From 123ae9957db40ca9f4f2d7f779500acc82970d36 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 08 2009 14:30:36 +0000 Subject: - Lots of fixes for initrc and other unconfined domains --- diff --git a/policy-F12.patch b/policy-F12.patch index 141e251..ade4d43 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -989,7 +989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol locallogin_dontaudit_use_fds(tzdata_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-09-08 07:14:39.000000000 -0400 @@ -274,6 +274,11 @@ usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -1004,7 +1004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.30/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te 2009-09-08 07:19:05.000000000 -0400 @@ -209,6 +209,7 @@ files_manage_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t) 
@@ -1046,7 +1046,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -468,15 +468,12 @@ +@@ -465,18 +465,16 @@ + selinux_compute_relabel_context(useradd_t) + selinux_compute_user_contexts(useradd_t) + ++term_use_console(useradd_t) term_use_all_user_ttys(useradd_t) term_use_all_user_ptys(useradd_t) @@ -1065,19 +1069,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_use_fds(useradd_t) init_rw_utmp(useradd_t) -@@ -494,10 +491,7 @@ +@@ -494,10 +492,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) mta_manage_spool(useradd_t) -@@ -521,6 +515,12 @@ +@@ -521,6 +517,12 @@ ') optional_policy(` @@ -1398,7 +1402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.30/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/apps/gnome.if 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/apps/gnome.if 2009-09-08 07:07:37.000000000 -0400 @@ -89,5 +89,175 @@ allow $1 gnome_home_t:dir manage_dir_perms; 
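Review bot: The second hunk on this line swaps the targeted `userdom_manage_user_home_content_dirs`, `userdom_manage_user_home_content_files` and `userdom_user_home_dir_filetrans_user_home_content` rules for `userdom_manage_home_role(system_r, useradd_t)`, whose scope is defined in userdomain.if and is not visible here; since it presumably bundles role and home-management rules beyond what was removed, a comment such as `# useradd creates and removes home directories; manage_home_role replaces the per-class rules` would record that the widening is intentional. The `userdom_home_filetrans_user_home_dir(useradd_t)` line is kept as context on the new side, so the file transition is retained. The useradd_t block continues outside the hunk.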
@@ -4395,12 +4399,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-02 09:37:57.000000000 -0400 -@@ -9,20 +9,36 @@ ++++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-08 07:24:41.000000000 -0400 +@@ -9,20 +9,46 @@ type wine_t; type wine_exec_t; application_domain(wine_t, wine_exec_t) +role system_r types wine_t; ++ ++type wine_tmp_t; ++files_tmp_file(wine_tmp_t) ++ubac_constrained(wine_tmp_t) ######################################## # @@ -4414,6 +4422,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - unconfined_domain_noaudit(wine_t) +allow wine_t self:fifo_file manage_fifo_file_perms; + ++can_exec(wine_t, wine_exec_t) ++ ++manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) ++manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) ++files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir }) ++ +domain_mmap_low_type(wine_t) +tunable_policy(`mmap_low_allowed',` + domain_mmap_low(wine_t) @@ -4428,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +optional_policy(` -+ unconfined_domain(wine_t) ++ unconfined_domain_noaudit(wine_t) +') + +optional_policy(` 
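Review bot: The third hunk on this line replaces `unconfined_domain(wine_t)` with `unconfined_domain_noaudit(wine_t)`, which drops AVC audit records for a domain that the first two hunks also place in system_r and allow low-address mappings under `mmap_low_allowed`; nothing in the hunk records why audit suppression is wanted. A one-line comment above the optional_policy block, e.g. `# noaudit: <reason AVC records for unconfined wine_t are suppressed — TODO fill in>`, would keep the loss of visibility deliberate and traceable. Separately, `files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })` lacks the space after the comma used on the neighbouring lines; `files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })`. The wine_t local policy section continues outside the hunk.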
@@ -4513,7 +4527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.30/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if 2009-09-07 07:16:21.000000000 -0400 @@ -893,6 +893,7 @@ read_lnk_files_pattern($1, bin_t, bin_t) @@ -4522,6 +4536,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -973,6 +974,7 @@ + type bin_t; + ') + ++ manage_dirs_pattern($1, bin_t, exec_type) + manage_files_pattern($1, bin_t, exec_type) + manage_lnk_files_pattern($1, bin_t, bin_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in 2009-08-31 13:40:47.000000000 -0400 @@ -5246,7 +5268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.30/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/kernel/files.if 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/kernel/files.if 2009-09-07 06:40:00.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
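Review bot: The added `manage_dirs_pattern($1, bin_t, exec_type)` in the second hunk on this line widens an interface whose `## <summary>` header sits above inner line 973, outside the hunk; if that header still describes managing executable files only, it should now also say the caller can create and remove directories labelled bin_t, e.g. `## Create, read, write, and delete bin directories and all executable files`. The interface name cannot be read from the hunk, so check the header of the interface that contains the `manage_files_pattern($1, bin_t, exec_type)` line.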
@@ -5683,7 +5705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-04 11:37:45.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-08 07:44:43.000000000 -0400 @@ -1537,6 +1537,24 @@ ######################################## @@ -6142,7 +6164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.30/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if 2009-09-08 07:17:17.000000000 -0400 @@ -173,7 +173,7 @@ dev_list_all_dev_nodes($1) @@ -8028,14 +8050,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.30/policy/modules/services/abrt.fc --- nsaserefpolicy/policy/modules/services/abrt.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.30/policy/modules/services/abrt.fc 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/abrt.fc 2009-09-07 13:12:20.000000000 -0400 
@@ -0,0 +1,13 @@ + +/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) + +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) + -+/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) + +/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) + @@ -11273,7 +11295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.30/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/services/devicekit.te 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/devicekit.te 2009-09-07 07:18:47.000000000 -0400 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -11295,7 +11317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process signal_perms; + allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; 
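Review bot: The devicekit.te hunk on this line adds `setuid` and `setgid` to the devicekit_disk_t capability set, alongside the existing `dac_override`, `sys_ptrace` and `sys_rawio`, with no comment saying which operation needs to change identity; a domain that can both switch uid/gid and access raw disks deserves a precise note. Suggest `# setuid/setgid: <DeviceKit-disks operation that changes identity — TODO confirm>` above the allow rule, and if the need is narrower than the whole daemon, consider whether it belongs to a helper domain instead. The rest of the devicekit_disk_t policy is outside the hunk.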
@@ -11495,8 +11517,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # dovecot deliver local policy diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.30/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/services/exim.te 2009-08-31 13:40:47.000000000 -0400 -@@ -191,6 +191,10 @@ ++++ serefpolicy-3.6.30/policy/modules/services/exim.te 2009-09-07 06:39:57.000000000 -0400 +@@ -111,6 +111,7 @@ + files_search_var(exim_t) + files_read_etc_files(exim_t) + files_read_etc_runtime_files(exim_t) ++files_getattr_all_mountpoints(exim_t) + + fs_getattr_xattr_fs(exim_t) + fs_list_inotifyfs(exim_t) +@@ -191,6 +192,10 @@ ') optional_policy(` @@ -11945,7 +11975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.30/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/services/hal.te 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/hal.te 2009-09-07 07:18:31.000000000 -0400 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -12184,6 +12214,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +permissive hddtemp_t; + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.30/policy/modules/services/inetd.te +--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/inetd.te 2009-09-08 06:38:44.000000000 -0400 +@@ -138,6 +138,8 @@ + files_read_etc_files(inetd_t) + files_read_etc_runtime_files(inetd_t) + ++auth_use_nsswitch(inetd_t) ++ + logging_send_syslog_msg(inetd_t) + + miscfiles_read_localization(inetd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.30/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/kerberos.te 2009-08-31 13:40:47.000000000 -0400 @@ -18321,7 +18363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.30/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/services/virt.te 2009-08-31 13:57:44.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/services/virt.te 2009-09-08 10:19:57.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -18367,7 +18409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,18 +75,38 @@ +@@ -48,27 +75,58 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) 
@@ -18408,7 +18450,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -69,6 +116,14 @@ ++manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) ++manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) ++ + manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -18423,7 +18470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -87,6 +142,7 @@ +@@ -87,6 +145,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -18431,7 +18478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,30 +153,52 @@ +@@ -97,30 +156,52 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -18487,7 +18534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -130,7 +208,14 @@ +@@ -130,7 +211,14 @@ logging_send_syslog_msg(virtd_t) @@ -18502,7 +18549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +253,35 @@ +@@ -168,22 +256,35 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) 
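Review bot: The two `manage_dirs_pattern`/`manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)` lines are inserted between the virtd_t rules for virt_etc_t and virt_etc_rw_t, so the guest domain's rules end up in the management daemon's section; move them to the svirt_t local policy section (outside this hunk), where the other svirt_t rules presumably live, or add `# svirt guests keep their own cache under svirt_cache_t` so the placement reads as intentional. svirt_cache_t's declaration is not visible here, so confirm it exists in this module before relying on it.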
@@ -18525,16 +18572,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + lvm_domtrans(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') -+ -+optional_policy(` + + optional_policy(` +- qemu_domtrans(virtd_t) + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -18543,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +294,159 @@ +@@ -196,8 +297,159 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -21415,7 +21462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.30/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/system/init.te 2009-08-31 13:40:47.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/system/init.te 2009-09-08 07:47:24.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart, false) @@ -21587,7 +21634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +fs_unmount_all_fs(initrc_t) +fs_remount_all_fs(initrc_t) +fs_getattr_all_fs(initrc_t) -+fs_search_nfsd_fs(initrc_t) ++fs_search_all(initrc_t) +fs_getattr_nfsd_files(initrc_t) + +# initrc_t needs to do a pidof which requires ptrace 
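Review bot: In the init.te hunk on this line, `fs_search_nfsd_fs(initrc_t)` becomes `fs_search_all(initrc_t)`, which extends directory search from the nfsd filesystem to every filesystem type, and unlike the neighbouring `# initrc_t needs to do a pidof which requires ptrace` line it carries no explanation. A matching `# <init script> needs to search <filesystem type>; widened from nfsd only` would keep the pattern and make the widening reviewable. The initrc_t block this hunk belongs to continues on both sides of it.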
@@ -21649,9 +21696,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -325,47 +415,13 @@ +@@ -324,48 +414,16 @@ + files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) ++files_manage_mnt_dirs(initrc_t) ++files_manage_mnt_files(initrc_t) -fs_register_binary_executable_type(initrc_t) -# rhgb-console writes to ramfs @@ -21699,7 +21749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -374,13 +430,14 @@ +@@ -374,19 +432,22 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -21715,7 +21765,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -422,8 +479,6 @@ + # started from init should be placed in their own domain. + userdom_use_user_terminals(initrc_t) + ++usermanage_domtrans_passwd(initrc_t) ++ + ifdef(`distro_debian',` + dev_setattr_generic_dirs(initrc_t) + +@@ -422,8 +483,6 @@ # init scripts touch this clock_dontaudit_write_adjtime(initrc_t) @@ -21724,7 +21782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for integrated run_init to read run_init_type. # happens during boot (/sbin/rc execs init scripts) seutil_read_default_contexts(initrc_t) -@@ -450,11 +505,9 @@ +@@ -450,11 +509,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd 
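Review bot: `usermanage_domtrans_passwd(initrc_t)` is added at top level, unlike the cross-module calls elsewhere in this file that sit inside `optional_policy(\`` blocks; unless usermanage is built into the base policy on this distribution, a build without that module fails on the unresolved interface. Letting every init script transition into passwd_t is also a notable grant and the hunk gives no hint which script needs it; a comment like `# <init script> runs passwd to <purpose> — TODO confirm` above the call would document it. The same applies to the unexplained `files_manage_mnt_dirs(initrc_t)`/`files_manage_mnt_files(initrc_t)` pair in the first hunk on this line.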
@@ -21737,7 +21795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These seem to be from the initrd # during device initialization: dev_create_generic_dirs(initrc_t) -@@ -464,6 +517,7 @@ +@@ -464,6 +521,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -21745,11 +21803,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -492,11 +546,13 @@ +@@ -492,11 +550,17 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) + bind_setattr_zone_dirs(initrc_t) ++ ') ++ ++ optional_policy(` ++ gnome_manage_gconf_config(initrc_t) ') optional_policy(` @@ -21759,7 +21821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,6 +571,33 @@ +@@ -515,6 +579,33 @@ ') ') @@ -21793,7 +21855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -567,10 +650,19 @@ +@@ -567,10 +658,19 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -21813,7 +21875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -590,6 +682,10 @@ +@@ -590,6 +690,10 @@ ') optional_policy(` @@ -21824,7 +21886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -646,20 +742,20 @@ +@@ -646,20 +750,20 @@ ') optional_policy(` @@ -21851,7 +21913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -668,6 +764,7 @@ +@@ -668,6 +772,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) 
@@ -21859,7 +21921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -696,7 +793,6 @@ +@@ -696,7 +801,6 @@ ') optional_policy(` @@ -21867,7 +21929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -718,8 +814,6 @@ +@@ -718,8 +822,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -21876,7 +21938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -732,13 +826,16 @@ +@@ -732,13 +834,16 @@ squid_manage_logs(initrc_t) ') @@ -21893,7 +21955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -747,6 +844,7 @@ +@@ -747,6 +852,7 @@ optional_policy(` udev_rw_db(initrc_t) @@ -21901,7 +21963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -754,6 +852,15 @@ +@@ -754,6 +860,15 @@ ') optional_policy(` @@ -21917,7 +21979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(initrc_t) ifdef(`distro_redhat',` -@@ -764,6 +871,13 @@ +@@ -764,6 +879,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -21931,7 +21993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -789,3 +903,31 @@ +@@ -789,3 +911,31 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -23636,6 +23698,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.30/policy/modules/system/mount.if +--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/system/mount.if 2009-09-08 06:58:15.000000000 -0400 +@@ -84,9 +84,11 @@ + interface(`mount_signal',` + gen_require(` + type mount_t; ++ type unconfined_mount_t; + ') + + allow $1 mount_t:process signal; ++ allow $1 unconfined_mount_t:process signal; + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.30/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/system/mount.te 2009-08-31 13:40:47.000000000 -0400 @@ -26011,7 +26088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.30/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.30/policy/modules/system/userdomain.if 2009-09-01 07:40:59.000000000 -0400 ++++ serefpolicy-3.6.30/policy/modules/system/userdomain.if 2009-09-07 06:34:54.000000000 -0400 @@ -30,8 +30,9 @@ ') 
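Review bot: `mount_signal` now also grants `signal` on unconfined_mount_t, but the interface's `## <summary>` above inner line 84 is outside the hunk and presumably still documents only mount_t; update it to say the caller may signal both the confined and the unconfined mount domains. If unconfined_mount_t is declared only under a distro or ifdef conditional in mount.te, the unconditional `type unconfined_mount_t;` in gen_require would break every caller of this interface wherever that declaration is absent — worth checking before merging.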
@@ -27140,15 +27217,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1247,7 @@ +@@ -1124,6 +1247,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) ++ fs_getattr_all_files($1_t) + fs_list_all($1_t) fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1276,6 @@ +@@ -1152,20 +1277,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27169,7 +27247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1321,7 @@ +@@ -1211,6 +1322,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27177,7 +27255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1387,15 @@ +@@ -1276,11 +1388,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27193,7 +27271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1506,13 @@ +@@ -1391,12 +1507,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -27208,7 +27286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1545,14 @@ +@@ -1429,6 +1546,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27223,7 +27301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1568,11 @@ +@@ -1444,9 +1569,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -27235,7 +27313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1629,25 @@ +@@ -1503,6 +1630,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27261,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1722,8 @@ +@@ -1577,6 +1723,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27270,7 +27348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1817,7 @@ +@@ -1670,6 +1818,7 @@ type user_home_dir_t, user_home_t; ') @@ -27278,7 +27356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1945,32 @@ +@@ -1797,19 +1946,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -27318,7 +27396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2005,7 @@ +@@ -1844,6 +2006,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -27326,7 +27404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2553,7 @@ +@@ -2391,27 +2554,7 @@ ######################################## ## @@ -27355,7 +27433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2765,11 +2907,32 @@ +@@ -2765,11 +2908,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -27390,7 +27468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3060,25 @@ +@@ -2897,7 +3061,25 @@ type user_tmp_t; ') @@ -27417,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3115,7 @@ +@@ -2934,6 +3116,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -27425,7 +27503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3246,559 @@ +@@ -3064,3 +3247,559 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 78aa6eb..7e3aba7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.30 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -443,6 +443,9 @@ exit 0 %endif %changelog +* Tue Sep 8 2009 Dan Walsh 3.6.30-5 +- Lots of fixes for initrc and other unconfined domains + * Fri Sep 4 2009 Dan Walsh 3.6.30-4 - Allow xserver to use netlink_kobject_uevent_socket