- Allow seunshare to fowner

2010-08-25 09:45:26 -04:00 · 2010-08-25 09:45:26 -04:00 · 370d04ed3c
commit 370d04ed3c
parent cc138e86b5
2 changed files with 70 additions and 40 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -6211,8 +6211,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-23 08:34:27.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if	2010-08-25 09:14:51.000000000 -0400
-@@ -0,0 +1,333 @@
+@@ -0,0 +1,334 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@ -6250,6 +6250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	allow $1 sandbox_x_domain:process { signal_perms transition };
 +	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
 +	allow sandbox_x_domain $1:process { sigchld signull };
 +	dontaudit sandbox_domain $1:process signal;
 +	role $2 types sandbox_x_domain;
 +	role $2 types sandbox_xserver_t;
 +	allow $1 sandbox_xserver_t:process signal_perms;
@ -7007,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-08-11 08:01:44.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te	2010-08-25 09:09:14.000000000 -0400
@@ -5,40 +5,45 @@
 # Declarations
 #
@ -7022,7 +7023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 #
 # seunshare local policy
 #
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
 +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@ -7283,8 +7284,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
 --- nsaserefpolicy/policy/modules/apps/telepathy.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-08-19 05:59:57.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te	2010-08-25 09:41:04.000000000 -0400
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,313 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@ -7335,9 +7336,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +
 +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
 +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
-+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
 +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
 +
 +corenet_sendrecv_http_client_packets(telepathy_msn_t)
 +corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
@ -10143,7 +10146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-08-19 06:52:30.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/roles/staff.te	2010-08-24 23:01:42.000000000 -0400
@@ -8,25 +8,60 @@
 role staff_r;
@ -10158,10 +10161,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 # Local policy
 #
-+kernel_read_ring_buffer(staff_t)
+kernel_read_ring_buffer(staff_usertype)
-+kernel_getattr_core_if(staff_t)
+kernel_getattr_core_if(staff_usertype)
-+kernel_getattr_message_if(staff_t)
+kernel_getattr_message_if(staff_usertype)
-+kernel_read_software_raid_state(staff_t)
+kernel_read_software_raid_state(staff_usertype)
 +
 +auth_domtrans_pam_console(staff_t)
 +
@ -21138,7 +21141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nut.te	2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/nut.te	2010-08-25 09:16:11.000000000 -0400
@@ -41,7 +41,7 @@
 manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
 manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
@ -21148,7 +21151,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
 kernel_read_kernel_sysctls(nut_upsd_t)
-@@ -103,6 +103,10 @@
+@@ -65,6 +65,7 @@
 allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
 allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
 allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
 +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
 allow nut_upsmon_t self:tcp_socket create_socket_perms;
 read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
@@ -103,6 +104,10 @@
 mta_send_mail(nut_upsmon_t)
@ -22382,8 +22393,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.if	2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/postfix.if	2010-08-25 09:35:31.000000000 -0400
-@@ -376,6 +376,25 @@
+@@ -77,6 +77,7 @@
 	files_read_etc_files(postfix_$1_t)
 	files_read_etc_runtime_files(postfix_$1_t)
 +	files_read_usr_files(postfix_$1_t)
 	files_read_usr_symlinks(postfix_$1_t)
 	files_search_spool(postfix_$1_t)
 	files_getattr_tmp_dirs(postfix_$1_t)
@@ -376,6 +377,25 @@
 	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
 ')
@ -22409,7 +22428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ########################################
 ## <summary>
 ##	Execute the master postfix program in the
-@@ -529,6 +548,25 @@
+@@ -529,6 +549,25 @@
 ########################################
 ## <summary>
@ -22435,7 +22454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ##	Search postfix mail spool directories.
 ## </summary>
 ## <param name="domain">
-@@ -539,10 +577,10 @@
+@@ -539,10 +578,10 @@
 #
 interface(`postfix_search_spool',`
 	gen_require(`
@ -22448,7 +22467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	files_search_spool($1)
 ')
-@@ -558,10 +596,10 @@
+@@ -558,10 +597,10 @@
 #
 interface(`postfix_list_spool',`
 	gen_require(`
@ -22461,7 +22480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 	files_search_spool($1)
 ')
-@@ -577,11 +615,11 @@
+@@ -577,11 +616,11 @@
 #
 interface(`postfix_read_spool_files',`
 	gen_require(`
@ -22475,7 +22494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ')
 ########################################
-@@ -596,11 +634,11 @@
+@@ -596,11 +635,11 @@
 #
 interface(`postfix_manage_spool_files',`
 	gen_require(`
@ -22489,7 +22508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 ')
 ########################################
-@@ -621,3 +659,101 @@
+@@ -621,3 +660,101 @@
 	typeattribute $1 postfix_user_domtrans;
 ')
@ -22593,7 +22612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-08-23 14:01:01.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/postfix.te	2010-08-25 09:35:15.000000000 -0400
@@ -5,6 +5,15 @@
 # Declarations
 #
@ -30372,7 +30391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
 # /var
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.if	2010-07-30 14:06:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.if	2010-08-25 07:50:48.000000000 -0400
@@ -105,7 +105,11 @@
 	role system_r types $1;
@ -35089,7 +35108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te	2010-07-30 14:45:35.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te	2010-08-25 07:51:06.000000000 -0400
@@ -5,6 +5,13 @@
 # Declarations
 #
@ -35150,7 +35169,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 domain_use_interactive_fds(dhcpc_t)
 domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -155,6 +173,10 @@
+@@ -130,6 +148,7 @@
 term_dontaudit_use_generic_ptys(dhcpc_t)
 init_rw_utmp(dhcpc_t)
 +init_stream_connect(dhcpc_t)
 logging_send_syslog_msg(dhcpc_t)
@@ -155,6 +174,10 @@
 ')
 optional_policy(`
@ -35161,7 +35188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 	init_dbus_chat_script(dhcpc_t)
 	dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +193,8 @@
+@@ -171,6 +194,8 @@
 optional_policy(`
 	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@ -35170,7 +35197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 optional_policy(`
-@@ -192,6 +216,13 @@
+@@ -192,6 +217,13 @@
 ')
 optional_policy(`
@ -35184,7 +35211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 	nis_read_ypbind_pid(dhcpc_t)
 ')
-@@ -213,6 +244,7 @@
+@@ -213,6 +245,7 @@
 optional_policy(`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
@ -35192,7 +35219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 optional_policy(`
-@@ -276,8 +308,11 @@
+@@ -276,8 +309,11 @@
 domain_use_interactive_fds(ifconfig_t)
@ -35204,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 fs_getattr_xattr_fs(ifconfig_t)
 fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +340,8 @@
+@@ -305,6 +341,8 @@
 seutil_use_runinit_fds(ifconfig_t)
@ -35213,7 +35240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
-@@ -314,6 +351,10 @@
+@@ -314,6 +352,10 @@
 	')
 ')
@ -35224,7 +35251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ifdef(`hide_broken_symptoms',`
 	optional_policy(`
 		dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -327,6 +368,8 @@
+@@ -327,6 +369,8 @@
 optional_policy(`
 	hal_dontaudit_rw_pipes(ifconfig_t)
 	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@ -35233,7 +35260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 ')
 optional_policy(`
-@@ -334,6 +377,10 @@
+@@ -334,6 +378,10 @@
 ')
 optional_policy(`
@ -35244,7 +35271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 	nis_use_ypbind(ifconfig_t)
 ')
-@@ -355,3 +402,9 @@
+@@ -355,3 +403,9 @@
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
@ -36150,7 +36177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-08-19 07:42:28.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if	2010-08-25 09:41:50.000000000 -0400
@@ -30,8 +30,9 @@
 	')
@ -38391,7 +38418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
-+##	Dontaudit search user temporary directories.
+##	Dontaudit attempt to set attributes on  user temporary directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -38399,12 +38426,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaduit_search_user_tmp',`
+interface(`userdom_dontaudit_setattr_user_tmp',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:dir search_dir_perms;
+	dontaudit $1 user_tmp_t:dir setattr;
 +')
 +
 +########################################
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.8
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,9 @@ exit 0
 %endif
 %changelog
 * Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-21
 - Allow seunshare to fowner
 * Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-20
 - Allow cron to look at user_cron_spool links
 - Lots of fixes for mozilla_plugin_t