diff --git a/modules-targeted.conf b/modules-targeted.conf index 3164f2c..1a70e73 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -25,6 +25,13 @@ accountsd = module # acct = base +# Layer: services +# Module: ajaxterm +# +# Web Based Terminal +# +ajaxterm = module + # Layer: admin # Module: alsa # diff --git a/policy-F14.patch b/policy-F14.patch index 399f776..b7ea4eb 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -3777,7 +3777,7 @@ index 9a6d67d..47aa143 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..58899ca 100644 +index cbf4bec..ec6a1ff 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3850,7 +3850,7 @@ index cbf4bec..58899ca 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,78 @@ optional_policy(` +@@ -266,3 +291,79 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -3918,6 +3918,7 @@ index cbf4bec..58899ca 100644 +optional_policy(` + nsplugin_domtrans(mozilla_plugin_t) + nsplugin_rw_exec(mozilla_plugin_t) ++ nsplugin_manage_home_dirs(mozilla_plugin_t) + nsplugin_manage_home_files(mozilla_plugin_t) +') + @@ -4031,10 +4032,10 @@ index 0000000..63abc5c +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..4dd9d05 +index 0000000..c779d44 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,374 @@ +@@ -0,0 +1,392 @@ + +## policy for nsplugin + 
@@ -4321,6 +4322,24 @@ index 0000000..4dd9d05 + +######################################## +## ++## manage nnsplugin home dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nsplugin_manage_home_dirs',` ++ gen_require(` ++ type nsplugin_home_t; ++ ') ++ ++ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t) ++') ++ ++######################################## ++## +## Allow attempts to read and write to +## nsplugin named pipes. +## @@ -6895,7 +6914,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..b267560 100644 +index 0eb1d97..b42af1b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ 
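Review bot: The summary of the new `nsplugin_manage_home_dirs` interface reads `## manage nnsplugin home dirs.`; the doubled n should be fixed and the sentence brought in line with the neighbouring descriptions, `## Manage nsplugin home directories.`. Since the body only grants `manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)`, the summary could say explicitly that it covers directories only, so callers know to pair it with `nsplugin_manage_home_files` for file access the way the mozilla.te hunk earlier in this patch does for `mozilla_plugin_t`.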
@@ -6956,15 +6975,19 @@ index 0eb1d97..b267560 100644 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',` +@@ -218,8 +232,11 @@ ifdef(`distro_gentoo',` + /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',` +@@ -228,6 +245,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
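Review bot: The two new corecommands.fc entries leave the dot unescaped in `ajaxterm.py.*` and `qweb.py.*`, so it matches any character, whereas the ajaxterm.fc entry added later in this same patch escapes it as `ajaxterm\.py`. The bin_t pattern also matches `/usr/share/ajaxterm/ajaxterm.py` itself, which ajaxterm.fc labels `ajaxterm_exec_t`; I believe the literal spec wins under file_contexts ordering, but that is worth confirming with matchpathcon, and the overlap is easier to audit if the corecommands.fc line is limited to the bytecode files, `/usr/share/ajaxterm/ajaxterm\.py[co] -- gen_context(system_u:object_r:bin_t,s0)`.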
@@ -6973,7 +6996,7 @@ index 0eb1d97..b267560 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +331,7 @@ ifdef(`distro_redhat', ` +@@ -314,6 +333,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -6981,7 +7004,7 @@ index 0eb1d97..b267560 100644 ') ifdef(`distro_suse', ` -@@ -340,3 +358,27 @@ ifdef(`distro_suse', ` +@@ -340,3 +360,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -7041,7 +7064,7 @@ index 9e5c83e..953e0e8 100644 +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 2ecdde8..bb4adcb 100644 +index 2ecdde8..f15e5ba 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -24,6 +24,7 @@ dev_node(ppp_device_t) @@ -7052,7 +7075,7 @@ index 2ecdde8..bb4adcb 100644 ######################################## # -@@ -64,6 +65,7 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -64,20 +65,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) 
@@ -7060,7 +7083,9 @@ index 2ecdde8..bb4adcb 100644 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -72,12 +74,15 @@ network_port(agentx, udp,705,s0, tcp,705,s0) + network_port(afs_vl, udp,7003,s0) + network_port(agentx, udp,705,s0, tcp,705,s0) ++network_port(ajaxterm, tcp,8022,s0) network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) @@ -7076,7 +7101,7 @@ index 2ecdde8..bb4adcb 100644 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -85,6 +90,7 @@ network_port(clamd, tcp,3310,s0) +@@ -85,6 +91,7 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -7084,7 +7109,7 @@ index 2ecdde8..bb4adcb 100644 network_port(comsat, udp,512,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -97,7 +103,9 @@ network_port(dict, tcp,2628,s0) +@@ -97,7 +104,9 @@ network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(epmap, tcp,135,s0, udp,135,s0) 
@@ -7094,7 +7119,7 @@ index 2ecdde8..bb4adcb 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -109,7 +117,7 @@ network_port(hddtemp, tcp,7634,s0) +@@ -109,7 +118,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port @@ -7103,7 +7128,7 @@ index 2ecdde8..bb4adcb 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -123,30 +131,34 @@ network_port(iscsi, tcp,3260,s0) +@@ -123,30 +132,34 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -7142,7 +7167,7 @@ index 2ecdde8..bb4adcb 100644 network_port(ntp, udp,123,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) -@@ -154,12 +166,20 @@ network_port(pegasus_http, tcp,5988,s0) +@@ -154,12 +167,20 @@ network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) 
@@ -7163,7 +7188,7 @@ index 2ecdde8..bb4adcb 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -174,24 +195,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7196,7 +7221,7 @@ index 2ecdde8..bb4adcb 100644 network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -201,16 +226,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -8818,7 +8843,7 @@ index 437a42a..8d6d333 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 0dff98e..930062c 100644 +index 0dff98e..31ebaa7 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -8842,7 +8867,14 @@ index 0dff98e..930062c 100644 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; -@@ -106,6 +108,15 @@ fs_type(ibmasmfs_t) +@@ -100,12 +102,22 @@ type hugetlbfs_t; + fs_type(hugetlbfs_t) + files_mountpoint(hugetlbfs_t) + fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); ++dev_associate_sysfs(hugetlbfs_t) + + type ibmasmfs_t; + fs_type(ibmasmfs_t) allow ibmasmfs_t self:filesystem associate; genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) 
@@ -8858,7 +8890,7 @@ index 0dff98e..930062c 100644 type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -@@ -148,6 +159,12 @@ fs_type(squash_t) +@@ -148,6 +160,12 @@ fs_type(squash_t) genfscon squash / gen_context(system_u:object_r:squash_t,s0) files_mountpoint(squash_t) @@ -8871,7 +8903,7 @@ index 0dff98e..930062c 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -168,6 +185,7 @@ fs_type(tmpfs_t) +@@ -168,6 +186,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -8879,7 +8911,7 @@ index 0dff98e..930062c 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -247,6 +265,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -247,6 +266,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -11746,6 +11778,158 @@ index 97c9cae..c24bd66 100644 optional_policy(` ccs_stream_connect(aisexec_t) ') +diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc +new file mode 100644 +index 0000000..aeb1888 +--- /dev/null ++++ b/policy/modules/services/ajaxterm.fc +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0) ++ ++/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0) ++ ++/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0) +diff --git a/policy/modules/services/ajaxterm.if b/policy/modules/services/ajaxterm.if +new file mode 100644 +index 0000000..581ae6e +--- /dev/null ++++ b/policy/modules/services/ajaxterm.if +@@ -0,0 +1,72 @@ ++ ++## policy for ajaxterm ++ ++######################################## ++## ++## Execute a domain transition to run ajaxterm. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ajaxterm_domtrans',` ++ gen_require(` ++ type ajaxterm_t, ajaxterm_exec_t; ++ ') ++ ++ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t) ++') ++ ++ ++######################################## ++## ++## Execute ajaxterm server in the ajaxterm domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ajaxterm_initrc_domtrans',` ++ gen_require(` ++ type ajaxterm_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ajaxterm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ajaxterm_admin',` ++ gen_require(` ++ type ajaxterm_t; ++ type ajaxterm_initrc_exec_t; ++ ') ++ ++ allow $1 ajaxterm_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ajaxterm_t) ++ ++ ajaxterm_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 ajaxterm_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++') +diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te +new file mode 100644 +index 0000000..3441758 +--- /dev/null ++++ b/policy/modules/services/ajaxterm.te +@@ -0,0 +1,56 @@ ++policy_module(ajaxterm,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ajaxterm_t; ++type ajaxterm_exec_t; ++init_daemon_domain(ajaxterm_t, ajaxterm_exec_t) ++ ++type ajaxterm_initrc_exec_t; ++init_script_file(ajaxterm_initrc_exec_t) ++ ++type ajaxterm_var_run_t; ++files_pid_file(ajaxterm_var_run_t) ++ ++type ajaxterm_devpts_t; ++term_login_pty(ajaxterm_devpts_t) ++ ++permissive ajaxterm_t; ++ ++######################################## ++# ++# ajaxterm local policy ++# ++allow ajaxterm_t self:capability setuid; ++allow ajaxterm_t self:process setpgid; ++allow ajaxterm_t self:fifo_file rw_fifo_file_perms; ++allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms; ++allow ajaxterm_t self:tcp_socket create_stream_socket_perms; ++ ++allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom }; ++term_create_pty(ajaxterm_t, ajaxterm_devpts_t) ++ ++manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) ++manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t) ++files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir }) ++ ++kernel_read_system_state(ajaxterm_t) ++ ++corecmd_exec_bin(ajaxterm_t) ++ ++corenet_tcp_bind_generic_node(ajaxterm_t) ++corenet_tcp_bind_ajaxterm_port(ajaxterm_t) ++ ++dev_read_urand(ajaxterm_t) ++ ++domain_use_interactive_fds(ajaxterm_t) ++ 
++files_read_etc_files(ajaxterm_t) ++files_read_usr_files(ajaxterm_t) ++ ++miscfiles_read_localization(ajaxterm_t) ++ ++sysnet_dns_name_resolve(ajaxterm_t) diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if index adb3d5f..de26af5 100644 --- a/policy/modules/services/amavis.if @@ -15860,7 +16044,7 @@ index 2a0f1c1..ab82c3c 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 39e901a..63c82b7 100644 +index 39e901a..87fc055 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -42,8 +42,10 @@ template(`dbus_role_template',` @@ -15971,7 +16155,7 @@ index 39e901a..63c82b7 100644 +# +interface(`dbus_delete_pid_files',` + gen_require(` -+ type dbus_var_run_t; ++ type system_dbusd_var_run_t; + ') + + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) @@ -20764,7 +20948,7 @@ index 4996f62..975deca 100644 kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index f3d5790..196f2a2 100644 +index f3d5790..80161cd 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) @@ -20808,7 +20992,7 @@ index f3d5790..196f2a2 100644 corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) -@@ -113,6 +121,8 @@ sysnet_manage_config(openvpn_t) +@@ -113,9 +121,11 @@ sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) userdom_use_user_terminals(openvpn_t) 
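Review bot: `permissive ajaxterm_t;` in the new ajaxterm.te means none of the allow rules that follow it are enforced in this release; denials for the domain are only audited. If that is deliberate for a first drop, it deserves a comment beside the declaration, e.g. `# permissive for the initial release; remove once the domain has been exercised in enforcing mode`, and a tracking item to drop it. Separately, the domain gets `self:capability setuid`, `term_create_pty` and `corecmd_exec_bin` but no domain transition for whatever it runs on the pty it creates, so if ajaxterm spawns a login process there the session would presumably stay in ajaxterm_t; confirm, and if so add the appropriate domtrans rather than widening ajaxterm_t over time. The same outer hunk also adds ajaxterm.fc and ajaxterm.if, on which I have no further comments.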
@@ -20816,7 +21000,11 @@ index f3d5790..196f2a2 100644 +userdom_attach_admin_tun_iface(openvpn_t) tunable_policy(`openvpn_enable_homedirs',` - userdom_read_user_home_content_files(openvpn_t) +- userdom_read_user_home_content_files(openvpn_t) ++ userdom_search_user_home_dirs(openvpn_t) + ') + + tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` @@ -138,3 +148,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index ad2d720..8974d7b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Thu Sep 8 2010 Dan Walsh 3.9.3-3 +- Add policy for ajaxterm + * Wed Sep 8 2010 Dan Walsh 3.9.3-2 - Handle /var/db/sudo - Allow pulseaudio to read alsa config