diff --git a/policy-20071130.patch b/policy-20071130.patch index e9e5e8a..b0f80dd 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -1209,7 +1209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.1/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/admin/rpm.te 2007-12-03 13:19:43.000000000 -0500 @@ -139,6 +139,7 @@ auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) @@ -1248,6 +1248,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te ') ifdef(`TODO',` +@@ -221,7 +229,7 @@ + # + + allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; +-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; ++allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; + allow rpm_script_t self:fd use; + allow rpm_script_t self:fifo_file rw_fifo_file_perms; + allow rpm_script_t self:unix_dgram_socket create_socket_perms; @@ -289,6 +297,7 @@ auth_dontaudit_getattr_shadow(rpm_script_t) # ideally we would not need this @@ -1275,6 +1284,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') +@@ -350,6 +356,7 @@ + optional_policy(` + unconfined_domain(rpm_script_t) + unconfined_domtrans(rpm_script_t) ++ unconfined_execmem_domtrans(rpm_script_t) + + optional_policy(` + java_domtrans(rpm_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.2.1/policy/modules/admin/sudo.if --- nsaserefpolicy/policy/modules/admin/sudo.if 2007-07-23 10:20:14.000000000 -0400 +++ serefpolicy-3.2.1/policy/modules/admin/sudo.if 2007-11-30 11:23:56.000000000 -0500 @@ -3436,8 +3453,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.2.1/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2007-10-12 08:56:02.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-11-30 11:23:56.000000000 -0500 -@@ -22,6 +22,9 @@ ++++ serefpolicy-3.2.1/policy/modules/apps/vmware.te 2007-12-02 21:31:37.000000000 -0500 +@@ -22,17 +22,21 @@ type vmware_var_run_t; files_pid_file(vmware_var_run_t) @@ -3447,25 +3464,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t ######################################## # # VMWare host local policy -@@ -29,7 +32,7 @@ + # - allow vmware_host_t self:capability { setuid net_raw }; +-allow vmware_host_t self:capability { setuid net_raw }; ++allow vmware_host_t self:capability { setgid setuid net_raw }; dontaudit vmware_host_t self:capability sys_tty_config; -allow vmware_host_t self:process signal_perms; +allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -41,6 +44,9 @@ ++allow vmware_host_t self:tcp_socket create_socket_perms; + + # cjp: the ro and rw files should be split up + manage_files_pattern(vmware_host_t,vmware_sys_conf_t,vmware_sys_conf_t) +@@ -41,6 +45,11 @@ manage_sock_files_pattern(vmware_host_t,vmware_var_run_t,vmware_var_run_t) files_pid_filetrans(vmware_host_t,vmware_var_run_t,{ file sock_file }) +manage_files_pattern(vmware_host_t,vmware_log_t,vmware_log_t) +logging_log_filetrans(vmware_host_t,vmware_log_t,{ file dir }) + ++files_search_home(vmware_host_t) ++ kernel_read_kernel_sysctls(vmware_host_t) kernel_list_proc(vmware_host_t) kernel_read_proc_symlinks(vmware_host_t) +@@ -63,6 +72,7 @@ + corenet_sendrecv_all_server_packets(vmware_host_t) + + dev_read_sysfs(vmware_host_t) ++dev_read_urand(vmware_host_t) + dev_rw_vmware(vmware_host_t) + + domain_use_interactive_fds(vmware_host_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.2.1/policy/modules/apps/wine.if --- nsaserefpolicy/policy/modules/apps/wine.if 2007-09-12 10:34:17.000000000 -0400 +++ serefpolicy-3.2.1/policy/modules/apps/wine.if 2007-11-30 11:23:56.000000000 -0500 @@ -5844,7 +5876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.2.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 18:58:51.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/cups.te 2007-12-02 19:07:25.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(cups,1.8.2) @@ -5925,17 +5957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -133,8 +139,7 @@ - kernel_read_network_state(cupsd_t) - kernel_read_all_sysctls(cupsd_t) - --corenet_all_recvfrom_unlabeled(cupsd_t) --corenet_all_recvfrom_netlabel(cupsd_t) -+corenet_non_ipsec_sendrecv(cupsd_t) - corenet_tcp_sendrecv_all_if(cupsd_t) - corenet_udp_sendrecv_all_if(cupsd_t) - corenet_raw_sendrecv_all_if(cupsd_t) -@@ -150,31 +155,39 @@ +@@ -150,31 +156,39 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -5978,7 +6000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) -@@ -187,7 +200,7 @@ +@@ -187,7 +201,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -5987,7 +6009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -196,15 +209,14 @@ +@@ -196,15 +210,14 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -6006,7 +6028,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_t) libs_use_shared_libs(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -221,14 +233,37 @@ +@@ -221,14 +234,37 @@ sysnet_read_config(cupsd_t) @@ -6044,7 +6066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -241,6 +276,7 @@ +@@ -241,6 +277,7 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) @@ -6052,7 +6074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dbus_send_all_users(cupsd_t) -@@ -262,7 +298,7 @@ +@@ -262,7 +299,7 @@ ') optional_policy(` @@ -6061,17 +6083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -319,8 +355,7 @@ - kernel_read_system_state(cupsd_config_t) - kernel_read_kernel_sysctls(cupsd_config_t) - --corenet_all_recvfrom_unlabeled(cupsd_config_t) --corenet_all_recvfrom_netlabel(cupsd_config_t) -+corenet_non_ipsec_sendrecv(cupsd_config_t) - corenet_tcp_sendrecv_all_if(cupsd_config_t) - corenet_tcp_sendrecv_all_nodes(cupsd_config_t) - corenet_tcp_sendrecv_all_ports(cupsd_config_t) -@@ -330,11 +365,13 @@ +@@ -330,11 +367,13 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -6085,7 +6097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups corecmd_exec_shell(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -376,12 +413,17 @@ +@@ -376,12 +415,17 @@ ') optional_policy(` @@ -6103,7 +6115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -391,6 +433,7 @@ +@@ -391,6 +435,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -6111,17 +6123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -461,8 +504,7 @@ - kernel_read_system_state(cupsd_lpd_t) - kernel_read_network_state(cupsd_lpd_t) - --corenet_all_recvfrom_unlabeled(cupsd_lpd_t) --corenet_all_recvfrom_netlabel(cupsd_lpd_t) -+corenet_non_ipsec_sendrecv(cupsd_lpd_t) - corenet_tcp_sendrecv_all_if(cupsd_lpd_t) - corenet_udp_sendrecv_all_if(cupsd_lpd_t) - corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t) -@@ -480,6 +522,8 @@ +@@ -480,6 +525,8 @@ files_read_etc_files(cupsd_lpd_t) @@ -6130,7 +6132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups libs_use_ld_so(cupsd_lpd_t) libs_use_shared_libs(cupsd_lpd_t) -@@ -487,22 +531,12 @@ +@@ -487,22 +534,12 @@ miscfiles_read_localization(cupsd_lpd_t) @@ -6153,7 +6155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # HPLIP local policy -@@ -520,14 +554,12 @@ +@@ -520,14 +557,12 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -6172,17 +6174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -535,8 +567,7 @@ - kernel_read_system_state(hplip_t) - kernel_read_kernel_sysctls(hplip_t) - --corenet_all_recvfrom_unlabeled(hplip_t) --corenet_all_recvfrom_netlabel(hplip_t) -+corenet_non_ipsec_sendrecv(hplip_t) - corenet_tcp_sendrecv_all_if(hplip_t) - corenet_udp_sendrecv_all_if(hplip_t) - corenet_raw_sendrecv_all_if(hplip_t) -@@ -558,13 +589,15 @@ +@@ -558,13 +593,15 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -6199,7 +6191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) -@@ -586,6 +619,7 @@ +@@ -586,6 +623,7 @@ userdom_dontaudit_search_all_users_home_content(hplip_t) lpd_read_config(cupsd_t) @@ -6207,16 +6199,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -627,8 +661,7 @@ - kernel_list_proc(ptal_t) - kernel_read_proc_symlinks(ptal_t) - --corenet_all_recvfrom_unlabeled(ptal_t) --corenet_all_recvfrom_netlabel(ptal_t) -+corenet_non_ipsec_sendrecv(ptal_t) - corenet_tcp_sendrecv_all_if(ptal_t) - corenet_tcp_sendrecv_all_nodes(ptal_t) - corenet_tcp_sendrecv_all_ports(ptal_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.2.1/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2007-11-15 13:40:14.000000000 -0500 +++ serefpolicy-3.2.1/policy/modules/services/cvs.te 2007-11-30 11:23:56.000000000 -0500 @@ -7993,7 +7975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +/var/log/wpa_supplicant\.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.1/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-29 07:52:49.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/networkmanager.te 2007-12-02 21:09:24.000000000 -0500 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) @@ -8009,7 +7991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; @@ -11746,7 +11728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.2.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-01 06:51:49.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/services/xserver.te 2007-12-03 19:02:05.000000000 -0500 @@ -16,6 +16,13 @@ ## @@ -11824,13 +11806,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -132,15 +166,21 @@ +@@ -132,15 +166,22 @@ manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t) fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) +fs_rw_tmpfs_files(xdm_xserver_t) +fs_getattr_all_fs(xdm_t) +fs_search_inotifyfs(xdm_t) ++fs_list_all(xdm_t) manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t) @@ -11847,7 +11830,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xdm_xserver_t:process signal; allow xdm_t xdm_xserver_t:unix_stream_socket connectto; -@@ -185,6 +225,7 @@ +@@ -154,6 +195,7 @@ + allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; + + allow xdm_t xdm_xserver_t:shm rw_shm_perms; ++read_files_pattern(xdm_t, xdm_xserver_t, xdm_xserver_t) + + # connect to xdm xserver over stream socket + stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) +@@ -185,6 +227,7 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) @@ -11855,7 +11846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -197,6 +238,7 @@ +@@ -197,6 +240,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -11863,7 +11854,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -209,8 +251,8 @@ +@@ -209,8 +253,8 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -11874,7 +11865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_getattr_power_mgmt_dev(xdm_t) dev_setattr_power_mgmt_dev(xdm_t) -@@ -246,6 +288,7 @@ +@@ -246,6 +290,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -11882,7 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -257,12 +300,11 @@ +@@ -257,12 +302,11 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -11896,7 +11887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_dontaudit_search_sysadm_home_dirs(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -271,6 +313,10 @@ +@@ -271,6 +315,10 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -11907,7 +11898,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t) -@@ -306,6 +352,11 @@ +@@ -306,6 +354,11 @@ optional_policy(` consolekit_dbus_chat(xdm_t) @@ -11919,7 +11910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -323,6 +374,10 @@ +@@ -323,6 +376,10 @@ ') optional_policy(` @@ -11930,7 +11921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser loadkeys_exec(xdm_t) ') -@@ -336,10 +391,6 @@ +@@ -336,10 +393,6 @@ ') optional_policy(` @@ -11941,7 +11932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser seutil_sigchld_newrole(xdm_t) ') -@@ -348,8 +399,8 @@ +@@ -348,8 +401,8 @@ ') optional_policy(` @@ -11951,7 +11942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -385,7 +436,7 @@ +@@ -385,7 +438,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -11960,7 +11951,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t) -@@ -397,6 +448,15 @@ +@@ -397,6 +450,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) @@ -11976,7 +11967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -409,6 +469,7 @@ +@@ -409,6 +471,7 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_unpriv_users_home_content_files(xdm_xserver_t) @@ -11984,7 +11975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_all_users_fonts(xdm_xserver_t) -@@ -425,6 +486,14 @@ +@@ -425,6 +488,14 @@ ') optional_policy(` @@ -11999,7 +11990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser resmgr_stream_connect(xdm_t) ') -@@ -434,47 +503,30 @@ +@@ -434,47 +505,30 @@ ') optional_policy(` @@ -12261,7 +12252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.1/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2007-10-29 18:02:31.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-11-30 11:33:09.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/system/authlogin.te 2007-12-03 18:47:11.000000000 -0500 @@ -59,6 +59,9 @@ type utempter_exec_t; application_domain(utempter_t,utempter_exec_t) @@ -12282,15 +12273,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ######################################## # # PAM local policy -@@ -121,6 +127,7 @@ +@@ -121,19 +127,14 @@ logging_send_syslog_msg(pam_t) userdom_use_unpriv_users_fds(pam_t) +userdom_write_unpriv_users_tmp_files(pam_t) ++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t) ++userdom_unlink_unpriv_users_tmp_files(pam_t) optional_policy(` locallogin_use_fds(pam_t) -@@ -287,8 +294,10 @@ + ') + +-optional_policy(` +- nis_use_ypbind(pam_t) +-') +- +-optional_policy(` +- nscd_socket_use(pam_t) +-') +- + ######################################## + # + # PAM console local policy +@@ -287,8 +288,10 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) @@ -12302,7 +12308,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t) -@@ -337,11 +346,6 @@ +@@ -337,11 +340,6 @@ ') optional_policy(` @@ -14493,16 +14499,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.2.1/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-12 08:56:08.000000000 -0400 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-11-30 11:23:56.000000000 -0500 -@@ -10,3 +10,5 @@ ++++ serefpolicy-3.2.1/policy/modules/system/unconfined.fc 2007-12-03 13:36:12.000000000 -0500 +@@ -10,3 +10,6 @@ /usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.1/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-11-30 11:23:56.000000000 -0500 ++++ serefpolicy-3.2.1/policy/modules/system/unconfined.if 2007-12-03 13:19:33.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -14537,19 +14544,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf kernel_unconfined($1) corenet_unconfined($1) -@@ -589,7 +589,101 @@ +@@ -589,7 +589,7 @@ ######################################## ## -## Read files in unconfined users home directories. +## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -597,20 +597,53 @@ + ## + ## + # +-interface(`unconfined_read_home_content_files',` +interface(`unconfined_ptrace',` + gen_require(` + type unconfined_t; @@ -14569,15 +14577,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +## +# +interface(`unconfined_rw_shm',` -+ gen_require(` + gen_require(` +- type unconfined_home_dir_t, unconfined_home_t; + type unconfined_t; -+ ') -+ + ') + +- files_search_home($1) +- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; +- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) +- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) + allow $1 unconfined_t:shm rw_shm_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read unconfined users temporary files. +## Read and write to unconfined execmem shared memory. +## +## @@ -14596,10 +14610,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +######################################## +## ++## Transition to the unconfined_execmem domain. + ## + ## + ## +@@ -618,31 +651,132 @@ + ## + ## + # +-interface(`unconfined_read_tmp_files',` ++interface(`unconfined_execmem_domtrans',` ++ + gen_require(` +- type unconfined_tmp_t; ++ type unconfined_execmem_t, unconfined_execmem_exec_t; + ') + +- files_search_tmp($1) +- allow $1 unconfined_tmp_t:dir list_dir_perms; +- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) +- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ++ domtrans_pattern($1,unconfined_execmem_exec_t,unconfined_execmem_t) + ') + + ######################################## + ## +-## Write unconfined users temporary files. +## allow attempts to use unconfined ttys and ptys. -+## -+## -+## + ## + ## + ## +## Domain to not audit. +## +## @@ -14637,65 +14677,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +######################################## +## +## Allow apps to set rlimits on userdomain - ## - ## - ## -@@ -597,20 +691,18 @@ - ## - ## - # --interface(`unconfined_read_home_content_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_set_rlimitnh',` - gen_require(` -- type unconfined_home_dir_t, unconfined_home_t; ++ gen_require(` + type unconfined_t; - ') - -- files_search_home($1) -- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms; -- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) -- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t) ++ ') ++ + allow $1 unconfined_t:process rlimitinh; - ') - - ######################################## - ## --## Read unconfined users temporary files. ++') ++ ++######################################## ++## +## Allow the specified domain to read/write to +## unconfined with a unix domain stream sockets. - ## - ## - ## -@@ -618,31 +710,54 @@ - ## - ## - # --interface(`unconfined_read_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`unconfined_rw_stream_sockets',` - gen_require(` -- type unconfined_tmp_t; ++ gen_require(` + type unconfined_t; - ') - -- files_search_tmp($1) -- allow $1 unconfined_tmp_t:dir list_dir_perms; -- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) -- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t) ++ ') ++ + allow $1 unconfined_t:unix_stream_socket { read write }; - ') - - ######################################## - ## --## Write unconfined users temporary files. ++') ++ ++######################################## ++## +## Read/write unconfined tmpfs files. - ## ++## +## +##

+## Read/write unconfined tmpfs files. +##

+##
- ## - ## ++## ++## ## Domain allowed access. ## ## @@ -14733,8 +14759,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-11-16 15:30:49.000000000 -0500 -+++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-11-30 11:23:56.000000000 -0500 -@@ -9,13 +9,15 @@ ++++ serefpolicy-3.2.1/policy/modules/system/unconfined.te 2007-12-03 13:35:11.000000000 -0500 +@@ -9,32 +9,46 @@ # usage in this module of types created by these # calls is not correct, however we dont currently # have another method to add access to these types @@ -14754,7 +14780,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf type unconfined_execmem_t; type unconfined_execmem_exec_t; -@@ -27,14 +29,21 @@ + init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) + role unconfined_r types unconfined_execmem_t; + ++type unconfined_notrans_t; ++type unconfined_notrans_exec_t; ++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) ++role unconfined_r types unconfined_notrans_t; ++ + ######################################## + # # Local policy # @@ -14776,7 +14811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,7 +51,10 @@ +@@ -42,7 +56,10 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -14787,7 +14822,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -51,13 +63,13 @@ +@@ -51,13 +68,13 @@ userdom_priveleged_home_dir_manager(unconfined_t) optional_policy(` @@ -14803,7 +14838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf unconfined_domain(httpd_unconfined_script_t) ') -@@ -71,8 +83,8 @@ +@@ -71,8 +88,8 @@ optional_policy(` cron_per_role_template(unconfined, unconfined_t, unconfined_r) @@ -14814,7 +14849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -107,6 +119,10 @@ +@@ -107,6 +124,10 @@ optional_policy(` oddjob_dbus_chat(unconfined_t) ') @@ -14825,7 +14860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +134,11 @@ +@@ -118,11 +139,11 @@ ') optional_policy(` @@ -14839,7 +14874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,11 +150,7 @@ +@@ -134,11 +155,7 @@ ') optional_policy(` @@ -14852,7 +14887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -154,33 +166,20 @@ +@@ -154,33 +171,20 @@ ') optional_policy(` @@ -14890,15 +14925,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -205,11 +204,22 @@ +@@ -205,11 +209,22 @@ ') optional_policy(` - wine_domtrans(unconfined_t) + wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- xserver_domtrans_xdm_xserver(unconfined_t) + mozilla_per_role_template(unconfined, unconfined_t, unconfined_r) + unconfined_domain(unconfined_mozilla_t) + allow unconfined_mozilla_t self:process { execstack execmem }; @@ -14906,16 +14942,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + +optional_policy(` + kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) - ') - - optional_policy(` -- xserver_domtrans_xdm_xserver(unconfined_t) ++') ++ ++optional_policy(` + xserver_run_xdm_xserver(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) + xserver_xdm_rw_shm(unconfined_t) ') ######################################## -@@ -219,14 +229,26 @@ +@@ -219,14 +234,35 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -14942,6 +14977,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + + ') ') ++ ++######################################## ++# ++# Unconfined Execmem Local policy ++# ++ ++allow unconfined_notrans_t self:process { execstack execmem }; ++unconfined_domain_noaudit(unconfined_notrans_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.1/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500 +++ serefpolicy-3.2.1/policy/modules/system/userdomain.fc 2007-11-30 11:23:56.000000000 -0500 diff --git a/selinux-policy.spec b/selinux-policy.spec index 3256b69..49c7b42 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.2.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -379,7 +379,9 @@ exit 0 %endif %changelog -* Sun Dec 2 2007 Dan Walsh 3.2.1-2 +* Mon Dec 3 2007 Dan Walsh 3.2.1-3 +- Allow rpm_script to transition to unconfined_execmem_t + * Fri Nov 30 2007 Dan Walsh 3.2.1-1 - Remove user based home directory separation