Daniel J Walsh 2008-02-28 21:51:10 +00:00
parent b7229ad8bb
commit 338714fc7f
2 changed files with 141 additions and 92 deletions


@ -2276,7 +2276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.3.1/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/admin/rpm.te 2008-02-28 15:36:54.000000000 -0500
@@ -31,6 +31,9 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
type lvm_control_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-26 21:27:47.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-28 13:12:42.000000000 -0500
@@ -5,6 +5,13 @@
#
# Declarations
@ -6784,7 +6784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
@@ -148,3 +157,27 @@
@@ -148,3 +157,28 @@
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@ -6812,6 +6812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+ unconfined_dontaudit_rw_pipes(domain)
+ unconfined_sigchld(domain)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-29 18:02:31.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-02-26 16:54:46.000000000 -0500
@ -8096,7 +8097,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-27 17:28:38.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-28 16:49:32.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@ -8192,12 +8193,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
@@ -202,12 +233,15 @@
@@ -202,12 +233,16 @@
prelink_object_file(httpd_modules_t)
')
+apache_content_template(user)
+userdom_user_home_content(user,httpd_user_content_t)
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
+
########################################
#
@ -8209,7 +8211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -249,6 +283,7 @@
@@ -249,6 +284,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@ -8217,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -289,6 +324,7 @@
@@ -289,6 +325,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@ -8225,7 +8227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -315,9 +351,7 @@
@@ -315,9 +352,7 @@
auth_use_nsswitch(httpd_t)
@ -8236,7 +8238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
domain_use_interactive_fds(httpd_t)
@@ -335,6 +369,10 @@
@@ -335,6 +370,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@ -8247,7 +8249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
@@ -351,25 +389,38 @@
@@ -351,25 +390,38 @@
userdom_use_unpriv_users_fds(httpd_t)
@ -8291,7 +8293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
@@ -382,6 +433,10 @@
@@ -382,6 +434,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@ -8302,7 +8304,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -399,11 +454,21 @@
@@ -399,11 +455,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@ -8324,7 +8326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -437,8 +502,14 @@
@@ -437,8 +503,14 @@
')
optional_policy(`
@ -8340,7 +8342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
@@ -450,19 +521,13 @@
@@ -450,19 +522,13 @@
')
optional_policy(`
@ -8361,7 +8363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
@@ -472,13 +537,14 @@
@@ -472,13 +538,14 @@
openca_kill(httpd_t)
')
@ -8380,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
optional_policy(`
@@ -486,6 +552,7 @@
@@ -486,6 +553,7 @@
')
optional_policy(`
@ -8388,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -521,6 +588,19 @@
@@ -521,6 +589,19 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@ -8408,7 +8410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
@@ -550,18 +630,24 @@
@@ -550,18 +631,24 @@
fs_search_auto_mountpoints(httpd_php_t)
@ -8436,7 +8438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
@@ -585,6 +671,8 @@
@@ -585,6 +672,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -8445,7 +8447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
@@ -593,9 +681,7 @@
@@ -593,9 +682,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@ -8456,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -628,6 +714,7 @@
@@ -628,6 +715,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@ -8464,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
@@ -638,6 +725,12 @@
@@ -638,6 +726,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@ -8477,7 +8479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
@@ -655,10 +748,6 @@
@@ -655,10 +749,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -8488,7 +8490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache system script local policy
@@ -668,7 +757,8 @@
@@ -668,7 +758,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -8498,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
@@ -682,15 +772,44 @@
@@ -682,15 +773,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -8544,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -700,9 +819,15 @@
@@ -700,9 +820,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
@ -8560,7 +8562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
@@ -724,3 +849,46 @@
@@ -724,3 +850,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@ -11280,7 +11282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.3.1/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.te 2008-02-28 15:30:50.000000000 -0500
@@ -28,6 +28,9 @@
type cvs_var_run_t;
files_pid_file(cvs_var_run_t)
@ -13254,7 +13256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-02-26 08:29:22.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-02-28 15:39:03.000000000 -0500
@@ -18,6 +18,9 @@
type fail2ban_var_run_t;
files_pid_file(fail2ban_var_run_t)
@ -13276,7 +13278,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
kernel_read_system_state(fail2ban_t)
@@ -55,6 +59,8 @@
@@ -47,14 +51,20 @@
files_read_etc_files(fail2ban_t)
files_read_usr_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_search_var_lib(fail2ban_t)
+
+fs_search_inotifyfs(fail2ban_t)
libs_use_ld_so(fail2ban_t)
libs_use_shared_libs(fail2ban_t)
-logging_read_generic_logs(fail2ban_t)
+logging_read_all_logs(fail2ban_t)
miscfiles_read_localization(fail2ban_t)
@ -22702,7 +22717,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-27 23:02:25.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-28 09:30:18.000000000 -0500
@@ -15,6 +15,11 @@
template(`xserver_common_domain_template',`
gen_require(`
@ -23153,7 +23168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -542,25 +539,360 @@
@@ -542,25 +539,364 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -23298,6 +23313,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # everyone can get the input focus of everyone else
+ # this is a fundamental brokenness in the X protocol
+ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab };
+ tunable_policy(`allow_read_x_device',`
+ allow $3 { x_domain x_server_domain }:x_device read;
+ ')
+
+ # everyone can grab the server
+ # everyone does it, it is basically a free DOS attack
+ allow $3 x_server_domain:x_server grab;
@ -23520,7 +23539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -593,26 +925,44 @@
@@ -593,26 +929,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@ -23572,7 +23591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -638,10 +988,77 @@
@@ -638,10 +992,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
@ -23652,7 +23671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -671,10 +1088,10 @@
@@ -671,10 +1092,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@ -23665,7 +23684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -760,7 +1177,7 @@
@@ -760,7 +1181,7 @@
type xconsole_device_t;
')
@ -23674,7 +23693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -860,6 +1277,25 @@
@@ -860,6 +1281,25 @@
########################################
## <summary>
@ -23700,7 +23719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
@@ -914,6 +1350,7 @@
@@ -914,6 +1354,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -23708,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -955,6 +1392,24 @@
@@ -955,6 +1396,24 @@
########################################
## <summary>
@ -23733,7 +23752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
@@ -965,15 +1420,47 @@
@@ -965,15 +1424,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@ -23782,7 +23801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1123,7 +1610,7 @@
@@ -1123,7 +1614,7 @@
type xdm_xserver_tmp_t;
')
@ -23791,7 +23810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1312,3 +1799,108 @@
@@ -1312,3 +1803,108 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -23902,8 +23921,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-27 23:17:59.000000000 -0500
@@ -16,21 +16,79 @@
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-02-28 16:46:06.000000000 -0500
@@ -8,6 +8,14 @@
## <desc>
## <p>
+## Allows X clients to read the x devices (keyboard/mouse)
+## </p>
+## </desc>
+gen_tunable(allow_read_x_device,true)
+
+
+## <desc>
+## <p>
## Allows clients to write to the X server shared
## memory segments.
## </p>
@@ -16,21 +24,79 @@
## <desc>
## <p>
@ -23985,7 +24019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# this is not actually a device, its a pipe
type xconsole_device_t;
@@ -56,6 +114,12 @@
@@ -56,6 +122,12 @@
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@ -23998,7 +24032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
type xdm_tmp_t;
files_tmp_file(xdm_tmp_t)
typealias xdm_tmp_t alias ice_tmp_t;
@@ -78,7 +142,31 @@
@@ -78,7 +150,31 @@
type xserver_log_t;
logging_log_file(xserver_log_t)
@ -24030,7 +24064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
init_system_domain(xdm_xserver_t,xserver_exec_t)
ifdef(`enable_mcs',`
@@ -95,8 +183,9 @@
@@ -95,8 +191,9 @@
# XDM Local policy
#
@ -24042,7 +24076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
@@ -109,6 +198,8 @@
@@ -109,6 +206,8 @@
allow xdm_t self:key { search link write };
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@ -24051,7 +24085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -131,15 +222,22 @@
@@ -131,15 +230,22 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -24075,7 +24109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -153,6 +251,7 @@
@@ -153,6 +259,7 @@
allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@ -24083,7 +24117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
@@ -173,6 +272,8 @@
@@ -173,6 +280,8 @@
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
@ -24092,7 +24126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
@@ -184,6 +285,7 @@
@@ -184,6 +293,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -24100,7 +24134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -196,6 +298,7 @@
@@ -196,6 +306,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -24108,7 +24142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -208,8 +311,8 @@
@@ -208,8 +319,8 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@ -24119,7 +24153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_getattr_power_mgmt_dev(xdm_t)
dev_setattr_power_mgmt_dev(xdm_t)
@@ -226,6 +329,7 @@
@@ -226,6 +337,7 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -24127,7 +24161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
fs_getattr_all_fs(xdm_t)
fs_search_auto_mountpoints(xdm_t)
@@ -245,6 +349,7 @@
@@ -245,6 +357,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -24135,7 +24169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -256,12 +361,11 @@
@@ -256,12 +369,11 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -24149,7 +24183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_dontaudit_search_sysadm_home_dirs(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -270,8 +374,13 @@
@@ -270,8 +382,13 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -24163,7 +24197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
@@ -304,7 +413,11 @@
@@ -304,7 +421,11 @@
')
optional_policy(`
@ -24176,7 +24210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -312,6 +425,23 @@
@@ -312,6 +433,23 @@
')
optional_policy(`
@ -24200,7 +24234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Talk to the console mouse server.
gpm_stream_connect(xdm_t)
gpm_setattr_gpmctl(xdm_t)
@@ -322,6 +452,10 @@
@@ -322,6 +460,10 @@
')
optional_policy(`
@ -24211,7 +24245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
loadkeys_exec(xdm_t)
')
@@ -335,6 +469,11 @@
@@ -335,6 +477,11 @@
')
optional_policy(`
@ -24223,18 +24257,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
seutil_sigchld_newrole(xdm_t)
')
@@ -343,8 +482,9 @@
@@ -343,8 +490,8 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
+ unconfined_domain(xdm_xserver_t)
unconfined_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -380,7 +520,7 @@
@@ -380,7 +527,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -24243,7 +24276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -392,6 +532,15 @@
@@ -392,6 +539,15 @@
can_exec(xdm_xserver_t, xkb_var_lib_t)
files_search_var_lib(xdm_xserver_t)
@ -24259,7 +24292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# VNC v4 module in X server
corenet_tcp_bind_vnc_port(xdm_xserver_t)
@@ -404,9 +553,17 @@
@@ -404,9 +560,17 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_unpriv_users_home_content_files(xdm_xserver_t)
@ -24277,7 +24310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_xserver_t)
fs_manage_nfs_files(xdm_xserver_t)
@@ -420,6 +577,22 @@
@@ -420,6 +584,22 @@
')
optional_policy(`
@ -24300,7 +24333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -429,47 +602,125 @@
@@ -429,47 +609,138 @@
')
optional_policy(`
@ -24309,30 +24342,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ rpm_dontaudit_rw_shm(xdm_xserver_t)
+ rpm_rw_tmpfs_files(xdm_xserver_t)
+')
+
- ifndef(`distro_redhat',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+optional_policy(`
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
+ unconfined_rw_tmpfs_files(xdm_xserver_t)
- ifndef(`distro_redhat',`
- ifdef(`distro_rhel4',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+ # xserver signals unconfined user on startx
+ unconfined_signal(xdm_xserver_t)
+ unconfined_getpgid(xdm_xserver_t)
+')
- ifdef(`distro_rhel4',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
+')
+
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
')
-ifdef(`TODO',`
@ -24356,16 +24380,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
-allow xdm_t polymember:lnk_file { create unlink };
-# xdm needs access for copying .Xauthority into new home
-allow xdm_t polymember:file { create getattr write };
+ifdef(`distro_rhel4',`
+ allow xdm_xserver_t self:process { execheap execmem };
+
+tunable_policy(`allow_xserver_execmem', `
+ allow xdm_xserver_t self:process { execheap execmem execstack };
')
+ifndef(`distro_redhat',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
+
+ifdef(`distro_rhel4',`
+ allow xdm_xserver_t self:process { execheap execmem };
+')
+
+##############################
#
-# Wants to delete .xsession-errors file
+# xauth_t Local policy
#
-allow xdm_t user_home_type:file unlink;
+#
+domtrans_pattern(xdm_xserver_t, xauth_exec_t, xauth_t)
+
+userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)
@ -24412,11 +24444,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+##############################
#
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
-allow xdm_t user_home_type:file unlink;
+# iceauth_t Local policy
#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
-# Should fix exec of pam_timestamp_check is not closing xdm file descriptor
+
+allow iceauth_t user_iceauth_home_t:file manage_file_perms;
+userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)
@ -24440,7 +24471,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+userdom_sysadm_home_dir_filetrans(xauth_t, admin_xauth_home_t, file)
+
+########################################
+#
#
-allow pam_t xdm_t:fifo_file { getattr ioctl write };
-') dnl end TODO
+# Rules for unconfined access to this module
+#
+
@ -24459,6 +24492,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+allow xserver_unconfined_type { x_domain x_server_domain self }:x_resource *;
+allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
+gen_require(`
+ attribute domain;
+')
+
+allow xserver_unconfined_type domain:x_resource *;
+allow xserver_unconfined_type domain:{ x_event x_synthetic_event } *;
+allow xserver_unconfined_type domain:x_drawable *;
+
+
+tunable_policy(`allow_read_x_device',`
+ allow xserver_unconfined_type { x_domain x_server_domain self }:x_device read;
+')
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zabbix.fc serefpolicy-3.3.1/policy/modules/services/zabbix.fc
--- nsaserefpolicy/policy/modules/services/zabbix.fc 2007-04-11 15:52:54.000000000 -0400
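Review bot: `userdom_user_home_dir_filetrans($1,iceauth_t,user_iceauth_home_t,file)` in the iceauth_t local-policy block sits in xserver.te, where `$1` has no enclosing template or interface to bind it; the parallel xauth_t line passes the literal `user` (`userdom_user_home_dir_filetrans(user,xauth_t,user_xauth_home_t,file)`), so this one presumably wants `userdom_user_home_dir_filetrans(user,iceauth_t,user_iceauth_home_t,file)` — this rendering of a patch-of-a-patch loses the outer `+`/`-` column, so confirm which side that line lands on. Separately, `gen_tunable(allow_read_x_device,true)` defaults to letting every X client read the keyboard/mouse x_device of every other client (both the `allow $3 { x_domain x_server_domain }:x_device read;` rule in the xserver.if template and the `xserver_unconfined_type` rule at the end of xserver.te are gated on it); a boolean that broad should default to `false`, or at minimum its `## <desc>` should state that enabling it lets one client observe another client's input. In the xdm_xserver_t section the `tunable_policy(`allow_xserver_execmem', …)`, `ifndef(`distro_redhat', …)` and `ifdef(`distro_rhel4', …)` blocks appear twice, and the first `ifdef(`distro_rhel4',` has no visible closing `')` before the following ifndef, so check the generated xserver.te for balanced m4 quoting and drop the duplicated blocks.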


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -388,6 +388,9 @@ exit 0
%endif
%changelog
* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-7
-
* Wed Feb 27 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-6
- Prepare policy for beta release
- Change some of the system domains back to unconfined