- Fix prelink to handle execmod

2007-07-24 14:39:01 +00:00 · 2007-07-24 14:39:01 +00:00 · 0f8f545d1a
commit 0f8f545d1a
parent e0ae206813
3 changed files with 154 additions and 78 deletions
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -245,3 +245,12 @@ samba_run_unconfined = true
 # Allows XServer to execute writable memory
 # 
 allow_xserver_execmem = true
 # disallow guest accounts to execute files that they can create 
 # 
 allow_guest_exec_content = false
 allow_xguest_exec_content = false
 # Only allow browser to use the web
 # 
 browser_confine_xguest=true
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -567,7 +567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-17 15:46:25.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/admin/prelink.te	2007-07-24 08:59:27.000000000 -0400
@@ -26,7 +26,7 @@
 # Local policy
 #
@ -577,7 +577,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 allow prelink_t self:process { execheap execmem execstack signal };
 allow prelink_t self:fifo_file rw_fifo_file_perms;
-@@ -49,8 +49,7 @@
+@@ -40,17 +40,17 @@
 read_lnk_files_pattern(prelink_t,prelink_log_t,prelink_log_t)
 logging_log_filetrans(prelink_t, prelink_log_t, file)
 -allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
 +allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
 fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
 +
 # prelink misc objects that are not system
 # libraries or entrypoints
 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
 kernel_read_system_state(prelink_t)
@ -587,7 +598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 corecmd_manage_all_executables(prelink_t)
 corecmd_relabel_all_executables(prelink_t)
-@@ -65,6 +64,8 @@
+@@ -65,6 +65,8 @@
 files_read_etc_files(prelink_t)
 files_read_etc_runtime_files(prelink_t)
 files_dontaudit_read_all_symlinks(prelink_t)
@ -596,7 +607,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 fs_getattr_xattr_fs(prelink_t)
-@@ -84,6 +85,13 @@
+@@ -81,9 +83,17 @@
 libs_manage_lib_files(prelink_t)
 libs_relabel_lib_files(prelink_t)
 libs_delete_lib_symlinks(prelink_t)
 +libs_legacy_use_shared_libs(prelink_t)
 miscfiles_read_localization(prelink_t)
@ -1739,7 +1754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.3/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-07-03 07:05:43.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-23 16:25:26.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/apps/mozilla.if	2007-07-24 10:14:15.000000000 -0400
@@ -36,6 +36,8 @@
 	gen_require(`
 		type mozilla_conf_t, mozilla_exec_t;
@ -10407,7 +10422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-23 16:30:24.000000000 -0400
+++ serefpolicy-3.0.3/policy/modules/system/userdomain.if	2007-07-24 10:14:54.000000000 -0400
@@ -62,6 +62,10 @@
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -10445,7 +10460,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_list_nfs_dirs($1_t)
 		fs_read_nfs_files($1_t)
-@@ -517,10 +517,6 @@
+@@ -323,13 +323,19 @@
 ## <rolebase/>
 #
 template(`userdom_exec_home_template',`
 -	can_exec($1_t,$1_home_t)
 -	tunable_policy(`use_nfs_home_dirs',`
 +	tunable_policy(`allow_$1_exec_content', `
 +		can_exec($1_t,$1_home_t)
 +	',`
 +		dontaudit $1_t $1_home_t:file execute;
 +	')
 +
 +
 +	tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 		fs_exec_nfs_files($1_t)
 	')
 -	tunable_policy(`use_samba_home_dirs',`
 +	tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 		fs_exec_cifs_files($1_t)
 	')
 ')
@@ -403,7 +409,9 @@
 ## <rolebase/>
 #
 template(`userdom_exec_tmp_template',`
 -	exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 +	tunable_policy(`allow_$1_exec_content', `
 +		exec_files_pattern($1_t,$1_tmp_t,$1_tmp_t)
 +	')
 ')
 #######################################
@@ -517,10 +525,6 @@
 ## <rolebase/>
 #
 template(`userdom_exec_generic_pgms_template',`
@ -10456,7 +10505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	corecmd_exec_bin($1_t)
 ')
-@@ -538,9 +534,6 @@
+@@ -538,9 +542,6 @@
 ## <rolebase/>
 #
 template(`userdom_basic_networking_template',`
@ -10466,7 +10515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
-@@ -555,6 +548,12 @@
+@@ -555,6 +556,12 @@
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
@ -10479,7 +10528,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -571,32 +570,29 @@
+@@ -571,32 +578,29 @@
 #
 template(`userdom_xwindows_client_template',`
 	gen_require(`
@ -10533,7 +10582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -672,67 +668,39 @@
+@@ -672,67 +676,39 @@
 		attribute unpriv_userdomain;
 	')
@ -10604,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
 	# Check to see if cdrom is mounted
-@@ -745,12 +713,6 @@
+@@ -745,12 +721,6 @@
 	# Stat lost+found.
 	files_getattr_lost_found_dirs($1_t)
@ -10617,7 +10666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
 	selinux_validate_context($1_t)
-@@ -763,31 +725,16 @@
+@@ -763,31 +733,16 @@
 	storage_getattr_fixed_disk_dev($1_t)
 	auth_read_login_records($1_t)
@ -10651,7 +10700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 	seutil_exec_checkpolicy($1_t)
 	seutil_exec_setfiles($1_t)
-@@ -802,19 +749,12 @@
+@@ -802,19 +757,12 @@
 		files_read_default_symlinks($1_t)
 		files_read_default_sockets($1_t)
 		files_read_default_pipes($1_t)
@ -10671,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
-@@ -829,34 +769,14 @@
+@@ -829,34 +777,14 @@
 	')
 	optional_policy(`
@ -10706,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	optional_policy(`
-@@ -884,17 +804,19 @@
+@@ -884,17 +812,19 @@
 	')
 	optional_policy(`
@ -10732,7 +10781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	optional_policy(`
-@@ -908,39 +830,210 @@
+@@ -908,45 +838,170 @@
 	')
 	optional_policy(`
@ -10763,7 +10812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
 +		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
-+	')
+ 	')
 +')
 +
 +#######################################
@ -10820,11 +10869,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	userdom_base_user_template($1)
 +
 +	userdom_manage_home_template($1)
 +	userdom_exec_home_template($1)
 +	userdom_manage_tmp_template($1)
 +	userdom_exec_tmp_template($1)
 +	userdom_manage_tmpfs_template($1)
 +
 +	gen_tunable(allow_$1_exec_content,true)
 +
 +	userdom_exec_tmp_template($1)
 +	userdom_exec_home_template($1)
 +
 +	userdom_change_password_template($1)
 +
 +	role $1_r types $1_t;
@ -10845,12 +10897,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	auth_dontaudit_write_login_records($1_t)
 +
 +	# Find CDROM devices:
 +	kernel_read_device_sysctls($1_t)
 +	kernel_read_network_state($1_t)
 +	kernel_read_net_sysctls($1_t)
 +	kernel_read_system_state($1_t)
 +
 +	dev_read_sysfs($1_t)
 +	dev_read_urand($1_t)
 +
@ -10888,19 +10934,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	userdom_poly_home_template($1)
 +	userdom_poly_tmp_template($1)
-+
+ 
-+	optional_policy(`
+ 	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
 +		cups_stream_connect($1_t)
 +		cups_stream_connect_ptal($1_t)
 	')
 	optional_policy(`
-		samba_stream_connect_winbind($1_t)
+-		slrnpull_search_spool($1_t)
 +		kerberos_use($1_t)
 	')
 	optional_policy(`
-		slrnpull_search_spool($1_t)
+-		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +		quota_dontaudit_getattr_db($1_t)
 +	')
 +
@ -10908,12 +10955,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		rpm_read_db($1_t)
 +		rpm_dontaudit_manage_db($1_t)
 	')
-+')
+ ')
 +
 #######################################
 ## <summary>
 -##	The template for creating a unprivileged user.
 +##	The template for creating a unprivileged login user.
 ## </summary>
 ## <desc>
 ##	<p>
@@ -962,11 +1017,58 @@
 ##	</summary>
 ## </param>
 #
 -template(`userdom_unpriv_user_template', `
 -
 +template(`userdom_unpriv_login_user', `
 	gen_require(`
 +		attribute unpriv_userdomain;
 		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 	')
 +	userdom_login_user_template($1)
 +	userdom_privhome_user_template($1)
 +
 +	typeattribute $1_t unpriv_userdomain;
 +
 +	domain_interactive_fd($1_t)
 +
 +	typeattribute $1_devpts_t user_ptynode;
 +	typeattribute $1_home_dir_t user_home_dir_type;
 +	typeattribute $1_home_t user_home_type;
 +	typeattribute $1_tmp_t user_tmpfile;
 +	typeattribute $1_tty_device_t user_ttynode;
 +
 +	auth_exec_pam($1_t)
 +
 +	optional_policy(`
 +		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 +	')
 +')
 +
 +#######################################
 +## <summary>
-+##	The template for creating a unprivileged login user.
+##	The template for creating a unprivileged user.
 +## </summary>
 +## <desc>
 +##	<p>
@ -10929,44 +11014,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+template(`userdom_unpriv_login_user', `
+template(`userdom_unpriv_user_template', `
 +	gen_require(`
 +		attribute unpriv_userdomain;
 +		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 +	')
 +	userdom_login_user_template($1)
 +	userdom_privhome_user_template($1)
 +
 +	typeattribute $1_t unpriv_userdomain;
 +
 +	domain_interactive_fd($1_t)
 +
 +	typeattribute $1_devpts_t user_ptynode;
 +	typeattribute $1_home_dir_t user_home_dir_type;
 +	typeattribute $1_home_t user_home_type;
 +	typeattribute $1_tmp_t user_tmpfile;
 +	typeattribute $1_tty_device_t user_ttynode;
 +
 +	auth_exec_pam($1_t)
 	optional_policy(`
 -		usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 +		loadkeys_run($1_t,$1_r,$1_tty_device_t)
 	')
 ')
@@ -964,9 +1057,7 @@
 #
 template(`userdom_unpriv_user_template', `
 -	gen_require(`
 -		attribute privhome, user_ptynode, user_home_dir_type, user_home_type, user_tmpfile, user_ttynode;
 -	')
 +	userdom_unpriv_login_user($1)
 +
 +	# Find CDROM devices:
 +	kernel_read_device_sysctls($1_t)
 +	kernel_read_network_state($1_t)
 +	kernel_read_net_sysctls($1_t)
 +	kernel_read_system_state($1_t)
 	##############################
 	#
-@@ -976,25 +1067,11 @@
+@@ -976,25 +1078,11 @@
 	# Inherit rules for ordinary users.
 	userdom_common_user_template($1)
@ -10992,7 +11052,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
 	# Need the following rule to allow users to run vpnc
-@@ -1033,14 +1110,6 @@
+@@ -1033,14 +1121,6 @@
 	')
 	optional_policy(`
@ -11007,7 +11067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 	')
-@@ -1054,17 +1123,6 @@
+@@ -1054,17 +1134,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
@ -11025,7 +11085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 #######################################
-@@ -1102,6 +1160,8 @@
+@@ -1102,6 +1171,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
@ -11034,7 +11094,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1187,7 @@
+@@ -1127,7 +1198,7 @@
 	# $1_t local policy
 	#
@ -11043,16 +11103,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 	# Set password information for other users.
-@@ -1139,8 +1199,6 @@
+@@ -1139,7 +1210,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 -	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
+	# Find CDROM devices:
 +	kernel_read_device_sysctls($1_t)
 +	kernel_read_network_state($1_t)
 +	kernel_read_net_sysctls($1_t)
 +	kernel_read_system_state($1_t)
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
- 	kernel_getattr_message_if($1_t)
+@@ -1902,6 +1977,41 @@
@@ -1902,6 +1960,41 @@
 ########################################
 ## <summary>
@ -11094,7 +11158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -3078,7 +3171,7 @@
+@@ -3078,7 +3188,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -11103,7 +11167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5416,7 @@
+@@ -5323,7 +5433,7 @@
 		attribute user_tmpfile;
 	')
@ -11112,7 +11176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5548,6 +5641,26 @@
+@@ -5548,6 +5658,26 @@
 ########################################
 ## <summary>
@ -11139,7 +11203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Unconfined access to user domains.  (Deprecated)
 ## </summary>
 ## <param name="domain">
-@@ -5559,3 +5672,233 @@
+@@ -5559,3 +5689,233 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -359,6 +359,9 @@ exit 0
 %endif
 %changelog
 * Tue Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-6
 - Fix prelink to handle execmod
 * Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> 3.0.3-5
 - Add ntpd_key_t to handle secret data