- Allow xserver to search devpts_t

- Dontaudit ldconfig output to homedir
This commit is contained in:
Daniel J Walsh 2007-09-19 17:40:59 +00:00
parent 7ff410d3bc
commit 21c534bcb9
2 changed files with 89 additions and 52 deletions


@ -302,8 +302,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-17 16:20:18.000000000 -0400
@@ -1,4 +1,7 @@
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-19 10:53:23.000000000 -0400
@@ -1,4 +1,8 @@
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@ -311,10 +311,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-17 16:20:18.000000000 -0400
@@ -19,20 +19,24 @@
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400
@@ -14,25 +14,35 @@
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
+type alsa_var_lib_t;
+files_type(alsa_var_lib_t)
+
########################################
#
# Local policy
#
@ -333,6 +342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+
+files_search_home(alsa_t)
files_read_etc_files(alsa_t)
@ -342,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
@@ -43,7 +47,13 @@
@@ -43,7 +53,13 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -5978,8 +5990,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-17 16:20:18.000000000 -0400
@@ -293,6 +293,7 @@
+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-19 13:28:57.000000000 -0400
@@ -155,6 +155,8 @@
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)
+dev_read_raw_memory(hald_t)
+
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
@@ -293,6 +295,7 @@
#
allow hald_acl_t self:capability { dac_override fowner };
@ -9321,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-19 11:59:57.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@ -9331,7 +9352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_mmap_low($1_xserver_t)
@@ -141,7 +143,7 @@
@@ -141,10 +143,11 @@
fs_getattr_xattr_fs($1_xserver_t)
fs_search_nfs($1_xserver_t)
fs_search_auto_mountpoints($1_xserver_t)
@ -9340,7 +9361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
init_getpgid($1_xserver_t)
@@ -353,12 +355,6 @@
+ term_search_ptys($1_xserver_t)
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -353,12 +356,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@ -9353,7 +9378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
@@ -387,6 +383,14 @@
@@ -387,6 +384,14 @@
')
optional_policy(`
@ -9368,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
@@ -537,16 +541,14 @@
@@ -537,16 +542,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
@ -9387,7 +9412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -555,25 +557,46 @@
@@ -555,25 +558,46 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -9443,7 +9468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -626,6 +649,24 @@
@@ -626,6 +650,24 @@
########################################
## <summary>
@ -9468,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -659,6 +700,73 @@
@@ -659,6 +701,73 @@
########################################
## <summary>
@ -9542,7 +9567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -987,6 +1095,37 @@
@@ -987,6 +1096,37 @@
########################################
## <summary>
@ -9580,7 +9605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1136,7 +1275,7 @@
@@ -1136,7 +1276,7 @@
type xdm_xserver_tmp_t;
')
@ -9589,7 +9614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1325,3 +1464,62 @@
@@ -1325,3 +1465,62 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -9654,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-19 11:59:42.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@ -10927,7 +10952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
--- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-19 13:33:20.000000000 -0400
@@ -23,6 +23,9 @@
init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t;
@ -10964,7 +10989,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
files_search_var_lib(ldconfig_t)
files_read_etc_files(ldconfig_t)
files_search_tmp(ldconfig_t)
@@ -96,4 +104,11 @@
@@ -79,6 +87,7 @@
logging_send_syslog_msg(ldconfig_t)
userdom_use_all_users_fds(ldconfig_t)
+userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
ifdef(`hide_broken_symptoms',`
optional_policy(`
@@ -96,4 +105,11 @@
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
rpm_manage_script_tmp_files(ldconfig_t)
@ -12959,7 +12992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-19 13:32:51.000000000 -0400
@@ -45,7 +45,7 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
@ -13699,12 +13732,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -4599,7 +4718,25 @@
########################################
## <summary>
-## Search all users home directories.
+## Search all users home directories.
@@ -4615,6 +4734,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
+########################################
+## <summary>
+## Read all users home directories symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
@ -13712,36 +13746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+## </summary>
+## </param>
+#
+interface(`userdom_search_all_users_home_dirs',`
+interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
+ attribute home_dir_type;
+ ')
+
+ files_list_home($1)
+ allow $1 home_dir_type:dir search_dir_perms;
+')
+########################################
+## <summary>
+## Read all users home directories symlinks.
## </summary>
## <param name="domain">
## <summary>
@@ -4607,13 +4744,13 @@
## </summary>
## </param>
#
-interface(`userdom_search_all_users_home_dirs',`
+interface(`userdom_read_all_users_home_dirs_symlinks',`
gen_require(`
attribute home_dir_type;
')
files_list_home($1)
- allow $1 home_dir_type:dir search_dir_perms;
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
')
+')
########################################
## <summary>
@@ -4633,6 +4770,14 @@
files_list_home($1)
@ -13766,7 +13781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5559,3 +5704,318 @@
@@ -5559,3 +5704,336 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@ -14067,6 +14082,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ allow $1 user_home_type:file execute;
+')
+
+########################################
+## <summary>
+## dontaudit attempts to write to user home dir files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
+ gen_require(`
+ attribute user_home_type;
+ ')
+
+ allow $1 user_home_type:file write;
+')
+
+
+########################################
+## <summary>
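Review bot: The new interface `userdom_dontaudit_write_unpriv_user_home_content_files` grants the access its name and summary say it silences: its body is `allow $1 user_home_type:file write;`, so the new caller in libraries.te, `userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)`, gives ldconfig_t write permission on every user_home_type file instead of suppressing the denial the commit title describes. The line should read `dontaudit $1 user_home_type:file write;`, matching the `## dontaudit attempts to write to user home dir files` summary above it. Because this hunk is a patch inside a patch file, confirm the body against the applied refpolicy tree rather than this rendered view. Separately, `dev_read_raw_memory(hald_t)` in hal.te is a broad grant with no comment explaining which probe needs it; a one-line `# <reason>` above it would help the next reviewer judge whether it can be narrowed.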


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -362,6 +362,10 @@ exit 0
%endif
%changelog
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
- Allow xserver to search devpts_t
- Dontaudit ldconfig output to homedir
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-2
- Remove hplip_etc_t change back to etc_t.