_policy(` @@ -28294,7 +28320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -411,6 +544,10 @@ +@@ -411,6 +550,10 @@ ') optional_policy(` 
@@ -28305,7 +28331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -427,7 +564,7 @@ +@@ -427,7 +570,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -28314,7 +28340,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +576,15 @@ +@@ -439,6 +582,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -28330,7 +28356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +596,19 @@ +@@ -450,10 +602,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -28351,7 +28377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +623,19 @@ +@@ -468,8 +629,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -28371,7 +28397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +647,25 @@ +@@ -481,8 +653,25 @@ ') optional_policy(` @@ -28399,7 +28425,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +674,6 @@ +@@ -491,7 +680,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') 
@@ -28407,7 +28433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -512,6 +694,27 @@ +@@ -512,6 +700,27 @@ allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28435,7 +28461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` # Need to further investigate these permissions and # perhaps define derived types. -@@ -544,3 +747,73 @@ +@@ -544,3 +753,73 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO @@ -32519,8 +32545,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-11-24 10:49:49.000000000 -0500 -@@ -6,35 +6,76 @@ ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-12-02 14:32:28.000000000 -0500 +@@ -6,35 +6,77 @@ # Declarations # @@ -32555,6 +32581,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_restricted_user_template(unconfined) +#userdom_common_user_template(unconfined) +#userdom_xwindows_client_template(unconfined) ++userdom_execmod_user_home_files(unconfined_t) type unconfined_exec_t; init_system_domain(unconfined_t, unconfined_exec_t) 
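Review bot: `userdom_execmod_user_home_files(unconfined_t)` unconditionally allows the unconfined user domain to execmod files of type user_home_t, i.e. to execute writable, text-relocated mappings of anything a user drops into their home directory, which removes one of the few memory-protection checks that still apply to unconfined_t. Fedora policy of this vintage gates execmod/execmem allowances behind booleans elsewhere, so if the `allow_execmod` tunable exists in this tree the call belongs under it rather than being always on, e.g. `` tunable_policy(`allow_execmod',` userdom_execmod_user_home_files(unconfined_t) ') ``. If it must be unconditional, a comment naming the libraries that triggered the denial would at least document the trade-off. The unconfined_t rule block continues outside the hunk.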
@@ -32604,7 +32631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,28 +83,39 @@ +@@ -42,28 +84,39 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -32648,7 +32675,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,12 +127,6 @@ +@@ -75,12 +128,6 @@ ') optional_policy(` @@ -32661,7 +32688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(unconfined_t) dbus_stub(unconfined_t) -@@ -106,12 +152,24 @@ +@@ -106,12 +153,24 @@ ') optional_policy(` @@ -32686,7 +32713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -123,31 +181,33 @@ +@@ -123,31 +182,33 @@ ') optional_policy(` @@ -32727,7 +32754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -159,43 +219,49 @@ +@@ -159,43 +220,49 @@ ') optional_policy(` @@ -32793,7 +32820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -203,7 +269,7 @@ +@@ -203,7 +270,7 @@ ') optional_policy(` @@ -32802,7 +32829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -215,11 +281,12 @@ +@@ -215,11 +282,12 @@ ') optional_policy(` @@ -32817,7 +32844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +296,61 @@ +@@ -229,14 +297,61 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
@@ -32896,7 +32923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-11-25 10:39:06.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-12-02 14:58:41.000000000 -0500 @@ -28,10 +28,14 @@ class context contains; ') @@ -35078,7 +35105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5667,546 @@ +@@ -5513,3 +5667,584 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') 
@@ -35625,6 +35652,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_fifo_files_pattern($1, user_tmpfs_t, user_tmpfs_t) + fs_tmpfs_filetrans($1, user_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +') ++ ++######################################## ++## ++## Send a message to unpriv users over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dgram_send',` ++ gen_require(` ++ attribute unpriv_userdomain; ++ ') ++ ++ allow $1 unpriv_userdomain:unix_dgram_socket sendto; ++') ++ ++####################################### ++## ++## Allow execmod on files in homedirectory ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_execmod_user_home_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ allow $1 user_home_t:file execmod; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-11-24 10:49:49.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index d5f5f08..72326da 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -457,6 +457,9 @@ exit 0 %endif %changelog +* Tue Dec 2 2008 Dan Walsh 3.5.13-28 +- Allow kismet to kill itself + * Thu Nov 27 2008 Dan Walsh 3.5.13-27 - Allow iptables dac permissions - Allow awstates to use inotify
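Review bot: The header of the new `userdom_execmod_user_home_files` interface says only "Allow execmod on files in homedirectory", which understates both its scope and its risk: the rule is `allow $1 user_home_t:file execmod;`, so it covers the user_home_t type only (not the other home-content types) and it lets the caller execute modified, e.g. text-relocated, mappings of any file the user can write in their home directory. I would say that in the summary, e.g. `## Allow the domain to execmod (execute a modified/text-relocated mapping of) files of type user_home_t; this weakens execmod protection for libraries loaded from home directories, so callers should gate it behind a tunable.` The sibling `userdom_dgram_send` summary should likewise name its target so callers see the breadth: `## Send unix datagram messages to all unprivileged user domains (the unpriv_userdomain attribute).` Both interfaces are complete within the hunk.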