From 3c1b7a1589c6b6dbd89ceba50d3b83cdf624aa9c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 08 2009 19:51:55 +0000 Subject: - Allow xdm to unlink xauth_home_t --- diff --git a/policy-F12.patch b/policy-F12.patch index a0e3e92..b444d26 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1568,8 +1568,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.32/policy/modules/admin/vbetool.te --- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2009-09-30 16:12:48.000000000 -0400 -@@ -15,15 +15,22 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/vbetool.te 2009-10-08 14:37:24.000000000 -0400 +@@ -15,15 +15,20 @@ # Local policy # @@ -1588,13 +1588,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +domain_mmap_low_type(vbetool_t) +tunable_policy(`mmap_low_allowed',` domain_mmap_low(vbetool_t) -+', ` -+dontaudit vbetool_t self:memprotect mmap_zero; +') term_use_unallocated_ttys(vbetool_t) -@@ -34,3 +41,8 @@ +@@ -34,3 +39,8 @@ hal_write_log(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t) ') 
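Review bot: Dropping the else-branch `dontaudit vbetool_t self:memprotect mmap_zero;` from the `mmap_low_allowed` tunable in vbetool.te means that with the boolean off the mmap_zero denial is now written to the audit log on every vbetool run instead of being silenced. That is defensible if the intent is for the denial to surface so an administrator can be pointed at the boolean, but it reverses what the previous revision of this patch chose, so a one-line comment above the tunable, `# mmap_zero denials are audited on purpose so mmap_low_allowed is discoverable`, would record the decision.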
@@ -1809,8 +1807,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-06 16:12:55.000000000 -0400 -@@ -0,0 +1,33 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-08 10:58:36.000000000 -0400 +@@ -0,0 +1,34 @@ +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -1820,6 +1818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/bin/skype -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + @@ -1846,7 +1845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-02 10:33:33.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-08 09:29:38.000000000 -0400 @@ -0,0 +1,70 @@ +## execmem domain + 
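Review bot: The new file context `/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0)` in execmem.fc is a prefix wildcard, so every regular file under /usr/sbin whose name begins with VBox enters the execmem domain, whereas the line before it names `vboxadd-service` explicitly. If only specific guest-additions binaries need execmem, listing them the same way keeps the grant to the minimum set; if the wildcard is deliberate, a short comment naming the binaries it is meant to cover would help the next maintainer. The header change `+@@ -0,0 +1,34 @@` accounts for exactly this one added line, so nothing else in execmem.fc moves.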
@@ -8391,8 +8390,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-05 09:44:21.000000000 -0400 -@@ -0,0 +1,401 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-10-08 15:41:51.000000000 -0400 +@@ -0,0 +1,410 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -8702,6 +8701,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ vbetool_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + vpn_run(unconfined_t, unconfined_r) +') + @@ -8766,6 +8769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + gen_require(` + type mplayer_exec_t; ++ type unconfined_execmem_t; + ') + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) +') @@ -8774,14 +8778,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +tunable_policy(`allow_unconfined_nsplugin_transition',`', ` + gen_require(` + type mozilla_exec_t; ++ type unconfined_execmem_t; ++ type nsplugin_exec_t; + ') + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++ domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t) +') +') + +optional_policy(` + gen_require(` + type openoffice_exec_t; ++ type unconfined_execmem_t; + ') + domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) +') 
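Review bot: In the `allow_unconfined_nsplugin_transition` else-branch in unconfineduser.te, the added `domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)` makes every nsplugin wrapper executed by unconfined_t run as unconfined_execmem_t whenever the boolean is off; it is worth confirming that no unconditional type_transition from unconfined_t on nsplugin_exec_t exists elsewhere in the policy, since two transitions on the same source/target pair fail at build time. The added `type unconfined_execmem_t;` requires are the right fix for the previously unsatisfied reference, though the same line is now repeated in three adjacent blocks and could be hoisted into one gen_require if they share an enclosing block.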
@@ -8947,8 +8955,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te --- nsaserefpolicy/policy/modules/roles/xguest.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-06 15:49:56.000000000 -0400 -@@ -36,11 +36,17 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-10-08 15:30:50.000000000 -0400 +@@ -31,16 +31,37 @@ + + userdom_restricted_xwindows_user_template(xguest) + ++ifndef(`enable_mls',` ++ fs_exec_noxattr(xguest_t) ++ ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files(xguest_t) ++ fs_manage_noxattr_fs_dirs(xguest_t) ++ # Write floppies ++ storage_raw_read_removable_device(xguest_t) ++ storage_raw_write_removable_device(xguest_t) ++ ',` ++ storage_raw_read_removable_device(xguest_t) ++ ') ++') ++storage_rw_fuse(xguest_t) ++ + ######################################## + # # Local policy # @@ -8966,7 +8994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -49,6 +55,7 @@ +@@ -49,6 +70,7 @@ fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -8974,7 +9002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_list_pam_console_data(xguest_t) -@@ -67,7 +74,11 @@ +@@ -67,7 +89,11 @@ ') optional_policy(` @@ -8987,7 +9015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -75,9 +86,15 @@ +@@ -75,9 +101,15 @@ ') optional_policy(` 
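Review bot: The block added to xguest.te grants the guest role `fs_exec_noxattr(xguest_t)` and `storage_raw_read_removable_device(xguest_t)` unconditionally on non-MLS builds, plus raw write to removable devices under `user_rw_noexattrfile`, which lets the role meant to be the most restricted execute binaries from a vfat/USB stick and read raw block devices; since this same patch drops the equivalent ifndef block from `userdom_unpriv_user_template` in userdomain.if, the net effect is that only xguest keeps these rights, which looks inverted and deserves a comment stating the intent if it is deliberate. `storage_rw_fuse(xguest_t)` is likewise unconditional. The block is also inserted above the `# Local policy` banner, i.e. in the declarations section; placing it below the banner next to the other xguest_t rules would match the file layout.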
@@ -18949,7 +18977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-10-05 11:42:06.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-10-08 12:25:22.000000000 -0400 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -19011,7 +19039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,74 @@ +@@ -94,23 +113,75 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -19062,6 +19090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_exec_shell(setroubleshoot_fixit_t) + +seutil_domtrans_restorecon(setroubleshoot_fixit_t) ++seutil_domtrans_setsebool(setroubleshoot_fixit_t) + +files_read_usr_files(setroubleshoot_fixit_t) +files_read_etc_files(setroubleshoot_fixit_t) @@ -19715,7 +19744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.32/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.if 2009-10-08 09:12:21.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; 
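Review bot: `seutil_domtrans_setsebool(setroubleshoot_fixit_t)` in setroubleshoot.te lets the fixit helper change any policy boolean, including those that relax confinement, so whatever accepts fix requests for setroubleshoot_fixit_t (outside this hunk) becomes the control point and should validate which boolean a request may flip. If the intent is only that fixit can apply setroubleshoot's own suggestions, a comment such as `# fixit applies suggested boolean changes; requests are gated by the setroubleshoot dbus policy` would make that scope explicit. The setroubleshoot_fixit_t rule set continues beyond the hunk on both sides.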
@@ -19830,15 +19859,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; term_create_pty($1_t,$1_devpts_t) -@@ -206,6 +198,7 @@ +@@ -206,6 +198,8 @@ allow $1_t sshd_key_t:file read_file_perms; kernel_read_kernel_sysctls($1_t) + kernel_read_network_state($1_t) ++ kernel_request_load_module(ssh_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -221,7 +214,12 @@ +@@ -221,7 +215,12 @@ corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) @@ -19851,7 +19881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_dontaudit_getattr_all_fs($1_t) -@@ -237,18 +235,23 @@ +@@ -237,18 +236,23 @@ files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) @@ -19877,7 +19907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`use_samba_home_dirs',` -@@ -257,15 +260,11 @@ +@@ -257,15 +261,11 @@ optional_policy(` kerberos_use($1_t) @@ -19895,7 +19925,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -337,6 +336,7 @@ +@@ -337,6 +337,7 @@ allow ssh_t $3:unix_stream_socket connectto; # user can manage the keys and config @@ -19903,7 +19933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($3, home_ssh_t, home_ssh_t) manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t) manage_sock_files_pattern($3, home_ssh_t, home_ssh_t) -@@ -446,6 +446,24 @@ +@@ -446,6 +447,24 @@ ######################################## ## @@ -19928,7 +19958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read a ssh server unnamed pipe. ## ## -@@ -461,6 +479,23 @@ +@@ -461,6 +480,23 @@ allow $1 sshd_t:fifo_file { getattr read }; ') 
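Review bot: `kernel_request_load_module(ssh_t)` is added inside a template whose every neighbouring rule is written against `$1_t` (`kernel_read_kernel_sysctls($1_t)`, `kernel_read_network_state($1_t)`), and the hunk's own context reads sshd_key_t and binds the ssh port, so this is the server-side template; the new permission therefore goes to the ssh client domain rather than to the server domain being instantiated, and it silently depends on ssh_t being declared wherever the template is expanded. It should read `kernel_request_load_module($1_t)`. The template body starts and ends outside this hunk.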
@@ -19952,7 +19982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## -@@ -603,3 +638,83 @@ +@@ -603,3 +639,83 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -20038,7 +20068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-10-08 09:12:07.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -20994,7 +21024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-02 07:35:59.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-10-08 09:26:09.000000000 -0400 @@ -3,12 +3,17 @@ # HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) @@ -21035,7 +21065,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,16 +91,29 @@ +@@ -89,16 +91,31 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -21043,6 +21073,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/[gxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) ++ ++/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -21755,7 +21787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-10-08 08:58:37.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -21935,7 +21967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t self:appletalk_socket create_socket_perms; allow xdm_t self:key { search link write }; -+allow xdm_t xauth_home_t:file rw_file_perms; ++allow xdm_t xauth_home_t:file manage_file_perms; + allow xdm_t xconsole_device_t:fifo_file { getattr setattr }; +manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t) 
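Review bot: `/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)` in xserver.fc labels a cache directory with the var_lib type, so whatever xdm_t may do to its state under /var/lib now applies to /var/cache/gdm as well and vice versa. If a separate type is not warranted, a comment on the line, `# gdm per-user cache; shares xdm_var_lib_t rather than a dedicated cache type`, would explain the choice; otherwise a dedicated type keeps cache and state separable.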
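Review bot: The change to `allow xdm_t xauth_home_t:file manage_file_perms;` in xserver.te grants unlink on the file class only, but removing a file also needs `remove_name` and `write` on its parent directory, so unless xdm_t already has write access to the directory the xauth file lives in, the unlink this commit is meant to allow will still be denied there. Expressing it with the pattern macro, e.g. `manage_files_pattern(xdm_t, user_home_dir_t, xauth_home_t)`, covers both the file and the directory side in one rule; if the parent is not user_home_dir_t, substitute the directory type xdm actually writes into. If only deletion is needed beyond read/write, `{ rw_file_perms delete_file_perms }` is narrower than the full manage set.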
@@ -23238,7 +23270,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/init.te 2009-10-08 12:27:01.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -23756,13 +23788,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(initrc_t) ifdef(`distro_redhat',` -@@ -764,6 +880,13 @@ +@@ -764,6 +880,21 @@ optional_policy(` mono_domtrans(initrc_t) ') + + # Allow SELinux aware applications to request rpm_script_t execution + rpm_transition_script(initrc_t) ++ ++ ++ optional_policy(` ++ gen_require(` ++ type unconfined_execmem_t, execmem_exec_t; ++ ') ++ init_system_domain(unconfined_execmem_t, execmem_exec_t) ++ ') +') + +optional_policy(` @@ -23770,7 +23810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -789,3 +912,31 @@ +@@ -789,3 +920,31 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -25620,7 +25660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-10-08 15:35:18.000000000 -0400 
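Review bot: The new `init_system_domain(unconfined_execmem_t, execmem_exec_t)` in init.te gives every execmem_exec_t binary started by init/initrc an entry into an unconfined domain, so the execmem.fc entries (including the `/usr/sbin/VBox.*` wildcard added earlier in this patch) now decide which system services run unconfined; that deserves a comment at the rule such as `# services labelled execmem_exec_t (e.g. VirtualBox guest additions) run unconfined with execmem`. Two consecutive blank lines are introduced before the optional_policy block where one matches the file's spacing. The block enclosing these lines is not fully visible in the hunk.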
@@ -351,6 +351,27 @@ ######################################## @@ -25978,7 +26018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-10-08 12:25:39.000000000 -0400 @@ -23,6 +23,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -26207,7 +26247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -499,111 +482,40 @@ +@@ -499,111 +482,41 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -26337,6 +26377,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ') + setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t) ++ setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t) ') optional_policy(` @@ -27723,7 +27764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-07 16:37:24.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-08 15:35:26.000000000 -0400 @@ -30,8 +30,9 @@ ') 
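Review bot: `setroubleshoot_dontaudit_rw_dgram_sockets(setsebool_t)` in selinuxutil.te silences read/write on a setroubleshoot datagram socket that setsebool_t presumably inherits across the fixit-to-setsebool transition added elsewhere in this patch, so the denial is a signal of a descriptor leaking into a privileged policy-changing domain rather than noise. Closing the socket (or marking it close-on-exec) in the fixit code before it executes setsebool removes the cause; if the dontaudit stays as a stop-gap, a comment like `# inherited from setroubleshoot_fixit_t; drop once the fd is closed on exec` keeps it from becoming permanent.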
@@ -28131,17 +28172,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1) + dev_write_video_dev($1) + dev_rw_wireless($1) - -- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) -- xserver_xsession_entry_type($1_t) -- xserver_dontaudit_write_log($1_t) -- xserver_stream_connect_xdm($1_t) ++ + miscfiles_dontaudit_write_fonts($1) + + optional_policy(` + udev_read_db($1) + ') -+ + +- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) +- xserver_xsession_entry_type($1_t) +- xserver_dontaudit_write_log($1_t) +- xserver_stream_connect_xdm($1_t) + optional_policy(` + xserver_user_client($1, user_tmpfs_t) + xserver_xsession_entry_type($1) @@ -28170,7 +28211,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +515,214 @@ +@@ -508,182 +515,213 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -28275,7 +28316,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_exec_checkpolicy($1_t) - seutil_exec_setfiles($1_t) + seutil_exec_setfiles($1_usertype) -+ seutil_exec_restorecond($1_usertype) # for when the network connection is killed # this is needed when a login role can change # to this one. 
@@ -28284,27 +28324,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) + dev_read_mouse($1_usertype) ++ ') ++ ++ optional_policy(` ++ alsa_read_rw_config($1_usertype) ') - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) + optional_policy(` -+ alsa_read_rw_config($1_usertype) ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) -+ # Allow graphical boot to check battery lifespan -+ apm_stream_connect($1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + chrome_role($1_r, $1_usertype) + ') + @@ -28384,21 +28424,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ nsplugin_role($1_r, $1_usertype) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) ++ nsplugin_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_usertype) ') 
@@ -28458,23 +28498,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -711,13 +750,26 @@ +@@ -711,13 +749,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -28482,7 +28520,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -28490,7 +28530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -735,70 +787,72 @@ +@@ -735,70 +786,72 @@ allow $1_t self:context contains; @@ -28596,7 +28636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -826,6 +880,7 @@ +@@ -826,6 +879,7 @@ ') userdom_login_user_template($1) @@ -28604,7 +28644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) -@@ -835,6 +890,32 @@ +@@ -835,6 +889,32 @@ # Local policy # 
@@ -28637,7 +28677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +946,81 @@ +@@ -865,51 +945,83 @@ userdom_restricted_user_template($1) @@ -28654,12 +28694,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) -+ -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -28678,8 +28718,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to to this just so screensaver will work. Should be moved to screensaver domain logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) - -- xserver_restricted_role($1_r, $1_t) ++ seutil_exec_restorecond($1_t) ++ seutil_read_file_contexts($1_t) ++ + optional_policy(` + alsa_read_rw_config($1_usertype) + ') @@ -28687,7 +28728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + apache_role($1_r, $1_usertype) + ') -+ + +- xserver_restricted_role($1_r, $1_t) + optional_policy(` + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) @@ -28732,7 +28774,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1054,8 @@ +@@ -943,8 +1055,8 @@ # Declarations # @@ -28742,7 +28784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,11 +1064,12 @@ +@@ -953,58 +1065,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here 
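Review bot: `seutil_exec_restorecond($1_t)` and `seutil_read_file_contexts($1_t)` are added to userdom_restricted_xwindows_user_template against `$1_t`, while the rules this patch introduces around them (`auth_search_pam_console_data($1_usertype)`, `dev_read_sound($1_usertype)`, `alsa_read_rw_config($1_usertype)`) are written against `$1_usertype`; the earlier userdomain.if hunk in this patch also drops `seutil_exec_restorecond($1_usertype)` from userdom_common_user_template, so the net change narrows restorecond execution from the whole usertype to the login domain only. If that narrowing is intended, a comment should say so; otherwise `seutil_exec_restorecond($1_usertype)` matches the rest of the template. The template starts and ends outside this hunk.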
@@ -28752,66 +28794,73 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_xserver_port($1_t) - files_exec_usr_files($1_t) +- # cjp: why? +- files_read_kernel_symbol_table($1_t) + storage_rw_fuse($1_t) -+ - # cjp: why? - files_read_kernel_symbol_table($1_t) -@@ -975,36 +1087,61 @@ +- ifndef(`enable_mls',` +- fs_exec_noxattr($1_t) ++ # Allow users to run TCP servers (bind to ports and accept connection from ++ # the same domain and outside users) disabling this forces FTP passive mode ++ # and may change other protocols ++ tunable_policy(`user_tcp_server',` ++ corenet_tcp_bind_all_nodes($1_usertype) ++ corenet_tcp_bind_all_unreserved_ports($1_usertype) ++ ') + +- tunable_policy(`user_rw_noexattrfile',` +- fs_manage_noxattr_fs_files($1_t) +- fs_manage_noxattr_fs_dirs($1_t) +- # Write floppies +- storage_raw_read_removable_device($1_t) +- storage_raw_write_removable_device($1_t) +- ',` +- storage_raw_read_removable_device($1_t) ++ optional_policy(` ++ cdrecord_role($1_r, $1_t) ') ++ ++ optional_policy(` ++ cron_role($1_r, $1_t) ') - tunable_policy(`user_dmesg',` - kernel_read_ring_buffer($1_t) - ',` - kernel_dontaudit_read_ring_buffer($1_t) -- ') -- - # Allow users to run TCP servers (bind to ports and accept connection from - # the same domain and outside users) disabling this forces FTP passive mode - # and may change other protocols - tunable_policy(`user_tcp_server',` ++ optional_policy(` ++ games_rw_data($1_usertype) + ') + +- # Allow users to run TCP servers (bind to ports and accept connection from +- # the same domain and outside users) disabling this forces FTP passive mode +- # and may change other protocols +- tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) -+ corenet_tcp_bind_all_nodes($1_usertype) -+ corenet_tcp_bind_all_unreserved_ports($1_usertype) ++ optional_policy(` ++ gpg_role($1_r, $1_usertype) ') optional_policy(` - 
netutils_run_ping_cond($1_t,$1_r) - netutils_run_traceroute_cond($1_t,$1_r) -+ cdrecord_role($1_r, $1_t) ++ gpm_stream_connect($1_usertype) ') optional_policy(` - postgresql_role($1_r,$1_t) -+ cron_role($1_r, $1_t) ++ execmem_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ games_rw_data($1_usertype) ++ java_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ gpg_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ execmem_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + mono_role_template($1, $1_r, $1_t) + ') + @@ -28833,7 +28882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1177,7 @@ +@@ -1040,7 +1161,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -28842,7 +28891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1186,7 @@ +@@ -1049,8 +1170,7 @@ # # Inherit rules for ordinary users. @@ -28852,7 +28901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1211,9 @@ +@@ -1075,6 +1195,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -28862,7 +28911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1228,7 @@ +@@ -1089,6 +1212,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
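Review bot: In the rewritten `user_tcp_server` tunable of userdom_unpriv_user_template, `corenet_tcp_bind_generic_node($1_t)` / `corenet_tcp_bind_generic_port($1_t)` become `corenet_tcp_bind_all_nodes($1_usertype)` / `corenet_tcp_bind_all_unreserved_ports($1_usertype)`, which as far as I can tell widens the boolean from unlabelled ports to every port above 1023 including those carrying a service label, and extends it to every domain in the usertype attribute, so with the boolean on a user program can occupy a port a confined service expects to bind. The comment above the tunable still describes only the FTP-passive-mode trade-off and should state the new reach, e.g. `# NOTE: covers all unreserved ports, labelled or not, for every $1_usertype domain`. The `user_dmesg` tunable_policy is removed here; if `gen_tunable(user_dmesg, ...)` remains in userdomain.te it is now a dead boolean. The template starts and ends outside this hunk.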
@@ -28870,7 +28919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1236,6 @@ +@@ -1096,8 +1220,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -28879,7 +28928,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1262,8 @@ +@@ -1124,6 +1246,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -28888,7 +28937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1292,6 @@ +@@ -1152,20 +1276,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -28909,7 +28958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1337,7 @@ +@@ -1211,6 +1321,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -28917,7 +28966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1403,15 @@ +@@ -1276,11 +1387,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -28933,7 +28982,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1522,13 @@ +@@ -1391,12 +1506,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -28948,7 +28997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1561,14 @@ +@@ -1429,6 +1545,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -28963,7 +29012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1584,11 @@ +@@ -1444,9 +1568,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -28975,7 +29024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1645,25 @@ +@@ -1503,6 +1629,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -29001,7 +29050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1738,8 @@ +@@ -1577,6 +1722,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29010,7 +29059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1833,7 @@ +@@ -1670,6 +1817,7 @@ type user_home_dir_t, user_home_t; ') @@ -29018,7 +29067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1961,32 @@ +@@ -1797,19 +1945,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -29058,7 +29107,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2021,7 @@ +@@ -1844,6 +2005,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -29066,7 +29115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2569,7 @@ +@@ -2391,27 +2553,7 @@ ######################################## ## 
@@ -29095,7 +29144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2765,11 +2923,32 @@ +@@ -2765,11 +2907,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -29130,7 +29179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3076,25 @@ +@@ -2897,7 +3060,25 @@ type user_tmp_t; ') @@ -29157,7 +29206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3131,7 @@ +@@ -2934,6 +3115,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -29165,7 +29214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3262,559 @@ +@@ -3064,3 +3246,559 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ae44649..76e1129 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -13,14 +13,14 @@ %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif -%define POLICYVER 23 +%define POLICYVER 24 %define libsepolver 2.0.20-1 %define POLICYCOREUTILSVER 2.0.71-2 %define CHECKPOLICYVER 2.0.16-3 Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 22%{?dist} +Release: 23%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Wed Oct 8 2009 Dan Walsh 3.6.32-23 +- Allow xdm to unlink xauth_home_t + * Wed Oct 7 2009 Dan Walsh 3.6.32-22 - Allow polickit to read meminfo