From 221642f17f98f3fbf887fbc90759cccb97f68d02 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 25 2009 21:43:36 +0000 Subject: - Add rtkit policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 6581e79..212fb79 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1186,6 +1186,13 @@ rshd = module rsync = module # Layer: services +# Module: rtkit_daemon +# +# Real Time Kit Daemon +# +rtkit_daemon = module + +# Layer: services # Module: rwho # # who is logged in on local machines diff --git a/policy-F12.patch b/policy-F12.patch index 3766723..882bb03 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2058,7 +2058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.18/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2008-11-11 16:13:42.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/apps/gnome.te 2009-06-24 16:20:30.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/apps/gnome.te 2009-06-25 15:55:41.000000000 -0400 @@ -9,16 +9,18 @@ attribute gnomedomain; @@ -5890,7 +5890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.18/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-22 17:32:55.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/kernel/domain.te 2009-06-25 09:30:09.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations 
@@ -5961,7 +5961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -153,3 +174,73 @@ +@@ -153,3 +174,75 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -6001,7 +6001,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +ifdef(`hide_broken_symptoms',` + fs_list_inotifyfs(domain) ++ dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; ++ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) +') +') + @@ -6070,7 +6072,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.18/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-06-12 09:08:48.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/kernel/files.if 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/kernel/files.if 2009-06-25 08:54:01.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -6096,7 +6098,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1715,6 +1718,25 @@ +@@ -1331,6 +1334,24 @@ + + ######################################## + ## ++## Remove file entries from the root directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_root_file',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:file unlink; ++') ++ ++######################################## ++## + ## Remove entries from the root directory. + ## + ## +@@ -1715,6 +1736,25 @@ ######################################## ## 
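Review bot: The new `files_delete_root_file` interface in files.if grants only `allow $1 root_t:file unlink;`, but unlinking a file also needs `remove_name` (and `search`) on the containing `root_t` directory, so a caller that does not already have that via the "Remove entries from the root directory" interface documented just below it will still be denied. The refpolicy idiom that covers both sides is `delete_files_pattern($1, root_t, root_t)`, which replaces the bare allow line and keeps the interface self-sufficient. The `files_delete_root_file(initrc_t)` caller added later in this patch is where that denial would show up first, though I cannot see from here whether initrc_t already holds the dir permission.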
@@ -6122,7 +6149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Mount a filesystem on a directory with the default file type. ## ## -@@ -1931,6 +1953,27 @@ +@@ -1931,6 +1971,27 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -6150,7 +6177,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2418,6 +2461,11 @@ +@@ -2418,6 +2479,11 @@ ') delete_files_pattern($1, file_t, file_t) @@ -6162,7 +6189,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3449,6 +3497,24 @@ +@@ -3449,6 +3515,24 @@ ######################################## ## @@ -6187,7 +6214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Read all tmp files. ## ## -@@ -3515,6 +3581,8 @@ +@@ -3515,6 +3599,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -6196,7 +6223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3623,7 +3691,12 @@ +@@ -3623,7 +3709,12 @@ type usr_t; ') @@ -6210,7 +6237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3662,6 +3735,7 @@ +@@ -3662,6 +3753,7 @@ allow $1 usr_t:dir list_dir_perms; read_files_pattern($1, usr_t, usr_t) read_lnk_files_pattern($1, usr_t, usr_t) @@ -6218,7 +6245,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4955,7 +5029,7 @@ +@@ -4955,7 +5047,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting 
@@ -6227,7 +6254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4977,12 +5051,15 @@ +@@ -4977,12 +5069,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -6244,7 +6271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -5003,3 +5080,173 @@ +@@ -5003,3 +5098,173 @@ typeattribute $1 files_unconfined_type; ') @@ -6770,8 +6797,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.18/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/roles/staff.te 2009-06-20 06:49:47.000000000 -0400 -@@ -15,156 +15,103 @@ ++++ serefpolicy-3.6.18/policy/modules/roles/staff.te 2009-06-25 17:28:57.000000000 -0400 +@@ -15,156 +15,107 @@ # Local policy # @@ -6794,11 +6821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - cdrecord_role(staff_r, staff_t) -') -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) - +- -optional_policy(` - cron_role(staff_r, staff_t) -') 
@@ -6806,13 +6829,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -+auth_domtrans_pam_console(staff_t) ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) -optional_policy(` - ethereal_role(staff_r, staff_t) -') -+libs_manage_shared_libs(staff_t) - +- -optional_policy(` - evolution_role(staff_r, staff_t) -') 
@@ -6820,101 +6845,104 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - games_role(staff_r, staff_t) -') -- ++auth_domtrans_pam_console(staff_t) + -optional_policy(` - gift_role(staff_r, staff_t) -') ++libs_manage_shared_libs(staff_t) + +-optional_policy(` +- gnome_role(staff_r, staff_t) +-') +seutil_run_newrole(staff_t, staff_r) +netutils_run_ping(staff_t, staff_r) optional_policy(` -- gnome_role(staff_r, staff_t) +- gpg_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- gpg_role(staff_r, staff_t) +- irc_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- irc_role(staff_r, staff_t) +- java_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- java_role(staff_r, staff_t) +- lockdev_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- lockdev_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + postgresql_role(staff_r, staff_t) ') optional_policy(` -- lpd_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) ++ rtkit_daemon_system_domain(staff_t) + ') + + optional_policy(` +- mplayer_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- mozilla_role(staff_r, staff_t) +- mta_role(staff_r, staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- mta_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- razor_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- rssh_role(staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- razor_role(staff_r, staff_t) +- 
screen_role_template(staff, staff_r, staff_t) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- rssh_role(staff_r, staff_t) +- secadm_role_change(staff_r) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- secadm_role_change(staff_r) +- ssh_role_template(staff, staff_r, staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- spamassassin_role(staff_r, staff_t) --') -- --optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) --') -- --optional_policy(` - su_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) @@ -7937,8 +7965,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,407 @@ ++++ serefpolicy-3.6.18/policy/modules/roles/unconfineduser.te 2009-06-25 17:28:35.000000000 -0400 +@@ -0,0 +1,411 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -8217,6 +8245,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ rtkit_daemon_system_domain(unconfined_t) ++') ++ ++optional_policy(` + samba_role_notrans(unconfined_r) + samba_run_unconfined_net(unconfined_t, unconfined_r) + samba_run_winbind_helper(unconfined_t, unconfined_r) 
@@ -8348,8 +8380,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.18/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te 2009-06-20 06:49:47.000000000 -0400 -@@ -14,142 +14,17 @@ ++++ serefpolicy-3.6.18/policy/modules/roles/unprivuser.te 2009-06-25 17:29:15.000000000 -0400 +@@ -14,142 +14,21 @@ userdom_unpriv_user_template(user) optional_policy(` @@ -8364,14 +8396,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` - bluetooth_role(user_r, user_t) -+ sandbox_transition(user_t, user_r) ++ rtkit_daemon_system_domain(user_t) ') optional_policy(` - cdrecord_role(user_r, user_t) --') -- --optional_policy(` ++ sandbox_transition(user_t, user_r) + ') + + optional_policy(` - cron_role(user_r, user_t) -') - @@ -15942,7 +15975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.18/policy/modules/services/nis.te --- nsaserefpolicy/policy/modules/services/nis.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/nis.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/nis.te 2009-06-24 17:22:48.000000000 -0400 @@ -13,6 +13,9 @@ type ypbind_exec_t; init_daemon_domain(ypbind_t, ypbind_exec_t) 
@@ -15963,7 +15996,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # ypbind local policy -@@ -111,6 +117,16 @@ +@@ -65,9 +71,8 @@ + + manage_files_pattern(ypbind_t, var_yp_t, var_yp_t) + ++kernel_read_system_state(ypbind_t) + kernel_read_kernel_sysctls(ypbind_t) +-kernel_list_proc(ypbind_t) +-kernel_read_proc_symlinks(ypbind_t) + + corenet_all_recvfrom_unlabeled(ypbind_t) + corenet_all_recvfrom_netlabel(ypbind_t) +@@ -111,6 +116,16 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t) optional_policy(` @@ -15980,7 +16024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ypbind_t) ') -@@ -123,6 +139,7 @@ +@@ -123,6 +138,7 @@ # yppasswdd local policy # @@ -15988,7 +16032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit yppasswdd_t self:capability sys_tty_config; allow yppasswdd_t self:fifo_file rw_fifo_file_perms; allow yppasswdd_t self:process { setfscreate signal_perms }; -@@ -153,8 +170,8 @@ +@@ -153,8 +169,8 @@ corenet_udp_sendrecv_all_ports(yppasswdd_t) corenet_tcp_bind_generic_node(yppasswdd_t) corenet_udp_bind_generic_node(yppasswdd_t) @@ -15999,7 +16043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) corenet_sendrecv_generic_server_packets(yppasswdd_t) -@@ -241,6 +258,8 @@ +@@ -241,6 +257,8 @@ corenet_udp_bind_generic_node(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) 
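Review bot: Swapping `kernel_list_proc(ypbind_t)` and `kernel_read_proc_symlinks(ypbind_t)` for `kernel_read_system_state(ypbind_t)` widens ypbind from listing /proc and following its links to reading generic proc content as well, which is more than the two rules it replaces. If this was driven by a denial on one specific proc file, the narrower pair plus that file's own interface would preserve least privilege; if the wider read really is required, a one-line why-comment above it naming what ypbind reads (e.g. `# ypbind reads /proc/<…> at startup`) would stop it being trimmed again later. The ypbind local-policy block continues outside the hunk.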
@@ -16008,7 +16052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) corenet_sendrecv_generic_server_packets(ypserv_t) -@@ -306,6 +325,8 @@ +@@ -306,6 +324,8 @@ corenet_udp_bind_generic_node(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) corenet_udp_bind_reserved_port(ypxfr_t) @@ -16970,8 +17014,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-24 08:29:05.000000000 -0400 -@@ -0,0 +1,242 @@ ++++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-25 17:34:50.000000000 -0400 +@@ -0,0 +1,245 @@ + +## policy for polkit_auth + @@ -17187,6 +17231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +# +template(`polkit_role',` ++ + polkit_run_auth($2, $1) + polkit_run_grant($2, $1) + polkit_read_lib($2) 
@@ -17211,12 +17256,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + class dbus send_msg; + ') + ++ ps_process_pattern(polkit_t, $1) ++ + allow $1 polkit_t:dbus send_msg; + allow polkit_t $1:dbus send_msg; +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.6.18/policy/modules/services/polkit.te --- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/polkit.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/polkit.te 2009-06-25 17:33:00.000000000 -0400 @@ -0,0 +1,235 @@ +policy_module(polkit_auth, 1.0.0) + @@ -17260,7 +17307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow polkit_t self:unix_dgram_socket create_socket_perms; +allow polkit_t self:fifo_file rw_file_perms; -+allow polkit_t self:unix_stream_socket create_stream_socket_perms; ++allow polkit_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +polkit_domtrans_auth(polkit_t) +polkit_domtrans_resolve(polkit_t) 
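Review bot: Adding `ps_process_pattern(polkit_t, $1)` to the polkit dbus-chat interface (its name line is above the hunk; the `class dbus send_msg` require and the paired send_msg allows identify it) silently gives polkit_t read access to the /proc state of every domain that merely wanted to talk to it over dbus, including the new rtkit_daemon_t caller elsewhere in this patch. The interface summary presumably still says only "send and receive messages", so either the doc should state the extra grant, e.g. `## Also allows polkit to read the caller's process state in /proc.`, or the process read should go in its own interface so callers opt in explicitly. The interface header and summary are outside the hunk.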
@@ -19556,6 +19603,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.fc 2009-06-25 17:25:15.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.if 2009-06-25 17:27:07.000000000 -0400
+@@ -0,0 +1,64 @@
++
++## policy for rtkit_daemon
++
++########################################
++##
++## Execute a domain transition to run rtkit_daemon.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`rtkit_daemon_domtrans',`
++ gen_require(`
++ type rtkit_daemon_t;
++ type rtkit_daemon_exec_t;
++ ')
++
++ domtrans_pattern($1,rtkit_daemon_exec_t,rtkit_daemon_t)
++')
++
++
++########################################
++##
++## Send and receive messages from
++## rtkit_daemon over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rtkit_daemon_dbus_chat',`
++ gen_require(`
++ type rtkit_daemon_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 rtkit_daemon_t:dbus send_msg;
++ allow rtkit_daemon_t $1:dbus send_msg;
++')
++
++########################################
++##
++## Send and receive messages from
++## rtkit_daemon over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rtkit_daemon_system_domain',`
++ gen_require(`
++ type rtkit_daemon_t;
++ ')
++
++ ps_process_pattern(rtkit_daemon_t, $1)
++ allow rtkit_daemon_t $1:process { getsched setsched };
++ rtkit_daemon_dbus_chat($1)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te
+--- nsaserefpolicy/policy/modules/services/rtkit_daemon.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.18/policy/modules/services/rtkit_daemon.te 2009-06-25 17:29:28.000000000 -0400
+@@ -0,0 +1,33 @@
++policy_module(rtkit_daemon,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type rtkit_daemon_t;
++type rtkit_daemon_exec_t;
++dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
++
++permissive rtkit_daemon_t;
++
++########################################
++#
++# rtkit_daemon local policy
++#
++
++allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
++allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
++allow rtkit_daemon_t self:capability sys_nice;
++
++fs_rw_anon_inodefs_files(rtkit_daemon_t)
++
++auth_use_nsswitch(rtkit_daemon_t)
++
++logging_send_syslog_msg(rtkit_daemon_t)
++
++miscfiles_read_localization(locale_t)
++
++optional_policy(`
++ polkit_dbus_chat(rtkit_daemon_t)
++')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.18/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc 2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.18/policy/modules/services/samba.fc 2009-06-20 06:49:47.000000000 -0400
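Review bot: `miscfiles_read_localization(locale_t)` in rtkit_daemon.te passes the localization file type as the subject instead of the daemon domain, so rtkit_daemon_t is never granted the read and the rule is at best a no-op; it should be `miscfiles_read_localization(rtkit_daemon_t)`. The standalone `allow rtkit_daemon_t self:capability sys_nice;` duplicates the sys_nice already in the capability set two lines above and can be dropped. `permissive rtkit_daemon_t;` means none of that capability set (setuid, setgid, sys_chroot, sys_ptrace, dac_read_search) is actually enforced yet, which is acceptable for a first cut but must be removed before the module ships for enforcing mode. In rtkit_daemon.if the summary of `rtkit_daemon_system_domain` is a copy of the dbus_chat one and omits that it also lets rtkit_daemon_t read the caller's /proc state and call getsched/setsched on it; suggest `## Allow rtkit_daemon to read the process state of, and change the scheduling of, the specified domain, and exchange dbus messages with it.`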
@@ -24148,7 +24306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.18/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/xserver.te 2009-06-24 16:23:32.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/xserver.te 2009-06-25 17:27:14.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -24573,7 +24731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +648,24 @@ +@@ -542,6 +648,28 @@ ') optional_policy(` @@ -24595,10 +24753,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +optional_policy(` ++ rtkit_daemon_system_domain(xdm_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +674,9 @@ +@@ -550,8 +678,9 @@ ') optional_policy(` @@ -24610,7 +24772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +685,6 @@ +@@ -560,7 +689,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -24618,7 +24780,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +695,10 @@ +@@ -571,6 +699,10 @@ ') optional_policy(` @@ -24629,7 +24791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,7 +715,7 @@ +@@ -587,7 +719,7 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -24638,7 +24800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:memprotect mmap_zero; -@@ -602,9 +730,11 @@ +@@ -602,9 +734,11 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24650,7 +24812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +746,14 @@ +@@ -616,13 +750,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -24666,7 +24828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +766,19 @@ +@@ -635,9 +770,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24686,7 +24848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -680,9 +821,14 @@ +@@ -680,9 +825,14 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -24701,7 +24863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -697,8 +843,12 @@ +@@ -697,8 +847,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -24714,7 +24876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -720,6 +870,7 @@ +@@ -720,6 +874,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24722,7 +24884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -742,7 +893,7 @@ +@@ -742,7 +897,7 @@ ') ifdef(`enable_mls',` @@ -24731,7 +24893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,12 +925,20 @@ +@@ -774,12 +929,20 @@ ') optional_policy(` @@ -24753,7 +24915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -806,7 +965,7 @@ +@@ -806,7 +969,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24762,7 +24924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -827,9 +986,14 @@ +@@ -827,9 +990,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24777,7 +24939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -844,11 +1008,14 @@ +@@ -844,11 +1012,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -24793,7 +24955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -856,6 +1023,11 @@ +@@ -856,6 +1027,11 @@ rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -24805,7 +24967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Rules common to all X window domains -@@ -881,6 +1053,8 @@ +@@ -881,6 +1057,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -24814,7 +24976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -905,6 +1079,8 @@ +@@ -905,6 +1083,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24823,7 +24985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1148,49 @@ +@@ -972,17 +1152,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -25539,7 +25701,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.18/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/system/init.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/system/init.te 2009-06-25 09:03:05.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) 
@@ -25701,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +384,14 @@ +@@ -343,14 +384,15 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -25709,6 +25871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_manage_all_locks(initrc_t) +files_manage_boot_files(initrc_t) files_read_all_pids(initrc_t) ++files_delete_root_file(initrc_t) files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) @@ -25718,7 +25881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +407,9 @@ +@@ -366,7 +408,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -25728,7 +25891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +494,7 @@ +@@ -451,11 +495,9 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -25736,8 +25899,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_use_fds(initrc_t) files_dontaudit_read_root_files(initrc_t) - selinux_set_enforce_mode(initrc_t) -@@ -465,6 +508,7 @@ +- selinux_set_enforce_mode(initrc_t) +- + # These seem to be from the initrd + # during device initialization: + dev_create_generic_dirs(initrc_t) +@@ -465,6 +507,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) 
@@ -25745,7 +25912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +542,7 @@ +@@ -498,6 +541,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -25753,7 +25920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +561,33 @@ +@@ -516,6 +560,33 @@ ') ') @@ -25787,7 +25954,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +642,10 @@ +@@ -570,6 +641,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -25798,7 +25965,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -591,6 +667,10 @@ +@@ -591,6 +666,10 @@ ') optional_policy(` @@ -25809,7 +25976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_usbfs(initrc_t) # init scripts run /etc/hotplug/usb.rc -@@ -647,20 +727,20 @@ +@@ -647,20 +726,20 @@ ') optional_policy(` @@ -25836,7 +26003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -669,6 +749,7 @@ +@@ -669,6 +748,7 @@ mysql_stream_connect(initrc_t) mysql_write_log(initrc_t) @@ -25844,7 +26011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -719,8 +800,6 @@ +@@ -719,8 +799,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -25853,7 +26020,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +812,12 @@ +@@ -733,10 +811,12 @@ squid_manage_logs(initrc_t) ') 
@@ -25866,7 +26033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +835,11 @@ +@@ -754,6 +834,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -25878,7 +26045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -765,6 +851,13 @@ +@@ -765,6 +850,13 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -25892,7 +26059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -790,3 +883,35 @@ +@@ -790,3 +882,35 @@ optional_policy(` zebra_read_config(initrc_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7a3cdd9..49f0912 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.19 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Thu Jun 25 2009 Dan Walsh 3.6.19-5 +- Add rtkit policy + * Wed Jun 24 2009 Dan Walsh 3.6.19-4 - Allow rpcd_t to stream connect to rpcbind