From 9850f4d30d872f15d88889f6e3bfed202f5dd8d9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 24 2009 13:15:55 +0000 Subject: - Allow kpropd to create tmp files --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 199a810..6581e79 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -836,6 +836,13 @@ mount = base # mozilla = module +# Layer: services +# Module: nslcd +# +# Policy for nslcd +# +nslcd = module + # Layer: apps # Module: nsplugin # diff --git a/policy-F12.patch b/policy-F12.patch index dadf3e9..652aaf1 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -2832,7 +2832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.18/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-24 08:35:55.000000000 -0400 @@ -105,6 +105,7 @@ # Should not need other ports corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) @@ -2849,7 +2849,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(mozilla_t) -@@ -243,6 +245,8 @@ +@@ -143,6 +145,7 @@ + userdom_manage_user_tmp_dirs(mozilla_t) + userdom_manage_user_tmp_files(mozilla_t) + userdom_manage_user_tmp_sockets(mozilla_t) ++userdom_use_user_ptys(mozilla_t) + + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) + xserver_dontaudit_read_xdm_tmp_files(mozilla_t) +@@ -243,6 +246,8 @@ optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -2858,7 +2866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -263,5 +267,10 @@ +@@ -263,5 +268,10 @@ ') optional_policy(` @@ -14343,7 +14351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.18/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400 -+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-23 16:51:48.000000000 -0400 @@ -33,6 +33,7 @@ type kpropd_t; type kpropd_exec_t; @@ -14362,13 +14370,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # kadmind local policy -@@ -281,7 +285,9 @@ +@@ -281,7 +285,13 @@ allow kpropd_t krb5_keytab_t:file read_file_perms; +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file) ++ ++manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) ++manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t) ++files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -16949,8 +16961,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if --- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-20 06:49:47.000000000 -0400 -@@ -0,0 +1,241 @@ ++++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-24 08:29:05.000000000 -0400 +@@ -0,0 +1,242 @@ + +## policy for polkit_auth + @@ -17170,6 +17182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + polkit_run_grant($2, $1) + polkit_read_lib($2) + polkit_read_reload($2) ++ polkit_dbus_chat($2) +') + +######################################## @@ -23396,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.18/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-24 08:47:55.000000000 -0400 @@ -90,7 +90,7 @@ allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; @@ -23689,7 +23702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern($1, xserver_exec_t, xserver_t) ') -@@ -1159,6 +1263,275 @@ +@@ -1159,6 +1263,276 @@ ######################################## ## @@ -23859,6 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_read_xdm_tmp_files($1) + xserver_xdm_stream_connect($1) + xserver_setattr_xdm_tmp_dirs($1) ++ xserver_read_xdm_pid($1) + + allow $1 xdm_t:x_client { getattr destroy }; + allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child }; @@ -23965,7 +23979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain complete control over the ## display. -@@ -1172,7 +1545,103 @@ +@@ -1172,7 +1546,103 @@ interface(`xserver_unconfined',` gen_require(` attribute xserver_unconfined_type; @@ -29177,7 +29191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.18/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-20 06:49:47.000000000 -0400 ++++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-24 08:35:26.000000000 -0400 @@ -30,8 +30,9 @@ ') @@ -30100,19 +30114,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +961,33 @@ +@@ -899,28 +961,43 @@ selinux_get_enforce_mode($1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_rw_config($1_usertype) ++ ') ++ ++ optional_policy(` ++ apache_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_power_dbus_chat($1_usertype) ++ devicekit_disk_dbus_chat($1_usertype) ') optional_policy(` - dbus_role_template($1, $1_r, $1_t) - dbus_system_bus_client($1_t) -+ apache_role($1_r, $1_usertype) -+ ') ++ gnomeclock_dbus_chat($1_t) ++ ') optional_policy(` - consolekit_dbus_chat($1_t) @@ -30141,7 +30165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1021,8 @@ +@@ -954,8 +1031,8 @@ # Declarations # @@ -30151,7 +30175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1031,12 @@ +@@ -964,11 +1041,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -30166,7 +30190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1054,55 @@ +@@ -986,37 +1064,55 @@ ') ') @@ -30236,7 +30260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1136,7 @@ +@@ -1050,7 +1146,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -30245,7 +30269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1145,7 @@ +@@ -1059,8 +1155,7 @@ # # Inherit rules for ordinary users. @@ -30255,7 +30279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1168,8 @@ +@@ -1083,7 +1178,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -30265,7 +30289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1185,7 @@ +@@ -1099,6 +1195,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -30273,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1193,6 @@ +@@ -1106,8 +1203,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -30282,7 +30306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1247,6 @@ +@@ -1162,20 +1257,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -30303,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1292,7 @@ +@@ -1221,6 +1302,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -30311,7 +30335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1358,15 @@ +@@ -1286,11 +1368,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -30327,7 +30351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1463,7 @@ +@@ -1387,7 +1473,7 @@ ######################################## ## @@ -30336,7 +30360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1496,14 @@ +@@ -1420,6 +1506,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -30351,7 +30375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1519,11 @@ +@@ -1435,9 +1529,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -30363,7 +30387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1580,25 @@ +@@ -1494,6 +1590,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -30389,7 +30413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1673,8 @@ +@@ -1568,6 +1683,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -30398,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1750,7 @@ +@@ -1643,6 +1760,7 @@ type user_home_dir_t, user_home_t; ') @@ -30406,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1849,80 @@ +@@ -1741,30 +1859,80 @@ ######################################## ## @@ -30497,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1945,46 @@ +@@ -1787,6 +1955,46 @@ ######################################## ## @@ -30544,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1997,7 @@ +@@ -1799,6 +2007,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -30552,7 +30576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2527,7 @@ +@@ -2328,7 +2537,7 @@ ######################################## ## @@ -30561,7 +30585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2682,16 +2881,17 @@ +@@ -2682,11 +2891,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -30573,35 +30597,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_home($1) - allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms; + allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms; - ') - - ######################################## - ## --## Send general signals to unprivileged user domains. -+## List users home directories. - ## - ## - ## -@@ -2699,12 +2899,32 @@ - ## - ## - # --interface(`userdom_signal_unpriv_users',` -+interface(`userdom_list_user_home_content',` - gen_require(` -- attribute unpriv_userdomain; -+ type user_home_dir_t; -+ attribute user_home_type; - ') - -- allow $1 unpriv_userdomain:process signal; -+ files_list_home($1) -+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; +') + +######################################## +## -+## Send general signals to unprivileged user domains. ++## List users home directories. +## +## +## @@ -30609,16 +30609,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_signal_unpriv_users',` ++interface(`userdom_list_user_home_content',` + gen_require(` -+ attribute unpriv_userdomain; ++ type user_home_dir_t; ++ attribute user_home_type; + ') + -+ allow $1 unpriv_userdomain:process signal; ++ files_list_home($1) ++ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms; ') ######################################## -@@ -2814,7 +3034,25 @@ +@@ -2814,7 +3044,25 @@ type user_tmp_t; ') @@ -30645,7 +30647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3089,7 @@ +@@ -2851,6 +3099,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -30653,7 +30655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3220,481 @@ +@@ -2981,3 +3230,481 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 02f6305..bd8a784 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.19 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -295,7 +295,7 @@ Summary: SELinux targeted base policy Provides: selinux-policy-base Group: System Environment/Base Obsoletes: selinux-policy-targeted-sources < 2 -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Conflicts: audispd-plugins <= 1.7.7-1 @@ -381,7 +381,7 @@ exit 0 Summary: SELinux minimum base policy Provides: selinux-policy-base Group: System Environment/Base -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} @@ -415,7 +415,7 @@ exit 0 Summary: SELinux olpc base policy Group: System Environment/Base Provides: selinux-policy-base -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} @@ -446,7 +446,7 @@ Group: System Environment/Base Provides: selinux-policy-base Obsoletes: selinux-policy-mls-sources < 2 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} @@ -473,6 +473,9 @@ exit 0 %endif %changelog +* Tue Jun 23 2009 Dan Walsh 3.6.19-3 +- Allow kpropd to create tmp files + * Tue Jun 23 2009 Dan Walsh 3.6.19-2 - Fix last duplicate /var/log/rpmpkgs