From 35a05d0eefd45d12a9a83f95ef0937d158e03d42 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 6 Sep 2007 12:25:31 +0000 Subject: [PATCH] * Wed Sep 4 2007 Dan Walsh 2.0.25-9 - Bump libsemanage version for disable dontaudit - New gui features for creating admin users --- policycoreutils-gui.patch | 206 ++++++++++++++++++++++++++++---------- policycoreutils.spec | 10 +- 2 files changed, 159 insertions(+), 57 deletions(-) diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 38d2500..18c63a7 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -914,8 +914,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.25/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgen.glade 2007-08-31 15:06:49.000000000 -0400 -@@ -0,0 +1,2313 @@ ++++ policycoreutils-2.0.25/gui/polgen.glade 2007-09-05 22:33:12.000000000 -0400 +@@ -0,0 +1,2312 @@ + + + @@ -1028,8 +1028,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ True -+ True ++ False + True + GTK_POS_TOP + False @@ -3231,8 +3230,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.25/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgengui.py 2007-08-31 15:06:45.000000000 -0400 -@@ -0,0 +1,444 @@ ++++ policycoreutils-2.0.25/gui/polgengui.py 2007-09-05 22:33:06.000000000 -0400 +@@ -0,0 +1,432 @@ +#!/usr/bin/python +# +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux 
@@ -3265,8 +3264,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc +import gnome +import sys +import polgen -+import sepolgen.interfaces as interfaces -+import sepolgen.defaults as defaults +import re + +## @@ -3305,13 +3302,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc +else: + xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME) + -+fn = defaults.interface_info() -+try: -+ fd = open(fn) -+except: -+ sys.stderr.write("could not open interface info [%s]\n" % fn) -+ sys.exit(1) -+ +FILE = 1 +DIR = 2 + @@ -3400,11 +3390,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.admin_treeview.append_column(col) + -+ # List of per_role_template interfaces -+ ifs = interfaces.InterfaceSet() -+ ifs.from_file(fd) -+ fd.close() -+ for i in ifs.interfaces.keys(): ++ for i in polgen.methods: ++ print i + m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) + if len(m) > 0: + iter = self.transition_store.append() @@ -3442,7 +3429,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.forward_button.set_label(gtk.STOCK_APPLY) + + def back(self,arg): -+ type = self.confine_application() ++ type = self.get_type() + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_GO_FORWARD) + 
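Review bot: The `print i` added under `for i in polgen.methods:` writes every interface name to stdout each time this page is built, which reads as leftover debugging rather than intended GUI output; drop it so the loop goes straight to the `m = re.findall(...)` line. The enclosing method (the constructor, judging by the `self.admin_treeview.append_column(col)` context) starts and ends outside the hunk.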
@@ -3679,8 +3666,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.25/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgen.py 2007-08-31 15:06:41.000000000 -0400 -@@ -0,0 +1,656 @@ ++++ policycoreutils-2.0.25/gui/polgen.py 2007-09-05 22:26:53.000000000 -0400 +@@ -0,0 +1,715 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -3715,6 +3702,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +from templates import script +from templates import user +import seobject ++import sepolgen.interfaces as interfaces ++import sepolgen.defaults as defaults + +## +## I18N @@ -3733,6 +3722,20 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + import __builtin__ + __builtin__.__dict__['_'] = unicode + ++methods = [] ++fn = defaults.interface_info() ++try: ++ fd = open(fn) ++ # List of per_role_template interfaces ++ ifs = interfaces.InterfaceSet() ++ ifs.from_file(fd) ++ fd.close() ++ methods = ifs.interfaces.keys() ++except: ++ sys.stderr.write("could not open interface info [%s]\n" % fn) ++ sys.exit(1) ++ ++ +ALL = 0 +RESERVED = 1 +UNRESERVED = 2 @@ -3792,6 +3795,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.need_udp_type=False + self.admin_domains = [] + self.transition_domains = [] ++ self.roles = [] + + def __isnetset(self, l): + return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0 
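Review bot: The new module-level loader wraps both `open(fn)` and `ifs.from_file(fd)` in a bare `except:`, so a malformed interface file (or a KeyboardInterrupt) is misreported as "could not open interface info" and, because the handler calls `sys.exit(1)` at import time, polgengui.py's `import polgen` now terminates the GUI before any window is shown. Narrowing the handler to `except IOError:` around the `open` alone, and closing the descriptor in a `finally:`, keeps the message truthful and avoids leaking `fd` when parsing fails; whether `sys` is already imported in polgen.py is not visible in this hunk. Since `methods` is only consulted by `method in methods` (in generate_network_action) and iterated by the GUI, storing it as a `set` keeps the per-port lookup constant-time.
```python
methods = []
fn = defaults.interface_info()
try:
    fd = open(fn)
except IOError:
    sys.stderr.write("could not open interface info [%s]\n" % fn)
    sys.exit(1)
try:
    # List of per_role_template interfaces
    ifs = interfaces.InterfaceSet()
    ifs.from_file(fd)
    methods = set(ifs.interfaces.keys())
finally:
    fd.close()
```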
@@ -3799,6 +3803,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def set_admin_domains(self, admin_domains): + self.admin_domains = admin_domains + ++ def set_admin_roles(self, roles): ++ self.roles = roles ++ + def set_transition_domains(self, transition_domains): + self.transition_domains = transition_domains + @@ -3906,7 +3913,21 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + if self.use_pam: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules) + return newte -+ ++ ++ def generate_network_action(self, protocol, action, port_name): ++ line = "" ++ method = "corenet_%s_%s_%s" % (protocol, action, port_name) ++ if method in methods: ++ line = "%s(%s_t)\n" % (method, self.name) ++ else: ++ line = """ ++gen_require(` ++ type %s_t; ++') ++allow %s_t %s_t:%s_socket name_%s; ++""" % (port_name, self.name, port_name, protocol, action) ++ return line ++ + def generate_network_types(self): + for i in self.in_tcp[PORTS]: + rec = self.find_port(int(i)) @@ -3914,7 +3935,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] -+ line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name) ++ line = self.generate_network_action("tcp", "bind", port_name) ++# line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + @@ -3924,7 +3946,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] -+ line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name) ++ line = self.generate_network_action("tcp", "connect", port_name) ++# line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + 
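Review bot: `generate_network_action` silently switches from a corenet interface call to a hand-written `allow … name_%s` rule when no `corenet_<proto>_<action>_<port>` interface exists, and nothing in the method says why; a short comment such as `# no corenet interface for this port type; fall back to a raw allow on the port type` would spare the next reader a search. The fallback only yields a valid permission for the two actions the callers pass (`bind` → `name_bind`, `connect` → `name_connect`), and `name_connect` is a tcp_socket permission, so the comment should also note that the method is not meant for a udp `connect`. The initial `line = ""` is overwritten on both branches and can go.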
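Review bot: The old `#     line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)` is kept as a comment beside its replacement in this hunk, and the same pattern recurs in @@ -3924 (tcp connect) and in @@ -3934 (udp bind) on the following hunk; the history is in the patch itself, so the commented-out lines should be deleted rather than carried in the generator.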
@@ -3934,7 +3957,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.need_udp_type = True; + else: + port_name = rec[0][:-2] -+ line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name) ++ line = self.generate_network_action("udp", "bind", port_name) ++# line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_udp_ports: + self.found_udp_ports.append(line) + @@ -4022,8 +4046,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + def generate_admin_rules(self): + newte = "" ++ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) ++ + for app in self.admin_domains: -+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) ++ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules) + newte += re.sub("APPLICATION", app, tmp) + return newte + @@ -4132,6 +4158,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_default_rules(self): + return self.DEFAULT_TYPES[self.type][1]() + ++ def generate_roles_rules(self): ++ newte = "" ++ if self.type in ( TUSER, XUSER): ++ roles = "" ++ if len(self.roles) > 0: ++ newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules) ++ for role in self.roles: ++ tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules) ++ newte += re.sub("ROLE", role, tmp) ++ return newte ++ + def generate_te(self): + newte = self.generate_default_types() + for d in self.DEFAULT_DIRS: @@ -4157,6 +4194,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newte += self.generate_uid_rules() + newte += self.generate_syslog_rules() + newte += self.generate_pam_rules() ++ newte += self.generate_roles_rules() + newte += self.generate_transition_rules() + newte += self.generate_admin_rules() + return newte 
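Review bot: `generate_admin_rules` now prepends `user.te_admin_rules` unconditionally, and as far as the @@ -4157 hunk shows `generate_te` calls it for every policy type, so a plain daemon or user domain generated by the wizard would also receive `self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }`, `seutil_domtrans_restorecon` and the `*_read_user_files`/`*_manage_user_files` booleans that the template defines (see @@ -9511 in user.py). Before this change nothing was emitted unless `admin_domains` was set. Unless the gating happens elsewhere, guard the new line on the admin-user type, e.g. `if self.type == RUSER:` before `newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)` (the test harness builds its admin user with RUSER, so that looks like the intended type), or at least on `self.admin_domains` being non-empty.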
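Review bot: In `generate_roles_rules` the local `roles = ""` is assigned and never read (only `self.roles` is used), so it should be removed; `if len(self.roles) > 0:` can also be `if self.roles:`. A one-line docstring stating that the method emits one `userdom_role_change_template` rule per admin role plus the `seutil_run_newrole` rule, and only for TUSER/XUSER policies, would document the new behaviour.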
@@ -4188,6 +4226,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + return newfc + ++ def generate_user_sh(self): ++ newsh = "" ++ if self.type in ( TUSER, XUSER): ++ roles = "" ++ for role in self.roles: ++ roles += " %s_r" % role ++ if roles != "": ++ roles += " system_r" ++ tmp = re.sub("TEMPLATETYPE", self.name, script.users) ++ newsh += re.sub("ROLES", roles, tmp) ++ return newsh ++ + def generate_sh(self): + newsh = re.sub("TEMPLATETYPE", self.name, script.compile) + newsh = re.sub("PACKAGEFILENAME", self.file_name, newsh) @@ -4208,6 +4258,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + if self.find_port(i) == None: + t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports) + newsh += re.sub("TEMPLATETYPE", self.name, t1) ++ ++ newsh += self.generate_user_sh() + + return newsh + @@ -4265,7 +4317,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate("/tmp") ++ print mypolicy.generate("/var/tmp") + + mypolicy = policy("myuser", USER) + mypolicy.set_program("/usr/bin/myuser") @@ -4277,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_pam(True) + mypolicy.add_file("/var/lib/myuser/myuser.sock") + mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate("/tmp") ++ print mypolicy.generate("/var/tmp") + + + mypolicy = policy("myrwho", DAEMON) @@ -4290,7 +4342,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_pam(True) + mypolicy.add_dir("/var/run/myrwho") + mypolicy.add_dir("/var/lib/myrwho") -+ print mypolicy.generate("/tmp") ++ print mypolicy.generate("/var/tmp") + + mypolicy = policy("myinetd", INETD) + mypolicy.set_program("/usr/bin/mytest") 
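Review bot: In `generate_user_sh` the `roles` string is accumulated with `+=` in a loop; `roles = "".join(" %s_r" % role for role in self.roles)` expresses the same thing in one line. The rule that `system_r` is only appended when at least one admin role was chosen is not obvious, so a comment on the `if roles != "":` line stating that intent (assuming it is intentional) would help. The substituted string ends up inside the `-R "…"` argument of the `semanage user` line in script.users, so role names are expected to be plain identifiers.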
@@ -4308,16 +4360,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.add_dir("/etc/daemon") + mypolicy.add_dir("/etc/daemon/special") + mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate("/tmp") ++ print mypolicy.generate("/var/tmp") + + mypolicy = policy("mytuser", TUSER) -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.set_transition_domains(["mozilla", "ssh"]) -+ print mypolicy.generate("/tmp") ++ mypolicy.set_transition_domains(["sudo"]) ++ mypolicy.set_admin_roles(["mydbadm"]) ++ print mypolicy.generate("/var/tmp") + + mypolicy = policy("myxuser", XUSER) + mypolicy.set_in_tcp(1, 1, 1, "") @@ -4326,13 +4374,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.set_transition_domains(["mozilla"]) -+ print mypolicy.generate("/tmp") ++ print mypolicy.generate("/var/tmp") + -+ mypolicy = policy("myruser", RUSER) -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_admin_domains(["postgresql", "mysql", "apache"]) -+ print mypolicy.generate("/tmp") ++ mypolicy = policy("mydbadm", RUSER) ++ mypolicy.set_admin_domains(["postgresql", "mysql"]) ++ print mypolicy.generate("/var/tmp") + + sys.exit(0) + 
@@ -8762,8 +8808,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.25/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/executable.py 2007-08-31 15:41:21.000000000 -0400 -@@ -0,0 +1,222 @@ ++++ policycoreutils-2.0.25/gui/templates/executable.py 2007-09-05 22:25:10.000000000 -0400 +@@ -0,0 +1,229 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -8906,7 +8952,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +# +interface(`TEMPLATETYPE_domtrans',` + gen_require(` -+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t; ++ type TEMPLATETYPE_t; ++ type TEMPLATETYPE_exec_t; + ') + + domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t) @@ -8961,13 +9008,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +## +# +interface(`TEMPLATETYPE_admin',` ++ gen_require(` ++ type TEMPLATETYPE_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_t:process { ptrace signal_perms getattr }; ++ read_files_pattern($1, TEMPLATETYPE_t, TEMPLATETYPE_t) ++ +""" + +if_initscript_admin=""" + # Allow $1 to restart the apache service + TEMPLATETYPE_script_domtrans($1) -+ domain_role_change_exemption($1) -+ domain_obj_id_change_exemption($1) ++ domain_system_change_exemption($1) + role_transition $2 TEMPLATETYPE_script_exec_t system_r; + allow $2 system_r; +""" 
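Review bot: The new body of `TEMPLATETYPE_admin` grants `$1` `ptrace` and `signal_perms` over `TEMPLATETYPE_t`, but the interface's `##` summary comment just above (only its first lines are in view) is not updated; since ptrace is the most sensitive of these, it should say that the administrator can trace and signal the confined domain. `read_files_pattern($1, TEMPLATETYPE_t, TEMPLATETYPE_t)` presumably targets the domain's /proc entries; if the target refpolicy ships `ps_process_pattern`, that macro is the conventional spelling and also covers the directory and symlink reads.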
@@ -9226,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/script.py 2007-08-31 15:07:36.000000000 -0400 -@@ -0,0 +1,42 @@ ++++ policycoreutils-2.0.25/gui/templates/script.py 2007-09-05 22:25:46.000000000 -0400 +@@ -0,0 +1,45 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9270,6 +9323,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py +/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM +""" + ++users="""\ ++/usr/sbin/semanage user -a -P TEMPLATETYPE -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u ++""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.25/gui/templates/semodule.py --- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/semodule.py 2007-08-31 15:07:36.000000000 -0400 @@ -9418,8 +9474,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.25/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/user.py 2007-08-31 15:07:36.000000000 -0400 -@@ -0,0 +1,97 @@ ++++ policycoreutils-2.0.25/gui/templates/user.py 2007-09-05 22:25:03.000000000 -0400 +@@ -0,0 +1,139 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# 
@@ -9511,11 +9567,53 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +""" + +te_admin_rules=""" ++allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ++files_dontaudit_search_all_dirs(TEMPLATETYPE_t) ++ ++selinux_get_enforce_mode(TEMPLATETYPE_t) ++seutil_domtrans_restorecon(TEMPLATETYPE_t) ++seutil_search_default_contexts(mydbadm_t) ++ ++logging_send_syslog_msg(TEMPLATETYPE_t) ++ ++kernel_read_system_state(TEMPLATETYPE_t) ++ ++domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t) ++domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t) ++ ++userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t) ++userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t) ++ ++bool TEMPLATETYPE_read_user_files false; ++bool TEMPLATETYPE_manage_user_files false; ++ ++if (TEMPLATETYPE_read_user_files) { ++ userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t) ++ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t) ++} ++ ++if (TEMPLATETYPE_manage_user_files) { ++ userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t) ++ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t) ++ userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t) ++} ++ ++""" ++ ++te_admin_domain_rules=""" +optional_policy(` + APPLICATION_admin(TEMPLATETYPE_t,TEMPLATETYPE_r, { TEMPLATETYPE_tty_device_t TEMPLATETYPE_devpts_t }) +') +""" + ++te_roles_rules=""" ++userdom_role_change_template(TEMPLATETYPE, ROLE) ++""" ++ ++te_newrole_rules=""" ++seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) ++""" ++ + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.25/gui/templates/var_lib.py --- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500 diff --git a/policycoreutils.spec b/policycoreutils.spec index 2a7181c..157b242 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
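Review bot: `te_admin_rules` contains `seutil_search_default_contexts(mydbadm_t)` with the test policy's name hard-coded instead of the `TEMPLATETYPE_t` placeholder used on every other line, so every generated admin policy would reference a type named `mydbadm_t` that the module does not declare; change it to `seutil_search_default_contexts(TEMPLATETYPE_t)`. The trailing blank lines before the closing `"""` of the same template can also go.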
@@ -1,12 +1,12 @@
 %define libauditver 1.4.2-1
-%define libsepolver 2.0.6-1
-%define libsemanagever 2.0.4-1
+%define libsepolver 2.0.9-1
+%define libsemanagever 2.0.5-1
 %define libselinuxver 2.0.23-3
 %define sepolgenver 1.0.9
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.0.25
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -200,6 +200,10 @@ if [ "$1" -ge "1" ]; then
 fi
 %changelog
+* Wed Sep 4 2007 Dan Walsh 2.0.25-9
+- Bump libsemanage version for disable dontaudit
+- New gui features for creating admin users
+
 * Fri Aug 31 2007 Dan Walsh 2.0.25-8
 - Fix generated code for admin policy