From f18a482d7d562cc0b66ee4748322671e1be3c031 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 24 2010 21:07:03 +0000 Subject: Monu May 24 2010 Dan Walsh 3.7.19-21 - Allow login programs to read krb5_home_t Resolves: #594833 - Add obsoletes for cachefilesfd-selinux package Resolves: #575084 --- diff --git a/policy-F13.patch b/policy-F13.patch index 51f7920..ed5a490 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -384,6 +384,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console role system_r types consoletype_t; ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.19/policy/modules/admin/dmesg.te +--- nsaserefpolicy/policy/modules/admin/dmesg.te 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/admin/dmesg.te 2010-05-24 12:17:32.000000000 -0400 +@@ -51,6 +51,11 @@ + userdom_use_user_terminals(dmesg_t) + + optional_policy(` ++ abrt_rw_fifo_file(dmesg_t) ++ abrt_manage_pid_files(dmesg_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(dmesg_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.19/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-04-14 10:48:18.000000000 -0400 
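Review bot: The new optional block in dmesg.te calls `abrt_manage_pid_files(dmesg_t)` with no comment saying which dmesg invocation needs it, and by its name that interface grants create, write and delete on abrt's pid files. If the denials came from abrt starting dmesg with inherited or redirected descriptors, access to the already-open file is presumably enough and the manage grant is wider than the use case. I would put a comment above the block, for example `# abrt execs dmesg with its output redirected (confirm against the AVC)`, and narrow the second call if a read/write-only abrt interface is available.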
@@ -3405,7 +3420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.19/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-04-28 12:18:06.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.if 2010-05-24 17:06:20.000000000 -0400 @@ -21,6 +21,7 @@ type gpg_agent_t, gpg_agent_exec_t; type gpg_agent_tmp_t; @@ -3438,7 +3453,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') -@@ -95,3 +102,65 @@ +@@ -78,6 +85,43 @@ + domtrans_pattern($1, gpg_exec_t, gpg_t) + ') + ++###################################### ++## ++## Transition to a gpg web domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_domtrans_web',` ++ gen_require(` ++ type gpg_web_t, gpg_exec_t; ++ ') ++ ++ domtrans_pattern($1, gpg_exec_t, gpg_web_t) ++') ++ ++###################################### ++## ++## Make gpg an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which cifs_t is an entrypoint. ++## ++## ++# ++interface(`gpg_entry_type',` ++ gen_require(` ++ type gpg_exec_t; ++ ') ++ ++ domain_entry_file($1, gpg_exec_t) ++') ++ + ######################################## + ## + ## Send generic signals to user gpg processes. +@@ -95,3 +139,65 @@ allow $1 gpg_t:process signal; ') 
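Review bot: The parameter description of the new `gpg_entry_type` interface reads `The domain for which cifs_t is an entrypoint.`, which looks copied from another module. The body uses `gpg_exec_t`, so the text should be `The domain for which gpg_exec_t is an entrypoint.`. In `gpg_domtrans_web` just above it, `Domain allowed access.` would be more accurate as `Domain allowed to transition.`, because the interface grants a transition into gpg_web_t rather than access to an object. Both are documentation-only changes.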
@@ -3506,7 +3565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.19/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-13 10:54:06.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/apps/gpg.te 2010-05-24 17:06:20.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations @@ -3515,11 +3574,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ## ##

-@@ -14,12 +15,13 @@ +@@ -14,12 +15,21 @@ ## gen_tunable(gpg_agent_env_file, false) -type gpg_t; ++## ++##

++## Allow gpg web domain to modify public files ++## used for public file transfer services. ++##

++##
++gen_tunable(gpg_web_anon_write, false) ++ +type gpg_t, gpgdomain; type gpg_exec_t; typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t }; @@ -3530,7 +3597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s type gpg_agent_t; type gpg_agent_exec_t; -@@ -45,6 +47,7 @@ +@@ -45,6 +55,7 @@ typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t }; application_domain(gpg_helper_t, gpg_helper_exec_t) ubac_constrained(gpg_helper_t) @@ -3538,7 +3605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s type gpg_pinentry_t; type pinentry_exec_t; -@@ -53,22 +56,33 @@ +@@ -53,22 +64,38 @@ application_domain(gpg_pinentry_t, pinentry_exec_t) ubac_constrained(gpg_pinentry_t) @@ -3550,6 +3617,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +files_tmpfs_file(gpg_pinentry_tmpfs_t) +ubac_constrained(gpg_pinentry_tmpfs_t) + ++type gpg_web_t; ++domain_type(gpg_web_t) ++gpg_entry_type(gpg_web_t) ++role system_r types gpg_web_t; ++ ######################################## # # GPG local policy @@ -3577,7 +3649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # transition from the gpg domain to the helper domain domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) -@@ -79,6 +93,9 @@ +@@ -79,6 +106,9 @@ kernel_read_sysctl(gpg_t) @@ -3587,7 +3659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s corenet_all_recvfrom_unlabeled(gpg_t) corenet_all_recvfrom_netlabel(gpg_t) corenet_tcp_sendrecv_generic_if(gpg_t) -@@ -95,6 +112,7 @@ +@@ -95,6 +125,7 @@ dev_read_generic_usb_dev(gpg_t) fs_getattr_xattr_fs(gpg_t) @@ -3595,7 +3667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s domain_use_interactive_fds(gpg_t) -@@ -112,6 +130,8 @@ +@@ -112,6 +143,8 @@ # sign/encrypt user files userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) 
@@ -3604,7 +3676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s mta_write_config(gpg_t) -@@ -126,15 +146,20 @@ +@@ -126,15 +159,20 @@ ') optional_policy(` @@ -3629,7 +3701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s ######################################## # # GPG helper local policy -@@ -184,6 +209,7 @@ +@@ -184,6 +222,7 @@ # # GPG agent local policy # @@ -3637,7 +3709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s # rlimit: gpg-agent wants to prevent coredumps allow gpg_agent_t self:process setrlimit; -@@ -202,10 +228,16 @@ +@@ -202,10 +241,16 @@ manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t) files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir }) @@ -3654,7 +3726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s domain_use_interactive_fds(gpg_agent_t) -@@ -215,6 +247,10 @@ +@@ -215,6 +260,10 @@ userdom_use_user_terminals(gpg_agent_t) # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) userdom_search_user_home_dirs(gpg_agent_t) @@ -3665,7 +3737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s tunable_policy(`gpg_agent_env_file',` # write ~/.gpg-agent-info or a similar to the users home dir -@@ -237,31 +273,74 @@ +@@ -237,31 +286,74 @@ fs_manage_cifs_symlinks(gpg_agent_t) ') @@ -3741,7 +3813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) ') -@@ -271,5 +350,25 @@ +@@ -271,5 +363,46 @@ ') optional_policy(` 
@@ -3767,7 +3839,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s +optional_policy(` + xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) + ++') ++ ++############################# ++# ++# gpg web local policy ++# ++ ++allow gpg_web_t self:process setrlimit; ++ ++can_exec(gpg_web_t, gpg_exec_t) ++ ++files_read_usr_files(gpg_web_t) ++ ++miscfiles_read_localization(gpg_web_t) ++ ++apache_dontaudit_rw_tmp_files(gpg_web_t) ++apache_manage_sys_content_rw(gpg_web_t) ++ ++tunable_policy(`gpg_web_anon_write',` ++ miscfiles_manage_public_files(gpg_web_t) ') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.19/policy/modules/apps/irc.fc --- nsaserefpolicy/policy/modules/apps/irc.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/apps/irc.fc 2010-04-14 10:48:18.000000000 -0400 
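Review bot: In the new `gpg web local policy` section, `apache_manage_sys_content_rw(gpg_web_t)` is granted unconditionally, while only the public-files access sits behind the `gpg_web_anon_write` tunable, and no line in the section says why each grant is needed. As defined in this same commit, that interface gives manage access to directories, files and symlinks of httpd_sys_rw_content_t, so a gpg process started from a web request can create and delete anything carrying that label. A one-line comment stating the intended use, for example `# keyring and output files live in httpd rw content` (to be confirmed), would let a later reader judge whether this is still the minimum. `apache_dontaudit_rw_tmp_files(gpg_web_t)` deserves the same, e.g. `# descriptors inherited from httpd` if that is the reason, because a dontaudit rule hides the denial from whoever debugs this domain next.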
@@ -9958,22 +10051,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.19/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-03-05 17:14:56.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-04-14 10:48:18.000000000 -0400 -@@ -16,6 +16,10 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-05-24 14:22:21.000000000 -0400 +@@ -16,11 +16,7 @@ # optional_policy(` +- java_role_template(guest, guest_r, guest_t) + apache_role(guest_r, guest_t) -+') -+ -+optional_policy(` - java_role_template(guest, guest_r, guest_t) - ') - -@@ -23,4 +27,4 @@ - mono_role_template(guest, guest_r, guest_t) ') +-optional_policy(` +- mono_role_template(guest, guest_r, guest_t) +-') +- -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te @@ -9990,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.19/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2010-03-10 15:27:26.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-12 09:01:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/roles/staff.te 2010-05-24 14:24:22.000000000 -0400 @@ -9,25 +9,56 @@ role staff_r; 
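Review bot: The changelog in the commit message does not mention what the rewritten guest.te section now does: instead of adding an `apache_role(guest_r, guest_t)` block beside the existing ones, it replaces `java_role_template(guest, guest_r, guest_t)` with it and deletes the `mono_role_template` block. Dropping the Java and Mono role templates narrows what guest_t may run and is visible to existing guest_u accounts. It should get its own changelog line, for example `- Remove java and mono role templates from guest_t`, so the restriction can be traced when a guest user reports a new denial.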
@@ -11873,7 +11963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.19/policy/modules/services/abrt.if --- nsaserefpolicy/policy/modules/services/abrt.if 2010-03-01 15:12:54.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-20 09:42:12.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.if 2010-05-24 12:15:09.000000000 -0400 @@ -19,6 +19,28 @@ domtrans_pattern($1, abrt_exec_t, abrt_t) ') @@ -12815,7 +12905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-19 14:04:37.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-05-24 17:06:20.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
@@ -13040,10 +13130,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -843,6 +878,31 @@ +@@ -841,6 +876,54 @@ + manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) + ') - ######################################## - ## ++###################################### ++## ++## Allow the specified domain to manage ++## apache system content rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_manage_sys_content_rw',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++ manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++######################################## ++## +## Allow the specified domain to delete +## apache system content rw files. +## @@ -13067,12 +13182,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + -+######################################## -+## + ######################################## + ## ## Execute all web scripts in the system - ## script domain. - ## -@@ -858,6 +918,11 @@ +@@ -858,6 +941,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -13084,7 +13197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1010,7 @@ +@@ -945,7 +1033,7 @@ type httpd_squirrelmail_t; ') 
@@ -13093,7 +13206,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1102,7 +1167,7 @@ +@@ -1086,6 +1174,25 @@ + read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) + ') + ++###################################### ++## ++## Dontaudit attempts to read and write ++## apache tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_dontaudit_rw_tmp_files',` ++ gen_require(` ++ type httpd_tmp_t; ++ ') ++ ++ dontaudit $1 httpd_tmp_t:file { read write }; ++') ++ + ######################################## + ## + ## Dontaudit attempts to write +@@ -1102,7 +1209,7 @@ type httpd_tmp_t; ') @@ -13102,7 +13241,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1237,7 @@ +@@ -1172,7 +1279,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -13111,7 +13250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1267,44 @@ +@@ -1202,12 +1309,44 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; @@ -13159,7 +13298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-19 11:32:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-24 17:06:20.000000000 -0400 @@ -19,11 +19,13 @@ # Declarations # 
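Review bot: The parameter description of the new `apache_dontaudit_rw_tmp_files` interface says `Domain allowed access.`, but the body only emits `dontaudit $1 httpd_tmp_t:file { read write };` and allows nothing. The description should be `Domain to not audit.`, which is how a reader of the generated interface documentation tells a rule that silences denials from one that grants access. No code change is needed.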
@@ -13231,6 +13370,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. +@@ -131,7 +161,7 @@ + + ## + ##

+-## Allow httpd to run gpg ++## Allow httpd to run gpg in gpg-web domain + ##

+ ##
+ gen_tunable(httpd_use_gpg, false) @@ -143,6 +173,13 @@ ## gen_tunable(httpd_use_nfs, false) @@ -13445,7 +13593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,6 +642,10 @@ +@@ -537,8 +642,12 @@ ') optional_policy(` @@ -13454,8 +13602,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_use_gpg',` - gpg_domtrans(httpd_t) +- gpg_domtrans(httpd_t) ++ gpg_domtrans_web(httpd_t) ') + ') + @@ -557,6 +666,7 @@ optional_policy(` @@ -16554,7 +16705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron tunable_policy(`fcron_crond', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.19/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/cups.fc 2010-05-24 11:06:51.000000000 -0400 @@ -13,10 +13,14 @@ /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0) @@ -16578,7 +16729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) /usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) -@@ -52,13 +57,22 @@ +@@ -52,13 +57,23 @@ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
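Review bot: The updated description of `httpd_use_gpg`, `Allow httpd to run gpg in gpg-web domain`, leaves out that the boolean does nothing on its own. The only rule it controls in the later apache.te hunk, `gpg_domtrans_web(httpd_t)`, sits under the condition `httpd_enable_cgi && httpd_use_gpg`. I would write the description as `Allow httpd to run gpg in the gpg_web_t domain (requires httpd_enable_cgi)`, which also names the type an administrator will see in audit records. The enclosing optional_policy block continues outside the lines shown.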
@@ -16597,6 +16748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0) /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + ++/usr/local/Brother/fax/.*\.log gen_context(system_u:object_r:cupsd_log_t,s0) +/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + @@ -19427,7 +19579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-03-18 06:48:09.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-04-14 10:48:18.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2010-05-24 10:53:14.000000000 -0400 @@ -74,7 +74,7 @@ ') @@ -27213,7 +27365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.19/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2010-01-11 09:40:36.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-04-30 09:53:00.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/sendmail.te 2010-05-21 10:39:51.000000000 -0400 @@ -20,6 +20,9 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) 
@@ -27294,9 +27446,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send udev_read_db(sendmail_t) ') -@@ -184,3 +197,4 @@ +@@ -182,5 +195,6 @@ + + optional_policy(` mta_etc_filetrans_aliases(unconfined_sendmail_t) - unconfined_domain(unconfined_sendmail_t) +- unconfined_domain(unconfined_sendmail_t) ++ unconfined_domain_noaudit(unconfined_sendmail_t) ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.19/policy/modules/services/setroubleshoot.fc @@ -28724,6 +28879,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp + daemontools_sigchld_run(ucspitcp_t) +') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc +--- nsaserefpolicy/policy/modules/services/usbmuxd.fc 2010-04-05 14:44:26.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/usbmuxd.fc 2010-05-24 12:21:35.000000000 -0400 +@@ -1,3 +1,3 @@ + /usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0) + +-/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) ++/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if --- nsaserefpolicy/policy/modules/services/varnishd.if 2009-07-23 14:11:04.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-04-14 10:48:18.000000000 -0400 
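Review bot: The switch from `unconfined_domain(unconfined_sendmail_t)` to `unconfined_domain_noaudit(unconfined_sendmail_t)` at the end of sendmail.te has no comment, and the name indicates the domain loses the audit rules the plain interface adds on top (presumably auditallow rules; the interface bodies are not in this diff). For a domain that is already unconfined, those records are among the few signals left when the mail server misbehaves. The reason for silencing them should be recorded next to the call, e.g. `# noaudit: <reason / bug number>`.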
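Review bot: The replacement file-context pattern `/var/run/usbmuxd.*` in usbmuxd.fc drops both the `-s` socket restriction and any path boundary, so it labels every object of any class whose path merely starts with `/var/run/usbmuxd` as usbmuxd_var_run_t. If the intent is to cover the socket plus a pid file or a directory, the pattern should say so, for instance `/var/run/usbmuxd(/.*)?` for a directory; which form applies depends on what the daemon creates, which this hunk does not show. At minimum, a `#` comment listing the paths the daemon creates would make the pattern checkable.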
@@ -29894,7 +30057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-02-12 10:33:09.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-17 08:29:34.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-05-24 10:43:35.000000000 -0400 @@ -36,6 +36,13 @@ ## @@ -30172,7 +30335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -305,20 +400,32 @@ +@@ -305,20 +400,33 @@ # XDM Local policy # @@ -30205,10 +30368,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) +userdom_signull_unpriv_users(xdm_t) ++userdom_dontaudit_read_admin_home_lnk_files(xdm_t) # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -326,32 +433,53 @@ +@@ -326,32 +434,53 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -30267,7 +30431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -359,10 +487,13 @@ +@@ -359,10 +488,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -30281,7 +30445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -371,15 +502,21 @@ +@@ -371,15 +503,21 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -30304,7 +30468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -394,11 +531,14 @@ +@@ -394,11 +532,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -30319,7 +30483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -406,6 +546,7 @@ +@@ -406,6 +547,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -30327,7 +30491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -414,18 +555,22 @@ +@@ -414,18 +556,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -30353,7 +30517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -436,9 +581,17 @@ +@@ -436,9 +582,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -30371,7 +30535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -447,14 +600,19 @@ +@@ -447,14 +601,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -30391,7 +30555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -465,10 +623,12 @@ +@@ -465,10 +624,12 @@ logging_read_generic_logs(xdm_t) 
@@ -30406,7 +30570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -477,6 +637,11 @@ +@@ -477,6 +638,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30418,7 +30582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -509,10 +674,12 @@ +@@ -509,10 +675,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -30431,7 +30595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -520,12 +687,50 @@ +@@ -520,12 +688,50 @@ ') optional_policy(` @@ -30482,7 +30646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -543,20 +748,59 @@ +@@ -543,20 +749,59 @@ ') optional_policy(` @@ -30544,7 +30708,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -565,7 +809,6 @@ +@@ -565,7 +810,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -30552,7 +30716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -576,6 +819,10 @@ +@@ -576,6 +820,10 @@ ') optional_policy(` @@ -30563,7 +30727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -600,10 +847,9 @@ +@@ -600,10 +848,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -30575,7 +30739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -615,6 +861,18 @@ +@@ -615,6 +862,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -30594,7 +30758,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -634,12 +892,19 @@ +@@ -634,12 +893,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -30616,7 +30780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -673,7 +938,6 @@ +@@ -673,7 +939,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30624,7 +30788,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -683,9 +947,12 @@ +@@ -683,9 +948,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -30638,7 +30802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -700,8 +967,13 @@ +@@ -700,8 +968,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -30652,7 +30816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -723,11 +995,14 @@ +@@ -723,11 +996,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -30667,7 +30831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -779,12 +1054,24 @@ +@@ -779,12 +1055,24 @@ ') optional_policy(` @@ -30693,7 +30857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -811,7 +1098,7 @@ +@@ -811,7 +1099,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -30702,7 +30866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -832,9 +1119,14 @@ +@@ -832,9 +1120,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -30717,7 +30881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -849,11 +1141,14 @@ +@@ -849,11 +1142,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -30734,7 +30898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -999,3 +1294,33 @@ +@@ -999,3 +1295,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -30807,7 +30971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-21 09:15:58.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if 2010-05-24 10:53:23.000000000 -0400 @@ -41,7 +41,6 @@ ## # @@ -30841,7 +31005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_use_pam($1) init_rw_utmp($1) -@@ -151,6 +154,36 @@ +@@ -151,6 +154,40 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -30855,6 +31019,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + ') + + optional_policy(` ++ kerberos_read_config($1) ++ ') ++ ++ optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) + ') @@ -30878,7 +31046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo tunable_policy(`allow_polyinstantiation',` files_polyinstantiate_all($1) ') -@@ -365,13 +398,15 @@ +@@ -365,13 +402,15 @@ ') optional_policy(` @@ -30895,7 +31063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -418,6 +453,7 @@ +@@ -418,6 +457,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -30903,7 +31071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -1500,6 +1536,8 @@ +@@ -1500,6 +1540,8 @@ # interface(`auth_use_nsswitch',` 
@@ -30912,7 +31080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1569,15 @@ +@@ -1531,7 +1573,15 @@ ') optional_policy(` @@ -32814,6 +32982,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.19/policy/modules/system/miscfiles.if +--- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-03-09 15:39:06.000000000 -0500 ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-21 10:32:22.000000000 -0400 +@@ -305,9 +305,6 @@ + allow $1 locale_t:dir list_dir_perms; + read_files_pattern($1, locale_t, locale_t) + read_lnk_files_pattern($1, locale_t, locale_t) +- +- # why? +- libs_read_lib_files($1) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-04-14 10:48:18.000000000 -0400 
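Review bot: Removing `libs_read_lib_files($1)` from the miscfiles.if interface changes the effective permissions of every domain that calls it, and neither this hunk nor the commit message says which callers were checked. The interface header is outside the hunk; the visible body is the one that reads locale_t files. The removed line carried a `# why?` comment, so the cleanup is reasonable, but callers that relied on the implicit lib read will now see denials that are hard to trace back to this change. A changelog line such as `- Remove libs_read_lib_files from the localization interface` would record the change.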
@@ -35652,8 +35833,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.19/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-04-14 10:48:18.000000000 -0400 -@@ -1,4 +1,11 @@ ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.fc 2010-05-24 14:15:38.000000000 -0400 +@@ -1,4 +1,12 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -35663,12 +35844,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) ++HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-17 09:19:46.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if 2010-05-24 14:25:06.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -35927,8 +36109,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` -+ fs_mount_nfs($2) -+ fs_mounton_nfs($2) ++ fs_mount_nfs($2) ++ fs_mounton_nfs($2) fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) fs_manage_nfs_symlinks($2) @@ -35940,8 +36122,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`use_samba_home_dirs',` -+ fs_mount_cifs($2) -+ fs_mounton_cifs($2) ++ fs_mount_cifs($2) ++ fs_mounton_cifs($2) fs_manage_cifs_dirs($2) fs_manage_cifs_files($2) fs_manage_cifs_symlinks($2) @@ -35953,15 +36135,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -303,6 +319,7 @@ +@@ -303,6 +319,47 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) + relabel_files_pattern($2, user_tmp_t, user_tmp_t) ++') ++ ++####################################### ++## ++## Execute user bin files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_exec_user_bin_files',` ++ gen_require(` ++ attribute user_home_type; ++ type home_bin_t, user_home_dir_t; ++ ') ++ ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) ++ files_search_home($1) ++') ++ ++####################################### ++## ++## Execute user bin files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_exec_user_bin_files',` ++ gen_require(` ++ attribute user_home_type; ++ type home_bin_t, user_home_dir_t; ++ ') ++ ++ exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) ++ files_search_home($1) ') ####################################### -@@ -322,6 +339,7 @@ +@@ -322,6 +379,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) 
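Review bot: `userdom_exec_user_bin_files` is added twice in the `@@ -303,6 +319,47 @@` userdomain.if section, with identical header comment, `gen_require` block and body; the second copy should be dropped so the interface has a single definition, since a duplicate is easy to change in only one place later and the policy build may flag it. The interface lets the caller execute `home_bin_t`, which this commit assigns to `HOME_DIR/bin(/.*)?`, presumably user-writable content, so the summary should say so, for example `## Execute files in the user's ~/bin directory (home_bin_t).` Whether callers gate it behind `allow_$1_exec_content`, as is done for `userdom_exec_user_home_content_files`, is not visible in this hunk and is worth confirming. The first added `')` closes an interface that begins outside the hunk.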
@@ -35969,7 +36191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -368,46 +386,41 @@ +@@ -368,46 +426,41 @@ ####################################### ## @@ -36036,7 +36258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -438,6 +451,7 @@ +@@ -438,6 +491,7 @@ dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -36044,7 +36266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -498,7 +512,7 @@ +@@ -498,7 +552,7 @@ attribute unpriv_userdomain; ') @@ -36053,7 +36275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -508,71 +522,78 @@ +@@ -508,71 +562,78 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -36170,7 +36392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -580,65 +601,104 @@ +@@ -580,65 +641,108 @@ ') optional_policy(` 
@@ -36210,49 +36432,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ hal_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) ++ hal_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_var_lib_files($1_usertype) + ') + + optional_policy(` + vpn_dbus_chat($1_usertype) - ') ++ ') ++ ') ++ ++ optional_policy(` ++ git_session_role($1_r, $1_usertype) ') optional_policy(` 
@@ -36280,20 +36506,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -649,41 +709,50 @@ +@@ -649,41 +753,50 @@ optional_policy(` # to allow monitoring of pcmcia status @@ -36355,7 +36581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -711,13 +780,26 @@ +@@ -711,13 +824,26 @@ userdom_base_user_template($1) @@ -36364,12 +36590,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) ++ ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) -+ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -36387,7 +36613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -735,70 +817,73 @@ +@@ -735,70 +861,73 @@ allow $1_t self:context contains; 
@@ -36452,10 +36678,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -36494,7 +36720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -830,12 +915,35 @@ +@@ -830,12 +959,35 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -36530,7 +36756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -871,45 +979,83 @@ +@@ -871,45 +1023,83 @@ # auth_role($1_r, $1_t) @@ -36605,14 +36831,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + policykit_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ pulseaudio_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) ++ pulseaudio_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + rtkit_scheduled($1_usertype) ') @@ -36629,7 +36855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -944,7 +1090,7 @@ +@@ -944,7 +1134,7 @@ # # Inherit rules for ordinary users. @@ -36638,7 +36864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -953,54 +1099,73 @@ +@@ -953,54 +1143,73 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -36687,13 +36913,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) + cdrecord_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) + cron_role($1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + games_rw_data($1_usertype) + ') + @@ -36727,22 +36956,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) - ') - ++ ') ++ + # Run pppd in pppd_t by default for user - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1036,7 +1201,7 @@ +@@ -1036,7 +1245,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -36751,7 +36977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1071,6 +1236,9 @@ +@@ -1071,6 +1280,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -36761,7 +36987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1085,6 +1253,7 @@ +@@ -1085,6 +1297,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -36769,7 +36995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1116,10 +1285,13 @@ +@@ -1116,10 +1329,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -36783,7 +37009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1139,6 +1311,7 @@ +@@ -1139,6 +1355,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -36791,7 +37017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1207,6 +1380,8 @@ +@@ -1207,6 +1424,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -36800,7 +37026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1234,6 +1409,7 @@ +@@ -1234,6 +1453,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -36808,7 +37034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1272,11 +1448,15 @@ +@@ -1272,11 +1492,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -36824,7 +37050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1387,6 +1567,7 @@ +@@ -1387,6 +1611,7 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -36832,7 +37058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_home($1) ') -@@ -1433,6 +1614,14 @@ +@@ -1433,6 +1658,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -36847,7 +37073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1448,9 +1637,11 @@ +@@ -1448,9 +1681,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -36859,7 +37085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1507,6 +1698,42 @@ +@@ -1507,6 +1742,42 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -36902,7 +37128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## ## Create directories in the home dir root with -@@ -1581,6 +1808,8 @@ +@@ -1581,6 +1852,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -36911,7 +37137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1595,10 +1824,12 @@ +@@ -1595,10 +1868,12 @@ # interface(`userdom_list_user_home_content',` gen_require(` @@ -36926,7 +37152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1641,6 +1872,24 @@ +@@ -1641,6 +1916,24 @@ ######################################## ## @@ -36951,7 +37177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1692,6 +1941,7 @@ +@@ -1692,6 +1985,7 @@ type user_home_dir_t, user_home_t; ') @@ -36959,7 +37185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1708,11 +1958,14 @@ +@@ -1708,11 +2002,14 @@ # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -36977,7 +37203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1802,8 +2055,7 @@ +@@ -1802,8 +2099,7 @@ type user_home_dir_t, user_home_t; ') @@ -36987,7 +37213,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1819,20 +2071,14 @@ +@@ -1815,24 +2111,17 @@ + ## Domain allowed access. + ## + ## +-## # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -37012,7 +37242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -1866,6 +2112,7 @@ +@@ -1866,6 +2155,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -37020,7 +37250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2102,6 +2349,25 @@ +@@ -2102,6 +2392,25 @@ ######################################## ## 
@@ -37046,72 +37276,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to list user ## temporary directories. ## -@@ -2218,7 +2484,7 @@ +@@ -2218,6 +2527,25 @@ ######################################## ## --## Do not audit attempts to manage users +## Do not audit attempts to write users - ## temporary files. - ## - ## -@@ -2227,30 +2493,49 @@ - ## - ## - # --interface(`userdom_dontaudit_manage_user_tmp_files',` -+interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- dontaudit $1 user_tmp_t:file manage_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read user temporary symbolic links. -+## Do not audit attempts to manage users +## temporary files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_user_tmp_symlinks',` -+interface(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ dontaudit $1 user_tmp_t:file manage_file_perms; -+') -+ -+######################################## -+## -+## Read user temporary symbolic links. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_read_user_tmp_symlinks',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - allow $1 user_tmp_t:dir list_dir_perms; - files_search_tmp($1) - ') -@@ -2427,13 +2712,14 @@ ++ dontaudit $1 user_tmp_t:file write; ++') ++ ++######################################## ++## + ## Do not audit attempts to manage users + ## temporary files. + ## +@@ -2427,13 +2755,14 @@ ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) 
@@ -37127,7 +37318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## ## ## -@@ -2454,6 +2740,24 @@ +@@ -2454,6 +2783,24 @@ ######################################## ## @@ -37152,7 +37343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Get the attributes of a user domain tty. ## ## -@@ -2747,6 +3051,25 @@ +@@ -2747,6 +3094,25 @@ ######################################## ## @@ -37178,7 +37369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Execute bin_t in the unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -@@ -2787,7 +3110,7 @@ +@@ -2787,7 +3153,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -37187,7 +37378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow unpriv_userdomain $1:process sigchld; ') -@@ -2803,11 +3126,13 @@ +@@ -2803,11 +3169,13 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -37203,7 +37394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2944,7 +3269,7 @@ +@@ -2944,7 +3312,7 @@ type user_tmp_t; ') @@ -37212,7 +37403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2981,6 +3306,7 @@ +@@ -2981,6 +3349,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -37220,7 +37411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -3111,3 +3437,664 @@ +@@ -3111,3 +3480,682 @@ allow $1 userdomain:dbus send_msg; ') @@ -37304,7 +37495,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## Domain allowed access. +## +## -+## +# +interface(`userdom_ptrace_all_users',` + gen_require(` 
@@ -37793,6 +37983,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + dontaudit $1 admin_home_t:file getattr; +') ++ ++######################################## ++## ++## dontaudit read /root lnk files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_read_admin_home_lnk_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:lnk_file read; ++') ++ +######################################## +## +## Create, read, write, and delete user @@ -37887,7 +38096,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-04-15 10:24:19.000000000 -0400 ++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te 2010-05-24 14:17:00.000000000 -0400 @@ -29,13 +29,6 @@ ## @@ -37933,13 +38142,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +100,32 @@ +@@ -97,3 +100,36 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) + -+type home_cert_t, user_home_type; -+files_type(home_cert_t) ++type home_bin_t; ++userdom_user_home_content(home_bin_t) ++ubac_constrained(home_bin_t) ++ ++type home_cert_t; ++userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + +tunable_policy(`allow_console_login',` diff --git a/selinux-policy.spec b/selinux-policy.spec index f3b549c..dd589d6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
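Review bot: The parameter description of the new `userdom_dontaudit_read_admin_home_lnk_files` says "Domain allowed access.", but the body is a single `dontaudit $1 admin_home_t:lnk_file read;` and grants nothing. It should read `## Domain to not audit.`, the wording this patch already uses for `userdom_dontaudit_write_user_tmp_files`. The summary would also be clearer as a full sentence, `## Do not audit attempts to read symbolic links in /root.` A dontaudit rule suppresses the denial record, so the interface documentation is where a maintainer learns that these reads are dropped without an audit trail.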
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -316,6 +316,7 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: audispd-plugins <= 1.7.7-1 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit %description targeted @@ -468,6 +469,12 @@ exit 0 %endif %changelog +* Monu May 24 2010 Dan Walsh 3.7.19-21 +- Allow login programs to read krb5_home_t +Resolves: #594833 +- Add obsoletes for cachefilesfd-selinux package +Resolves: #575084 + * Thu May 20 2010 Dan Walsh 3.7.19-20 - Allow mount to r/w abrt fifo file Resolves: #594014
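Review bot: The new %changelog entry begins `* Monu May 24 2010`, which is not a valid weekday abbreviation; rpmbuild validates changelog dates and is likely to reject the spec, so the entry should start `* Mon May 24 2010`. The same entry names `cachefilesfd-selinux`, while the tag added in the `@@ -316,6 +316,7 @@` hunk is `Obsoletes: cachefilesd-selinux <= 0.10-1`; the two spellings should agree. The name in the Obsoletes tag decides whether the old policy package is actually replaced on upgrade, so it is worth checking against the real package name from bug #575084.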