From 21c534bcb92d0c8d506c5ee4bb27d5d6acd9c866 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 19 Sep 2007 17:40:59 +0000 Subject: [PATCH] - Allow xserver to search devpts_t - Dontaudit ldconfig output to homedir --- policy-20070703.patch | 135 ++++++++++++++++++++++++++---------------- selinux-policy.spec | 6 +- 2 files changed, 89 insertions(+), 52 deletions(-) diff --git a/policy-20070703.patch b/policy-20070703.patch index 7696f8fd..aa88f064 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -302,8 +302,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc --- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-29 14:10:59.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-17 16:20:18.000000000 -0400 -@@ -1,4 +1,7 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc 2007-09-19 10:53:23.000000000 -0400 +@@ -1,4 +1,8 @@ /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) 
@@ -311,10 +311,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) +/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) ++/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te --- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-17 16:20:18.000000000 -0400 -@@ -19,20 +19,24 @@ ++++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400 +@@ -14,25 +14,35 @@ + type alsa_etc_rw_t; + files_type(alsa_etc_rw_t) + ++type alsa_var_lib_t; ++files_type(alsa_var_lib_t) ++ + ######################################## + # # Local policy # @@ -333,6 +342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t) ++manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) ++manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t) ++ +files_search_home(alsa_t) files_read_etc_files(alsa_t) @@ -342,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te libs_use_ld_so(alsa_t) libs_use_shared_libs(alsa_t) -@@ -43,7 +47,13 @@ +@@ -43,7 +53,13 @@ userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) 
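Review bot: The new `manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)` and `manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)` lines in the alsa.te hunk (@@ -333) cover the contents of /var/lib/alsa but not traversal of the parent /var/lib (var_lib_t), so unless alsa.te already calls `files_search_var_lib(alsa_t)` somewhere outside this hunk, alsa_t will still be denied at the parent directory before it reaches the newly labeled tree. If that call is absent, add `files_search_var_lib(alsa_t)` next to the `files_search_home(alsa_t)` this same hunk introduces. The new `/var/lib/alsa(/.*)?` file context in alsa.fc and the `alsa_var_lib_t` type declaration look consistent with each other; the enclosing alsa_t policy block starts and ends outside the hunks shown here.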
@@ -5978,8 +5990,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. /var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2007-09-12 10:34:50.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-17 16:20:18.000000000 -0400 -@@ -293,6 +293,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2007-09-19 13:28:57.000000000 -0400 +@@ -155,6 +155,8 @@ + selinux_compute_relabel_context(hald_t) + selinux_compute_user_contexts(hald_t) + ++dev_read_raw_memory(hald_t) ++ + storage_raw_read_removable_device(hald_t) + storage_raw_write_removable_device(hald_t) + storage_raw_read_fixed_disk(hald_t) +@@ -293,6 +295,7 @@ # allow hald_acl_t self:capability { dac_override fowner }; @@ -9321,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-19 11:59:57.000000000 -0400 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) @@ -9331,7 +9352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_mmap_low($1_xserver_t) -@@ -141,7 +143,7 @@ +@@ -141,10 +143,11 @@ fs_getattr_xattr_fs($1_xserver_t) fs_search_nfs($1_xserver_t) fs_search_auto_mountpoints($1_xserver_t) 
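Review bot: `dev_read_raw_memory(hald_t)` in the hal.te hunk (@@ -155) lets the hald daemon read the raw memory devices (/dev/mem, /dev/kmem), which exposes all physical and kernel memory to a long-running system daemon, and neither the commit message nor the hunk says why it is needed. If the access is for a BIOS/VBE probing helper (not visible here, so unconfirmed), confining that helper in its own domain and granting the access there would keep hald_t itself without raw-memory read. At minimum the line should carry a why-comment such as `# raw /dev/mem read needed for <helper>; keep scoped to hald_t only -- confirm` so the next reviewer can tell whether it can be narrowed. The hald_t block this hunk patches starts and ends outside the hunk.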
@@ -9340,7 +9361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser init_getpgid($1_xserver_t) -@@ -353,12 +355,6 @@ ++ term_search_ptys($1_xserver_t) + term_setattr_unallocated_ttys($1_xserver_t) + term_use_unallocated_ttys($1_xserver_t) + +@@ -353,12 +356,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -9353,7 +9378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +383,14 @@ +@@ -387,6 +384,14 @@ ') optional_policy(` @@ -9368,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -537,16 +541,14 @@ +@@ -537,16 +542,14 @@ gen_require(` type xdm_t, xdm_tmp_t; @@ -9387,7 +9412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +557,46 @@ +@@ -555,25 +558,46 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -9443,7 +9468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +649,24 @@ +@@ -626,6 +650,24 @@ ######################################## ## @@ -9468,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +700,73 @@ +@@ -659,6 +701,73 @@ ######################################## ## @@ -9542,7 +9567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -987,6 +1095,37 @@ +@@ -987,6 +1096,37 @@ ######################################## ## 
@@ -9580,7 +9605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1275,7 @@ +@@ -1136,7 +1276,7 @@ type xdm_xserver_tmp_t; ') @@ -9589,7 +9614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1464,62 @@ +@@ -1325,3 +1465,62 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -9654,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-19 11:59:42.000000000 -0400 @@ -16,6 +16,13 @@ ## @@ -10927,7 +10952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2007-08-02 08:17:28.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.te 2007-09-19 13:33:20.000000000 -0400 @@ -23,6 +23,9 @@ init_system_domain(ldconfig_t,ldconfig_exec_t) role system_r types ldconfig_t; 
@@ -10964,7 +10989,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_search_tmp(ldconfig_t) -@@ -96,4 +104,11 @@ +@@ -79,6 +87,7 @@ + logging_send_syslog_msg(ldconfig_t) + + userdom_use_all_users_fds(ldconfig_t) ++userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t) + + ifdef(`hide_broken_symptoms',` + optional_policy(` +@@ -96,4 +105,11 @@ # and executes ldconfig on it. If you dont allow this kernel installs # blow up. rpm_manage_script_tmp_files(ldconfig_t) @@ -12959,7 +12992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-19 13:32:51.000000000 -0400 @@ -45,7 +45,7 @@ type $1_tty_device_t; term_user_tty($1_t,$1_tty_device_t) @@ -13699,12 +13732,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4599,7 +4718,25 @@ - - ######################################## - ## --## Search all users home directories. -+## Search all users home directories. +@@ -4615,6 +4734,24 @@ + files_list_home($1) + allow $1 home_dir_type:dir search_dir_perms; + ') ++######################################## ++## ++## Read all users home directories symlinks. +## +## +## 
@@ -13712,36 +13746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_search_all_users_home_dirs',` ++interface(`userdom_read_all_users_home_dirs_symlinks',` + gen_require(` + attribute home_dir_type; + ') + + files_list_home($1) -+ allow $1 home_dir_type:dir search_dir_perms; -+') -+######################################## -+## -+## Read all users home directories symlinks. - ## - ## - ## -@@ -4607,13 +4744,13 @@ - ## - ## - # --interface(`userdom_search_all_users_home_dirs',` -+interface(`userdom_read_all_users_home_dirs_symlinks',` - gen_require(` - attribute home_dir_type; - ') - - files_list_home($1) -- allow $1 home_dir_type:dir search_dir_perms; + allow $1 home_dir_type:lnk_file read_lnk_file_perms; - ') ++') ######################################## + ## @@ -4633,6 +4770,14 @@ files_list_home($1) @@ -13766,7 +13781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5704,318 @@ +@@ -5559,3 +5704,336 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -14067,6 +14082,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + allow $1 user_home_type:file execute; +') + ++######################################## ++## ++## dontaudit attempts to write to user home dir files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dontaudit_write_unpriv_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file write; ++') ++ + +######################################## +## diff --git a/selinux-policy.spec b/selinux-policy.spec index c01b0367..c2bea8ec 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
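Review bot: The new interface `userdom_dontaudit_write_unpriv_user_home_content_files` in the last hunk (userdomain.if, @@ -14067) is named and documented as a dontaudit, but its body is `allow $1 user_home_type:file write;`, which grants the caller write access to every unprivileged user's home content files instead of silencing the denial. Because this patch also calls it for ldconfig_t in libraries.te, ldconfig gains write access to all user home files, the opposite of the changelog entry "Dontaudit ldconfig output to homedir". The body should read `dontaudit $1 user_home_type:file write;`. The parameter description should likewise say `Domain to not audit.` rather than "Domain allowed access.", matching the other dontaudit interfaces in this file.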
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -362,6 +362,10 @@ exit 0 %endif %changelog +* Wed Sep 19 2007 Dan Walsh 3.0.8-3 +- Allow xserver to search devpts_t +- Dontaudit ldconfig output to homedir + * Tue Sep 18 2007 Dan Walsh 3.0.8-2 - Remove hplip_etc_t change back to etc_t.