- Fixes for reading xserver_tmp_t

2009-01-13 16:22:47 +00:00 · 2009-01-13 16:22:47 +00:00 · 339bf3bba8
parent 87fb15321a
commit 339bf3bba8
3 changed files with 113 additions and 28644 deletions
--- a/policy-20081111.patch
+++ b/policy-20081111.patch
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -388,7 +388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow consoletype_t self:fifo_file rw_fifo_file_perms;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.2/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te	2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/admin/kismet.te	2009-01-13 09:46:00.000000000 -0500
@@ -25,11 +25,14 @@
 # kismet local policy
 #
@ -406,7 +406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
 allow kismet_t kismet_log_t:dir setattr;
-@@ -47,6 +50,15 @@
+@@ -47,9 +50,19 @@
 
 corecmd_exec_bin(kismet_t)
 
@ -422,6 +422,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 auth_use_nsswitch(kismet_t)
 
 files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
+ 
+ miscfiles_read_localization(kismet_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.2/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-01-05 15:39:44.000000000 -0500
 +++ serefpolicy-3.6.2/policy/modules/admin/logrotate.te	2009-01-05 17:54:58.000000000 -0500
@ -1710,7 +1714,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.2/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if	2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.if	2009-01-12 14:03:31.000000000 -0500
@@ -30,7 +30,7 @@
 
 	# allow ps to show gpg
@ -1720,7 +1724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# communicate with the user 
 	allow gpg_helper_t $2:fd use;
-@@ -46,9 +46,17 @@
+@@ -46,9 +46,16 @@
 	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
 	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
 	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
@ -1735,13 +1739,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
 +	dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
 +
-+	userdom_manage_user_home_content_files(gpg_t)
 ')
 
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.2/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te	2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/gpg.te	2009-01-12 14:04:38.000000000 -0500
@@ -60,7 +60,7 @@
 
 allow gpg_t self:capability { ipc_lock setuid };
@ -1819,10 +1822,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -157,6 +162,17 @@
+@@ -157,6 +162,19 @@
 	xserver_rw_xdm_pipes(gpg_t)
 ')
 
+userdom_manage_user_tmp_files(gpg_t)
+userdom_manage_user_home_content_files(gpg_t)
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_manage_nfs_dirs(gpg_t)
@ -3477,7 +3482,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.2/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te	2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/apps/qemu.te	2009-01-13 10:44:38.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -3487,7 +3492,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <desc>
 ## <p>
 ## Allow qemu to connect fully to the network
-@@ -13,16 +15,105 @@
+@@ -13,16 +15,107 @@
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
@ -3565,6 +3570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +term_use_all_terms(qemutype)
 +term_getattr_pty_fs(qemutype)
+term_use_generic_ptys(qemutype)
+term_use_ptmx(qemutype)
 +
 +auth_use_nsswitch(qemutype)
 +
@ -3593,7 +3600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`qemu_full_network',`
 	allow qemu_t self:udp_socket create_socket_perms;
 
-@@ -35,6 +126,38 @@
+@@ -35,6 +128,38 @@
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
@ -5048,7 +5055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.2/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/kernel/files.if	2009-01-05 17:54:58.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/files.if	2009-01-13 09:30:48.000000000 -0500
@@ -110,6 +110,11 @@
 ## </param>
 #
@ -6060,7 +6067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/root		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.2/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if	2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/kernel/terminal.if	2009-01-13 09:31:44.000000000 -0500
@@ -250,9 +250,11 @@
 interface(`term_dontaudit_use_console',`
 	gen_require(`
@ -8295,7 +8302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.2/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-11-11 16:13:46.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/services/apache.te	2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/apache.te	2009-01-13 09:27:31.000000000 -0500
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -19161,7 +19168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.2/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if	2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/sendmail.if	2009-01-13 09:34:43.000000000 -0500
@@ -149,3 +149,92 @@
 
 	logging_log_filetrans($1, sendmail_log_t, file)
@ -20483,6 +20490,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_search_home(stunnel_t)
 
 	optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.2/policy/modules/services/sysstat.te
+--- nsaserefpolicy/policy/modules/services/sysstat.te	2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/sysstat.te	2009-01-12 15:45:05.000000000 -0500
+@@ -26,6 +26,7 @@
+ can_exec(sysstat_t, sysstat_exec_t)
+ 
+ manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+read_lnk_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+ logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
+ 
+ # get info from /proc
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.6.2/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.2/policy/modules/services/telnet.te	2009-01-05 17:54:59.000000000 -0500
@ -20709,6 +20727,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +miscfiles_read_localization(ulogd_t)
 +
 +permissive ulogd_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.fc serefpolicy-3.6.2/policy/modules/services/uucp.fc
+--- nsaserefpolicy/policy/modules/services/uucp.fc	2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.2/policy/modules/services/uucp.fc	2009-01-13 09:34:09.000000000 -0500
+@@ -7,3 +7,5 @@
+ /var/spool/uucppublic(/.*)?	gen_context(system_u:object_r:uucpd_spool_t,s0)
+ 
+ /var/log/uucp(/.*)?		gen_context(system_u:object_r:uucpd_log_t,s0)
+
+/var/lock/uucp(/.*)?		gen_context(system_u:object_r:uucpd_lock_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.2/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te	2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/uucp.te	2009-01-13 09:35:13.000000000 -0500
+@@ -10,6 +10,9 @@
+ inetd_tcp_service_domain(uucpd_t, uucpd_exec_t)
+ role system_r types uucpd_t;
+ 
+type uucpd_lock_t;
+files_lock_file(uucpd_lock_t)
+
+ type uucpd_tmp_t;
+ files_tmp_file(uucpd_tmp_t)
+ 
+@@ -58,6 +61,10 @@
+ 
+ uucp_manage_spool(uucpd_t)
+ 
+files_search_locks(uucpd_t)
+manage_dirs_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+manage_files_pattern(uucpd_t, uucpd_lock_t, uucpd_lock_t)
+
+ manage_dirs_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+ manage_files_pattern(uucpd_t, uucpd_tmp_t, uucpd_tmp_t)
+ files_tmp_filetrans(uucpd_t, uucpd_tmp_t, { file dir })
+@@ -122,6 +129,7 @@
+ optional_policy(`
+ 	mta_send_mail(uux_t)
+ 	mta_read_queue(uux_t)
+	sendmail_rw_unix_stream_sockets(uux_t)
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.2/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.2/policy/modules/services/virt.te	2009-01-05 17:54:59.000000000 -0500
@ -20842,7 +20901,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.2/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/services/xserver.if	2009-01-05 17:54:59.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/services/xserver.if	2009-01-12 14:24:38.000000000 -0500
+@@ -156,7 +156,7 @@
+ 	allow $1 xserver_t:process signal;
+ 
+ 	# Read /tmp/.X0-lock
+-	allow $1 xserver_tmp_t:file { getattr read };
+	allow $1 xserver_tmp_t:file read_file_perms;
+ 
+ 	# Client read xserver shm
+ 	allow $1 xserver_t:fd use;
+@@ -219,12 +219,12 @@
+ 	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
+ 
+ 	# Read .Xauthority file
+-	allow $1 xauth_home_t:file { getattr read };
+-	allow $1 iceauth_home_t:file { getattr read };
+	allow $1 xauth_home_t:file read_file_perms;
+	allow $1 iceauth_home_t:file read_file_perms;
+ 
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $1 xdm_t:fd use;
+-	allow $1 xdm_t:fifo_file { getattr read write ioctl };
+	allow $1 xdm_t:fifo_file rw_fifo_file_perms;
+ 	allow $1 xdm_tmp_t:dir search;
+ 	allow $1 xdm_tmp_t:sock_file { read write };
+ 	dontaudit $1 xdm_t:tcp_socket { read write };
@@ -397,11 +397,12 @@
 	gen_require(`
 		type xdm_t, xdm_tmp_t;
@ -20859,6 +20943,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Read .Xauthority file
 	allow $2 xauth_home_t:file read_file_perms;
+@@ -409,7 +410,7 @@
+ 
+ 	# for when /tmp/.X11-unix is created by the system
+ 	allow $2 xdm_t:fd use;
+-	allow $2 xdm_t:fifo_file { getattr read write ioctl };
+	allow $2 xdm_t:fifo_file rw_fifo_file_perms;
+ 	allow $2 xdm_tmp_t:dir search_dir_perms;
+ 	allow $2 xdm_tmp_t:sock_file { read write };
+ 	dontaudit $2 xdm_t:tcp_socket { read write };
@@ -437,6 +438,10 @@
 		allow $2 xserver_t:shm rw_shm_perms;
 		allow $2 xserver_tmpfs_t:file rw_file_perms;
@ -25884,7 +25977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if	2009-01-06 10:53:21.000000000 -0500
+++ serefpolicy-3.6.2/policy/modules/system/userdomain.if	2009-01-12 14:04:30.000000000 -0500
@@ -30,8 +30,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -445,6 +445,9 @@ exit 0
 %endif

 %changelog
+* Mon Jan 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-4
+- Fixes for reading xserver_tmp_t
+
 * Thu Jan 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.2-3
 - Allow cups_pdf_t write to nfs_t