- Allow xserver to be started by unconfined process and talk to tty

policy-20070703.patch

@@ -2226,7 +2226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
  corenet_sendrecv_all_server_packets(vmware_host_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.0.6/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/apps/wine.if	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/apps/wine.if	2007-08-24 10:17:01.000000000 -0400
 @@ -18,3 +18,34 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1, wine_exec_t, wine_t)
@@ -7347,7 +7347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.6/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/samba.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/samba.te	2007-08-23 17:07:11.000000000 -0400
 @@ -190,6 +190,8 @@
  
  miscfiles_read_localization(samba_net_t) 
@@ -7376,10 +7376,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -350,6 +353,10 @@
+@@ -350,6 +353,14 @@
  ')
  
  optional_policy(`
++	kerberos_read_keytab(smbd_t)
++')
++
++optional_policy(`
 +	lpd_exec_lpr(smbd_t)
 +')
 +
@@ -7387,7 +7391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -533,6 +540,7 @@
+@@ -533,6 +544,7 @@
  storage_raw_write_fixed_disk(smbmount_t)
  
  term_list_ptys(smbmount_t)
@@ -7395,7 +7399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  corecmd_list_bin(smbmount_t)
  
-@@ -556,6 +564,11 @@
+@@ -556,6 +568,11 @@
  sysnet_read_config(smbmount_t)
  
  userdom_use_all_users_fds(smbmount_t)
@@ -7407,7 +7411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  optional_policy(`
  	nis_use_ypbind(smbmount_t)
-@@ -570,15 +583,18 @@
+@@ -570,15 +587,18 @@
  # SWAT Local policy
  #
  
@@ -7429,7 +7433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
  
-@@ -597,7 +613,9 @@
+@@ -597,7 +617,9 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -7440,7 +7444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -622,17 +640,20 @@
+@@ -622,17 +644,20 @@
  
  dev_read_urand(swat_t)
  
@@ -7461,7 +7465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
-@@ -660,6 +681,24 @@
+@@ -660,6 +685,24 @@
  	nscd_socket_use(swat_t)
  ')
  
@@ -7486,7 +7490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ########################################
  #
  # Winbind local policy
-@@ -672,7 +711,6 @@
+@@ -672,7 +715,6 @@
  allow winbind_t self:fifo_file { read write };
  allow winbind_t self:unix_dgram_socket create_socket_perms;
  allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -7494,7 +7498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
-@@ -709,6 +747,8 @@
+@@ -709,6 +751,8 @@
  manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
  files_pid_filetrans(winbind_t,winbind_var_run_t,file)
  
@@ -7503,7 +7507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +773,9 @@
+@@ -733,7 +777,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -7513,7 +7517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -746,9 +788,6 @@
+@@ -746,9 +792,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -7523,7 +7527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +797,6 @@
+@@ -758,10 +801,6 @@
  ')
  
  optional_policy(`
@@ -7534,7 +7538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -804,6 +839,7 @@
+@@ -804,6 +843,7 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
@@ -8195,7 +8199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.6/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/xserver.if	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/xserver.if	2007-08-24 10:18:58.000000000 -0400
 @@ -126,6 +126,8 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
@@ -8416,7 +8420,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1136,7 +1244,7 @@
+@@ -987,6 +1095,37 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute xsever in the xdm_xserver domain, and
++##	allow the specified role the xdm_xserver domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the xdm_xserver domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the xdm_xserver domain to use.
++##	</summary>
++## </param>
++#
++interface(`xserver_run_xdm_xserver',`
++	gen_require(`
++		type xdm_xserver_t;
++	')
++
++	xserver_domtrans_xdm_xserver($1)
++	role $2 types xdm_xserver_t;
++	allow xdm_xserver_t $3:chr_file rw_term_perms;
++')
++
++########################################
++## <summary>
+ ##	Make an X session script an entrypoint for the specified domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -1136,7 +1275,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -8425,7 +8467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1325,3 +1433,62 @@
+@@ -1325,3 +1464,62 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -11457,7 +11499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.6/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/unconfined.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/unconfined.te	2007-08-24 10:16:34.000000000 -0400
 @@ -5,28 +5,36 @@
  #
  # Declarations
@@ -11628,7 +11670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  ')
  
  optional_policy(`
- 	xserver_domtrans_xdm_xserver(unconfined_t)
+-	xserver_domtrans_xdm_xserver(unconfined_t)
++	xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	xserver_xdm_rw_shm(unconfined_t)
  ')
  

selinux-policy.spec

@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -97,9 +97,6 @@ make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic}
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
 touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4  MLS_CATS=1024 MCS_CATS=1024 enableaudit \
-make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
-install -m0644 base.pp %{buildroot}%{_usr}/share/selinux/%1/enableaudit.pp \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
@@ -360,6 +357,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Aug 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-2
+- Allow xserver to be started by unconfined process and talk to tty
+
 * Wed Aug 22 2007 Dan Walsh <dwalsh@redhat.com> 3.0.6-1
 - Upgrade to upstream to grab postgressql changes