diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index a970450..3003143 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -245,3 +245,12 @@ samba_run_unconfined = true
 # Allows XServer to execute writable memory
 #
 allow_xserver_execmem = true
+
+# disallow guest accounts to execute files that they can create
+#
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+#
+browser_confine_xguest=true
diff --git a/policy-20070703.patch b/policy-20070703.patch
index f529417..df09305 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -567,7 +567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te 2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/admin/prelink.te 2007-07-24 08:59:27.000000000 -0400
 @@ -26,7 +26,7 @@
  #
  # Local policy
  #
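Review bot: `browser_confine_xguest=true` is written without the spaces around `=` that every other entry in this file uses (`allow_xserver_execmem = true`, `allow_guest_exec_content = false`); make it `browser_confine_xguest = true` so the file stays uniform for whatever parses it. The comment above the two guest booleans promises more than the policy side of this diff delivers: `allow_$1_exec_content` only withholds the exec permission on the user's home and tmp types, and read access is presumably still granted through the manage templates, so a guest can still hand a script it wrote to an interpreter (`sh ./x.sh`); suggest `# Disallow guest accounts from directly executing (or mapping executable) files they create in their home and tmp directories; scripts run via an interpreter are not covered`. Since the tunable is declared with default true in userdom_login_user_template, this file is the only place the guest and xguest prefixes are switched off, and any other login user keeps exec-of-home enabled unless it is listed here as well. I could not find `browser_confine_xguest` declared anywhere in this diff, so confirm the mozilla module in this release actually defines it, otherwise the setting is dead.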
@@ -577,7 +577,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink allow prelink_t self:process { execheap execmem execstack signal }; allow prelink_t self:fifo_file rw_fifo_file_perms; -@@ -49,8 +49,7 @@ +@@ -40,17 +40,17 @@ + read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t) + logging_log_filetrans(prelink_t, prelink_log_t, file) + +-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom }; ++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod }; + files_tmp_filetrans(prelink_t, prelink_tmp_t, file) + fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file) + ++ + # prelink misc objects that are not system + # libraries or entrypoints allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom }; kernel_read_system_state(prelink_t) @@ -587,7 +598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink corecmd_manage_all_executables(prelink_t) corecmd_relabel_all_executables(prelink_t) -@@ -65,6 +64,8 @@ +@@ -65,6 +65,8 @@ files_read_etc_files(prelink_t) files_read_etc_runtime_files(prelink_t) files_dontaudit_read_all_symlinks(prelink_t) @@ -596,7 +607,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink fs_getattr_xattr_fs(prelink_t) -@@ -84,6 +85,13 @@ +@@ -81,9 +83,17 @@ + libs_manage_lib_files(prelink_t) + libs_relabel_lib_files(prelink_t) + libs_delete_lib_symlinks(prelink_t) ++libs_legacy_use_shared_libs(prelink_t) miscfiles_read_localization(prelink_t) 
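Review bot: `execmod` on `prelink_tmp_t:file` lets prelink_t execute a private mapping of its temporary copies after that mapping has been modified (the text-relocation case), i.e. a writable-then-executable mapping, and nothing in the hunk records why prelink needs it — the spec changelog only says "handle execmod". Put the reason on the rule so the next reviewer does not strip it as an over-grant, e.g. `# prelink maps its temporary copy of a binary with text relocations applied; that COW mapping needs execmod` — hedged, since the actual trigger is not visible here. The exposure is bounded by the fact that prelink_t already holds `execmem execstack execheap` on self:process two lines above and the visible rules only have prelink_t itself creating prelink_tmp_t files via files_tmp_filetrans/fs_tmpfs_filetrans, which is worth stating in the same comment. The lone `++` before `# prelink misc objects` appears to add an empty line to prelink.te for no reason and can be dropped; the inner @@ -40,17 hunk of prelink.te continues past the end of this outer hunk.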
@@ -1739,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-07-03 07:05:43.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-23 16:25:26.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if 2007-07-24 10:14:15.000000000 -0400 @@ -36,6 +36,8 @@ gen_require(` type mozilla_conf_t, mozilla_exec_t; @@ -10407,7 +10422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +corecmd_exec_all_executables(unconfined_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400 -+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-23 16:30:24.000000000 -0400 ++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if 2007-07-24 10:14:54.000000000 -0400 @@ -62,6 +62,10 @@ allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms }; 
@@ -10445,7 +10460,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`use_nfs_home_dirs',` fs_list_nfs_dirs($1_t) fs_read_nfs_files($1_t) -@@ -517,10 +517,6 @@ +@@ -323,13 +323,19 @@ + ## + # + template(`userdom_exec_home_template',` +- can_exec($1_t,$1_home_t) + +- tunable_policy(`use_nfs_home_dirs',` ++ tunable_policy(`allow_$1_exec_content', ` ++ can_exec($1_t,$1_home_t) ++ ',` ++ dontaudit $1_t $1_home_t:file execute; ++ ') ++ ++ ++ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_t) + ') + +- tunable_policy(`use_samba_home_dirs',` ++ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_t) + ') + ') +@@ -403,7 +409,9 @@ + ## + # + template(`userdom_exec_tmp_template',` +- exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) ++ tunable_policy(`allow_$1_exec_content', ` ++ exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t) ++ ') + ') + + ####################################### +@@ -517,10 +525,6 @@ ## # template(`userdom_exec_generic_pgms_template',` @@ -10456,7 +10505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corecmd_exec_bin($1_t) ') -@@ -538,9 +534,6 @@ +@@ -538,9 +542,6 @@ ## # template(`userdom_basic_networking_template',` @@ -10466,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:tcp_socket create_stream_socket_perms; allow $1_t self:udp_socket create_socket_perms; -@@ -555,6 +548,12 @@ +@@ -555,6 +556,12 @@ corenet_udp_sendrecv_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_all_client_packets($1_t) @@ -10479,7 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -571,32 +570,29 @@ +@@ -571,32 +578,29 @@ # template(`userdom_xwindows_client_template',` gen_require(` 
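Review bot: The off branch of the new `allow_$1_exec_content` gate is inconsistent between the two templates: `userdom_exec_home_template` adds `dontaudit $1_t $1_home_t:file execute;` when the tunable is false, while `userdom_exec_tmp_template` gets no dontaudit at all, so a guest running a file from its tmp directory logs an AVC denial and the same attempt from its home directory is silent. From a detection standpoint that denial is the signal this boolean exists to produce — a guest account trying to run something it dropped in its home directory is exactly what a SOC wants in audit — so I would drop the dontaudit rather than mirror it; if the noise argument wins, mirror it with `dontaudit $1_t $1_tmp_t:file execute;` and say in a comment why the event is being hidden. Either way, add a short comment to the home template explaining the gate, e.g. `# allow_$1_exec_content: let the user run binaries they can write in their home and tmp dirs`, since the tunable is declared in a different template and the intent is not visible from here. The NFS/CIFS branches becoming `allow_$1_exec_content && use_*_home_dirs` is the right shape; both templates are complete within this hunk.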
@@ -10533,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -672,67 +668,39 @@ +@@ -672,67 +676,39 @@ attribute unpriv_userdomain; ') @@ -10604,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_exec_etc_files($1_t) files_search_locks($1_t) # Check to see if cdrom is mounted -@@ -745,12 +713,6 @@ +@@ -745,12 +721,6 @@ # Stat lost+found. files_getattr_lost_found_dirs($1_t) @@ -10617,7 +10666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) selinux_validate_context($1_t) -@@ -763,31 +725,16 @@ +@@ -763,31 +733,16 @@ storage_getattr_fixed_disk_dev($1_t) auth_read_login_records($1_t) @@ -10651,7 +10700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_exec_checkpolicy($1_t) seutil_exec_setfiles($1_t) -@@ -802,19 +749,12 @@ +@@ -802,19 +757,12 @@ files_read_default_symlinks($1_t) files_read_default_sockets($1_t) files_read_default_pipes($1_t) @@ -10671,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` alsa_read_rw_config($1_t) ') -@@ -829,34 +769,14 @@ +@@ -829,34 +777,14 @@ ') optional_policy(` @@ -10706,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -884,17 +804,19 @@ +@@ -884,17 +812,19 @@ ') optional_policy(` @@ -10732,7 +10781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') optional_policy(` -@@ -908,39 +830,210 @@ +@@ -908,45 +838,170 @@ ') optional_policy(` 
@@ -10763,7 +10812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) + usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -+ ') + ') +') + +####################################### @@ -10820,11 +10869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + userdom_base_user_template($1) + + userdom_manage_home_template($1) -+ userdom_exec_home_template($1) + userdom_manage_tmp_template($1) -+ userdom_exec_tmp_template($1) + userdom_manage_tmpfs_template($1) + ++ gen_tunable(allow_$1_exec_content,true) ++ ++ userdom_exec_tmp_template($1) ++ userdom_exec_home_template($1) ++ + userdom_change_password_template($1) + + role $1_r types $1_t; @@ -10845,12 +10897,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + auth_dontaudit_write_login_records($1_t) + -+ # Find CDROM devices: -+ kernel_read_device_sysctls($1_t) -+ kernel_read_network_state($1_t) -+ kernel_read_net_sysctls($1_t) -+ kernel_read_system_state($1_t) -+ + dev_read_sysfs($1_t) + dev_read_urand($1_t) + @@ -10888,19 +10934,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_poly_home_template($1) + userdom_poly_tmp_template($1) -+ -+ optional_policy(` + + optional_policy(` +- samba_stream_connect_winbind($1_t) + cups_stream_connect($1_t) + cups_stream_connect_ptal($1_t) ') optional_policy(` -- samba_stream_connect_winbind($1_t) +- slrnpull_search_spool($1_t) + kerberos_use($1_t) ') optional_policy(` -- slrnpull_search_spool($1_t) +- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) + quota_dontaudit_getattr_db($1_t) + ') + 
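Review bot: `gen_tunable(allow_$1_exec_content,true)` is added without the `## <desc>` comment block that refpolicy tunables conventionally carry and that boolean descriptions are generated from, so the new per-user booleans will presumably show up with no explanation in tooling. Add one above the declaration along the lines of `Allow $1 users to execute files in their home and tmp directories`, and mention in it that the default is true for compatibility and is meant to be overridden per user prefix in booleans-targeted.conf (this diff only does so for guest and xguest). Declaring the tunable before the two `userdom_exec_*_template` calls that reference it is the right order; keep it that way if the calls are reshuffled again. userdom_login_user_template continues past this hunk.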
@@ -10908,12 +10955,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + rpm_read_db($1_t) + rpm_dontaudit_manage_db($1_t) ') -+') + ') + ++ + ####################################### + ## +-## The template for creating a unprivileged user. ++## The template for creating a unprivileged login user. + ## + ## + ##

+@@ -962,11 +1017,58 @@ + ## + ## + # +-template(`userdom_unpriv_user_template', ` +- ++template(`userdom_unpriv_login_user', ` + gen_require(` ++ attribute unpriv_userdomain; + attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; + ') ++ userdom_login_user_template($1) ++ userdom_privhome_user_template($1) ++ ++ typeattribute $1_t unpriv_userdomain; ++ ++ domain_interactive_fd($1_t) ++ ++ typeattribute $1_devpts_t user_ptynode; ++ typeattribute $1_home_dir_t user_home_dir_type; ++ typeattribute $1_home_t user_home_type; ++ typeattribute $1_tmp_t user_tmpfile; ++ typeattribute $1_tty_device_t user_ttynode; + ++ auth_exec_pam($1_t) ++ ++ optional_policy(` ++ loadkeys_run($1_t,$1_r,$1_tty_device_t) ++ ') ++') + +####################################### +##

-+## The template for creating a unprivileged login user. ++## The template for creating a unprivileged user. +## +## +##

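Review bot: The new template is named `userdom_unpriv_login_user` while every other template in this file, including the `userdom_login_user_template` it builds on and the `userdom_unpriv_user_template` it is split out of, carries the `_template` suffix; rename it `userdom_unpriv_login_user_template` (and the one caller in userdom_unpriv_user_template) before code outside this file starts depending on the name. The summary text should also say what this template grants beyond the login template — the unpriv_userdomain attribute, the user_* type attributes on its pty/tty/home/tmp types, auth_exec_pam and loadkeys_run — and that common-user access and the kernel state reads are added only by userdom_unpriv_user_template on top of it. Minor: both summaries read "a unprivileged …", which should be "an unprivileged". The surrounding doc markup appears garbled in this view; the template body itself is complete within the hunk.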
@@ -10929,44 +11014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+template(`userdom_unpriv_login_user', ` -+ gen_require(` -+ attribute unpriv_userdomain; -+ attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; -+ ') -+ userdom_login_user_template($1) -+ userdom_privhome_user_template($1) -+ -+ typeattribute $1_t unpriv_userdomain; ++template(`userdom_unpriv_user_template', ` + -+ domain_interactive_fd($1_t) -+ -+ typeattribute $1_devpts_t user_ptynode; -+ typeattribute $1_home_dir_t user_home_dir_type; -+ typeattribute $1_home_t user_home_type; -+ typeattribute $1_tmp_t user_tmpfile; -+ typeattribute $1_tty_device_t user_ttynode; -+ -+ auth_exec_pam($1_t) - - optional_policy(` -- usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) -+ loadkeys_run($1_t,$1_r,$1_tty_device_t) - ') - ') - -@@ -964,9 +1057,7 @@ - # - template(`userdom_unpriv_user_template', ` - -- gen_require(` -- attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode; -- ') + userdom_unpriv_login_user($1) ++ ++ # Find CDROM devices: ++ kernel_read_device_sysctls($1_t) ++ kernel_read_network_state($1_t) ++ kernel_read_net_sysctls($1_t) ++ kernel_read_system_state($1_t) ############################## # -@@ -976,25 +1067,11 @@ +@@ -976,25 +1078,11 @@ # Inherit rules for ordinary users. userdom_common_user_template($1) @@ -10992,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # port access is audited even if dac would not have allowed it, so dontaudit it here corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) # Need the following rule to allow users to run vpnc -@@ -1033,14 +1110,6 @@ +@@ -1033,14 +1121,6 @@ ') optional_policy(` 
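Review bot: The comment `# Find CDROM devices:` now heads four calls in userdom_unpriv_user_template but only describes `kernel_read_device_sysctls`; `kernel_read_network_state`, `kernel_read_net_sysctls` and `kernel_read_system_state` are unrelated to CDROM lookup, and since this patch also removes them from userdom_login_user_template their purpose here deserves its own line. Suggest keeping `# Find CDROM devices:` on the sysctl call and adding `# /proc network and system state, no longer granted by userdom_login_user_template` above the other three. The identical four-line block with the identical comment is added again in the admin user template further down in this patch; if the grant is meant to be shared, a small helper template would keep the two copies from drifting. userdom_unpriv_user_template continues past the end of this hunk.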
@@ -11007,7 +11067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ') -@@ -1054,17 +1123,6 @@ +@@ -1054,17 +1134,6 @@ setroubleshoot_stream_connect($1_t) ') @@ -11025,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -1102,6 +1160,8 @@ +@@ -1102,6 +1171,8 @@ class passwd { passwd chfn chsh rootok crontab }; ') @@ -11034,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Declarations -@@ -1127,7 +1187,7 @@ +@@ -1127,7 +1198,7 @@ # $1_t local policy # @@ -11043,16 +11103,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo allow $1_t self:process { setexec setfscreate }; # Set password information for other users. -@@ -1139,8 +1199,6 @@ +@@ -1139,7 +1210,11 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; -- ++ # Find CDROM devices: ++ kernel_read_device_sysctls($1_t) ++ kernel_read_network_state($1_t) ++ kernel_read_net_sysctls($1_t) ++ kernel_read_system_state($1_t) + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1902,6 +1960,41 @@ +@@ -1902,6 +1977,41 @@ ######################################## ##

@@ -11094,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -3078,7 +3171,7 @@ +@@ -3078,7 +3188,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -11103,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -5323,7 +5416,7 @@ +@@ -5323,7 +5433,7 @@ attribute user_tmpfile; ') @@ -11112,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5548,6 +5641,26 @@ +@@ -5548,6 +5658,26 @@ ######################################## ## @@ -11139,7 +11203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Unconfined access to user domains. (Deprecated) ## ## -@@ -5559,3 +5672,233 @@ +@@ -5559,3 +5689,233 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2c3b1f7..ae096d2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.3 -Release: 5%{?dist} +Release: 6%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -359,6 +359,9 @@ exit 0 %endif %changelog +* Tue Jul 23 2007 Dan Walsh 3.0.3-6 +- Fix prelink to handle execmod + * Mon Jul 23 2007 Dan Walsh 3.0.3-5 - Add ntpd_key_t to handle secret data