- Allow xserver to search devpts_t

- Dontaudit ldconfig output to homedir
2007-09-19 17:40:59 +00:00 · 2007-09-19 17:40:59 +00:00 · 21c534bcb9
parent 7ff410d3bc
commit 21c534bcb9
2 changed files with 89 additions and 52 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -302,8 +302,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.0.8/policy/modules/admin/alsa.fc
 --- nsaserefpolicy/policy/modules/admin/alsa.fc	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.fc	2007-09-19 10:53:23.000000000 -0400
-@@ -1,4 +1,7 @@
+@@ -1,4 +1,8 @@
 /etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
 +/etc/asound(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@ -311,10 +311,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 +/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-19 10:54:14.000000000 -0400
-@@ -19,20 +19,24 @@
+@@ -14,25 +14,35 @@
 type alsa_etc_rw_t;
 files_type(alsa_etc_rw_t)
 +type alsa_var_lib_t;
 +files_type(alsa_var_lib_t)
 +
 ########################################
 #
 # Local policy
 #
@ -333,6 +342,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 +manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
 +manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
 +
 +files_search_home(alsa_t)
 files_read_etc_files(alsa_t)
@ -342,7 +354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
-@@ -43,7 +47,13 @@
+@@ -43,7 +53,13 @@
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -5978,8 +5990,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-09-19 13:28:57.000000000 -0400
-@@ -293,6 +293,7 @@
+@@ -155,6 +155,8 @@
 selinux_compute_relabel_context(hald_t)
 selinux_compute_user_contexts(hald_t)
 +dev_read_raw_memory(hald_t)
 +
 storage_raw_read_removable_device(hald_t)
 storage_raw_write_removable_device(hald_t)
 storage_raw_read_fixed_disk(hald_t)
@@ -293,6 +295,7 @@
 #
 allow hald_acl_t self:capability { dac_override fowner };
@ -9321,7 +9342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-09-19 11:59:57.000000000 -0400
@@ -126,6 +126,8 @@
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
@ -9331,7 +9352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	domain_mmap_low($1_xserver_t)
-@@ -141,7 +143,7 @@
+@@ -141,10 +143,11 @@
 	fs_getattr_xattr_fs($1_xserver_t)
 	fs_search_nfs($1_xserver_t)
 	fs_search_auto_mountpoints($1_xserver_t)
@ -9340,7 +9361,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	init_getpgid($1_xserver_t)
-@@ -353,12 +355,6 @@
+	term_search_ptys($1_xserver_t)
 	term_setattr_unallocated_ttys($1_xserver_t)
 	term_use_unallocated_ttys($1_xserver_t)
@@ -353,12 +356,6 @@
 	# allow ps to show xauth
 	ps_process_pattern($2,$1_xauth_t)
@ -9353,7 +9378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	domain_use_interactive_fds($1_xauth_t)
 	files_read_etc_files($1_xauth_t)
-@@ -387,6 +383,14 @@
+@@ -387,6 +384,14 @@
 	')
 	optional_policy(`
@ -9368,7 +9393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 		nis_use_ypbind($1_xauth_t)
 	')
-@@ -537,16 +541,14 @@
+@@ -537,16 +542,14 @@
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
@ -9387,7 +9412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	# for when /tmp/.X11-unix is created by the system
 	allow $2 xdm_t:fd use;
-@@ -555,25 +557,46 @@
+@@ -555,25 +558,46 @@
 	allow $2 xdm_tmp_t:sock_file { read write };
 	dontaudit $2 xdm_t:tcp_socket { read write };
@ -9443,7 +9468,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	')
 ')
-@@ -626,6 +649,24 @@
+@@ -626,6 +650,24 @@
 ########################################
 ## <summary>
@ -9468,7 +9493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -659,6 +700,73 @@
+@@ -659,6 +701,73 @@
 ########################################
 ## <summary>
@ -9542,7 +9567,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -987,6 +1095,37 @@
+@@ -987,6 +1096,37 @@
 ########################################
 ## <summary>
@ -9580,7 +9605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Make an X session script an entrypoint for the specified domain.
 ## </summary>
 ## <param name="domain">
-@@ -1136,7 +1275,7 @@
+@@ -1136,7 +1276,7 @@
 		type xdm_xserver_tmp_t;
 	')
@ -9589,7 +9614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 ########################################
-@@ -1325,3 +1464,62 @@
+@@ -1325,3 +1465,62 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -9654,7 +9679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-19 11:59:42.000000000 -0400
@@ -16,6 +16,13 @@
 ## <desc>
@ -10927,7 +10952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/usr/lib/libFLAC\.so.* 	  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2007-09-19 13:33:20.000000000 -0400
@@ -23,6 +23,9 @@
 init_system_domain(ldconfig_t,ldconfig_exec_t)
 role system_r types ldconfig_t;
@ -10964,7 +10989,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 files_search_var_lib(ldconfig_t)
 files_read_etc_files(ldconfig_t)
 files_search_tmp(ldconfig_t)
-@@ -96,4 +104,11 @@
+@@ -79,6 +87,7 @@
 logging_send_syslog_msg(ldconfig_t)
 userdom_use_all_users_fds(ldconfig_t)
 +userdom_dontaudit_write_unpriv_user_home_content_files(ldconfig_t)
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
@@ -96,4 +105,11 @@
 	# and executes ldconfig on it.  If you dont allow this kernel installs 
 	# blow up.
 	rpm_manage_script_tmp_files(ldconfig_t)
@ -12959,7 +12992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-19 13:32:51.000000000 -0400
@@ -45,7 +45,7 @@
 	type $1_tty_device_t; 
 	term_user_tty($1_t,$1_tty_device_t)
@ -13699,12 +13732,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4599,7 +4718,25 @@
+@@ -4615,6 +4734,24 @@
- 
+ 	files_list_home($1)
- ########################################
+ 	allow $1 home_dir_type:dir search_dir_perms;
- ## <summary>
+ ')
-##	Search all users home directories.
+########################################
-+##	Search all users home directories.
+## <summary>
 +##	Read all users home directories symlinks.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -13712,36 +13746,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_search_all_users_home_dirs',`
+interface(`userdom_read_all_users_home_dirs_symlinks',`
 +	gen_require(`
 +		attribute home_dir_type;
 +	')
 +
 +	files_list_home($1)
 +	allow $1 home_dir_type:dir search_dir_perms;
 +')
 +########################################
 +## <summary>
 +##	Read all users home directories symlinks.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -4607,13 +4744,13 @@
 ##	</summary>
 ## </param>
 #
 -interface(`userdom_search_all_users_home_dirs',`
 +interface(`userdom_read_all_users_home_dirs_symlinks',`
 	gen_require(`
 		attribute home_dir_type;
 	')
 	files_list_home($1)
 -	allow $1 home_dir_type:dir search_dir_perms;
 +	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
- ')
+')
 ########################################
 ## <summary>
@@ -4633,6 +4770,14 @@
 	files_list_home($1)
@ -13766,7 +13781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5559,3 +5704,318 @@
+@@ -5559,3 +5704,336 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -14067,6 +14082,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	allow $1 user_home_type:file execute;
 +')
 +
 +########################################
 +## <summary>
 +##	dontaudit attempts to write to user home dir files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_dontaudit_write_unpriv_user_home_content_files',`
 +	gen_require(`
 +		attribute user_home_type;
 +	')
 +
 +	allow $1 user_home_type:file write;
 +')
 +
 +
 +########################################
 +## <summary>
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,10 @@ exit 0
 %endif
 %changelog
 * Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
 - Allow xserver to search devpts_t
 - Dontaudit ldconfig output to homedir
 * Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-2
 - Remove hplip_etc_t change back to etc_t.