From 42f9effee71a1ef5bd6aa0943a5237a135721e1c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 26 2009 20:19:02 +0000 Subject: - Add back in unconfined.pp and unconfineduser.pp - Add Sandbox unshare --- diff --git a/modules-minimum.conf b/modules-minimum.conf index 135381e..12ae763 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1301,6 +1301,13 @@ selinuxutil = base # sendmail = base +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + # Layer: services # Module: shorewall # diff --git a/modules-targeted.conf b/modules-targeted.conf index 135381e..12ae763 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1301,6 +1301,13 @@ selinuxutil = base # sendmail = base +# Layer: apps +# Module: seunshare +# +# seunshare executable +# +seunshare = module + # Layer: services # Module: shorewall # diff --git a/policy-F12.patch b/policy-F12.patch index 9fd17bd..8bdfd36 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -3604,8 +3604,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te --- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-07-23 14:11:04.000000000 -0400 -+++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te 2009-08-26 08:11:55.000000000 -0400 -@@ -22,7 +22,11 @@ ++++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te 2009-08-26 11:42:50.000000000 -0400 +@@ -22,7 +22,12 @@ allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; 
@@ -3613,11 +3613,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +can_exec(pulseaudio_t, pulseaudio_exec_t) + ++kernel_getattr_proc(pulseaudio_t) +kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) corecmd_exec_bin(pulseaudio_t) -@@ -47,6 +51,7 @@ +@@ -47,6 +52,7 @@ fs_rw_anon_inodefs_files(pulseaudio_t) fs_getattr_tmpfs(pulseaudio_t) @@ -3625,7 +3626,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_all_user_ttys(pulseaudio_t) term_use_all_user_ptys(pulseaudio_t) -@@ -78,6 +83,15 @@ +@@ -78,6 +84,15 @@ policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) @@ -3641,7 +3642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -85,8 +99,7 @@ +@@ -85,8 +100,7 @@ ') optional_policy(` @@ -4155,8 +4156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.28/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if 2009-08-21 18:56:07.000000000 -0400 -@@ -0,0 +1,143 @@ ++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if 2009-08-26 15:34:36.000000000 -0400 +@@ -0,0 +1,167 @@ + +## policy for sandbox + 
@@ -4180,12 +4181,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + gen_require(` + type sandbox_xserver_t; + attribute sandbox_domain; ++ attribute sandbox_x_domain; ++ attribute sandbox_file_type; + ') + + allow $1 sandbox_domain:process transition; + dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh }; + role $2 types sandbox_domain; ++ allow sandbox_domain $1:process sigchld; ++ ++ allow $1 sandbox_x_domain:process transition; ++ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh }; ++ role $2 types sandbox_x_domain; + role $2 types sandbox_xserver_t; ++ allow sandbox_x_domain $1:process sigchld; ++ ++ manage_files_pattern($1, sandbox_file_type, sandbox_file_type); ++ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); ++ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type); ++ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type); ++ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type); ++ allow $1 sandbox_file_type:dir relabelto; +') + +######################################## @@ -4203,12 +4219,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + gen_require(` + attribute sandbox_domain; ++ attribute sandbox_file_type; + ') + + type $1_t, sandbox_domain; + domain_type($1_t) + -+ type $1_file_t; ++ type $1_file_t, sandbox_file_type; + files_type($1_file_t) + + can_exec($1_t, $1_file_t) 
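Review bot: `sandbox_transition` now hands the caller `manage_*` rights plus `dir relabelto` over every `sandbox_file_type`, so nothing in type enforcement separates one sandbox's files from another sandbox started by the same caller; if, as it appears, per-sandbox separation is meant to come from MCS categories set by the launcher, write that down above the `manage_files_pattern` line, e.g. `# caller may create, relabel and clean up content of any sandbox type; separation between concurrent sandboxes relies on MCS, not on these types`. The `relabelto` grant covers only the `dir` class, so if the launcher relabels existing files into the sandbox type rather than creating them fresh (which the manage patterns cover), `file`/`lnk_file` relabelto is missing — worth confirming against what the sandbox tool actually does. The interface's summary block lies outside this hunk and should mention that the role parameter now also receives `sandbox_x_domain` and `sandbox_xserver_t`.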
@@ -4237,16 +4254,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute sandbox_domain, sandbox_x_domain; + ') + -+ sandbox_domain_template($1) ++ type $1_t, sandbox_x_domain; ++ domain_type($1_t) + -+ -+ typeattribute $1_t sandbox_x_domain; ++ type $1_file_t, sandbox_file_type; ++ files_type($1_file_t) ++ ++ can_exec($1_t, $1_file_t) ++ manage_dirs_pattern($1_t, $1_file_t, $1_file_t) ++ manage_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t) ++ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t) + + # window manager + miscfiles_setattr_fonts($1_t) + allow $1_t self:capability setuid; + -+ type $1_client_t, sandbox_x_domain, sandbox_domain; ++ type $1_client_t, sandbox_x_domain; + domain_type($1_client_t) + + type $1_client_tmpfs_t; @@ -4302,12 +4327,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.28/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te 2009-08-21 18:56:07.000000000 -0400 -@@ -0,0 +1,274 @@ ++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te 2009-08-26 16:12:59.000000000 -0400 +@@ -0,0 +1,302 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; +attribute sandbox_x_domain; ++attribute sandbox_file_type; + +######################################## +# 
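Review bot: `sandbox_x_domain_template` now declares `type $1_file_t, sandbox_file_type;` but its `gen_require` still lists only `attribute sandbox_domain, sandbox_x_domain;`, whereas the sibling `sandbox_domain_template` in this same patch adds `attribute sandbox_file_type;` — make it `attribute sandbox_domain, sandbox_x_domain, sandbox_file_type;` so the template also expands when called from another module. With `$1_t` and `$1_client_t` no longer carrying `sandbox_domain`, that attribute is now unused in this template; if dropping it is deliberate (X sandboxes should not inherit the broad `sandbox_domain` rules such as the inherited-file read/write), a one-line comment at the top of the template saying so would stop someone from "restoring" the `sandbox_domain_template($1)` call. The type/file rules copied verbatim from `sandbox_domain_template` could also be shared through a small private template instead of duplicated.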
@@ -4337,7 +4363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; -+allow sandbox_xserver_t self:tcp_socket create_socket_perms; ++allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) @@ -4392,10 +4418,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# + +## internal communication is often done using fifo and unix sockets. -+allow sandbox_domain self:fifo_file rw_file_perms; ++allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms; + -+files_rw_all_inherited_files(sandbox_domain) ++gen_require(` ++ type usr_t, lib_t, locale_t; ++ attribute exec_type; ++') ++ ++files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t ) +files_entrypoint_all_files(sandbox_domain) + +miscfiles_read_localization(sandbox_domain) @@ -4403,11 +4434,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +kernel_dontaudit_read_system_state(sandbox_domain) +corecmd_exec_all_executables(sandbox_domain) + ++userdom_dontaudit_use_user_terminals(sandbox_domain) + +######################################## +# +# sandbox_x_domain local policy +# ++## internal communication is often done using fifo and unix sockets. ++allow sandbox_x_domain self:fifo_file manage_file_perms; ++allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; ++ +allow sandbox_x_domain self:process { signal_perms getsched setpgid }; +allow sandbox_x_domain self:shm create_shm_perms; +allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms }; 
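Review bot: the exclusion list in `files_rw_all_inherited_files(sandbox_domain, -exec_type -usr_t -lib_t -locale_t)` turns the rule into a blacklist: a sandboxed process may still read and write any inherited descriptor whose type is not one of those four (config, home content, logs, spool, sockets, device nodes…), so the real guarantee has to come from the launcher passing only the descriptors it intends to. Say so next to the rule, e.g. `# inherited fds only: assumes the launcher closes everything but stdio; the exclusions just stop writes to executables, libraries and locale data`, and treat the list as something to re-check whenever new types appear. Pulling `usr_t`, `lib_t`, `locale_t` and `exec_type` into the `.te` through a bare `gen_require` also reaches into other modules' types directly; refpolicy style would wrap that in an interface in `files.if` or `sandbox.if` so the exclusions live with the types they name.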
@@ -4415,20 +4451,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + ++files_search_home(sandbox_x_domain) ++ ++kernel_read_system_state(sandbox_x_domain) ++ ++corecmd_exec_all_executables(sandbox_x_domain) ++ ++ +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) + ++files_entrypoint_all_files(sandbox_x_domain) +files_read_etc_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + +fs_getattr_tmpfs(sandbox_x_domain) +fs_getattr_xattr_fs(sandbox_x_domain) ++fs_list_inotifyfs(sandbox_x_domain) + +auth_dontaudit_read_login_records(sandbox_x_domain) ++auth_use_nsswitch(sandbox_x_domain) + +init_read_utmp(sandbox_x_domain) + ++miscfiles_read_localization(sandbox_x_domain) ++ +term_getattr_pty_fs(sandbox_x_domain) +term_use_ptmx(sandbox_x_domain) + @@ -4445,6 +4493,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + cups_read_rw_config(sandbox_x_domain) +') + ++#============= sandbox_x_t ============== ++allow sandbox_x_t home_root_t:dir search; ++allow sandbox_x_t user_devpts_t:chr_file { read write }; ++ ++ +######################################## +# +# sandbox_x_client_t local policy 
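Review bot: the two bare rules under `#============= sandbox_x_t ==============` look like audit2allow output pasted in: `home_root_t` and `user_devpts_t` belong to other modules and are used without a `gen_require`, and `allow sandbox_x_t home_root_t:dir search;` duplicates the `files_search_home(sandbox_x_domain)` added a few lines above (sandbox_x_t carries that attribute via the template, as far as I can tell). Drop the first rule and the audit2allow header, and express the pty access through an interface — `term_use_all_user_ptys(sandbox_x_t)` as pulseaudio.te in this same patch does, or the narrower userdom pty interface if one fits — so the types stay encapsulated. The enclosing sandbox_x_domain section continues in the hunk above this one.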
@@ -4623,6 +4676,133 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 + manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 + manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.28/policy/modules/apps/seunshare.fc
+--- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/apps/seunshare.fc 2009-08-26 11:10:13.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.28/policy/modules/apps/seunshare.if
+--- nsaserefpolicy/policy/modules/apps/seunshare.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/apps/seunshare.if 2009-08-26 11:46:03.000000000 -0400
+@@ -0,0 +1,76 @@
++
++## policy for seunshare
++
++########################################
++##
++## Execute a domain transition to run seunshare.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`seunshare_domtrans',`
++ gen_require(`
++ type seunshare_t;
++ type seunshare_exec_t;
++ ')
++
++ domtrans_pattern($1,seunshare_exec_t,seunshare_t)
++')
++
++
++########################################
++##
++## Execute seunshare in the seunshare domain, and
++## allow the specified role the seunshare domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the seunshare domain.
++##
++##
++#
++interface(`seunshare_run',`
++ gen_require(`
++ type seunshare_t;
++ ')
++
++ seunshare_domtrans($1)
++ sandbox_transition(seunshare_t, $2)
++ role $2 types seunshare_t;
++')
++
++########################################
++##
++## Role access for seunshare
++##
++##
++##
++## Role allowed access
++##
++##
++##
++##
++## User domain for the role
++##
++##
++#
++interface(`seunshare_role',`
++ gen_require(`
++ type seunshare_t;
++ ')
++
++ role $2 types seunshare_t;
++
++ seunshare_domtrans($1)
++
++ ps_process_pattern($2, seunshare_t)
++ allow $2 seunshare_t:process signal;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.28/policy/modules/apps/seunshare.te
+--- nsaserefpolicy/policy/modules/apps/seunshare.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/apps/seunshare.te 2009-08-26 16:07:56.000000000 -0400
+@@ -0,0 +1,37 @@
++policy_module(seunshare,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type seunshare_t;
++type seunshare_exec_t;
++application_domain(seunshare_t, seunshare_exec_t)
++role system_r types seunshare_t;
++
++permissive seunshare_t;
++
++########################################
++#
++# seunshare local policy
++#
++
++allow seunshare_t self:process { fork setexec signal };
++allow seunshare_t self:capability setpcap;
++allow seunshare_t self:process { getcap setcap };
++
++allow seunshare_t self:fifo_file rw_file_perms;
++allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(seunshare_t)
++files_mounton_all_poly_members(seunshare_t)
++
++corecmd_exec_shell(seunshare_t)
++corecmd_exec_bin(seunshare_t)
++
++auth_use_nsswitch(seunshare_t)
++
++miscfiles_read_localization(seunshare_t)
++
++userdom_use_user_terminals(seunshare_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.28/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc 2009-07-28 13:28:33.000000000 -0400
 +++ serefpolicy-3.6.28/policy/modules/apps/vmware.fc 2009-08-21 18:56:07.000000000 -0400
@@ -4795,7 +4975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc 2009-08-21 18:56:07.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc 2009-08-26 13:56:26.000000000 -0400
 @@ -54,6 +54,7 @@
  /etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
  /etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -4822,7 +5002,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # /usr
  #
-@@ -315,3 +320,21 @@
+@@ -221,6 +226,7 @@
+ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+@@ -315,3 +321,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
  ')
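Review bot: `seunshare_role` in seunshare.if has its two arguments crossed: the doc lists `$1` as the role and `$2` as the user domain (the `nsplugin_role($1_r, $1_usertype)` convention used in userdomain.if), yet the body does `role $2 types seunshare_t;` and `seunshare_domtrans($1)`, passing a type where a role is expected and a role where a type is expected; it should read `role $1 types seunshare_t;` and `seunshare_domtrans($2)`, while the `ps_process_pattern($2, seunshare_t)` and `allow $2 seunshare_t:process signal;` lines are already right. Separately, seunshare.te declares `permissive seunshare_t;` for the helper that performs `setexec`, `setpcap` and `files_mounton_all_poly_members`: while permissive, none of the rules below it are enforced and any missing access (whatever capability the unshare/mount step needs, which I cannot tell from here) is silently masked during testing, so either drop it or mark it `# TODO: remove before release`. `role system_r types seunshare_t;` also looks unnecessary for a user-launched helper whose roles come from `seunshare_run`; confirm it is needed.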
@@ -5582,7 +5770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.28/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.28/policy/modules/kernel/files.if 2009-08-22 09:30:11.000000000 -0400 ++++ serefpolicy-3.6.28/policy/modules/kernel/files.if 2009-08-26 15:56:29.000000000 -0400 @@ -110,6 +110,11 @@ ## # @@ -5957,11 +6145,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + attribute file_type; + ') + -+ allow $1 file_type:dir search_dir_perms; -+ allow $1 file_type:file { getattr read write append lock }; -+ allow $1 file_type:fifo_file { getattr read write append ioctl lock }; -+ allow $1 file_type:sock_file { getattr read write append ioctl lock }; -+ allow $1 file_type:chr_file { getattr read write append ioctl lock }; ++ allow $1 { file_type $2 }:dir search_dir_perms; ++ allow $1 { file_type $2 }:file { getattr read write append lock }; ++ allow $1 { file_type $2 }:fifo_file { getattr read write append ioctl lock }; ++ allow $1 { file_type $2 }:sock_file { getattr read write append ioctl lock }; ++ allow $1 { file_type $2 }:chr_file { getattr read write append ioctl lock }; +') + +######################################## 
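Review bot: the new second argument of `files_rw_all_inherited_files` is spliced straight into the set expression `{ file_type $2 }`, so its meaning — a negated type list such as `-exec_type -usr_t`, empty for the previous behaviour — is visible only by reading the body; the interface's doc header is outside this hunk and should gain a `<param name="exclude_types" optional="true">` entry saying exactly that. Since the grant still covers `file`, `fifo_file`, `sock_file` and `chr_file` of every remaining `file_type`, the summary should also state plainly that the parameter is a blacklist relative to all file types, not an allowlist, so callers do not mistake it for a narrowing interface.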
@@ -15176,7 +15364,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.28/policy/modules/services/postgresql.te --- nsaserefpolicy/policy/modules/services/postgresql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.28/policy/modules/services/postgresql.te 2009-08-21 18:56:07.000000000 -0400 ++++ serefpolicy-3.6.28/policy/modules/services/postgresql.te 2009-08-26 14:57:08.000000000 -0400 @@ -32,6 +32,9 @@ type postgresql_etc_t; files_config_file(postgresql_etc_t) @@ -15207,7 +15395,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_sendrecv_postgresql_server_packets(postgresql_t) corenet_sendrecv_auth_client_packets(postgresql_t) -@@ -247,6 +253,7 @@ +@@ -242,11 +248,12 @@ + files_read_etc_runtime_files(postgresql_t) + files_read_usr_files(postgresql_t) + +-auth_use_nsswitch(postgresql_t) ++auth_use_pam(postgresql_t) + init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) @@ -26139,7 +26333,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.28/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.28/policy/modules/system/userdomain.if 2009-08-25 09:28:37.000000000 -0400 ++++ serefpolicy-3.6.28/policy/modules/system/userdomain.if 2009-08-26 16:12:51.000000000 -0400 @@ -30,8 +30,9 @@ ') 
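Review bot: replacing `auth_use_nsswitch(postgresql_t)` with `auth_use_pam(postgresql_t)` is a much broader grant — in refpolicy `auth_use_pam` brings in the chkpwd/updpwd domain transitions and login-record, lastlog and faillog access on top of name-service access — and nothing in the hunk records why postgresql needs it; a comment such as `# pam auth methods in pg_hba.conf` above the call would. I believe `auth_use_pam` in this refpolicy version calls `auth_use_nsswitch` itself, but that should be confirmed, otherwise dropping the explicit call breaks getpwnam/host lookups for the server. The enclosing postgresql_t policy block starts and ends outside the hunk.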
@@ -26584,7 +26778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -511,182 +525,195 @@ +@@ -511,182 +525,203 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -26695,157 +26889,163 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`user_direct_mouse',` - dev_read_mouse($1_t) -- ') -- ++ dev_read_mouse($1_usertype) + ') + - tunable_policy(`user_ttyfile_stat',` - term_getattr_all_user_ttys($1_t) -+ dev_read_mouse($1_usertype) ++ optional_policy(` ++ alsa_read_rw_config($1_usertype) ') optional_policy(` - alsa_read_rw_config($1_t) -+ alsa_read_rw_config($1_usertype) ++ # Allow graphical boot to check battery lifespan ++ apm_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan +- # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) -+ apm_stream_connect($1_usertype) ++ canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ dbus_system_bus_client($1_usertype) ++ ++ allow $1_usertype $1_usertype:dbus send_msg; ++ ++ optional_policy(` ++ avahi_dbus_chat($1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ canna_stream_connect($1_usertype) ++ bluetooth_dbus_chat($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ dbus_system_bus_client($1_usertype) -+ -+ allow $1_usertype $1_usertype:dbus send_msg; ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ avahi_dbus_chat($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ 
devicekit_dbus_chat_power($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -- ') -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ vpnc_dbus_chat($1_usertype) + ') ') optional_policy(` - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) -+ hal_dbus_chat($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ networkmanager_dbus_chat($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ vpnc_dbus_chat($1_usertype) -+ ') ++ locate_read_lib_files($1_usertype) ') -- # for running depmod as part of the kernel packaging process + # for running depmod as part of the kernel packaging process optional_policy(` - modutils_read_module_config($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ modutils_read_module_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ nsplugin_role($1_r, $1_usertype) ') optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) -+ locate_read_lib_files($1_usertype) ++ tunable_policy(`allow_user_postgresql_connect',` ++ postgresql_stream_connect($1_usertype) ') -+ -+ # for running depmod as part of the kernel packaging process -+ optional_policy(` -+ modutils_read_module_config($1_usertype) ') optional_policy(` -- # to allow monitoring of pcmcia status + # to allow monitoring of pcmcia status - pcmcia_read_pid($1_t) -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ++ pcmcia_read_pid($1_usertype) ') optional_policy(` - pcscd_read_pub_files($1_t) - 
pcscd_stream_connect($1_t) -+ nsplugin_role($1_r, $1_usertype) ++ pcscd_read_pub_files($1_usertype) ++ pcscd_stream_connect($1_usertype) ') optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` +- tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) -+ postgresql_stream_connect($1_usertype) -+ ') - ') -+ -+ optional_policy(` -+ # to allow monitoring of pcmcia status -+ pcmcia_read_pid($1_usertype) +- ') ++ resmgr_stream_connect($1_usertype) ') optional_policy(` - resmgr_stream_connect($1_t) -+ pcscd_read_pub_files($1_usertype) -+ pcscd_stream_connect($1_usertype) ++ rpc_dontaudit_getattr_exports($1_usertype) ++ rpc_manage_nfs_rw_content($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ resmgr_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ rpc_dontaudit_getattr_exports($1_usertype) -+ rpc_manage_nfs_rw_content($1_usertype) ++ sandbox_transition($1_t, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ seunshare_run($1_t, $1_r) ') optional_policy(` 
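Review bot: the two new grants `sandbox_transition($1_t, $1_r)` and `seunshare_run($1_t, $1_r)` are given to `$1_t` while every other call in this hunk is moved to `$1_usertype`; if that is intentional — only the login domain itself, not the other domains carrying the usertype attribute, may start a sandbox — a one-line comment such as `# only the primary user domain may launch sandboxes` would keep the next mechanical rename from changing it. Note also that `seunshare_run` already performs `sandbox_transition(seunshare_t, $2)`, so the user domain now gets a direct transition into the sandbox domains as well as the one through seunshare; if the direct path exists only for the non-X sandbox, say so. The template body continues both before and after this hunk.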
@@ -26856,23 +27056,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -714,13 +741,26 @@ +@@ -714,13 +749,26 @@ userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) - -- userdom_manage_tmp_role($1_r, $1_t) -- userdom_manage_tmpfs_role($1_r, $1_t) ++ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) -+ + +- userdom_manage_tmp_role($1_r, $1_t) +- userdom_manage_tmpfs_role($1_r, $1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -26880,7 +27078,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -26888,7 +27088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -738,70 +778,71 @@ +@@ -738,70 +786,71 @@ allow $1_t self:context contains; @@ -26993,7 +27193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -838,6 +879,28 @@ +@@ -838,6 +887,28 @@ # Local policy # @@ -27022,7 +27222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -868,7 +931,10 @@ +@@ -868,7 +939,10 @@ userdom_restricted_user_template($1) 
@@ -27034,7 +27234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -876,14 +942,19 @@ +@@ -876,14 +950,19 @@ # auth_role($1_r, $1_t) @@ -27059,7 +27259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -891,28 +962,47 @@ +@@ -891,28 +970,47 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -27075,15 +27275,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -+ fprintd_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + gnomeclock_dbus_chat($1_t) + ') @@ -27114,7 +27314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -946,8 +1036,8 @@ +@@ -946,8 +1044,8 @@ # Declarations # @@ -27124,7 +27324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -956,11 +1046,12 @@ +@@ -956,11 +1054,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -27139,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -978,36 +1069,53 @@ +@@ -978,36 +1077,53 @@ ') ') @@ -27207,7 +27407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1042,7 +1150,7 @@ +@@ -1042,7 +1158,7 @@ # template(`userdom_admin_user_template',` gen_require(` 
@@ -27216,7 +27416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1051,8 +1159,7 @@ +@@ -1051,8 +1167,7 @@ # # Inherit rules for ordinary users. @@ -27226,7 +27426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,7 +1182,8 @@ +@@ -1075,7 +1190,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -27236,7 +27436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1091,6 +1199,7 @@ +@@ -1091,6 +1207,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -27244,7 +27444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1098,8 +1207,6 @@ +@@ -1098,8 +1215,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -27253,7 +27453,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1126,6 +1233,7 @@ +@@ -1126,6 +1241,7 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -27261,7 +27461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1154,20 +1262,6 @@ +@@ -1154,20 +1270,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27282,7 +27482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1213,6 +1307,7 @@ +@@ -1213,6 +1315,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -27290,7 +27490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1278,11 +1373,15 @@ +@@ -1278,11 +1381,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27306,7 +27506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1374,12 +1473,13 @@ +@@ -1374,12 +1481,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -27321,7 +27521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1412,6 +1512,14 @@ +@@ -1412,6 +1520,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27336,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1427,9 +1535,11 @@ +@@ -1427,9 +1543,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27348,7 +27548,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1486,6 +1596,25 @@ +@@ -1486,6 +1604,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27374,7 +27574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1560,6 +1689,8 @@ +@@ -1560,6 +1697,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27383,7 +27583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1653,6 +1784,7 @@ +@@ -1653,6 +1792,7 @@ type user_home_dir_t, user_home_t; ') 
@@ -27391,7 +27591,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1780,19 +1912,32 @@ +@@ -1780,19 +1920,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -27431,7 +27631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1827,6 +1972,7 @@ +@@ -1827,6 +1980,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -27439,7 +27639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2374,7 +2520,7 @@ +@@ -2374,7 +2528,7 @@ ######################################## ## @@ -27448,7 +27648,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2728,11 +2874,32 @@ +@@ -2728,11 +2882,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -27483,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2860,7 +3027,25 @@ +@@ -2860,7 +3035,25 @@ type user_tmp_t; ') @@ -27510,7 +27710,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,6 +3082,7 @@ +@@ -2897,6 +3090,7 @@ ') read_files_pattern($1, userdomain, userdomain) @@ -27518,7 +27718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3027,3 +3213,559 @@ +@@ -3027,3 +3221,559 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ff63d14..0e1fbe7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -443,6 +443,7 @@ exit 0
 %changelog
 * Wed Aug 26 2009 Dan Walsh 3.6.28-8
 - Add back in unconfined.pp and unconfineduser.pp
+- Add Sandbox unshare
 
 * Tue Aug 25 2009 Dan Walsh 3.6.28-7
 - Fixes for cdrecord, mdadm, and others