- Let all uncofined domains communicate with dbus unconfined

This commit is contained in:
Daniel J Walsh 2007-12-21 07:58:04 +00:00
parent 673eaaeafb
commit 0ec33db4ff
2 changed files with 72 additions and 12 deletions


@ -6003,7 +6003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
-') -')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/dbus.if 2007-12-21 02:47:15.000000000 -0500
@@ -91,7 +91,7 @@ @@ -91,7 +91,7 @@
# SE-DBus specific permissions # SE-DBus specific permissions
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg; allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@ -6043,13 +6043,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t) read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2) files_search_var_lib($2)
@@ -366,3 +367,35 @@ @@ -263,6 +264,7 @@
# For connecting to the bus
allow $3 $1_dbusd_t:unix_stream_socket connectto;
+ allow dbusd_unconfined $1_dbusd_t:dbus *;
')
########################################
@@ -366,3 +368,53 @@
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Allow unconfined access to the system DBUS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_unconfined',`
+ gen_require(`
+ attribute dbusd_unconfined;
+ ')
+
+ typeattribute $1 dbusd_unconfined;
+')
+
+########################################
+## <summary>
+## Create a domain for processes +## Create a domain for processes
+## which can be started by the system dbus +## which can be started by the system dbus
+## </summary> +## </summary>
@ -6079,6 +6105,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ +
+') +')
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/dbus.te 2007-12-21 02:47:39.000000000 -0500
@@ -9,6 +9,7 @@
#
# Delcarations
#
+attribute dbusd_unconfined;
type dbusd_etc_t alias etc_dbusd_t;
files_type(dbusd_etc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.5/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/dcc.if 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/services/dcc.if 2007-12-19 05:38:09.000000000 -0500
@ -12898,7 +12935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.2.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500 --- nsaserefpolicy/policy/modules/system/mount.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/mount.te 2007-12-19 05:38:09.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/mount.te 2007-12-21 02:36:38.000000000 -0500
@@ -8,7 +8,7 @@ @@ -8,7 +8,7 @@
## <desc> ## <desc>
@ -12982,7 +13019,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
') ')
optional_policy(` optional_policy(`
@@ -192,4 +200,26 @@ @@ -175,6 +183,11 @@
')
')
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
+ lvm_domtrans(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
@@ -192,4 +205,26 @@
optional_policy(` optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file) files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t) unconfined_domain(unconfined_mount_t)
@ -12995,9 +13044,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+# +#
+# ntfs local policy +# ntfs local policy
+# +#
+allow mount_t self:fifo_file { read write }; +allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket { connect create }; +allow mount_t self:unix_dgram_socket create_socket_perms;
+ +
+corecmd_exec_shell(mount_t) +corecmd_exec_shell(mount_t)
+ +
@ -13843,7 +13892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.2.5/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 15:30:49.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-19 16:24:05.000000000 -0500 +++ serefpolicy-3.2.5/policy/modules/system/unconfined.if 2007-12-21 02:48:29.000000000 -0500
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -13878,7 +13927,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
kernel_unconfined($1) kernel_unconfined($1)
corenet_unconfined($1) corenet_unconfined($1)
@@ -581,7 +581,6 @@ @@ -70,6 +70,7 @@
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
')
optional_policy(`
@@ -581,7 +582,6 @@
interface(`unconfined_dbus_connect',` interface(`unconfined_dbus_connect',`
gen_require(` gen_require(`
type unconfined_t; type unconfined_t;
@ -13886,7 +13943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
allow $1 unconfined_t:dbus acquire_svc; allow $1 unconfined_t:dbus acquire_svc;
@@ -589,7 +588,7 @@ @@ -589,7 +589,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -13895,7 +13952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -597,20 +596,53 @@ @@ -597,20 +597,53 @@
## </summary> ## </summary>
## </param> ## </param>
# #
@ -13956,7 +14013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -618,31 +650,132 @@ @@ -618,31 +651,132 @@
## </summary> ## </summary>
## </param> ## </param>
# #
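Review bot: The summary on the new `dbus_unconfined` interface says it allows unconfined access to the system DBUS, but the only rule bound to the `dbusd_unconfined` attribute is `allow dbusd_unconfined $1_dbusd_t:dbus *;` inside the per-role template, i.e. every role/user session bus rather than `system_dbusd_t`, which is already covered by the `dbus_system_bus_unconfined($1)` call the new `dbus_unconfined($1)` is placed beside in unconfined.if. I would change the summary to `## Allow unconfined access to all per-role (session) DBUS daemons.` and put a why-comment above the attribute rule, e.g. `# domains with dbusd_unconfined may send_msg/acquire_svc on every per-role bus`. The template that now references `dbusd_unconfined` starts before the hunk, so its `gen_require` is not visible; if `attribute dbusd_unconfined;` is not declared there, modules that expand the template outside dbus will fail to link against the attribute declared in dbus.te. Since `*` grants every dbus permission to every unconfined domain on every session bus, the interface description should also say that this bypasses the SE-DBus send_msg/acquire_svc checks for those domains, matching what the existing `allow $1 system_dbusd_t:dbus *;` already does for the system bus.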


@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.2.5 Version: 3.2.5
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -386,6 +386,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-4
- Let all uncofined domains communicate with dbus unconfined
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3 * Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3
- Run rpm in system_r - Run rpm in system_r