- Fixes for confined xwindows and xdm_t
This commit is contained in:
Daniel J Walsh
parent
86369ef439
commit
1062bd3849
@ -6707,7 +6707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.10/policy/modules/kernel/devices.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/devices.if 2008-10-06 13:16:47.000000000 -0400
|
||||
@@ -65,7 +65,7 @@
|
||||
|
||||
relabelfrom_dirs_pattern($1, device_t, device_node)
|
||||
@ -6717,7 +6717,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||
relabel_blk_files_pattern($1,device_t,{ device_t device_node })
|
||||
@@ -167,6 +167,25 @@
|
||||
@@ -148,6 +148,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Del entries to directories in /dev.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed to add entries.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`dev_del_entry_generic_dirs',`
|
||||
+ gen_require(`
|
||||
+ type device_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 device_t:dir del_entry_dir_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Create a directory in the device directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -167,6 +185,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6743,7 +6768,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Delete a directory in the device directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -667,6 +686,7 @@
|
||||
@@ -667,6 +704,7 @@
|
||||
')
|
||||
|
||||
dontaudit $1 device_node:blk_file getattr;
|
||||
@ -6751,7 +6776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -704,6 +724,7 @@
|
||||
@@ -704,6 +742,7 @@
|
||||
')
|
||||
|
||||
dontaudit $1 device_node:chr_file getattr;
|
||||
@ -6759,7 +6784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1160,6 +1181,25 @@
|
||||
@@ -1160,6 +1199,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6785,7 +6810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read the CPU identity.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1958,6 +1998,42 @@
|
||||
@@ -1958,6 +2016,42 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6828,7 +6853,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read and write to the null device (/dev/null).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2769,6 +2845,24 @@
|
||||
@@ -2769,6 +2863,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6853,7 +6878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read and write generic the USB devices.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2787,6 +2881,97 @@
|
||||
@@ -2787,6 +2899,97 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -6951,7 +6976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Mount a usbfs filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -3322,3 +3507,223 @@
|
||||
@@ -3322,3 +3525,223 @@
|
||||
|
||||
typeattribute $1 devices_unconfined_type;
|
||||
')
|
||||
@ -8201,7 +8226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.10/policy/modules/kernel/filesystem.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-08-14 13:08:27.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/filesystem.te 2008-10-06 14:17:31.000000000 -0400
|
||||
@@ -21,7 +21,6 @@
|
||||
|
||||
# Use xattrs for the following filesystem types.
|
||||
@ -8222,7 +8247,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type eventpollfs_t;
|
||||
fs_type(eventpollfs_t)
|
||||
# change to task SID 20060628
|
||||
@@ -241,6 +245,7 @@
|
||||
@@ -141,6 +145,7 @@
|
||||
fs_noxattr_type(vmblock_t)
|
||||
files_mountpoint(vmblock_t)
|
||||
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
|
||||
+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
|
||||
|
||||
type vxfs_t;
|
||||
fs_noxattr_type(vxfs_t)
|
||||
@@ -241,6 +246,7 @@
|
||||
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
|
||||
@ -8320,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_read_default_files(kernel_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.10/policy/modules/kernel/selinux.if
|
||||
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-08-07 11:15:01.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/kernel/selinux.if 2008-10-06 13:08:30.000000000 -0400
|
||||
@@ -164,6 +164,7 @@
|
||||
type security_t;
|
||||
')
|
||||
@ -8660,8 +8693,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.10/policy/modules/roles/guest.te
|
||||
--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-03 11:36:44.000000000 -0400
|
||||
@@ -0,0 +1,34 @@
|
||||
+++ serefpolicy-3.5.10/policy/modules/roles/guest.te 2008-10-06 12:29:55.000000000 -0400
|
||||
@@ -0,0 +1,35 @@
|
||||
+
|
||||
+policy_module(guest, 1.0.0)
|
||||
+
|
||||
@ -8687,6 +8720,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ mono_per_role_template(guest, guest_t, guest_r)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type xguest_t;
|
||||
@ -18892,7 +18926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## <param name="domain">
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.10/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-03 11:37:02.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/networkmanager.te 2008-10-06 12:42:23.000000000 -0400
|
||||
@@ -33,9 +33,9 @@
|
||||
|
||||
# networkmanager will ptrace itself if gdb is installed
|
||||
@ -19033,12 +19067,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -174,9 +208,18 @@
|
||||
@@ -174,9 +208,19 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- ppp_domtrans(NetworkManager_t)
|
||||
+ ppp_initrc_domtrans(NetworkManager_t)
|
||||
ppp_domtrans(NetworkManager_t)
|
||||
ppp_read_pid_files(NetworkManager_t)
|
||||
+ ppp_sigkill(NetworkManager_t)
|
||||
ppp_signal(NetworkManager_t)
|
||||
@ -19053,7 +19087,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -221,3 +264,28 @@
|
||||
@@ -221,3 +265,28 @@
|
||||
miscfiles_read_localization(wpa_cli_t)
|
||||
|
||||
term_dontaudit_use_console(wpa_cli_t)
|
||||
@ -22900,15 +22934,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_shell_domtrans(rshd_t)
|
||||
+ unconfined_signal(rshd_t)
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.5.10/policy/modules/services/rsync.fc
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/rsync.fc 2008-10-06 08:55:56.000000000 -0400
|
||||
@@ -3,4 +3,4 @@
|
||||
|
||||
/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
|
||||
-/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_log_t,s0)
|
||||
+/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.5.10/policy/modules/services/rsync.te
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/rsync.te 2008-10-06 12:50:44.000000000 -0400
|
||||
@@ -45,7 +45,7 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
|
||||
+allow rsync_t self:capability { chown dac_read_search dac_override setuid setgid sys_chroot };
|
||||
+allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
|
||||
allow rsync_t self:process signal_perms;
|
||||
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -24232,7 +24275,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.5.10/policy/modules/services/smartmon.te
|
||||
--- nsaserefpolicy/policy/modules/services/smartmon.te 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/smartmon.te 2008-10-06 13:16:57.000000000 -0400
|
||||
@@ -10,6 +10,9 @@
|
||||
type fsdaemon_exec_t;
|
||||
init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
|
||||
@ -24243,7 +24286,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type fsdaemon_var_run_t;
|
||||
files_pid_file(fsdaemon_var_run_t)
|
||||
|
||||
@@ -28,6 +31,7 @@
|
||||
@@ -23,11 +26,12 @@
|
||||
|
||||
allow fsdaemon_t self:capability { setgid sys_rawio sys_admin };
|
||||
dontaudit fsdaemon_t self:capability sys_tty_config;
|
||||
-allow fsdaemon_t self:process signal_perms;
|
||||
+allow fsdaemon_t self:process { signal_perms setfscreate };
|
||||
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
|
||||
allow fsdaemon_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fsdaemon_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow fsdaemon_t self:udp_socket create_socket_perms;
|
||||
@ -24271,6 +24320,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
sysadm_dontaudit_search_home_dirs(fsdaemon_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -95,3 +99,10 @@
|
||||
optional_policy(`
|
||||
udev_read_db(fsdaemon_t)
|
||||
')
|
||||
+
|
||||
+dev_del_entry_generic_dirs(fsdaemon_t)
|
||||
+storage_dev_filetrans_fixed_disk(fsdaemon_t)
|
||||
+storage_manage_fixed_disk(fsdaemon_t)
|
||||
+seutil_read_file_contexts(fsdaemon_t)
|
||||
+selinux_validate_context(fsdaemon_t)
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.10/policy/modules/services/snmp.fc
|
||||
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/snmp.fc 2008-10-03 11:36:44.000000000 -0400
|
||||
@ -26535,7 +26595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.10/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-03 16:06:18.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.if 2008-10-06 12:32:14.000000000 -0400
|
||||
@@ -16,6 +16,7 @@
|
||||
gen_require(`
|
||||
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
|
||||
@ -26665,14 +26725,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- #
|
||||
- # $1_xserver_t Local policy
|
||||
- #
|
||||
-
|
||||
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
+ allow $1_xserver_t xauth_home_t:file { getattr read };
|
||||
|
||||
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
- domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
+ domtrans_pattern($1_xserver_t, xauth_exec_t, xauth_t)
|
||||
+ role $3 types xauth_t;
|
||||
|
||||
- allow $1_xserver_t $1_xauth_home_t:file { getattr read };
|
||||
-
|
||||
- domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
|
||||
allow $1_xserver_t $2:process signal;
|
||||
|
||||
@ -26740,15 +26800,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-
|
||||
- allow $1_xauth_t $1_xauth_home_t:file manage_file_perms;
|
||||
- userdom_user_home_dir_filetrans($1, $1_xauth_t, $1_xauth_home_t,file)
|
||||
-
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
+ allow $2 xauth_t:process signal;
|
||||
|
||||
- manage_dirs_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
||||
- manage_files_pattern($1_xauth_t, $1_xauth_tmp_t, $1_xauth_tmp_t)
|
||||
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
|
||||
-
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
+ allow $2 xauth_t:process signal;
|
||||
|
||||
-
|
||||
- allow $2 $1_xauth_t:process signal;
|
||||
+ allow $2 xauth_home_t:file manage_file_perms;
|
||||
+ allow $2 xauth_home_t:file { relabelfrom relabelto };
|
||||
@ -26772,13 +26832,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
-
|
||||
- # cjp: why?
|
||||
- term_use_ptmx($1_xauth_t)
|
||||
+ ps_process_pattern($2,xauth_t)
|
||||
|
||||
-
|
||||
- auth_use_nsswitch($1_xauth_t)
|
||||
-
|
||||
- libs_use_ld_so($1_xauth_t)
|
||||
- libs_use_shared_libs($1_xauth_t)
|
||||
-
|
||||
+ ps_process_pattern($2,xauth_t)
|
||||
|
||||
- userdom_use_user_terminals($1, $1_xauth_t)
|
||||
- userdom_read_user_tmp_files($1, $1_xauth_t)
|
||||
-
|
||||
@ -26818,7 +26878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ allow $2 iceauth_home_t:file { relabelfrom relabelto };
|
||||
|
||||
- allow xdm_t $1_iceauth_home_t:file read_file_perms;
|
||||
+ allow xdm_t iceauth_home_t:file read_file_perms;
|
||||
+ xserver_use_xdm($2)
|
||||
|
||||
fs_search_auto_mountpoints($1_iceauth_t)
|
||||
|
||||
@ -26879,7 +26939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -643,11 +572,109 @@
|
||||
@@ -643,13 +572,208 @@
|
||||
|
||||
xserver_read_xdm_tmp_files($2)
|
||||
|
||||
@ -26921,8 +26981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ attribute x_domain;
|
||||
+ type $1_xserver_t;
|
||||
+# type $2_input_xevent_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
+ allow $1_xserver_t self:netlink_selinux_socket create_socket_perms;
|
||||
+
|
||||
+# typeattribute $2_input_xevent_t $1_input_xevent_type;
|
||||
@ -26990,13 +27050,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+ allow $1_xserver_t input_xevent_t:x_event send;
|
||||
+ allow $1_xserver_t $1_rootwindow_t:x_drawable send;
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -662,6 +689,103 @@
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Interface to provide X object permissions on a given X server to
|
||||
+## an X client domain. Provides the minimal set required by a basic
|
||||
+## X client application.
|
||||
+## </summary>
|
||||
+## <param name="user">
|
||||
+## <summary>
|
||||
+## The prefix of the X server domain (e.g., user
|
||||
+## is the prefix for user_t).
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Client domain allowed access.
|
||||
@ -27082,21 +27149,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
+
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Interface to provide X object permissions on a given X server to
|
||||
+## an X client domain. Provides the minimal set required by a basic
|
||||
+## X client application.
|
||||
+## </summary>
|
||||
+## <param name="user">
|
||||
+## <summary>
|
||||
+## The prefix of the X server domain (e.g., user
|
||||
+## is the prefix for user_t).
|
||||
+## </summary>
|
||||
+## </param>
|
||||
## <param name="prefix">
|
||||
## <summary>
|
||||
## The prefix of the X client domain (e.g., user
|
||||
#######################################
|
||||
## <summary>
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
@@ -676,7 +800,7 @@
|
||||
#
|
||||
template(`xserver_common_x_domain_template',`
|
||||
@ -27237,13 +27292,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined($3),
|
||||
@@ -879,17 +1007,17 @@
|
||||
@@ -879,24 +1007,17 @@
|
||||
#
|
||||
template(`xserver_user_x_domain_template',`
|
||||
gen_require(`
|
||||
- type xdm_t, xdm_tmp_t;
|
||||
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
|
||||
+ type xdm_t, xdm_tmp_t, xdm_xproperty_t;
|
||||
+ type xdm_xproperty_t;
|
||||
+ type xauth_home_t, iceauth_home_t;
|
||||
')
|
||||
|
||||
@ -27257,12 +27312,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Read .Xauthority file
|
||||
- allow $3 $1_xauth_home_t:file { getattr read };
|
||||
- allow $3 $1_iceauth_home_t:file { getattr read };
|
||||
-
|
||||
- # for when /tmp/.X11-unix is created by the system
|
||||
- allow $3 xdm_t:fd use;
|
||||
- allow $3 xdm_t:fifo_file { getattr read write ioctl };
|
||||
- allow $3 xdm_tmp_t:dir search;
|
||||
- allow $3 xdm_tmp_t:sock_file { read write };
|
||||
- dontaudit $3 xdm_t:tcp_socket { read write };
|
||||
+ allow $3 xauth_home_t:file { getattr read };
|
||||
+ allow $3 iceauth_home_t:file { getattr read };
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $3 xdm_t:fd use;
|
||||
@@ -916,11 +1044,9 @@
|
||||
# Allow connections to X server.
|
||||
files_search_tmp($3)
|
||||
@@ -911,16 +1032,11 @@
|
||||
xserver_rw_session_template($1, $3, $4)
|
||||
xserver_use_user_fonts($1, $3)
|
||||
|
||||
- xserver_read_xdm_tmp_files($3)
|
||||
-
|
||||
# X object manager
|
||||
xserver_common_x_domain_template($1, $2, $3)
|
||||
|
||||
@ -27271,13 +27338,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- allow $3 $1_xserver_t:shm rw_shm_perms;
|
||||
- allow $3 $1_xserver_tmpfs_t:file rw_file_perms;
|
||||
- ')
|
||||
+ allow $3 xdm_t:x_client { getattr destroy };
|
||||
+ allow $3 xdm_t:x_drawable { receive get_property getattr send list_child };
|
||||
+ allow $3 xdm_xproperty_t:x_property { write read };
|
||||
+ xserver_use_xdm($3)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -952,26 +1078,43 @@
|
||||
@@ -952,26 +1068,43 @@
|
||||
#
|
||||
template(`xserver_use_user_fonts',`
|
||||
gen_require(`
|
||||
@ -27328,15 +27394,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -997,10 +1140,77 @@
|
||||
@@ -997,10 +1130,77 @@
|
||||
#
|
||||
template(`xserver_domtrans_user_xauth',`
|
||||
gen_require(`
|
||||
- type $1_xauth_t, xauth_exec_t;
|
||||
+ type xauth_t, xauth_exec_t;
|
||||
')
|
||||
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
+ ')
|
||||
+
|
||||
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
|
||||
+')
|
||||
+
|
||||
@ -27368,8 +27433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+template(`xserver_read_user_xauth',`
|
||||
+ gen_require(`
|
||||
+ type xauth_home_t;
|
||||
+ ')
|
||||
+
|
||||
')
|
||||
|
||||
- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
+ allow $2 xauth_home_t:file { getattr read };
|
||||
+')
|
||||
+
|
||||
@ -27408,7 +27474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1030,10 +1240,10 @@
|
||||
@@ -1030,10 +1230,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -27421,7 +27487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1219,6 +1429,25 @@
|
||||
@@ -1219,6 +1419,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27447,7 +27513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1273,6 +1502,7 @@
|
||||
@@ -1273,6 +1492,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
|
||||
@ -27455,7 +27521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1291,7 +1521,7 @@
|
||||
@@ -1291,7 +1511,7 @@
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
@ -27464,7 +27530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1314,6 +1544,24 @@
|
||||
@@ -1314,6 +1534,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27489,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute the X server in the XDM X server domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1324,15 +1572,47 @@
|
||||
@@ -1324,15 +1562,47 @@
|
||||
#
|
||||
interface(`xserver_domtrans_xdm_xserver',`
|
||||
gen_require(`
|
||||
@ -27538,7 +27604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1482,7 +1762,7 @@
|
||||
@@ -1482,7 +1752,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -27547,7 +27613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1674,6 +1954,26 @@
|
||||
@@ -1674,6 +1944,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27574,7 +27640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## xdm xserver RW shared memory socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1692,6 +1992,24 @@
|
||||
@@ -1692,6 +1982,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -27599,7 +27665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Interface to provide X object permissions on a given X server to
|
||||
## an X client domain. Gives the domain complete control over the
|
||||
## display.
|
||||
@@ -1704,8 +2022,127 @@
|
||||
@@ -1704,8 +2012,157 @@
|
||||
#
|
||||
interface(`xserver_unconfined',`
|
||||
gen_require(`
|
||||
@ -27663,15 +27729,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ gen_require(`
|
||||
+ type fonts_home_t;
|
||||
+ type fonts_config_home_t;
|
||||
')
|
||||
|
||||
- typeattribute $1 xserver_unconfined_type;
|
||||
+ ')
|
||||
+
|
||||
+ manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+ manage_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+ manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
|
||||
+
|
||||
+ manage_files_pattern($1, fonts_config_home_t, fonts_config_home_t)
|
||||
')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
@ -27729,9 +27794,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ dontaudit $1 xdm_home_t:file rw_file_perms;
|
||||
+')
|
||||
+
|
||||
+#######################################
|
||||
+## <summary>
|
||||
+## Interface to provide X object permissions on a given X server to
|
||||
+## an X client domain. Provides the minimal set required by a basic
|
||||
+## X client application.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Client domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`xserver_use_xdm',`
|
||||
+ gen_require(`
|
||||
+ type xdm_t, xdm_tmp_t;
|
||||
')
|
||||
|
||||
- typeattribute $1 xserver_unconfined_type;
|
||||
+ allow $1 xdm_t:fd use;
|
||||
+ allow $1 xdm_t:fifo_file { getattr read write ioctl };
|
||||
+ dontaudit $1 xdm_t:tcp_socket { read write };
|
||||
+
|
||||
+ # Allow connections to X server.
|
||||
+ xserver_stream_connect_xdm($1)
|
||||
+ xserver_read_xdm_tmp_files($1)
|
||||
+ xserver_xdm_stream_connect($1)
|
||||
+
|
||||
+ allow $1 xdm_t:x_client { getattr destroy };
|
||||
+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child };
|
||||
+ allow $1 xdm_xproperty_t:x_property { write read };
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.10/policy/modules/services/xserver.te
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-09-24 09:07:28.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-03 16:06:35.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/xserver.te 2008-10-06 12:03:23.000000000 -0400
|
||||
@@ -8,6 +8,14 @@
|
||||
|
||||
## <desc>
|
||||
@ -28278,7 +28374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ ssh_dontaudit_rw_tcp_sockets(xauth_t)
|
||||
+')
|
||||
+
|
||||
+
|
||||
+allow xdm_t iceauth_home_t:file read_file_perms;
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.5.10/policy/modules/services/zabbix.fc
|
||||
--- nsaserefpolicy/policy/modules/services/zabbix.fc 2008-08-07 11:15:11.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/services/zabbix.fc 2008-10-03 11:36:44.000000000 -0400
|
||||
@ -29538,7 +29634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.10/policy/modules/system/libraries.fc
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-03 11:36:44.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/system/libraries.fc 2008-10-06 12:36:31.000000000 -0400
|
||||
@@ -60,12 +60,15 @@
|
||||
#
|
||||
# /opt
|
||||
@ -29618,7 +29714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
@@ -310,3 +321,13 @@
|
||||
@@ -310,3 +321,15 @@
|
||||
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
|
||||
@ -29632,6 +29728,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/lib/oracle/.*/lib/libnnz10\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
+
|
||||
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.10/policy/modules/system/libraries.te
|
||||
--- nsaserefpolicy/policy/modules/system/libraries.te 2008-08-13 15:24:56.000000000 -0400
|
||||
+++ serefpolicy-3.5.10/policy/modules/system/libraries.te 2008-10-03 11:36:44.000000000 -0400
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.10
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -390,6 +390,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Oct 6 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-3
|
||||
- Fixes for confined xwindows and xdm_t
|
||||
|
||||
* Fri Oct 3 2008 Dan Walsh <dwalsh@redhat.com> 3.5.10-2
|
||||
- Allow confined users and xdm to exec wm
|
||||
- Allow nsplugin to talk to fifo files on nfs
|
||||
|
||||
Loading…
Reference in New Issue
Block a user