From bf332025345d7996fad0fccca8d86e6ff9d80a62 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 10 2007 16:10:27 +0000 Subject: - Fix dbus chat to not happen for xguest and guest users --- diff --git a/policy-20070703.patch b/policy-20070703.patch index cb78277..670e3cd 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -594,7 +594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.5/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te 2007-08-07 10:18:57.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te 2007-08-10 11:56:22.000000000 -0400 @@ -29,7 +29,6 @@ allow logwatch_t self:process signal; allow logwatch_t self:fifo_file rw_file_perms; @@ -608,7 +608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc dev_read_urand(logwatch_t) -dev_search_sysfs(logwatch_t) -+dev_list_sysfs(logwatch_t) ++dev_read_sysfs(logwatch_t) # Read /proc/PID directories for all domains. domain_read_all_domains_state(logwatch_t) 
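Review bot: The logwatch hunk widens the sysfs grant from `dev_list_sysfs(logwatch_t)` to `dev_read_sysfs(logwatch_t)` with no comment saying why logwatch needs to read sysfs files rather than list directories, and neither the commit subject nor the changelog mentions it. Refpolicy convention for a non-obvious grant is a one-line comment above the call, e.g. `# <what logwatch reads under /sys — fill in from the denial that motivated this>` directly above `dev_read_sysfs(logwatch_t)`. If the motivating denial named a single file, a narrower interface (if one exists) or a dontaudit would be preferable to read access on sysfs generally; that is an inference from the interface name and should be confirmed against the denial.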
@@ -4119,17 +4119,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind corenet_sendrecv_rndc_client_packets(ndc_t) fs_getattr_xattr_fs(ndc_t) -diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.5/policy/modules/services/bluetooth.te ---- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-08-02 08:17:27.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/bluetooth.te 2007-08-07 09:39:49.000000000 -0400 -@@ -128,6 +128,7 @@ - dbus_system_bus_client_template(bluetooth,bluetooth_t) - dbus_connect_system_bus(bluetooth_t) - dbus_send_system_bus(bluetooth_t) -+ userdom_dbus_chat_all_users(bluetooth_t) - ') - - optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.5/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2007-05-29 14:10:57.000000000 -0400 +++ serefpolicy-3.0.5/policy/modules/services/clamav.fc 2007-08-07 09:39:49.000000000 -0400 @@ -4192,7 +4181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.5/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/consolekit.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/consolekit.te 2007-08-10 11:40:51.000000000 -0400 @@ -10,7 +10,6 @@ type consolekit_exec_t; init_daemon_domain(consolekit_t, consolekit_exec_t) 
@@ -4233,12 +4222,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons optional_policy(` dbus_system_bus_client_template(consolekit, consolekit_t) dbus_send_system_bus(consolekit_t) -@@ -62,9 +68,17 @@ +@@ -62,9 +68,16 @@ optional_policy(` unconfined_dbus_chat(consolekit_t) ') + -+ userdom_dbus_chat_all_users(consolekit_t) ') optional_policy(` @@ -4671,7 +4659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.5/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/cups.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/cups.te 2007-08-10 11:32:15.000000000 -0400 @@ -81,12 +81,11 @@ # /usr/lib/cups/backend/serial needs sys_admin(?!) allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; @@ -4784,18 +4772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_t, cupsd_exec_t) ') -@@ -250,6 +278,10 @@ - optional_policy(` - hal_dbus_chat(cupsd_t) - ') -+ -+ optional_policy(` -+ userdom_dbus_chat_all_users(cupsd_t) -+ ') - ') - - optional_policy(` -@@ -265,16 +297,16 @@ +@@ -265,16 +293,16 @@ ') optional_policy(` @@ -4816,7 +4793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_sigchld_newrole(cupsd_t) ') -@@ -379,6 +411,14 @@ +@@ -379,6 +407,14 @@ ') optional_policy(` 
@@ -4831,7 +4808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -562,7 +602,7 @@ +@@ -562,7 +598,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -4840,7 +4817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -589,8 +629,6 @@ +@@ -589,8 +625,6 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -5431,7 +5408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.5/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/hal.te 2007-08-09 14:46:39.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/hal.te 2007-08-10 11:34:53.000000000 -0400 @@ -22,6 +22,12 @@ type hald_log_t; files_type(hald_log_t) @@ -5495,18 +5472,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. alsa_read_rw_config(hald_t) ') -@@ -228,6 +242,10 @@ +@@ -228,6 +242,7 @@ optional_policy(` networkmanager_dbus_chat(hald_t) ') + -+ optional_policy(` -+ userdom_dbus_chat_all_users(hald_t) -+ ') ') optional_policy(` -@@ -283,6 +301,7 @@ +@@ -283,6 +298,7 @@ # allow hald_acl_t self:capability { dac_override fowner }; @@ -5514,7 +5488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. allow hald_acl_t self:fifo_file read_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) -@@ -296,7 +315,10 @@ +@@ -296,7 +312,10 @@ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) 
@@ -5525,7 +5499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_setattr_sound_dev(hald_acl_t) dev_setattr_generic_usb_dev(hald_acl_t) dev_setattr_usbfs_files(hald_acl_t) -@@ -358,3 +380,25 @@ +@@ -358,3 +377,25 @@ libs_use_shared_libs(hald_sonypic_t) miscfiles_read_localization(hald_sonypic_t) @@ -5987,7 +5961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-07 09:39:49.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te 2007-08-10 11:35:13.000000000 -0400 @@ -41,6 +41,8 @@ kernel_read_kernel_sysctls(NetworkManager_t) kernel_load_module(NetworkManager_t) @@ -5997,15 +5971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_all_if(NetworkManager_t) -@@ -136,6 +138,7 @@ - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) - dbus_send_system_bus(NetworkManager_t) -+ userdom_dbus_chat_all_users(NetworkManager_t) - ') - - optional_policy(` -@@ -152,6 +155,11 @@ +@@ -152,6 +154,11 @@ ') optional_policy(` @@ -6017,7 +5983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) -@@ -166,6 +174,7 @@ +@@ -166,6 +173,7 @@ ') optional_policy(` 
@@ -11153,7 +11119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-07 10:28:24.000000000 -0400 ++++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-10 11:57:57.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; @@ -11451,7 +11417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -829,34 +777,14 @@ +@@ -829,11 +777,6 @@ ') optional_policy(` 
@@ -11463,56 +11429,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:dbus send_msg; dbus_system_bus_client_template($1,$1_t) +@@ -842,21 +785,18 @@ + ') + optional_policy(` -- bluetooth_dbus_chat($1_t) -- ') -- -- optional_policy(` - evolution_dbus_chat($1,$1_t) - evolution_alarm_dbus_chat($1,$1_t) +- evolution_dbus_chat($1,$1_t) +- evolution_alarm_dbus_chat($1,$1_t) ++ consolekit_dbus_chat($1_t) ') -- optional_policy(` + optional_policy(` - cups_dbus_chat_config($1_t) -- ') -- -- optional_policy(` ++ networkmanager_dbus_chat($1_t) + ') + + optional_policy(` - hal_dbus_chat($1_t) -- ') -- ++ evolution_dbus_chat($1,$1_t) ++ evolution_alarm_dbus_chat($1,$1_t) + ') + - optional_policy(` - networkmanager_dbus_chat($1_t) - ') ') optional_policy(` -@@ -884,17 +812,19 @@ +@@ -884,17 +824,17 @@ ') optional_policy(` - nis_use_ypbind($1_t) -- ') -- -- optional_policy(` - tunable_policy(`allow_user_mysql_connect',` - mysql_stream_connect($1_t) - ') ++ alsa_read_rw_config($1_t) ') - optional_policy(` -- nscd_socket_use($1_t) +- tunable_policy(`allow_user_mysql_connect',` +- mysql_stream_connect($1_t) +- ') +- ') + optional_policy(` + tunable_policy(`allow_user_postgresql_connect',` + postgresql_stream_connect($1_t) + ') + ') -+ + +- optional_policy(` +- nscd_socket_use($1_t) + tunable_policy(`user_ttyfile_stat',` + term_getattr_all_user_ttys($1_t) ') optional_policy(` -@@ -908,16 +838,6 @@ +@@ -908,16 +848,6 @@ ') optional_policy(` @@ -11529,7 +11498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo resmgr_stream_connect($1_t) ') -@@ -927,11 +847,6 @@ +@@ -927,11 +857,6 @@ ') optional_policy(` @@ -11541,7 +11510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo samba_stream_connect_winbind($1_t) ') -@@ -962,21 +877,162 @@ +@@ -962,21 +887,162 @@ ## ## # 
@@ -11710,7 +11679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_interactive_fd($1_t) typeattribute $1_devpts_t user_ptynode; -@@ -985,15 +1041,53 @@ +@@ -985,15 +1051,53 @@ typeattribute $1_tmp_t user_tmpfile; typeattribute $1_tty_device_t user_ttynode; @@ -11768,10 +11737,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -@@ -1029,15 +1123,7 @@ - # and may change other protocols - tunable_policy(`user_tcp_server',` - corenet_tcp_bind_all_nodes($1_t) +@@ -1024,20 +1128,12 @@ + kernel_dontaudit_read_ring_buffer($1_t) + ') + +- # Allow users to run TCP servers (bind to ports and accept connection from +- # the same domain and outside users) disabling this forces FTP passive mode +- # and may change other protocols +- tunable_policy(`user_tcp_server',` +- corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) - ') - @@ -11781,11 +11755,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - - optional_policy(` - loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ # Allow users to run TCP servers (bind to ports and accept connection from ++ # the same domain and outside users) disabling this forces FTP passive mode ++ # and may change other protocols ++ tunable_policy(`user_tcp_server',` ++ corenet_tcp_bind_all_nodes($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) ') optional_policy(` -@@ -1054,17 +1140,6 @@ +@@ -1054,17 +1150,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11803,7 +11782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1177,8 @@ +@@ -1102,6 +1187,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') 
@@ -11812,7 +11791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1204,7 @@ +@@ -1127,7 +1214,7 @@ # $1_t local policy # @@ -11821,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,7 +1216,11 @@ +@@ -1139,7 +1226,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -11834,7 +11813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1902,6 +1983,41 @@ +@@ -1902,6 +1993,41 @@ ######################################## ## @@ -11876,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3194,7 @@ +@@ -3078,7 +3204,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -11885,7 +11864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5439,7 @@ +@@ -5323,7 +5449,7 @@ attribute user_tmpfile; ') 
@@ -11894,34 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5664,26 @@ - - ######################################## - ## -+## Send a dbus message to all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_dbus_chat_all_users',` -+ gen_require(` -+ attribute userdomain; -+ class dbus send_msg; -+ ') -+ -+ allow $1 userdomain:dbus send_msg; -+ allow userdomain $1:dbus send_msg; -+') -+ -+######################################## -+## - ## Unconfined access to user domains. (Deprecated) - ## - ## -@@ -5559,3 +5695,275 @@ +@@ -5559,3 +5685,280 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -12113,6 +12065,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + dbus_per_role_template($1, $1_t, $1_r) + dbus_system_bus_client_template($1, $1_t) + allow $1_t self:dbus send_msg; ++ ++ optional_policy(` ++ cups_dbus_chat($1_t) ++ ') ++ +') + +optional_policy(` 
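Review bot: The added `cups_dbus_chat($1_t)` sits inside the dbus optional_policy block of a template whose header lies outside this hunk, so every domain produced by that template now gets two-way dbus send_msg with cupsd_t, with no comment saying which users that is meant for. Since the purpose of this commit is to stop dbus chat for guest and xguest, it matters whether userdom_unpriv_login_user / userdom_unpriv_xwindows_login_user (which guest.te expands) are built on this template, and that cannot be seen from the hunk alone. A comment above the new block such as `# printing needs bidirectional dbus with cupsd; not intended for the guest/xguest templates` would record the intent, and if the guest templates do share this code the grant should be moved out of the shared block. Removing the userdom_dbus_chat_all_users interface at the top of this hunk is consistent with the other hunks, which drop its callers in bluetooth, consolekit, cups, hald and NetworkManager.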
@@ -12396,13 +12353,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i +## Policy for guest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.5/policy/modules/users/guest.te --- nsaserefpolicy/policy/modules/users/guest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.5/policy/modules/users/guest.te 2007-08-07 09:39:49.000000000 -0400 -@@ -0,0 +1,5 @@ ++++ serefpolicy-3.0.5/policy/modules/users/guest.te 2007-08-10 11:34:33.000000000 -0400 +@@ -0,0 +1,9 @@ +policy_module(guest,1.0.0) +userdom_unpriv_login_user(guest) +userdom_unpriv_login_user(gadmin) +userdom_unpriv_xwindows_login_user(xguest) +mozilla_per_role_template(xguest, xguest_t, xguest_r) ++# Allow mounting of file systems ++optional_policy(` ++ hal_dbus_chat(xguest_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.5/policy/modules/users/logadm.fc --- nsaserefpolicy/policy/modules/users/logadm.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.5/policy/modules/users/logadm.fc 2007-08-07 09:39:49.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 4e525d5..3641446 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.5 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -360,6 +360,9 @@ exit 0 %endif %changelog +* Fri Aug 10 2007 Dan Walsh 3.0.5-4 +- Fix dbus chat to not happen for xguest and guest users + * Mon Aug 6 2007 Dan Walsh 3.0.5-3 - Fix nagios cgi - allow squid to communicate with winbind
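Review bot: The comment `# Allow mounting of file systems` above `hal_dbus_chat(xguest_t)` understates the grant: judging by the body of userdom_dbus_chat_all_users removed elsewhere in this diff, a *_dbus_chat interface allows dbus send_msg in both directions, so xguest_t may send any message to hald_t that the bus lets through, not only mount requests. Suggest `# Allow xguest_t to exchange dbus messages with hald_t (both directions); needed for mounting removable media` so the next reader sees the real scope. The commit subject and the spec changelog entry say dbus chat no longer happens for xguest and guest users, yet this hunk adds one for xguest; the changelog should mention the hal exception (and the logwatch dev_read_sysfs change) so the audit trail matches what ships.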