- Allow xserver to be started by unconfined process and talk to tty

2007-08-24 14:20:35 +00:00 · 2007-08-24 14:20:35 +00:00 · 3b13a834c7
commit 3b13a834c7
parent 95bbe5cff0
2 changed files with 67 additions and 24 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -2226,7 +2226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
 corenet_sendrecv_all_server_packets(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.6/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/apps/wine.if	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/apps/wine.if	2007-08-24 10:17:01.000000000 -0400
@@ -18,3 +18,34 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1, wine_exec_t, wine_t)
@ -7347,7 +7347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/samba.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/samba.te	2007-08-23 17:07:11.000000000 -0400
@@ -190,6 +190,8 @@
 
 miscfiles_read_localization(samba_net_t) 
@ -7376,10 +7376,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 domain_use_interactive_fds(smbd_t)
 domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -350,6 +353,10 @@
+@@ -350,6 +353,14 @@
 ')
 
 optional_policy(`
+	kerberos_read_keytab(smbd_t)
+')
+
+optional_policy(`
 +	lpd_exec_lpr(smbd_t)
 +')
 +
@ -7387,7 +7391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 	cups_read_rw_config(smbd_t)
 	cups_stream_connect(smbd_t)
 ')
-@@ -533,6 +540,7 @@
+@@ -533,6 +544,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 
 term_list_ptys(smbmount_t)
@ -7395,7 +7399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 corecmd_list_bin(smbmount_t)
 
-@@ -556,6 +564,11 @@
+@@ -556,6 +568,11 @@
 sysnet_read_config(smbmount_t)
 
 userdom_use_all_users_fds(smbmount_t)
@ -7407,7 +7411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 optional_policy(`
 	nis_use_ypbind(smbmount_t)
-@@ -570,15 +583,18 @@
+@@ -570,15 +587,18 @@
 # SWAT Local policy
 #
 
@ -7429,7 +7433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
 
-@@ -597,7 +613,9 @@
+@@ -597,7 +617,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
 
@ -7440,7 +7444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
-@@ -622,17 +640,20 @@
+@@ -622,17 +644,20 @@
 
 dev_read_urand(swat_t)
 
@ -7461,7 +7465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
-@@ -660,6 +681,24 @@
+@@ -660,6 +685,24 @@
 	nscd_socket_use(swat_t)
 ')
 
@ -7486,7 +7490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ########################################
 #
 # Winbind local policy
-@@ -672,7 +711,6 @@
+@@ -672,7 +715,6 @@
 allow winbind_t self:fifo_file { read write };
 allow winbind_t self:unix_dgram_socket create_socket_perms;
 allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@ -7494,7 +7498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 allow winbind_t self:tcp_socket create_stream_socket_perms;
 allow winbind_t self:udp_socket create_socket_perms;
 
-@@ -709,6 +747,8 @@
+@@ -709,6 +751,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
 
@ -7503,7 +7507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +773,9 @@
+@@ -733,7 +777,9 @@
 fs_getattr_all_fs(winbind_t)
 fs_search_auto_mountpoints(winbind_t)
 
@ -7513,7 +7517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 
 domain_use_interactive_fds(winbind_t)
 
-@@ -746,9 +788,6 @@
+@@ -746,9 +792,6 @@
 
 miscfiles_read_localization(winbind_t)
 
@ -7523,7 +7527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 userdom_dontaudit_use_unpriv_user_fds(winbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
 userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +797,6 @@
+@@ -758,10 +801,6 @@
 ')
 
 optional_policy(`
@ -7534,7 +7538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 	seutil_sigchld_newrole(winbind_t)
 ')
 
-@@ -804,6 +839,7 @@
+@@ -804,6 +843,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
@ -8195,7 +8199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/xserver.if	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/services/xserver.if	2007-08-24 10:18:58.000000000 -0400
@@ -126,6 +126,8 @@
 	# read events - the synaptics touchpad driver reads raw events
 	dev_rw_input_dev($1_xserver_t)
@ -8416,7 +8420,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ##	Transition to a user Xauthority domain.
 ## </summary>
 ## <desc>
-@@ -1136,7 +1244,7 @@
+@@ -987,6 +1095,37 @@
+ 
+ ########################################
+ ## <summary>
+##	Execute xsever in the xdm_xserver domain, and
+##	allow the specified role the xdm_xserver domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the xdm_xserver domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the xdm_xserver domain to use.
+##	</summary>
+## </param>
+#
+interface(`xserver_run_xdm_xserver',`
+	gen_require(`
+		type xdm_xserver_t;
+	')
+
+	xserver_domtrans_xdm_xserver($1)
+	role $2 types xdm_xserver_t;
+	allow xdm_xserver_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+ ##	Make an X session script an entrypoint for the specified domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -1136,7 +1275,7 @@
 		type xdm_xserver_tmp_t;
 	')
 
@ -8425,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 ########################################
-@@ -1325,3 +1433,62 @@
+@@ -1325,3 +1464,62 @@
 	files_search_tmp($1)
 	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
 ')
@ -11457,7 +11499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/unconfined.te	2007-08-22 08:03:53.000000000 -0400
+++ serefpolicy-3.0.6/policy/modules/system/unconfined.te	2007-08-24 10:16:34.000000000 -0400
@@ -5,28 +5,36 @@
 #
 # Declarations
@ -11628,7 +11670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
- 	xserver_domtrans_xdm_xserver(unconfined_t)
+-	xserver_domtrans_xdm_xserver(unconfined_t)
+	xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
 ')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -97,9 +97,6 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4  MLS_CATS=1024 MCS_CATS=1024 enableaudit \
-make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
-install -m0644 base.pp %{buildroot}%{_usr}/share/selinux/%1/enableaudit.pp \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
@ -360,6 +357,9 @@ exit 0
 %endif

 %changelog
+* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-2
+- Allow xserver to be started by unconfined process and talk to tty
+
 * Wed Aug 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-1
 - Upgrade to upstream to grab postgressql changes