- Allow xserver to write to ramfs mounted by rhgb

2007-07-30 14:37:54 +00:00 · 2007-07-30 14:37:54 +00:00 · 07351eb493
parent 9c038630bf
commit 07351eb493
2 changed files with 97 additions and 24 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -434,7 +434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.0.4/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/admin/logrotate.te	2007-07-28 10:42:11.000000000 -0400
@@ -75,11 +75,13 @@
 mls_file_read_up(logrotate_t)
 mls_file_write_down(logrotate_t)
@ -449,7 +449,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
 # Run helper programs.
 corecmd_exec_bin(logrotate_t)
-@@ -114,8 +116,6 @@
+@@ -95,6 +97,7 @@
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
 +files_search_all(logrotate_t)
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
@@ -114,8 +117,6 @@
 seutil_dontaudit_read_config(logrotate_t)
@ -458,7 +466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
 userdom_dontaudit_search_sysadm_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
-@@ -177,14 +177,6 @@
+@@ -177,14 +178,6 @@
 ')
 optional_policy(`
@ -2135,6 +2143,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelp
 	auth_manage_pam_pid($1_userhelper_t)
 	auth_manage_var_auth($1_userhelper_t)
 	auth_search_pam_console_data($1_userhelper_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-3.0.4/policy/modules/apps/usernetctl.te
 --- nsaserefpolicy/policy/modules/apps/usernetctl.te	2007-07-25 10:37:37.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/apps/usernetctl.te	2007-07-28 11:05:08.000000000 -0400
@@ -6,14 +6,6 @@
 # Declarations
 #
 -## <desc>
 -## <p>
 -## Allow users to control network interfaces
 -## (also needs USERCTL=true)
 -## </p>
 -## </desc>
 -gen_tunable(user_net_control,false)
 -
 type usernetctl_t;
 type usernetctl_exec_t;
 application_domain(usernetctl_t,usernetctl_exec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.0.4/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2007-07-03 07:05:43.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/apps/vmware.fc	2007-07-25 13:27:51.000000000 -0400
@ -2630,6 +2656,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +	allow $1 root_t:dir rw_dir_perms;
 +	allow $1 root_t:file { create getattr write };
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if	2007-07-30 10:20:15.000000000 -0400
@@ -1192,6 +1192,24 @@
 ########################################
 ## <summary>
 +##      unmount a FUSE filesystem.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`fs_unmount_fusefs',`
 +        gen_require(`
 +                type fusefs_t;
 +        ')
 +
 +        allow $1 fusefs_t:filesystem unmount;
 +')
 +
 +########################################
 +## <summary>
 ##	Search inotifyfs filesystem. 
 ## </summary>
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-07-25 10:37:36.000000000 -0400
 +++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te	2007-07-25 13:27:51.000000000 -0400
@ -6561,8 +6615,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/rpc.te	2007-07-30 09:46:58.000000000 -0400
-@@ -59,6 +59,8 @@
+@@ -59,10 +59,13 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -6571,7 +6625,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_read_system_state(rpcd_t) 
 kernel_search_network_state(rpcd_t) 
 # for rpc.rquotad
-@@ -76,9 +78,11 @@
+ kernel_read_sysctl(rpcd_t)  
 +kernel_getattr_core_if(nfsd_t)
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
@@ -76,9 +79,11 @@
 miscfiles_read_certs(rpcd_t)
 seutil_dontaudit_search_config(rpcd_t)
@ -6583,7 +6642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 ########################################
-@@ -91,9 +95,13 @@
+@@ -91,9 +96,13 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@ -6597,7 +6656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +131,7 @@
+@@ -123,6 +132,7 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
@ -6605,7 +6664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +152,8 @@
+@@ -143,6 +153,8 @@
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -6614,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +169,11 @@
+@@ -158,6 +170,11 @@
 miscfiles_read_certs(gssd_t)
@ -7260,7 +7319,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/xserver.if	2007-07-30 10:01:38.000000000 -0400
@@ -141,7 +141,7 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
 -	fs_search_ramfs($1_xserver_t)
 +	fs_manage_ramfs_files($1_xserver_t)
 	init_getpgid($1_xserver_t)
@@ -353,12 +353,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
@ -10523,7 +10591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-26 10:11:38.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if	2007-07-28 11:09:17.000000000 -0400
@@ -62,6 +62,10 @@
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -11159,21 +11227,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1127,6 @@
+@@ -1029,15 +1123,7 @@
- 	')
+ 	# and may change other protocols
- 
+ 	tunable_policy(`user_tcp_server',`
- 	optional_policy(`
+ 		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 -	')
 -
 -	optional_policy(`
 -		kerberos_use($1_t)
 -	')
 -
 -	optional_policy(`
 -		loadkeys_run($1_t,$1_r,$1_tty_device_t)
-	')
+		corenet_tcp_bind_all_unreserved_ports($1_t)
 -
 -	optional_policy(`
 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
 	optional_policy(`
@@ -1054,17 +1140,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -11806,7 +11876,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.4/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/users/webadm.te	2007-07-27 14:44:20.000000000 -0400
@@ -0,0 +1,70 @@
 +policy_module(webadm,1.0.0)
 +
@ -11815,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +# webadmin local policy
 +#
 +
-+userdom_login_user_template(webadm)
+userdom_base_user_template(webadm)
 +allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +
 +# Allow webadm_t to restart the apache service
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -359,6 +359,9 @@ exit 0
 %endif
 %changelog
 * Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3
 - Allow xserver to write to ramfs mounted by rhgb
 * Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-2
 - Add context for dbus machine id