From ec4fb1ce994f85e5d005ec73779a142d925af37d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sep 21 2007 23:46:18 +0000 Subject: - Allow also to search var_lib - New context for dbus launcher --- diff --git a/policy-20070703.patch b/policy-20070703.patch index a24e1c5..053cbaf 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -314,8 +314,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc +/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400 -@@ -14,25 +14,35 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-21 19:08:24.000000000 -0400 +@@ -14,25 +14,36 @@ type alsa_etc_rw_t; files_type(alsa_etc_rw_t) @@ -342,6 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) ++files_search_var_lib(alsa_t) +manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) +manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) + @@ -354,7 +355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -@@ -43,7 +53,13 @@ +@@ -43,7 +54,13 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) 
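Review bot: `files_search_var_lib(alsa_t)` in the alsa.te hunk (`@@ -342,6 +342,7 @@`) only lets alsa_t traverse /var/lib; the manage_*_pattern lines under it cover objects that already carry alsa_var_lib_t, so a /var/lib/alsa directory created by alsa_t itself would not receive that type. If alsa is expected to create the directory at first run, the new line needs a companion `files_var_lib_filetrans(alsa_t, alsa_var_lib_t, dir)`; if the package always ships the directory, the search is sufficient and a one-line comment saying so (`# /var/lib/alsa is shipped by the package; search only`) would stop the next denial-driven addition. The alsa_t rule block continues outside the hunk.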
@@ -2838,7 +2839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-21 19:16:08.000000000 -0400 @@ -271,45 +271,6 @@ ######################################## @@ -9977,7 +9978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 15:44:32.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-21 19:21:31.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -9992,11 +9993,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Allow xdm logins as sysadm ##

##
-@@ -132,15 +139,19 @@ +@@ -132,15 +139,20 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) ++fs_getattr_all_fs(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) @@ -10013,7 +10015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +196,7 @@ +@@ -185,6 +197,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -10021,7 +10023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -246,6 +258,7 @@ +@@ -246,6 +259,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -10029,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,6 +270,7 @@ +@@ -257,6 +271,7 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -10037,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser miscfiles_read_localization(xdm_t) miscfiles_read_fonts(xdm_t) -@@ -268,9 +282,14 @@ +@@ -268,9 +283,14 @@ userdom_create_all_users_keys(xdm_t) # for .dmrc userdom_read_unpriv_users_home_content_files(xdm_t) @@ -10052,7 +10054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +325,11 @@ +@@ -306,6 +326,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) 
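Review bot: `fs_getattr_all_fs(xdm_t)` in the xserver.te hunk (`+@@ -132,15 +139,20 @@`) is a broad grant (getattr on every filesystem type) placed among tmpfs rules with no comment on which access triggered it, so nobody can later narrow it to the specific fs_getattr_*_fs() interface. A comment such as `# TODO(review): note which filesystem xdm stats here; narrow to the matching fs_getattr_*_fs() if it is only one` would preserve that information. The line it follows, `fs_rw_tmpfs_files(xdm_xserver_t)`, is an xdm_xserver_t rule inside the xdm_t section; keeping xdm_xserver_t rules in their own block would make the section easier to audit. The xdm_t block continues outside the hunk.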
@@ -10064,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -348,12 +372,8 @@ +@@ -348,12 +373,8 @@ ') optional_policy(` @@ -10078,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +405,7 @@ +@@ -385,7 +406,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -10087,7 +10089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -425,6 +445,10 @@ +@@ -425,6 +446,10 @@ ') optional_policy(` @@ -10098,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +458,19 @@ +@@ -434,47 +459,20 @@ ') optional_policy(` @@ -10113,6 +10115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +optional_policy(` + unconfined_rw_shm(xdm_xserver_t) + unconfined_execmem_rw_shm(xdm_xserver_t) ++ unconfined_rw_tmpfs_files(xdm_xserver_t) +') - ifdef(`distro_rhel4',` @@ -10188,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc --- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-05-29 14:10:58.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-21 16:38:32.000000000 -0400 @@ -14,6 +14,7 @@ /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) 
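Review bot: `unconfined_rw_tmpfs_files(xdm_xserver_t)` in the xserver.te hunk (`+@@ -434,47 +459,20 @@`) grants the X server read/write on every file of type unconfined_tmpfs_t, which is wider than the shared-memory access the neighbouring `unconfined_rw_shm`/`unconfined_execmem_rw_shm` lines suggest the block is for, and the commit message does not mention this grant. A comment above the optional_policy block stating the use case, e.g. `# NOTE(review): presumably tmpfs-backed memory of unconfined X clients - confirm and narrow if a more specific type exists`, would let a later reviewer judge whether the whole type is really needed. The same access is defined by the new unconfined_rw_tmpfs_files interface in the unconfined.if hunk (`+@@ -601,3 +605,175 @@`), whose summary should likewise say that it covers all unconfined_tmpfs_t files plus directory listing and symlink reads, not only shared memory.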
@@ -10197,9 +10200,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') +@@ -40,3 +41,5 @@ + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) + + /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) ++ ++/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 16:27:52.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-21 19:32:00.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -10230,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -176,11 +177,23 @@ +@@ -176,11 +177,28 @@ domain_obj_id_change_exemption($1) role system_r types $1; @@ -10244,6 +10253,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + files_list_var_lib($1) + manage_files_pattern($1, var_auth_t, var_auth_t) + ++ manage_dirs_pattern($1, auth_cache_t, auth_cache_t) ++ manage_files_pattern($1, auth_cache_t, auth_cache_t) ++ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) ++ files_var_filetrans($1,auth_cache_t,dir) ++ # for SSP/ProPolice dev_read_urand($1) @@ -10254,7 +10268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,22 +209,33 @@ +@@ -196,22 +214,33 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) 
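Review bot: `files_var_filetrans($1,auth_cache_t,dir)` in the authlogin.if hunk (`+@@ -176,11 +177,28 @@`) is an unnamed transition, so every directory an auth domain creates directly inside a var_t directory is labeled auth_cache_t, not only the /var/cache/coolkey path that the authlogin.fc hunk (`+@@ -40,3 +41,5 @@`) assigns to that type; unrelated directories such a domain creates under /var would silently become part of the cache type (this assumes /var/cache itself carries var_t, which the page does not show). If coolkey is the only intended creator, record the trade-off next to the rule, e.g. `# coolkey creates /var/cache/coolkey; any other dir this domain creates in var_t is also typed auth_cache_t`. The three new manage_*_pattern lines use `$1, auth_cache_t` spacing while the filetrans line uses `$1,auth_cache_t`; pick one style. The enclosing template continues outside the hunk.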
@@ -10289,7 +10303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -309,9 +333,6 @@ +@@ -309,9 +338,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -10299,7 +10313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +350,7 @@ +@@ -329,6 +355,7 @@ optional_policy(` kerberos_use($1) @@ -10307,7 +10321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +369,37 @@ +@@ -347,6 +374,37 @@ ######################################## ## @@ -10345,7 +10359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +748,24 @@ +@@ -695,6 +753,24 @@ ######################################## ## @@ -10370,7 +10384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1389,9 @@ +@@ -1318,14 +1394,9 @@ ## # interface(`auth_use_nsswitch',` @@ -10385,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) miscfiles_read_certs($1) -@@ -1381,3 +1447,163 @@ +@@ -1381,3 +1452,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -10551,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-21 16:37:58.000000000 -0400 
@@ -9,6 +9,13 @@ attribute can_read_shadow_passwords; attribute can_write_shadow_passwords; @@ -10566,7 +10580,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo type chkpwd_exec_t; application_executable_file(chkpwd_exec_t) -@@ -67,6 +74,10 @@ +@@ -53,6 +60,9 @@ + type utempter_exec_t; + application_domain(utempter_t,utempter_exec_t) + ++type auth_cache_t; ++logging_log_file(auth_cache_t) ++ + # + # var_auth_t is the type of /var/lib/auth, usually + # used for auth data in pam_able +@@ -67,6 +77,10 @@ authlogin_common_auth_domain_template(system) role system_r types system_chkpwd_t; @@ -10577,7 +10601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -159,6 +170,8 @@ +@@ -159,6 +173,8 @@ dev_setattr_mouse_dev(pam_console_t) dev_getattr_power_mgmt_dev(pam_console_t) dev_setattr_power_mgmt_dev(pam_console_t) @@ -10586,7 +10610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo dev_getattr_scanner_dev(pam_console_t) dev_setattr_scanner_dev(pam_console_t) dev_getattr_sound_dev(pam_console_t) -@@ -236,7 +249,7 @@ +@@ -236,7 +252,7 @@ optional_policy(` xserver_read_xdm_pid(pam_console_t) @@ -10595,7 +10619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ######################################## -@@ -302,3 +315,28 @@ +@@ -302,3 +318,28 @@ xserver_use_xdm_fds(utempter_t) xserver_rw_xdm_pipes(utempter_t) ') 
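Review bot: `logging_log_file(auth_cache_t)` in the authlogin.te hunk (`+@@ -53,6 +60,9 @@`) declares the coolkey cache as a log-file type, so every domain permitted to act on all log files (rotation, log readers) also reaches /var/cache/coolkey, which the authlogin.fc hunk on this page labels with this type. Unless the cache is meant to be rotated or read like a log, `files_type(auth_cache_t)` is the narrower declaration. Either way the new type lacks the explanatory comment the neighbouring var_auth_t declaration carries in the hunk context; something like `# auth_cache_t: /var/cache/coolkey, cache written by PAM auth domains` above the `type` line would match the file's style. The type's uses are in the authlogin.if hunk elsewhere on this page, not in this hunk.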
@@ -12977,7 +13001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-21 19:31:25.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -13032,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t) ') -@@ -601,3 +605,149 @@ +@@ -601,3 +605,175 @@ allow $1 unconfined_tmp_t:file { getattr write append }; ') @@ -13182,6 +13206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + + allow $1 unconfined_t:process rlimitinh; +') ++ ++######################################## ++## ++## Read/write unconfined tmpfs files. ++## ++## ++##

++## Read/write unconfined tmpfs files. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_rw_tmpfs_files',` ++ gen_require(` ++ type unconfined_tmpfs_t; ++ ') ++ ++ fs_search_tmpfs($1) ++ allow $1 unconfined_tmpfs_t:dir list_dir_perms; ++ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-21 06:44:58.000000000 -0400 @@ -13400,7 +13450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 18:02:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-21 19:20:56.000000000 -0400 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 5fcd68e..31e3fc7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,10 @@ exit 0 %endif %changelog +* Fri Sep 21 2007 Dan Walsh 3.0.8-8 +- Allow also to search var_lib +- New context for dbus launcher + * Fri Sep 21 2007 Dan Walsh 3.0.8-7 - Allow cupsd_config_t to read/write usb_device_t - Support for finger print reader,