diff --git a/execmem.patch b/execmem.patch
new file mode 100644
index 0000000..82343be
--- /dev/null
+++ b/execmem.patch
@@ -0,0 +1,379 @@
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 8d3c1d8..a7b1b65 100644
+--- a/policy/modules/admin/rpm.te
++++ b/policy/modules/admin/rpm.te
+@@ -416,14 +416,6 @@ optional_policy(`
+ unconfined_domain_noaudit(rpm_script_t)
+ unconfined_domtrans(rpm_script_t)
+ unconfined_execmem_domtrans(rpm_script_t)
+-
+- optional_policy(`
+- java_domtrans_unconfined(rpm_script_t)
+- ')
+-
+- optional_policy(`
+- mono_domtrans(rpm_script_t)
+- ')
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
+index 6f3570a..70c661e 100644
+--- a/policy/modules/apps/execmem.fc
++++ b/policy/modules/apps/execmem.fc
+@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
+ /opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
+ /usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /opt
++#
++/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++#
++# /usr
++#
++/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/fastjar -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/frysk -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gappletviewer -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gij -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gjarsigner -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/gkeytool -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmic -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/grmiregistry -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/jv-convert -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
++
++ifdef(`distro_redhat',`
++/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
++')
++/usr/bin/mono.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
+index e23f640..a78bec0 100644
+--- a/policy/modules/apps/execmem.if
++++ b/policy/modules/apps/execmem.if
+@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
+ 
+ allow $1 execmem_exec_t:file execmod;
+ ')
+-
+diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
+index a7d37e2..fd8450f 100644
+--- a/policy/modules/apps/execmem.te
++++ b/policy/modules/apps/execmem.te
+@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
+ #
+ # Declarations
+ #
++attribute execmem_type;
+ 
+-type execmem_exec_t alias unconfined_execmem_exec_t;
++type execmem_exec_t;
++typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
+ application_executable_file(execmem_exec_t)
+ 
++allow execmem_type self:process { execmem execstack };
++files_execmod_tmp(execmem_type)
++execmem_execmod(execmem_type)
++
++optional_policy(`
++ gnome_read_usr_config(execmem_type)
++')
++
++optional_policy(`
++ mozilla_execmod_user_home_files(execmem_type)
++')
++
++optional_policy(`
++ nsplugin_rw_shm(execmem_type)
++ nsplugin_rw_semaphores(execmem_type)
++')
+diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
+index d1b1280..f93103b 100644
+--- a/policy/modules/apps/mozilla.te
++++ b/policy/modules/apps/mozilla.te
+@@ -273,10 +273,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- java_domtrans(mozilla_t)
+-')
+-
+-optional_policy(`
+ lpd_domtrans_lpr(mozilla_t)
+ ')
+ 
+@@ -456,7 +452,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- java_exec(mozilla_plugin_t)
++ execmem_exec(mozilla_plugin_t)
+ ')
+ 
+diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
+index ccc15ab..9d0e298 100644
+--- a/policy/modules/apps/podsleuth.te
++++ b/policy/modules/apps/podsleuth.te
+@@ -85,5 +85,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mono_exec(podsleuth_t)
++ execmem_exec(podsleuth_t)
+ ')
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index bfabe3f..fbbce55 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
+- java_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(staff_r, staff_t)
+ ')
+ 
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 7cd6d4f..e120bbc 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
+- java_role(sysadm_r, sysadm_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(sysadm_r, sysadm_t)
+ ')
+ 
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index fcc8949..6f1425f 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -337,10 +337,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- java_run_unconfined(unconfined_t, unconfined_r)
+-')
+-
+-optional_policy(`
+ kerberos_filetrans_named_content(unconfined_t)
+ ')
+ 
+@@ -361,13 +357,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mono_role_template(unconfined, unconfined_r, unconfined_t)
+- unconfined_domain_noaudit(unconfined_mono_t)
+- role system_r types unconfined_mono_t;
+-')
+-
+-
+-optional_policy(`
+ mozilla_role_plugin(unconfined_r)
+ 
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
+diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
+index e5a8559..68013b7 100644
+--- a/policy/modules/roles/unprivuser.te
++++ b/policy/modules/roles/unprivuser.te
+@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
+ ')
+ 
+ optional_policy(`
+- java_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ lockdev_role(user_r, user_t)
+ ')
+ 
+diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
+index 1cd57fd..a1db79d 100644
+--- a/policy/modules/roles/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -107,14 +107,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- java_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+- mono_role_template(xguest, xguest_r, xguest_t)
+-')
+-
+-optional_policy(`
+ mozilla_run_plugin(xguest_usertype, xguest_r)
+ ')
+ 
+diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
+index 1442451..add9ada 100644
+--- a/policy/modules/services/boinc.te
++++ b/policy/modules/services/boinc.te
+@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
+ miscfiles_read_localization(boinc_project_t)
+ 
+ optional_policy(`
+- java_exec(boinc_project_t)
++ execmem_exec(boinc_project_t)
+ ')
+diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
+index 86ea0ba..a2c41fd 100644
+--- a/policy/modules/services/cron.te
++++ b/policy/modules/services/cron.te
+@@ -299,10 +299,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mono_domtrans(crond_t)
+-')
+-
+-optional_policy(`
+ amanda_search_var_lib(crond_t)
+ ')
+ 
+@@ -553,10 +549,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mono_domtrans(system_cronjob_t)
+-')
+-
+-optional_policy(`
+ mrtg_append_create_logs(system_cronjob_t)
+ ')
+ 
+@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
+ allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
+ 
+-# need a per-role version of this:
+-#optional_policy(`
+-# mono_domtrans(cronjob_t)
+-#')
+-
+ optional_policy(`
+ nis_use_ypbind(cronjob_t)
+ ')
+diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
+index 1e40c00..ae34382 100644
+--- a/policy/modules/services/hadoop.if
++++ b/policy/modules/services/hadoop.if
+@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
+ 
+ hadoop_exec_config(hadoop_$1_t)
+ 
+- java_exec(hadoop_$1_t)
++ execmem_exec(hadoop_$1_t)
+ 
+ kerberos_use(hadoop_$1_t)
+ 
+diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
+index 3889dc9..32dc803 100644
+--- a/policy/modules/services/hadoop.te
++++ b/policy/modules/services/hadoop.te
+@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
+ 
+ userdom_use_inherited_user_terminals(hadoop_t)
+ 
+-java_exec(hadoop_t)
++execmem_exec(hadoop_t)
+ 
+ kerberos_use(hadoop_t)
+ 
+@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
+ userdom_use_inherited_user_terminals(zookeeper_t)
+ userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+ 
+-java_exec(zookeeper_t)
++execmem_exec(zookeeper_t)
+ 
+ ########################################
+ #
+@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
+ 
+ sysnet_read_config(zookeeper_server_t)
+ 
+-java_exec(zookeeper_server_t)
++execmem_exec(zookeeper_server_t)
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index 60e0e2d..d14f2d6 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -1247,10 +1247,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+- mono_rw_shm(xserver_t)
+-')
+-
+-optional_policy(`
+ rhgb_rw_shm(xserver_t)
+ rhgb_rw_tmpfs_files(xserver_t)
+ ')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 53f3bfe..20dd3a0 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1190,10 +1190,6 @@ optional_policy(`
+ unconfined_dontaudit_rw_pipes(daemon)
+ ')
+ 
+- optional_policy(`
+- mono_domtrans(initrc_t)
+- ')
+-
+ # Allow SELinux aware applications to request rpm_script_t execution
+ rpm_transition_script(initrc_t)
+ 
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e7a65ae..a001ce9 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
+ ')
+ 
+ optional_policy(`
+- java_role_template($1, $1_r, $1_t)
+- ')
+-
+- optional_policy(`
+- mono_role_template($1, $1_r, $1_t)
+- ')
+-
+- optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
+ ')
diff --git a/modules-mls.conf b/modules-mls.conf
index 9706ffb..28ac668 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -733,13 +733,6 @@ i18n_input = off
 #
 jabber = module
 
-# Layer: apps
-# Module: java
-#
-# java executable
-#
-java = module
-
 # Layer: admin
 # Module: kdump
 #
@@ -925,13 +918,6 @@ modutils = module
 #
 mojomojo = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-#
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 35bbfa6..6930073 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -844,13 +844,6 @@ i18n_input = off
 jabber = module
 
 # Layer: apps
-# Module: java
-#
-# java executable
-#
-java = module
-
-# Layer: apps
 # Module: execmem
 #
 # execmem executable
@@ -1071,13 +1064,6 @@ mojomojo = module
 #
 modutils = module
 
-# Layer: apps
-# Module: mono
-#
-# mono executable
-#
-mono = module
-
 # Layer: system
 # Module: mount
 #
diff --git a/policy-F16.patch b/policy-F16.patch
index 922b4d2..29e1ca4 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
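Review bot: `attribute execmem_type` in the execmem.te hunk is granted `self:process { execmem execstack }`, `files_execmod_tmp` and `execmem_execmod`, yet no line in this patch adds a domain to the attribute, while the `java_role_template`/`mono_role_template`, `java_role` and `java_domtrans`/`mono_domtrans` calls are removed from the roles, cron, init and userdomain.if hunks with no execmem equivalent, so the attribute's rules are dead here and, unless `execmem_exec()` transitions (its definition is not in this hunk), java and mono now run in the calling domain. If execmem.if provides a template that does `typeattribute $1 execmem_type;`, the roles hunks should call it; otherwise the `execmem execstack` grant should be attached to a concrete domain rather than a currently empty attribute. The execmem.fc patterns are also uneven: `/opt/(.*/)?bin/java[^/]*` stops at the interpreter, while `/usr/(.*/)?bin/java.*` and `/usr/bin/mono.*` also label regular files anywhere below a deeper `java*`/`mono*` path with execmem_exec_t; `/usr/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)` and `/usr/bin/mono[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)` would keep the execmem label to the binaries themselves.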
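Review bot: The `@@ -733,13 +733,6 @@` and `@@ -925,13 +918,6 @@` hunks drop `java = module` and `mono = module` from modules-mls.conf, but unlike modules-targeted.conf, whose `@@ -844,13 +844,6 @@` context shows an adjacent `# Module: execmem` block, no `execmem = module` entry is visible in the mls context. If modules-mls.conf does not list execmem elsewhere, the `execmem_exec(...)` calls these domains were switched to sit inside `optional_policy` blocks and will be dropped silently in the MLS build, and the execmem_exec_t/java_exec_t/mono_exec_t labels used by execmem.fc will not exist there. Worth confirming `execmem = module` is present in modules-mls.conf, or adding it in this same change.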
@@ -66791,7 +66791,7 @@ index 808ba93..ed84884 100644
 
 ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index e5836d3..c76046b 100644
+index e5836d3..eae9427 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot };
@@ -66834,7 +66834,17 @@ index e5836d3..c76046b 100644
 ifdef(`hide_broken_symptoms',`
 ifdef(`distro_gentoo',`
 # leaked fds from portage
-@@ -131,6 +139,10 @@ optional_policy(`
+@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ ')
+ 
++ dev_dontaudit_rw_lvm_control(ldconfig_t)
++ term_dontaudit_use_unallocated_ttys(ldconfig_t)
++
+ optional_policy(`
+ unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
+ ')
+@@ -131,6 +142,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@@ -66845,7 +66855,7 @@ index e5836d3..c76046b 100644
 puppet_rw_tmp(ldconfig_t)
 ')
 
-@@ -141,6 +153,3 @@ optional_policy(`
+@@ -141,6 +156,3 @@ optional_policy(`
 rpm_manage_script_tmp_files(ldconfig_t)
 ')
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b772eb9..e2bc246 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 34.6%{?dist}
+Release: 36%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -214,7 +214,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
 rm /etc/selinux/%2/.rebuild; \
 if [ %1 -ne 1 ]; then \
- /usr/sbin/semodule -n -s %2 -r moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+ /usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
 fi \
 /usr/sbin/semodule -B -s %2; \
 else \
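Review bot: In the `@@ -66834,7 +66834,17 @@` hunk the two new lines `dev_dontaudit_rw_lvm_control(ldconfig_t)` and `term_dontaudit_use_unallocated_ttys(ldconfig_t)` are inserted after the two `')` lines that close the `ifdef(`distro_gentoo',`` / `ifdef(`hide_broken_symptoms',`` pair, so they appear to apply unconditionally even though the inner hunk trailer names `hide_broken_symptoms`; indentation is lost in this rendering, so the nesting should be confirmed against libraries.te. If unconditional is intended (the 3.10.0-35 changelog entry about leaked file descriptors during install suggests so), a comment such as `# leaked fds from package installation` above the two calls would record why ldconfig silently drops access to the LVM control device and unallocated ttys, matching the existing `# leaked fds from portage` comment style.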
@@ -240,6 +240,7 @@ Based off of reference policy: Checked out revision 2.20091117
 %patch -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %install
 mkdir selinux_config
@@ -471,6 +472,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Oct 3 2011 Miroslav Grepl 3.10.0-36
+- Allow logrotate setuid and setgid since logrotate is supposed to do it
+- Fixes for thumb policy by grift
+- Add new nfsd ports
+- Added fix to allow confined apps to execmod on chrome
+- Add labeling for additional vdsm directories
+- Allow Exim and Dovecot SASL
+- Add label for /var/run/nmbd
+- Add fixes to make virsh and xen working together
+- Colord executes ls
+- /var/spool/cron is now labeled as user_cron_spool_t
+
+* Mon Oct 3 2011 Dan Walsh 3.10.0-35
+- Stop complaining about leaked file descriptors during install
+
+* Fri Sep 29 2011 Dan Walsh 3.10.0-34.7
+- Remove java and mono module and merge into execmem
+
+* Fri Sep 29 2011 Dan Walsh 3.10.0-34.6
+- Fixes for thumb policy and passwd_file_t
+
 * Fri Sep 29 2011 Dan Walsh 3.10.0-34.4
 - Fixes caused by the labeling of /etc/passwd
 - Add thumb.patch to transition unconfined_t to thumb_t for Rawhide
diff --git a/thumb.patch b/thumb.patch
index df9d9da..97ff409 100644
--- a/thumb.patch
+++ b/thumb.patch
@@ -6,7 +6,7 @@ index 1105ff5..620e17b 100644
 rtkit_scheduled(unconfined_usertype)
 ')
 
-+ # Might remove later if this proves to be problematic, but would like to gather AVC's
++ # Might remove later if this proves to be problematic, but would like to gather AVCs
+ optional_policy(`
+ thumb_role(unconfined_r, unconfined_usertype)
+ ')
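Review bot: `+%patch3 -p1` in the `@@ -240,6 +240,7 @@` hunk applies a fourth patch, but no hunk in this diff adds a matching `Patch3: execmem.patch` tag to the preamble; the `@@ -17,7 +17,7 @@` hunk shows only Summary through Source. Unless `Patch3:` is already declared outside the shown context, rpmbuild will fail on the undefined `%patch3`, so the preamble should gain `Patch3: execmem.patch` next to `Patch2:` in the same commit. The `semodule -r java mono ...` change in the `@@ -214,7 +214,7 @@` hunk is the right companion to the module-list removals and needs nothing further.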