diff --git a/policy-20100106.patch b/policy-20100106.patch
index f06d9a5..b0a68c0 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
+--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-11 18:21:26.000000000 +0100
+@@ -11,6 +11,7 @@
+ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-11 13:38:03.000000000 +0100
@@ -276,6 +287,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type v4l_device_t;
 dev_node(v4l_device_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-12 13:41:16.000000000 +0100
+@@ -2,7 +2,7 @@
+ # e.g.:
+ # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+ /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-12 13:42:23.000000000 +0100
+@@ -39,6 +39,8 @@
+ type unconfined_exec_t;
+ init_system_domain(unconfined_t, unconfined_exec_t)
+ role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
+
+ domain_user_exemption_target(unconfined_t)
+ allow system_r unconfined_r;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
@@ -584,6 +619,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ##
 ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-12 18:08:14.000000000 +0100
+@@ -477,8 +477,8 @@
+
+ ssh_sigchld(sftpd_t)
+
+-files_read_all_files(sftpd_t)
+-files_read_all_symlinks(sftpd_t)
++auth_read_all_files_except_shadow(sftpd_t)
++auth_read_all_symlinks_except_shadow(sftpd_t)
+
+ fs_read_noxattr_fs_files(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
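Review bot: The added `allow system_r unconfined_r;` in the unconfineduser.te hunk duplicates the `allow system_r unconfined_r;` that is already present as context two lines further down, so the only genuinely new rule there is `role_transition system_r unconfined_exec_t unconfined_r;`; drop the added copy so the role allow is stated once. In the unconfineduser.fc hunk, relabelling /usr/bin/vncserver from unconfined_notrans_exec_t to unconfined_exec_t changes what happens when initrc starts it, while mock and sysreport keep the notrans label under the same "we need initrc to transition to unconfined_t" comment, so a one-line comment on the vncserver entry such as `# vncserver: initrc transitions to unconfined_t (see role_transition in unconfineduser.te)` would make the split read as intentional. The sandbox.if context at the top of this outer hunk belongs to an inner diff that starts outside it.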
@@ -674,6 +723,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 domain_use_interactive_fds(xauth_t)
 dev_rw_xserver_misc(xauth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-12 13:43:28.000000000 +0100
+@@ -872,6 +872,7 @@
+
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ domain_role_change_exemption(initrc_t)
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
 --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
 +++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-09 20:37:29.000000000 +0100
@@ -849,3 +909,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
+--- nsaserefpolicy/policy/users 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/users 2010-01-12 13:48:30.000000000 +0100
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c3cc70a..f5c7630 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
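Review bot: `domain_role_change_exemption(initrc_t)` in the init.te hunk exempts initrc_t from the role-change constraint for any role, which is wider than the single system_r to unconfined_r transition this commit adds in unconfineduser.te and is presumably the reason the line is needed; if the exemption cannot be narrowed, a why-comment on the added line, `# required for role_transition system_r unconfined_exec_t unconfined_r (unconfineduser.te)`, records that link so the line is neither removed nor widened further later. The enclosing optional_policy block ends outside this hunk.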
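Review bot: The `gen_user(system_u,, system_r unconfined_r, ...)` hunk against policy/users in policy-20100106.patch looks dead after this commit: the spec's new `cp -f $RPM_SOURCE_DIR/users-%1 ./policy/users \` in setupCmd copies the per-variant users-%1 file over policy/users, and if that runs after the patch is applied (presumably, since setupCmd is invoked per variant at build time) the patched file never reaches the build. Keeping both leaves two places that define system_u's role set, and for the mls variant the patch grants unconfined_r only for users-mls to take it away again. Dropping this hunk from the patch, or stating in the spec that users-%1 is authoritative, would give a single source of truth.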
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 69%{?dist}
+Release: 70%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -46,6 +46,10 @@ Source18: setrans-minimum.conf
 Source19: securetty_types-minimum
 Source20: customizable_types
 Source21: config.tgz
+Source22: users-mls
+Source23: users-targeted
+Source24: users-olpc
+Source25: users-minimum
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -98,6 +102,7 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
 make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
 cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
 cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
+cp -f $RPM_SOURCE_DIR/users-%1 ./policy/users \
 %define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
 awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
@@ -451,6 +456,10 @@ exit 0
 %endif
 %changelog
+* Tue Jan 12 2010 Miroslav Grepl 3.6.32-70
+- Move users file to selection by spec file.
+- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
+
 * Mon Jan 11 2010 Miroslav Grepl 3.6.32-69
 - Fixes for iscsid
 - Allow openvpn to bind to http port
diff --git a/users-minimum b/users-minimum
new file mode 100644
index 0000000..8207eed
--- /dev/null
+++ b/users-minimum
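Review bot: The changelog entry `- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t` names the unconfined_u identity, but the mechanism this commit adds elsewhere (`role_transition system_r unconfined_exec_t unconfined_r` plus unconfined_r in system_u's role set in users-targeted) changes only the role, so a vncserver started from an init script would presumably run as system_u:unconfined_r:unconfined_t; confirm which context is intended and reword the entry, e.g. `- Allow initrc-started vncserver to transition to unconfined_r:unconfined_t`. The entry also omits the other user-visible changes carried in policy-20100106.patch, the sftpd switch from files_read_all_files to auth_read_all_files_except_shadow and the /usr/bin/epiphany labelling, which deserve a line each since the first narrows what sftpd may read.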
@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
new file mode 100644
index 0000000..05d2671
--- /dev/null
+++ b/users-mls
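Review bot: The `gen_user(system_u,, system_r unconfined_r, ...)` line adds unconfined_r to the role set of system_u in users-minimum, and identically in users-olpc and users-targeted, so any system_u process whose domain is exempt from the role-change constraint can enter unconfined_r, not only the initrc-to-vncserver path this commit is about; a comment above that line, `# unconfined_r: lets initrc-started unconfined_exec_t programs transition to unconfined_r (unconfineduser.te)`, would record why the widening is there. Since users-minimum, users-olpc and users-targeted are byte-identical (all index 8207eed), a note in the spec that the three are expected to stay in sync would help the next editor. The inherited comment typos `wil` (will) and `mcs_catetories` (mcs_categories) appear in all four new files, users-mls included.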
@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-olpc b/users-olpc
new file mode 100644
index 0000000..8207eed
--- /dev/null
+++ b/users-olpc
@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-targeted b/users-targeted
new file mode 100644
index 0000000..8207eed
--- /dev/null
+++ b/users-targeted
@@ -0,0 +1,38 @@
+##################################
+#
+# Core User configuration.
+#
+
+#
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
+
+#
+# system_u is the user identity for system processes and objects.
+# There should be no corresponding Unix user identity for system,
+# and a user process should never be assigned the system user
+# identity.
+#
+gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# user_u is a generic user identity for Linux users who have no
+# SELinux user identity defined. The modified daemons will use
+# this user identity in the security context if there is no matching
+# SELinux user identity for a Linux user. If you do not want to
+# permit any access to such users, then remove this entry.
+#
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+#
+# The following users correspond to Unix identities.
+# These identities are typically assigned as the user attribute
+# when login starts the user shell. Users with access to the sysadm_r
+# role should use the staff_r role instead of the user_r role when
+# not in the sysadm_r.
+#
+gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)