From 93df8504c9fafc542adb300fe91c4540aa930393 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 12 2008 18:26:59 +0000 Subject: - Update to upstream --- diff --git a/policy-20080509.patch b/policy-20080509.patch index 4c95814..e0bd342 100644 --- a/policy-20080509.patch +++ b/policy-20080509.patch @@ -25914,7 +25914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.2/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-05-19 10:26:38.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 10:36:55.251920000 -0400 ++++ serefpolicy-3.4.2/policy/modules/services/xserver.if 2008-06-12 12:10:32.884486000 -0400 @@ -16,7 +16,8 @@ gen_require(` type xkb_var_lib_t, xserver_exec_t, xserver_log_t; @@ -26204,7 +26204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -643,11 +623,81 @@ +@@ -643,13 +623,175 @@ xserver_read_xdm_tmp_files($2) @@ -26246,7 +26246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute x_domain; + type $1_xserver_t; +# type $2_input_xevent_t; - ') ++ ') + +# typeattribute $2_input_xevent_t $1_input_xevent_type; + @@ -26266,10 +26266,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # manage: xhost X11:ChangeHosts + # freeze: metacity X11:GrabKey + # force_cursor: metacity X11:GrabPointer -+ allow $3 $1_xserver_t:x_device { manage freeze force_cursor }; ++ allow $3 $1_xserver_t:x_device { read manage freeze force_cursor }; + allow $3 $1_xserver_t:x_device { getfocus setfocus grab use getattr setattr bell }; + -+ + # gnome-settings-daemon XKEYBOARD:SetControls + allow $3 $1_xserver_t:x_server { manage grab }; + @@ -26287,13 +26286,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # setattr: metacity X11:InstallColormap + allow $3 $1_xserver_t:x_screen { getattr saver_setattr saver_getattr setattr }; - ') - - ####################################### -@@ -662,6 +712,99 @@ - ## is the prefix for user_t). - ## - ## ++') ++ ++####################################### ++## ++## Interface to provide X object permissions on a given X server to ++## an X client domain. Provides the minimal set required by a basic ++## X client application. ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Client domain allowed access. @@ -26333,7 +26339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + type manage_xevent_t, output_xext_t, property_xevent_t; + type shmem_xext_t, xselection_t; + attribute xevent_type, xextension_type; -+ ') + ') + # can receive certain root window events + allow $2 self:x_cursor { destroy create use setattr }; + allow $2 self:x_drawable { write getattr read destroy create add_child }; @@ -26341,7 +26347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $2 self:x_resource { write read }; + + allow $2 input_xevent_t:x_synthetic_event receive; -+ allow $2 client_xevent_t:x_synthetic_event receive; ++ allow $2 client_xevent_t:x_synthetic_event { send receive }; + allow $2 focus_xevent_t:x_event receive; + allow $2 info_xproperty_t:x_property read; + allow $2 manage_xevent_t:x_event receive; @@ -26372,25 +26378,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + +# xserver_use($1,$1,$2) + xserver_use(xdm,$1,$2) -+') -+ + ') + + -+####################################### -+## -+## Interface to provide X object permissions on a given X server to -+## an X client domain. Provides the minimal set required by a basic -+## X client application. -+## -+## -+## -+## The prefix of the X server domain (e.g., user -+## is the prefix for user_t). -+## -+## - ## - ## - ## The prefix of the X client domain (e.g., user -@@ -676,7 +819,7 @@ + ####################################### + ## + ## Interface to provide X object permissions on a given X server to +@@ -676,7 +818,7 @@ # template(`xserver_common_x_domain_template',` gen_require(` @@ -26399,7 +26393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type xproperty_t, info_xproperty_t, clipboard_xproperty_t; type input_xevent_t, focus_xevent_t, property_xevent_t, manage_xevent_t; type xevent_t, client_xevent_t; -@@ -685,7 +828,6 @@ +@@ -685,7 +827,6 @@ attribute x_server_domain, x_domain; attribute xproperty_type; attribute xevent_type, xextension_type; @@ -26407,7 +26401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser class x_drawable all_x_drawable_perms; class x_screen all_x_screen_perms; -@@ -709,20 +851,22 @@ +@@ -709,20 +850,22 @@ # Declarations # @@ -26433,7 +26427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ############################## # # Local Policy -@@ -740,7 +884,7 @@ +@@ -740,7 +883,7 @@ allow $3 x_server_domain:x_server getattr; # everyone can do override-redirect windows. # this could be used to spoof labels @@ -26442,7 +26436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # everyone can receive management events on the root window # allows to know when new windows appear, among other things allow $3 manage_xevent_t:x_event receive; -@@ -749,7 +893,7 @@ +@@ -749,7 +892,7 @@ # can read server-owned resources allow $3 x_server_domain:x_resource read; # can mess with own clients @@ -26451,7 +26445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Protocol Extensions allow $3 std_xext_t:x_extension { query use }; -@@ -758,27 +902,17 @@ +@@ -758,27 +901,17 @@ # X Properties # can read and write client properties @@ -26484,20 +26478,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X Input # can receive own events -@@ -805,6 +939,12 @@ +@@ -805,6 +938,12 @@ allow $3 manage_xevent_t:x_synthetic_event send; allow $3 client_xevent_t:x_synthetic_event send; + allow $3 input_xevent_t:x_event receive; + allow $3 input_xevent_t:x_synthetic_event send; + allow $3 $2_client_xevent_t:x_synthetic_event send; -+ allow $3 xproperty_t:x_property read; ++ allow $3 xproperty_t:x_property { read destroy }; + allow $3 xselection_t:x_selection setattr; + # X Selections # can use the clipboard allow $3 clipboard_xselection_t:x_selection { getattr setattr read }; -@@ -813,13 +953,15 @@ +@@ -813,13 +952,15 @@ # Other X Objects # can create and use cursors @@ -26517,7 +26511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined($3), -@@ -879,17 +1021,17 @@ +@@ -879,17 +1020,17 @@ # template(`xserver_user_x_domain_template',` gen_require(` @@ -26542,7 +26536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $3 xdm_t:fd use; -@@ -916,11 +1058,9 @@ +@@ -916,11 +1057,9 @@ # X object manager xserver_common_x_domain_template($1,$2,$3) @@ -26557,7 +26551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -952,26 +1092,43 @@ +@@ -952,26 +1091,43 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -26608,7 +26602,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1005,6 +1162,73 @@ +@@ -1005,6 +1161,73 @@ ######################################## ## @@ -26682,7 +26676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -1030,10 +1254,10 @@ +@@ -1030,10 +1253,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -26695,7 +26689,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1219,6 +1443,25 @@ +@@ -1219,6 +1442,25 @@ ######################################## ## @@ -26721,7 +26715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -1273,6 +1516,7 @@ +@@ -1273,6 +1515,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -26729,7 +26723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1291,7 +1535,7 @@ +@@ -1291,7 +1534,7 @@ ') files_search_pids($1) @@ -26738,7 +26732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1314,6 +1558,24 @@ +@@ -1314,6 +1557,24 @@ ######################################## ## @@ -26763,7 +26757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -1324,15 +1586,47 @@ +@@ -1324,15 +1585,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -26812,7 +26806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1482,7 +1776,7 @@ +@@ -1482,7 +1775,7 @@ type xdm_xserver_tmp_t; ') @@ -26821,7 +26815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1674,6 +1968,65 @@ +@@ -1674,6 +1967,65 @@ ######################################## ## @@ -26887,7 +26881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1686,8 +2039,87 @@ +@@ -1686,8 +2038,87 @@ # interface(`xserver_unconfined',` gen_require(` @@ -30469,7 +30463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2008-05-19 10:26:42.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 10:36:55.473696000 -0400 ++++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.fc 2008-06-12 14:04:10.162698000 -0400 @@ -38,7 +38,7 @@ /usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0) /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) @@ -30479,6 +30473,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu /usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +@@ -46,3 +46,8 @@ + # /var/run + # + /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) ++ ++# ++# /var/lib ++# ++/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.4.2/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2008-05-29 15:55:43.000000000 -0400 +++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.if 2008-06-12 10:36:55.480688000 -0400 @@ -30986,8 +30989,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.2/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-05-29 15:55:43.000000000 -0400 -+++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 10:36:55.485685000 -0400 -@@ -75,7 +75,6 @@ ++++ serefpolicy-3.4.2/policy/modules/system/selinuxutil.te 2008-06-12 14:05:15.662484000 -0400 +@@ -23,6 +23,9 @@ + type selinux_config_t; + files_type(selinux_config_t) + ++type selinux_var_lib_t; ++files_type(selinux_var_lib_t) ++ + type checkpolicy_t, can_write_binary_policy; + type checkpolicy_exec_t; + application_domain(checkpolicy_t, checkpolicy_exec_t) +@@ -75,7 +78,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) @@ -30995,7 +31008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -92,6 +91,10 @@ +@@ -92,6 +94,10 @@ domain_interactive_fd(semanage_t) role system_r types semanage_t; @@ -31006,7 +31019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu type semanage_store_t; files_type(semanage_store_t) -@@ -109,6 +112,11 @@ +@@ -109,6 +115,11 @@ init_system_domain(setfiles_t,setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -31018,7 +31031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Checkpolicy local policy -@@ -168,6 +176,7 @@ +@@ -168,6 +179,7 @@ files_read_etc_runtime_files(load_policy_t) fs_getattr_xattr_fs(load_policy_t) @@ -31026,7 +31039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu mls_file_read_all_levels(load_policy_t) -@@ -195,15 +204,6 @@ +@@ -195,15 +207,6 @@ ') ') @@ -31042,7 +31055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ######################################## # # Newrole local policy -@@ -221,7 +221,7 @@ +@@ -221,7 +224,7 @@ allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -31051,7 +31064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu read_files_pattern(newrole_t,default_context_t,default_context_t) read_lnk_files_pattern(newrole_t,default_context_t,default_context_t) -@@ -277,6 +277,7 @@ +@@ -277,6 +280,7 @@ libs_use_ld_so(newrole_t) libs_use_shared_libs(newrole_t) @@ -31059,7 +31072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu logging_send_syslog_msg(newrole_t) miscfiles_read_localization(newrole_t) -@@ -347,6 +348,8 @@ +@@ -347,6 +351,8 @@ seutil_libselinux_linked(restorecond_t) @@ -31068,7 +31081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -365,7 +368,7 @@ +@@ -365,7 +371,7 @@ allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -31077,7 +31090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -396,7 +399,6 @@ +@@ -396,7 +402,6 @@ auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) @@ -31085,7 +31098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) init_spec_domtrans_script(run_init_t) -@@ -435,64 +437,17 @@ +@@ -435,64 +440,22 @@ # semodule local policy # @@ -31104,9 +31117,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -kernel_read_kernel_sysctls(semanage_t) - -corecmd_exec_bin(semanage_t) -- ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; + -dev_read_urand(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -domain_use_interactive_fds(semanage_t) - -files_read_etc_files(semanage_t) @@ -31121,7 +31138,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) -# for setsebool: -+seutil_semanage_policy(semanage_t) selinux_set_boolean(semanage_t) +can_exec(semanage_t, semanage_exec_t) @@ -31155,7 +31171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -501,12 +456,21 @@ +@@ -501,12 +464,21 @@ files_read_var_lib_symlinks(semanage_t) ') @@ -31177,7 +31193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -514,121 +478,40 @@ +@@ -514,121 +486,40 @@ # Handle pp files created in homedir and /tmp sysadm_read_home_content_files(semanage_t) sysadm_read_tmp_files(semanage_t)