- Remove user specific crond_t

2007-11-28 16:56:57 +00:00 · 2007-11-28 16:56:57 +00:00 · 3a54e4809f
parent 965b62cceb
commit 3a54e4809f
2 changed files with 80 additions and 36 deletions
--- a/policy-20071114.patch
+++ b/policy-20071114.patch
@ -1256,7 +1256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.1.2/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te	2007-11-26 16:40:13.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/admin/rpm.te	2007-11-28 10:57:00.000000000 -0500
@@ -139,6 +139,7 @@
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
@ -1287,7 +1287,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 ')
 
 optional_policy(`
-@@ -289,6 +296,7 @@
+@@ -195,6 +202,7 @@
+ 	unconfined_domain(rpm_t)
+ 	# yum-updatesd requires this
+ 	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
+ ')
+ 
+ ifdef(`TODO',`
+@@ -289,6 +297,7 @@
 auth_dontaudit_getattr_shadow(rpm_script_t)
 # ideally we would not need this
 auth_manage_all_files_except_shadow(rpm_script_t)
@ -1295,7 +1303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 
 corecmd_exec_all_executables(rpm_script_t)
 
-@@ -321,6 +329,7 @@
+@@ -321,6 +330,7 @@
 seutil_domtrans_loadpolicy(rpm_script_t)
 seutil_domtrans_setfiles(rpm_script_t)
 seutil_domtrans_semanage(rpm_script_t)
@ -1303,7 +1311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
 
 userdom_use_all_users_fds(rpm_script_t)
 
-@@ -339,10 +348,6 @@
+@@ -339,10 +349,6 @@
 ')
 
 optional_policy(`
@ -2869,7 +2877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(postgrey, tcp,60000,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.2/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-11-14 16:20:13.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc	2007-11-26 16:40:13.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/kernel/devices.fc	2007-11-28 10:30:00.000000000 -0500
@@ -4,6 +4,7 @@
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -2896,18 +2904,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
-@@ -30,7 +34,10 @@
+@@ -30,6 +34,8 @@
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 +/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 +/dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
-+/dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
- /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -114,9 +121,14 @@
+@@ -114,9 +120,14 @@
 /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 
@ -4610,8 +4616,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.1.2/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/services/cron.if	2007-11-26 16:40:13.000000000 -0500
-@@ -35,6 +35,7 @@
+++ serefpolicy-3.1.2/policy/modules/services/cron.if	2007-11-28 08:46:16.000000000 -0500
+@@ -35,38 +35,23 @@
 #
 template(`cron_per_role_template',`
 	gen_require(`
@ -4619,10 +4625,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 		attribute cron_spool_type;
 		type crond_t, cron_spool_t, crontab_exec_t;
 	')
-@@ -44,29 +45,13 @@
+	typealias $1_t alias $1_crond_t;
+ 
+ 	# Type of user crontabs once moved to cron spool.
+ 	type $1_cron_spool_t, cron_spool_type;
 	files_type($1_cron_spool_t)
 
- 	type $1_crond_t;
+-	type $1_crond_t;
 -	domain_type($1_crond_t)
 -	domain_cron_exemption_target($1_crond_t)
 -	corecmd_shell_entry_type($1_crond_t)
@ -4815,7 +4824,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 
 	tunable_policy(`fcron_crond',`
 		# fcron wants an instant update of a crontab change for the administrator
-@@ -438,6 +333,25 @@
+@@ -285,14 +180,12 @@
+ template(`cron_admin_template',`
+ 	gen_require(`
+ 		attribute cron_spool_type;
+-		type $1_crontab_t, $1_crond_t;
+		type $1_crontab_t;
+ 	')
+ 
+ 	# Allow our crontab domain to unlink a user cron spool file.
+ 	allow $1_crontab_t cron_spool_type:file { getattr read unlink };
+ 
+-	logging_read_generic_logs($1_crond_t)
+-
+ 	# Manipulate other users crontab.
+ 	selinux_get_fs_mount($1_crontab_t)
+ 	selinux_validate_context($1_crontab_t)
+@@ -438,6 +331,25 @@
 
 ########################################
 ## <summary>
@ -5054,8 +5079,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ifdef(`TODO',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.1.2/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/services/cups.fc	2007-11-26 16:40:13.000000000 -0500
-@@ -8,17 +8,14 @@
+++ serefpolicy-3.1.2/policy/modules/services/cups.fc	2007-11-28 08:28:27.000000000 -0500
+@@ -8,17 +8,15 @@
 /etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -5068,13 +5093,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 
 /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
 
 -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
 -/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
 
 /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -26,6 +23,11 @@
+@@ -26,6 +24,11 @@
 /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
 /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
@ -5086,7 +5112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +35,7 @@
+@@ -33,7 +36,7 @@
 
 /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -5095,7 +5121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +52,6 @@
+@@ -50,3 +53,6 @@
 /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
 /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
 /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
@ -9312,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.2/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te	2007-11-26 16:40:13.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/services/sendmail.te	2007-11-28 07:25:24.000000000 -0500
@@ -20,19 +20,22 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -9347,7 +9373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,32 @@
+@@ -94,30 +99,33 @@
 miscfiles_read_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
@ -9356,6 +9382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 -
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
@ -9386,7 +9413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 ')
 
 optional_policy(`
-@@ -131,10 +138,18 @@
+@@ -131,10 +139,18 @@
 ')
 
 optional_policy(`
@ -9405,7 +9432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 	udev_read_db(sendmail_t)
 ')
 
-@@ -156,3 +171,15 @@
+@@ -156,3 +172,15 @@
 
 dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 ') dnl end TODO
@ -13007,6 +13034,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc
+--- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.fc	2007-11-28 11:55:44.000000000 -0500
+@@ -52,8 +52,7 @@
+ /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+ /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+ 
+-/var/run/dhclient.*\.pid --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+-/var/run/dhclient.*\.leases --	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhclient.*		--	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+ 
+ ifdef(`distro_gentoo',`
+ /var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.1.2/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-07-16 14:09:49.000000000 -0400
 +++ serefpolicy-3.1.2/policy/modules/system/sysnetwork.if	2007-11-26 16:40:13.000000000 -0500
@ -13484,7 +13524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.1.2/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te	2007-11-26 16:40:13.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/system/unconfined.te	2007-11-28 08:47:02.000000000 -0500
@@ -16,6 +16,10 @@
 
 type unconfined_exec_t;
@ -13545,17 +13585,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	unconfined_domain(httpd_unconfined_script_t)
 ')
 
-@@ -73,6 +87,9 @@
+@@ -71,8 +85,8 @@
+ 
+ optional_policy(`
 	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- 	# this is disallowed usage:
- 	unconfined_domain(unconfined_crond_t)
+-	# this is disallowed usage:
+-	unconfined_domain(unconfined_crond_t)
 +	unconfined_domain(unconfined_crontab_t)
 +	role system_r types unconfined_crontab_t;
-+	rpm_transition_script(unconfined_crond_t)
 ')
 
 optional_policy(`
-@@ -107,6 +124,10 @@
+@@ -107,6 +121,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -13566,7 +13607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -118,11 +139,11 @@
+@@ -118,11 +136,11 @@
 ')
 
 optional_policy(`
@ -13580,7 +13621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,11 +155,7 @@
+@@ -134,11 +152,7 @@
 ')
 
 optional_policy(`
@ -13593,7 +13634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -154,33 +171,20 @@
+@@ -154,33 +168,20 @@
 ')
 
 optional_policy(`
@ -13631,7 +13672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -205,11 +209,22 @@
+@@ -205,11 +206,22 @@
 ')
 
 optional_policy(`
@ -13656,7 +13697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -219,14 +234,26 @@
+@@ -219,14 +231,26 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -13694,7 +13735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.2/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-14 08:17:58.000000000 -0500
-+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if	2007-11-26 22:54:17.000000000 -0500
+++ serefpolicy-3.1.2/policy/modules/system/userdomain.if	2007-11-28 07:19:08.000000000 -0500
@@ -29,8 +29,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.1.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -379,6 +379,9 @@ exit 0
 %endif

 %changelog
+* Wed Nov 28 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-2
+- Remove user specific crond_t
+
 * Mon Nov 19 2007 Dan Walsh <dwalsh@redhat.com> 3.1.2-1
 - Merge with upstream
 - Allow xsever to read hwdata_t