- Fix prelink to handle execmod

2007-07-24 14:39:01 +00:00 · 2007-07-24 14:39:01 +00:00 · 0f8f545d1a
commit 0f8f545d1a
parent e0ae206813
3 changed files with 154 additions and 78 deletions
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -245,3 +245,12 @@ samba_run_unconfined = true
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = true
+
+# disallow guest accounts to execute files that they can create 
+# 
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=true
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -567,7 +567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-24 08:59:27.000000000 -0400
@@ -26,7 +26,7 @@
 # Local policy
 #
@ -577,7 +577,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
 
-@@ -49,8 +49,7 @@
+@@ -40,17 +40,17 @@
+ read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+ logging_log_filetrans(prelink_t, prelink_log_t, file)
+ 
+-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+ files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+ fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+ 
+
+ # prelink misc objects that are not system
+ # libraries or entrypoints
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 
 kernel_read_system_state(prelink_t)
@ -587,7 +598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
-@@ -65,6 +64,8 @@
+@@ -65,6 +65,8 @@
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
@ -596,7 +607,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 
 fs_getattr_xattr_fs(prelink_t)
 
-@@ -84,6 +85,13 @@
+@@ -81,9 +83,17 @@
+ libs_manage_lib_files(prelink_t)
+ libs_relabel_lib_files(prelink_t)
+ libs_delete_lib_symlinks(prelink_t)
+libs_legacy_use_shared_libs(prelink_t)
 
 miscfiles_read_localization(prelink_t)
 
@ -1739,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-23 16:25:26.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-24 10:14:15.000000000 -0400
@@ -36,6 +36,8 @@
 	gen_require(`
 		type mozilla_conf_t, mozilla_exec_t;
@ -10407,7 +10422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 16:30:24.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-24 10:14:54.000000000 -0400
@@ -62,6 +62,10 @@
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -10445,7 +10460,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_list_nfs_dirs($1_t)
 		fs_read_nfs_files($1_t)
-@@ -517,10 +517,6 @@
+@@ -323,13 +323,19 @@
+ ## <rolebase/>
+ #
+ template(`userdom_exec_home_template',`
+-	can_exec($1_t,$1_home_t)
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
+	tunable_policy(`allow_$1_exec_content', `
+		can_exec($1_t,$1_home_t)
+	',`
+		dontaudit $1_t $1_home_t:file execute;
+	')
+
+
+	tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ 		fs_exec_nfs_files($1_t)
+ 	')
+ 
+-	tunable_policy(`use_samba_home_dirs',`
+	tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ 		fs_exec_cifs_files($1_t)
+ 	')
+ ')
+@@ -403,7 +409,9 @@
+ ## <rolebase/>
+ #
+ template(`userdom_exec_tmp_template',`
+-	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	tunable_policy(`allow_$1_exec_content', `
+		exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
+	')
+ ')
+ 
+ #######################################
+@@ -517,10 +525,6 @@
 ## <rolebase/>
 #
 template(`userdom_exec_generic_pgms_template',`
@ -10456,7 +10505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	corecmd_exec_bin($1_t)
 ')
 
-@@ -538,9 +534,6 @@
+@@ -538,9 +542,6 @@
 ## <rolebase/>
 #
 template(`userdom_basic_networking_template',`
@ -10466,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
-@@ -555,6 +548,12 @@
+@@ -555,6 +556,12 @@
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
@ -10479,7 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -571,32 +570,29 @@
+@@ -571,32 +578,29 @@
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
@ -10533,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -672,67 +668,39 @@
+@@ -672,67 +676,39 @@
 		attribute unpriv_userdomain;
 	')
 
@ -10604,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
 	# Check to see if cdrom is mounted
-@@ -745,12 +713,6 @@
+@@ -745,12 +721,6 @@
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
 
@ -10617,7 +10666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
-@@ -763,31 +725,16 @@
+@@ -763,31 +733,16 @@
 	storage_getattr_fixed_disk_dev($1_t)
 
 	auth_read_login_records($1_t)
@ -10651,7 +10700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	seutil_exec_checkpolicy($1_t)
 	seutil_exec_setfiles($1_t)
-@@ -802,19 +749,12 @@
+@@ -802,19 +757,12 @@
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
@ -10671,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
-@@ -829,34 +769,14 @@
+@@ -829,34 +777,14 @@
 	')
 
 	optional_policy(`
@ -10706,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	optional_policy(`
-@@ -884,17 +804,19 @@
+@@ -884,17 +812,19 @@
 	')
 
 	optional_policy(`
@ -10732,7 +10781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	optional_policy(`
-@@ -908,39 +830,210 @@
+@@ -908,45 +838,170 @@
 	')
 
 	optional_policy(`
@ -10763,7 +10812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
 +		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+	')
+ 	')
 +')
 +
 +#######################################
@ -10820,11 +10869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	userdom_base_user_template($1)
 +
 +	userdom_manage_home_template($1)
-+	userdom_exec_home_template($1)
 +	userdom_manage_tmp_template($1)
-+	userdom_exec_tmp_template($1)
 +	userdom_manage_tmpfs_template($1)
 +
+	gen_tunable(allow_$1_exec_content,true)
+
+	userdom_exec_tmp_template($1)
+	userdom_exec_home_template($1)
+
 +	userdom_change_password_template($1)
 +
 +	role $1_r types $1_t;
@ -10845,12 +10897,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	auth_dontaudit_write_login_records($1_t)
 +
-+	# Find CDROM devices:
-+	kernel_read_device_sysctls($1_t)
-+	kernel_read_network_state($1_t)
-+	kernel_read_net_sysctls($1_t)
-+	kernel_read_system_state($1_t)
-+
 +	dev_read_sysfs($1_t)
 +	dev_read_urand($1_t)
 +
@ -10888,19 +10934,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	userdom_poly_home_template($1)
 +	userdom_poly_tmp_template($1)
-+
-+	optional_policy(`
+ 
+ 	optional_policy(`
+-		samba_stream_connect_winbind($1_t)
 +		cups_stream_connect($1_t)
 +		cups_stream_connect_ptal($1_t)
 	')
 
 	optional_policy(`
-		samba_stream_connect_winbind($1_t)
+-		slrnpull_search_spool($1_t)
 +		kerberos_use($1_t)
 	')
 
 	optional_policy(`
-		slrnpull_search_spool($1_t)
+-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +		quota_dontaudit_getattr_db($1_t)
 +	')
 +
@ -10908,12 +10955,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		rpm_read_db($1_t)
 +		rpm_dontaudit_manage_db($1_t)
 	')
-+')
+ ')
+ 
 +
+ #######################################
+ ## <summary>
+-##	The template for creating a unprivileged user.
+##	The template for creating a unprivileged login user.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+@@ -962,11 +1017,58 @@
+ ##	</summary>
+ ## </param>
+ #
+-template(`userdom_unpriv_user_template', `
+-
+template(`userdom_unpriv_login_user', `
+ 	gen_require(`
+		attribute unpriv_userdomain;
+ 		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+ 	')
+	userdom_login_user_template($1)
+	userdom_privhome_user_template($1)
+
+	typeattribute $1_t unpriv_userdomain;
+
+	domain_interactive_fd($1_t)
+
+	typeattribute $1_devpts_t user_ptynode;
+	typeattribute $1_home_dir_t user_home_dir_type;
+	typeattribute $1_home_t user_home_type;
+	typeattribute $1_tmp_t user_tmpfile;
+	typeattribute $1_tty_device_t user_ttynode;
+
+	auth_exec_pam($1_t)
+
+	optional_policy(`
+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	')
+')
 +
 +#######################################
 +## <summary>
-+##	The template for creating a unprivileged login user.
+##	The template for creating a unprivileged user.
 +## </summary>
 +## <desc>
 +##	<p>
@ -10929,44 +11014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_unpriv_login_user', `
-+	gen_require(`
-+		attribute unpriv_userdomain;
-+		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
-+	')
-+	userdom_login_user_template($1)
-+	userdom_privhome_user_template($1)
+template(`userdom_unpriv_user_template', `
 +
-+	typeattribute $1_t unpriv_userdomain;
-+
-+	domain_interactive_fd($1_t)
-+
-+	typeattribute $1_devpts_t user_ptynode;
-+	typeattribute $1_home_dir_t user_home_dir_type;
-+	typeattribute $1_home_t user_home_type;
-+	typeattribute $1_tmp_t user_tmpfile;
-+	typeattribute $1_tty_device_t user_ttynode;
-+
-+	auth_exec_pam($1_t)
- 
- 	optional_policy(`
-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
- 	')
- ')
- 
-@@ -964,9 +1057,7 @@
- #
- template(`userdom_unpriv_user_template', `
- 
-	gen_require(`
-		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
-	')
 +	userdom_unpriv_login_user($1)
+
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_net_sysctls($1_t)
+	kernel_read_system_state($1_t)
 
 	##############################
 	#
-@@ -976,25 +1067,11 @@
+@@ -976,25 +1078,11 @@
 	# Inherit rules for ordinary users.
 	userdom_common_user_template($1)
 
@ -10992,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1110,6 @@
+@@ -1033,14 +1121,6 @@
 	')
 
 	optional_policy(`
@ -11007,7 +11067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
-@@ -1054,17 +1123,6 @@
+@@ -1054,17 +1134,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
 
@ -11025,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -1102,6 +1160,8 @@
+@@ -1102,6 +1171,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
 
@ -11034,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1187,7 @@
+@@ -1127,7 +1198,7 @@
 	# $1_t local policy
 	#
 
@ -11043,16 +11103,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 
 	# Set password information for other users.
-@@ -1139,8 +1199,6 @@
+@@ -1139,7 +1210,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
 -	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
+	# Find CDROM devices:
+	kernel_read_device_sysctls($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_net_sysctls($1_t)
+	kernel_read_system_state($1_t)
+ 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
- 	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1960,41 @@
+@@ -1902,6 +1977,41 @@
 
 ########################################
 ## <summary>
@ -11094,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -3078,7 +3171,7 @@
+@@ -3078,7 +3188,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -11103,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5416,7 @@
+@@ -5323,7 +5433,7 @@
 		attribute user_tmpfile;
 	')
 
@ -11112,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -5548,6 +5641,26 @@
+@@ -5548,6 +5658,26 @@
 
 ########################################
 ## <summary>
@ -11139,7 +11203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Unconfined access to user domains.  (Deprecated)
 ## </summary>
 ## <param name="domain">
-@@ -5559,3 +5672,233 @@
+@@ -5559,3 +5689,233 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -359,6 +359,9 @@ exit 0
 %endif

 %changelog
+* Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-6
+- Fix prelink to handle execmod
+
 * Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-5
 - Add ntpd_key_t to handle secret data