From ec4fb1ce994f85e5d005ec73779a142d925af37d Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Sep 21 2007 23:46:18 +0000
Subject: - Allow also to search var_lib
- New context for dbus launcher
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index a24e1c5..053cbaf 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -314,8 +314,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400
-@@ -14,25 +14,35 @@
++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-21 19:08:24.000000000 -0400
+@@ -14,25 +14,36 @@
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
@@ -342,6 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
++files_search_var_lib(alsa_t)
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+
@@ -354,7 +355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
-@@ -43,7 +53,13 @@
+@@ -43,7 +54,13 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
@@ -2838,7 +2839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-21 19:16:08.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -9977,7 +9978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 15:44:32.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-21 19:21:31.000000000 -0400
@@ -16,6 +16,13 @@
##
@@ -9992,11 +9993,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Allow xdm logins as sysadm
##
##
-@@ -132,15 +139,19 @@
+@@ -132,15 +139,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
++fs_getattr_all_fs(xdm_t)
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
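Review bot: `fs_getattr_all_fs(xdm_t)` grants getattr on every filesystem type rather than the one xdm actually stats, and the added line carries no comment saying which call needed it. If the denial came from a single filesystem (tmpfs is the only one the surrounding rules deal with), a narrower interface such as `fs_getattr_tmpfs(xdm_t)` — if available in this refpolicy version — keeps the grant scoped; if several are genuinely needed, a one-line comment such as `# xdm calls statfs on mounted filesystems; getattr only` lets the next reader keep it. This change is also not reflected in the commit message or the changelog entry, which only mention var_lib search and the dbus launcher context. The enclosing xdm_t rule block begins outside the hunk.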
@@ -10013,7 +10015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +196,7 @@
+@@ -185,6 +197,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@@ -10021,7 +10023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
-@@ -246,6 +258,7 @@
+@@ -246,6 +259,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -10029,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -257,6 +270,7 @@
+@@ -257,6 +271,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -10037,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
-@@ -268,9 +282,14 @@
+@@ -268,9 +283,14 @@
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -10052,7 +10054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -306,6 +325,11 @@
+@@ -306,6 +326,11 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@@ -10064,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -348,12 +372,8 @@
+@@ -348,12 +373,8 @@
')
optional_policy(`
@@ -10078,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
-@@ -385,7 +405,7 @@
+@@ -385,7 +406,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@@ -10087,7 +10089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +445,10 @@
+@@ -425,6 +446,10 @@
')
optional_policy(`
@@ -10098,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
-@@ -434,47 +458,19 @@
+@@ -434,47 +459,20 @@
')
optional_policy(`
@@ -10113,6 +10115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+optional_policy(`
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
++ unconfined_rw_tmpfs_files(xdm_xserver_t)
+')
- ifdef(`distro_rhel4',`
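Review bot: `unconfined_rw_tmpfs_files(xdm_xserver_t)` depends on the interface this same patch appends to unconfined.if, and that interface grants more than its name states: directory listing on unconfined_tmpfs_t and symlink reads, in addition to file read/write. Because the call sits inside an `optional_policy` block it is skipped cleanly when the unconfined module is absent, but the X server now has write access to every unconfined_t tmpfs object, so a comment on why the existing `fs_rw_tmpfs_files(xdm_xserver_t)` grant earlier in the file did not cover the case would help, e.g. `# tmpfs objects created by unconfined_t are unconfined_tmpfs_t, not tmpfs_t — confirm`.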
@@ -10188,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-21 16:38:32.000000000 -0400
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -10197,9 +10200,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
+@@ -40,3 +41,5 @@
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
+
+ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++
++/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 16:27:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-21 19:32:00.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10230,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +177,23 @@
+@@ -176,11 +177,28 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@@ -10244,6 +10253,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
+
++ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
++ manage_files_pattern($1, auth_cache_t, auth_cache_t)
++ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
++ files_var_filetrans($1,auth_cache_t,dir)
++
# for SSP/ProPolice
dev_read_urand($1)
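Review bot: `files_var_filetrans($1,auth_cache_t,dir)` labels every directory a template domain creates directly inside a var_t directory as auth_cache_t, not only /var/cache/coolkey, since name-based transitions are not available to this policy; any other directory such a domain creates under /var silently gets the cache label. The template is instantiated for several login domains, so the effect is multiplied; if only the component that writes /var/cache/coolkey creates that directory, consider moving the transition to that domain and adding a comment above the block, e.g. `# coolkey cache under /var/cache, labeled auth_cache_t (see authlogin.fc)`. The `manage_sock_files_pattern` line implies sockets are created in the cache directory, which is worth confirming against the module's behavior. The enclosing template definition starts outside the hunk.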
@@ -10254,7 +10268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +209,33 @@
+@@ -196,22 +214,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -10289,7 +10303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
-@@ -309,9 +333,6 @@
+@@ -309,9 +338,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10299,7 +10313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +350,7 @@
+@@ -329,6 +355,7 @@
optional_policy(`
kerberos_use($1)
@@ -10307,7 +10321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
-@@ -347,6 +369,37 @@
+@@ -347,6 +374,37 @@
########################################
##
@@ -10345,7 +10359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
##
##
-@@ -695,6 +748,24 @@
+@@ -695,6 +753,24 @@
########################################
##
@@ -10370,7 +10384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
##
##
-@@ -1318,14 +1389,9 @@
+@@ -1318,14 +1394,9 @@
##
#
interface(`auth_use_nsswitch',`
@@ -10385,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1381,3 +1447,163 @@
+@@ -1381,3 +1452,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -10551,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-21 16:37:58.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@@ -10566,7 +10580,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
type chkpwd_exec_t;
application_executable_file(chkpwd_exec_t)
-@@ -67,6 +74,10 @@
+@@ -53,6 +60,9 @@
+ type utempter_exec_t;
+ application_domain(utempter_t,utempter_exec_t)
+
++type auth_cache_t;
++logging_log_file(auth_cache_t)
++
+ #
+ # var_auth_t is the type of /var/lib/auth, usually
+ # used for auth data in pam_able
+@@ -67,6 +77,10 @@
authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;
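Review bot: `logging_log_file(auth_cache_t)` declares the new /var/cache/coolkey type as a log file, so — assuming it attaches the logfile attribute as in refpolicy — every domain granted a `logging_*_all_logs` style interface (log readers, rotators, archivers) inherits read or manage access to the authentication cache as a side effect. A cache directory is not a log; `files_type(auth_cache_t)`, as used elsewhere in this patch for alsa_etc_rw_t, marks it as an ordinary file type without that attribute. If the type was deliberately meant to be handled by log tooling, a comment stating that intent would justify the choice, e.g. `# auth_cache_t is declared a log file so that [reason]`.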
@@ -10577,7 +10601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
-@@ -159,6 +170,8 @@
+@@ -159,6 +173,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@@ -10586,7 +10610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
-@@ -236,7 +249,7 @@
+@@ -236,7 +252,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@@ -10595,7 +10619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
-@@ -302,3 +315,28 @@
+@@ -302,3 +318,28 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@@ -12977,7 +13001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-17 16:20:18.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-21 19:31:25.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -13032,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
-@@ -601,3 +605,149 @@
+@@ -601,3 +605,175 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -13182,6 +13206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+ allow $1 unconfined_t:process rlimitinh;
+')
++
++########################################
++##
++## Read/write unconfined tmpfs files.
++##
++##
++##
++## Read/write unconfined tmpfs files.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_rw_tmpfs_files',`
++ gen_require(`
++ type unconfined_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-21 06:44:58.000000000 -0400
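Review bot: The description block of the new `unconfined_rw_tmpfs_files` interface repeats its summary ("Read/write unconfined tmpfs files.") instead of describing what the body grants, which is wider than the name: tmpfs search, `list_dir_perms` on unconfined_tmpfs_t directories and symlink reads, on top of file read/write. Suggest a description paragraph along the lines of "Read and write files of type unconfined_tmpfs_t, including listing those directories and following symlinks in them; tmpfs search is granted as well", so that a caller such as the xdm_xserver_t use in this patch knows what it is handing out. Since unconfined_tmpfs_t covers tmpfs objects belonging to the unconfined domain, the description should also say callers are expected to be limited to domains that must share such memory with it.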
@@ -13400,7 +13450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 18:02:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-21 19:20:56.000000000 -0400
@@ -29,8 +29,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5fcd68e..31e3fc7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -362,6 +362,10 @@ exit 0
%endif
%changelog
+* Fri Sep 21 2007 Dan Walsh 3.0.8-8
+- Allow also to search var_lib
+- New context for dbus launcher
+
* Fri Sep 21 2007 Dan Walsh 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t
- Support for finger print reader,