From 41f8e385a198a04bd1f50046e52a23401460477b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 20 2009 14:32:30 +0000 Subject: - Remove allow_exec* booleans for confined users. Only available for unconfined_t --- diff --git a/policy-F12.patch b/policy-F12.patch index 9c5ee39..1c5bb64 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -7579,8 +7579,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-18 09:45:33.000000000 -0400 -@@ -0,0 +1,392 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-20 08:49:01.000000000 -0400 +@@ -0,0 +1,402 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -7686,6 +7686,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r) + ++tunable_policy(`allow_execmem',` ++ allow unconfined_t self:process execmem; ++') ++ ++tunable_policy(`allow_execmem && allow_execstack',` ++ allow unconfined_t self:process execstack; ++') ++ +tunable_policy(`unconfined_login',` + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + allow unconfined_t unconfined_login_domain:fd use; 
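Review bot: The two `tunable_policy` blocks added for `unconfined_t` in unconfineduser.te (hunk at -7686) carry no comments, while the copies this commit removes from `userdom_base_user_template` in userdomain.if (hunk at -25554) each had one. The removed comment on the `execmem` rule, "Allow loading DSOs that require executable stack", described `execstack` rather than `execmem`, so it should not be copied over as is. I would add `# execmem: writable and executable memory mappings, granted to unconfined_t only` above the first block and `# execstack: make the stack executable via mprotect; needs allow_execmem as well` above the second. With the template rules gone, no boolean visible in this patch restores either permission for confined user domains, so the changelog entry could state that programs needing them in those domains will now be denied. The declarations of `allow_execmem` and `allow_execstack` are not visible here, and the unconfineduser.te section continues outside the hunk.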
@@ -7973,6 +7981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400 @@ -17882,7 +17892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-18 21:47:14.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-19 07:07:53.000000000 -0400 @@ -41,6 +41,9 @@ files_tmp_file(sshd_tmp_t) files_poly_parent(sshd_tmp_t) @@ -17920,7 +17930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) -@@ -126,11 +129,12 @@ +@@ -126,11 +129,13 @@ read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) # ssh servers can read the user keys and config 
@@ -17930,13 +17940,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t) +manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t) +userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir) ++userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir) kernel_read_kernel_sysctls(ssh_t) +kernel_read_system_state(ssh_t) corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_netlabel(ssh_t) -@@ -139,6 +143,8 @@ +@@ -139,6 +144,8 @@ corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -17945,7 +17956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(ssh_t) -@@ -160,19 +166,19 @@ +@@ -160,19 +167,19 @@ logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -17968,7 +17979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`allow_ssh_keysign',` domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) -@@ -194,23 +200,13 @@ +@@ -194,23 +201,13 @@ # for port forwarding tunable_policy(`user_tcp_server',` corenet_tcp_bind_ssh_port(ssh_t) @@ -17994,7 +18005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -301,6 +297,7 @@ +@@ -301,6 +298,7 @@ kernel_search_key(sshd_t) kernel_link_key(sshd_t) @@ -18002,7 +18013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ptys(sshd_t) term_setattr_all_user_ptys(sshd_t) -@@ -310,16 +307,34 @@ +@@ -310,16 +308,34 @@ corenet_tcp_bind_xserver_port(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t) @@ -18039,7 +18050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -331,6 +346,10 @@ +@@ -331,6 +347,10 @@ ') optional_policy(` 
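Review bot: The added `userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)` in the ssh.te hunk at -17930 is not covered by the commit subject or by the 3.6.32-7 changelog entry, which mention only the allow_exec* booleans. Judging by its name and by the `userdom_user_home_dir_filetrans` line above it, it presumably lets domains covered by `ssh_server` create `home_ssh_t` directories in the admin home directory. It sits next to the `manage_dirs_pattern` and `manage_files_pattern` rules that already let them manage that type. I would record the change in the changelog, add a comment such as `# ssh servers may create home_ssh_t directories in the admin home directory`, and confirm that every domain covered by `ssh_server` needs it. The interface definition is outside this hunk.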
@@ -18050,7 +18061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_use_script_fds(sshd_t) ') -@@ -341,7 +360,11 @@ +@@ -341,7 +361,11 @@ ') optional_policy(` @@ -18063,7 +18074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_shell_domtrans(sshd_t) ') -@@ -400,15 +423,13 @@ +@@ -400,15 +424,13 @@ init_use_fds(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t) @@ -25429,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-18 21:52:11.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-20 08:32:58.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -25441,7 +25452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -41,71 +42,88 @@ +@@ -41,80 +42,93 @@ allow system_r $1_r; term_user_pty($1_t, user_devpts_t) 
@@ -25554,47 +25565,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_sockets($1_t) -- -- libs_exec_ld_so($1_t) -- -- miscfiles_read_localization($1_t) -- miscfiles_read_certs($1_t) -- -- sysnet_read_config($1_t) + files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_list_non_security($1_usertype) + files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype) -+ + +- libs_exec_ld_so($1_t) + storage_rw_fuse($1_usertype) -+ + +- miscfiles_read_localization($1_t) +- miscfiles_read_certs($1_t) + auth_use_nsswitch($1_usertype) -+ + +- sysnet_read_config($1_t) + libs_exec_ld_so($1_usertype) -+ + +- tunable_policy(`allow_execmem',` +- # Allow loading DSOs that require executable stack. +- allow $1_t self:process execmem; +- ') + miscfiles_read_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) + miscfiles_read_public_files($1_usertype) - tunable_policy(`allow_execmem',` - # Allow loading DSOs that require executable stack. -@@ -116,6 +134,12 @@ - # Allow making the stack executable via mprotect. - allow $1_t self:process execstack; - ') -+ +- tunable_policy(`allow_execmem && allow_execstack',` +- # Allow making the stack executable via mprotect. +- allow $1_t self:process execstack; + optional_policy(` + ssh_rw_stream_sockets($1_usertype) + ssh_delete_tmp($1_t) + ssh_signal($1_t) -+ ') + ') ') - ####################################### -@@ -147,6 +171,7 @@ +@@ -147,6 +161,7 @@ interface(`userdom_ro_home_role',` gen_require(` type user_home_t, user_home_dir_t; 
@@ -25602,7 +25609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') role $1 types { user_home_t user_home_dir_t }; -@@ -157,6 +182,7 @@ +@@ -157,6 +172,7 @@ # type_member $2 user_home_dir_t:dir user_home_dir_t; @@ -25610,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; -@@ -168,27 +194,6 @@ +@@ -168,27 +184,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -25638,7 +25645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -220,9 +225,10 @@ +@@ -220,9 +215,10 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -25650,7 +25657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -232,17 +238,20 @@ +@@ -232,17 +228,20 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -25681,7 +25688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -250,25 +259,23 @@ +@@ -250,25 +249,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -25711,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -303,6 +310,7 @@ +@@ -303,6 +300,7 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) 
@@ -25719,7 +25726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -322,6 +330,7 @@ +@@ -322,6 +320,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -25727,7 +25734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($1) ') -@@ -368,46 +377,41 @@ +@@ -368,46 +367,41 @@ ####################################### ## @@ -25794,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -412,7 +416,7 @@ +@@ -412,7 +406,7 @@ ####################################### ## @@ -25803,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -420,35 +424,48 @@ +@@ -420,35 +414,48 @@ ## is the prefix for user_t). ## ## @@ -25841,17 +25848,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1) + dev_write_video_dev($1) + dev_rw_wireless($1) -+ -+ miscfiles_dontaudit_write_fonts($1) -+ -+ optional_policy(` -+ udev_read_db($1) -+ ') - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) ++ miscfiles_dontaudit_write_fonts($1) ++ ++ optional_policy(` ++ udev_read_db($1) ++ ') ++ + optional_policy(` + xserver_user_client($1, user_tmpfs_t) + xserver_xsession_entry_type($1) @@ -25871,7 +25878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -498,7 +515,7 @@ +@@ -498,7 +505,7 @@ attribute unpriv_userdomain; ') 
@@ -25880,7 +25887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +525,208 @@ +@@ -508,182 +515,208 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -26011,19 +26018,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + canna_stream_connect($1_usertype) - ') - - optional_policy(` -- canna_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; + + optional_policy(` + avahi_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- canna_stream_connect($1_t) + bluetooth_dbus_chat($1_usertype) ') @@ -26162,7 +26169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -711,13 +754,26 @@ +@@ -711,13 +744,26 @@ userdom_base_user_template($1) @@ -26173,9 +26180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + 
@@ -26186,7 +26191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -26194,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -735,70 +791,71 @@ +@@ -735,70 +781,71 @@ allow $1_t self:context contains; @@ -26299,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -835,6 +892,32 @@ +@@ -835,6 +882,32 @@ # Local policy # @@ -26332,7 +26339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +948,81 @@ +@@ -865,51 +938,81 @@ userdom_restricted_user_template($1) @@ -26427,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1056,8 @@ +@@ -943,8 +1046,8 @@ # Declarations # @@ -26437,7 +26444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,11 +1066,12 @@ +@@ -953,11 +1056,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -26452,7 +26459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -975,36 +1089,53 @@ +@@ -975,36 +1079,53 @@ ') ') @@ -26520,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1171,7 @@ +@@ -1040,7 +1161,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -26529,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1180,7 @@ +@@ -1049,8 +1170,7 @@ # # Inherit rules for ordinary users. @@ -26539,7 +26546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1205,9 @@ +@@ -1075,6 +1195,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -26549,7 +26556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1222,7 @@ +@@ -1089,6 +1212,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -26557,7 +26564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1230,6 @@ +@@ -1096,8 +1220,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -26566,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1256,8 @@ +@@ -1124,6 +1246,8 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -26575,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1286,6 @@ +@@ -1152,20 +1276,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -26596,7 +26603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1331,7 @@ +@@ -1211,6 +1321,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -26604,7 +26611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1397,15 @@ +@@ -1276,11 +1387,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -26620,7 +26627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1516,13 @@ +@@ -1391,12 +1506,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -26635,7 +26642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1555,14 @@ +@@ -1429,6 +1545,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -26650,7 +26657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1578,11 @@ +@@ -1444,9 +1568,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -26662,7 +26669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1639,25 @@ +@@ -1503,6 +1629,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -26688,7 +26695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1732,8 @@ +@@ -1577,6 +1722,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -26697,7 +26704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1827,7 @@ +@@ -1670,6 +1817,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -26705,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1955,32 @@ +@@ -1797,19 +1945,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -26745,7 +26752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2015,7 @@ +@@ -1844,6 +2005,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -26753,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2563,7 @@ +@@ -2391,27 +2553,7 @@ ######################################## ## @@ -26782,7 +26789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2765,11 +2917,32 @@ +@@ -2765,11 +2907,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -26817,7 +26824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3070,25 @@ +@@ -2897,7 +3060,25 @@ type user_tmp_t; ') @@ -26844,7 +26851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2934,6 +3125,7 @@ +@@ -2934,6 +3115,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -26852,7 +26859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3256,559 @@ +@@ -3064,3 +3246,559 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8333333..f592d4d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -447,6 +447,9 @@ exit 0 %endif %changelog +* Sun Sep 20 2009 Dan Walsh 3.6.32-7 +- Remove allow_exec* booleans for confined users. Only available for unconfined_t + * Fri Sep 18 2009 Dan Walsh 3.6.32-6 - More fixes for sandbox_web_t