From 0f8f545d1aba7861bdd6d368dbee25865e4b0462 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@fedoraproject.org>
Date: Tue, 24 Jul 2007 14:39:01 +0000
Subject: [PATCH] - Fix prelink to handle execmod

---
 booleans-targeted.conf |   9 ++
 policy-20070703.patch  | 218 ++++++++++++++++++++++++++---------------
 selinux-policy.spec    |   5 +-
 3 files changed, 154 insertions(+), 78 deletions(-)

diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index a970450e..3003143f 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -245,3 +245,12 @@ samba_run_unconfined = true
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = true
+
+# disallow guest accounts to execute files that they can create 
+# 
+allow_guest_exec_content = false
+allow_xguest_exec_content = false
+
+# Only allow browser to use the web
+# 
+browser_confine_xguest=true
diff --git a/policy-20070703.patch b/policy-20070703.patch
index f5294172..df093051 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -567,7 +567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-17 15:46:25.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-24 08:59:27.000000000 -0400
 @@ -26,7 +26,7 @@
  # Local policy
  #
@@ -577,7 +577,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  allow prelink_t self:process { execheap execmem execstack signal };
  allow prelink_t self:fifo_file rw_fifo_file_perms;
  
-@@ -49,8 +49,7 @@
+@@ -40,17 +40,17 @@
+ read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
+ logging_log_filetrans(prelink_t, prelink_log_t, file)
+ 
+-allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
++allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
+ files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
+ fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
+ 
++
+ # prelink misc objects that are not system
+ # libraries or entrypoints
  allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
  
  kernel_read_system_state(prelink_t)
@@ -587,7 +598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  corecmd_manage_all_executables(prelink_t)
  corecmd_relabel_all_executables(prelink_t)
-@@ -65,6 +64,8 @@
+@@ -65,6 +65,8 @@
  files_read_etc_files(prelink_t)
  files_read_etc_runtime_files(prelink_t)
  files_dontaudit_read_all_symlinks(prelink_t)
@@ -596,7 +607,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  fs_getattr_xattr_fs(prelink_t)
  
-@@ -84,6 +85,13 @@
+@@ -81,9 +83,17 @@
+ libs_manage_lib_files(prelink_t)
+ libs_relabel_lib_files(prelink_t)
+ libs_delete_lib_symlinks(prelink_t)
++libs_legacy_use_shared_libs(prelink_t)
  
  miscfiles_read_localization(prelink_t)
  
@@ -1739,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-23 16:25:26.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-24 10:14:15.000000000 -0400
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -10407,7 +10422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 16:30:24.000000000 -0400
++++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-24 10:14:54.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@@ -10445,7 +10460,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_list_nfs_dirs($1_t)
  		fs_read_nfs_files($1_t)
-@@ -517,10 +517,6 @@
+@@ -323,13 +323,19 @@
+ ## <rolebase/>
+ #
+ template(`userdom_exec_home_template',`
+-	can_exec($1_t,$1_home_t)
+ 
+-	tunable_policy(`use_nfs_home_dirs',`
++	tunable_policy(`allow_$1_exec_content', `
++		can_exec($1_t,$1_home_t)
++	',`
++		dontaudit $1_t $1_home_t:file execute;
++	')
++
++
++	tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ 		fs_exec_nfs_files($1_t)
+ 	')
+ 
+-	tunable_policy(`use_samba_home_dirs',`
++	tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ 		fs_exec_cifs_files($1_t)
+ 	')
+ ')
+@@ -403,7 +409,9 @@
+ ## <rolebase/>
+ #
+ template(`userdom_exec_tmp_template',`
+-	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
++	tunable_policy(`allow_$1_exec_content', `
++		exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
++	')
+ ')
+ 
+ #######################################
+@@ -517,10 +525,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -10456,7 +10505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -538,9 +534,6 @@
+@@ -538,9 +542,6 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -10466,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
-@@ -555,6 +548,12 @@
+@@ -555,6 +556,12 @@
  	corenet_udp_sendrecv_all_ports($1_t)
  	corenet_tcp_connect_all_ports($1_t)
  	corenet_sendrecv_all_client_packets($1_t)
@@ -10479,7 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -571,32 +570,29 @@
+@@ -571,32 +578,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -10533,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -672,67 +668,39 @@
+@@ -672,67 +676,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -10604,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_exec_etc_files($1_t)
  	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
-@@ -745,12 +713,6 @@
+@@ -745,12 +721,6 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -10617,7 +10666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -763,31 +725,16 @@
+@@ -763,31 +733,16 @@
  	storage_getattr_fixed_disk_dev($1_t)
  
  	auth_read_login_records($1_t)
@@ -10651,7 +10700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
  	seutil_exec_checkpolicy($1_t)
  	seutil_exec_setfiles($1_t)
-@@ -802,19 +749,12 @@
+@@ -802,19 +757,12 @@
  		files_read_default_symlinks($1_t)
  		files_read_default_sockets($1_t)
  		files_read_default_pipes($1_t)
@@ -10671,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -829,34 +769,14 @@
+@@ -829,34 +777,14 @@
  	')
  
  	optional_policy(`
@@ -10706,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -884,17 +804,19 @@
+@@ -884,17 +812,19 @@
  	')
  
  	optional_policy(`
@@ -10732,7 +10781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
-@@ -908,39 +830,210 @@
+@@ -908,45 +838,170 @@
  	')
  
  	optional_policy(`
@@ -10763,7 +10812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
 +		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+	')
+ 	')
 +')
 +
 +#######################################
@@ -10820,11 +10869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	userdom_base_user_template($1)
 +
 +	userdom_manage_home_template($1)
-+	userdom_exec_home_template($1)
 +	userdom_manage_tmp_template($1)
-+	userdom_exec_tmp_template($1)
 +	userdom_manage_tmpfs_template($1)
 +
++	gen_tunable(allow_$1_exec_content,true)
++
++	userdom_exec_tmp_template($1)
++	userdom_exec_home_template($1)
++
 +	userdom_change_password_template($1)
 +
 +	role $1_r types $1_t;
@@ -10845,12 +10897,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	auth_dontaudit_write_login_records($1_t)
 +
-+	# Find CDROM devices:
-+	kernel_read_device_sysctls($1_t)
-+	kernel_read_network_state($1_t)
-+	kernel_read_net_sysctls($1_t)
-+	kernel_read_system_state($1_t)
-+
 +	dev_read_sysfs($1_t)
 +	dev_read_urand($1_t)
 +
@@ -10888,19 +10934,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	userdom_poly_home_template($1)
 +	userdom_poly_tmp_template($1)
-+
-+	optional_policy(`
+ 
+ 	optional_policy(`
+-		samba_stream_connect_winbind($1_t)
 +		cups_stream_connect($1_t)
 +		cups_stream_connect_ptal($1_t)
  	')
  
  	optional_policy(`
--		samba_stream_connect_winbind($1_t)
+-		slrnpull_search_spool($1_t)
 +		kerberos_use($1_t)
  	')
  
  	optional_policy(`
--		slrnpull_search_spool($1_t)
+-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +		quota_dontaudit_getattr_db($1_t)
 +	')
 +
@@ -10908,12 +10955,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		rpm_read_db($1_t)
 +		rpm_dontaudit_manage_db($1_t)
  	')
-+')
+ ')
+ 
 +
+ #######################################
+ ## <summary>
+-##	The template for creating a unprivileged user.
++##	The template for creating a unprivileged login user.
+ ## </summary>
+ ## <desc>
+ ##	<p>
+@@ -962,11 +1017,58 @@
+ ##	</summary>
+ ## </param>
+ #
+-template(`userdom_unpriv_user_template', `
+-
++template(`userdom_unpriv_login_user', `
+ 	gen_require(`
++		attribute unpriv_userdomain;
+ 		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
+ 	')
++	userdom_login_user_template($1)
++	userdom_privhome_user_template($1)
++
++	typeattribute $1_t unpriv_userdomain;
++
++	domain_interactive_fd($1_t)
++
++	typeattribute $1_devpts_t user_ptynode;
++	typeattribute $1_home_dir_t user_home_dir_type;
++	typeattribute $1_home_t user_home_type;
++	typeattribute $1_tmp_t user_tmpfile;
++	typeattribute $1_tty_device_t user_ttynode;
++
++	auth_exec_pam($1_t)
++
++	optional_policy(`
++		loadkeys_run($1_t,$1_r,$1_tty_device_t)
++	')
++')
 +
 +#######################################
 +## <summary>
-+##	The template for creating a unprivileged login user.
++##	The template for creating a unprivileged user.
 +## </summary>
 +## <desc>
 +##	<p>
@@ -10929,44 +11014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_unpriv_login_user', `
-+	gen_require(`
-+		attribute unpriv_userdomain;
-+		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
-+	')
-+	userdom_login_user_template($1)
-+	userdom_privhome_user_template($1)
++template(`userdom_unpriv_user_template', `
 +
-+	typeattribute $1_t unpriv_userdomain;
-+
-+	domain_interactive_fd($1_t)
-+
-+	typeattribute $1_devpts_t user_ptynode;
-+	typeattribute $1_home_dir_t user_home_dir_type;
-+	typeattribute $1_home_t user_home_type;
-+	typeattribute $1_tmp_t user_tmpfile;
-+	typeattribute $1_tty_device_t user_ttynode;
-+
-+	auth_exec_pam($1_t)
- 
- 	optional_policy(`
--		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+		loadkeys_run($1_t,$1_r,$1_tty_device_t)
- 	')
- ')
- 
-@@ -964,9 +1057,7 @@
- #
- template(`userdom_unpriv_user_template', `
- 
--	gen_require(`
--		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
--	')
 +	userdom_unpriv_login_user($1)
++
++	# Find CDROM devices:
++	kernel_read_device_sysctls($1_t)
++	kernel_read_network_state($1_t)
++	kernel_read_net_sysctls($1_t)
++	kernel_read_system_state($1_t)
  
  	##############################
  	#
-@@ -976,25 +1067,11 @@
+@@ -976,25 +1078,11 @@
  	# Inherit rules for ordinary users.
  	userdom_common_user_template($1)
  
@@ -10992,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
  	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1110,6 @@
+@@ -1033,14 +1121,6 @@
  	')
  
  	optional_policy(`
@@ -11007,7 +11067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
  	')
-@@ -1054,17 +1123,6 @@
+@@ -1054,17 +1134,6 @@
  		setroubleshoot_stream_connect($1_t)
  	')
  
@@ -11025,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
-@@ -1102,6 +1160,8 @@
+@@ -1102,6 +1171,8 @@
  		class passwd { passwd chfn chsh rootok crontab };
  	')
  
@@ -11034,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	##############################
  	#
  	# Declarations
-@@ -1127,7 +1187,7 @@
+@@ -1127,7 +1198,7 @@
  	# $1_t local policy
  	#
  
@@ -11043,16 +11103,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow $1_t self:process { setexec setfscreate };
  
  	# Set password information for other users.
-@@ -1139,8 +1199,6 @@
+@@ -1139,7 +1210,11 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
 -	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
--
++	# Find CDROM devices:
++	kernel_read_device_sysctls($1_t)
++	kernel_read_network_state($1_t)
++	kernel_read_net_sysctls($1_t)
++	kernel_read_system_state($1_t)
+ 
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
- 	kernel_getattr_message_if($1_t)
-@@ -1902,6 +1960,41 @@
+@@ -1902,6 +1977,41 @@
  
  ########################################
  ## <summary>
@@ -11094,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -3078,7 +3171,7 @@
+@@ -3078,7 +3188,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -11103,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5416,7 @@
+@@ -5323,7 +5433,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -11112,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5548,6 +5641,26 @@
+@@ -5548,6 +5658,26 @@
  
  ########################################
  ## <summary>
@@ -11139,7 +11203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Unconfined access to user domains.  (Deprecated)
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5672,233 @@
+@@ -5559,3 +5689,233 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2c3b1f75..ae096d25 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-6
+- Fix prelink to handle execmod
+
 * Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-5
 - Add ntpd_key_t to handle secret data