- Allow nsplugin to unix_read unix_write sem for unconfined_java

2009-04-28 20:09:21 +00:00 · 2009-04-28 20:09:21 +00:00 · 40d8f60dd7
commit 40d8f60dd7
parent b3ac4a052b
3 changed files with 128 additions and 25 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -493,6 +493,13 @@ finger = module
 # 
 firstboot = base
 # Layer: services
 # Module: fprintd
 #
 # finger print server
 # 
 fprintd = module
 # Layer: system
 # Module: fstools
 #
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -788,7 +788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -/usr/sbin/readahead	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-27 11:01:26.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te	2009-04-28 15:47:35.000000000 -0400
@@ -11,8 +11,8 @@
 init_daemon_domain(readahead_t, readahead_exec_t)
 application_domain(readahead_t, readahead_exec_t)
@ -800,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type readahead_var_run_t;
 files_pid_file(readahead_var_run_t)
-@@ -24,9 +24,11 @@
+@@ -24,14 +24,17 @@
 allow readahead_t self:capability { fowner dac_override dac_read_search };
 dontaudit readahead_t self:capability sys_tty_config;
@ -814,7 +814,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
 files_pid_filetrans(readahead_t, readahead_var_run_t, file)
-@@ -46,6 +48,7 @@
+ 
 kernel_read_kernel_sysctls(readahead_t)
 +kernel_read_net_sysctls(readahead_t)
 kernel_read_system_state(readahead_t)
 kernel_dontaudit_getattr_core_if(readahead_t)
@@ -46,6 +49,7 @@
 storage_raw_read_fixed_disk(readahead_t)
 domain_use_interactive_fds(readahead_t)
@ -822,7 +828,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_dontaudit_getattr_all_sockets(readahead_t)
 files_list_non_security(readahead_t)
-@@ -58,6 +61,7 @@
+@@ -58,6 +62,7 @@
 fs_dontaudit_search_ramfs(readahead_t)
 fs_dontaudit_read_ramfs_pipes(readahead_t)
 fs_dontaudit_read_ramfs_files(readahead_t)
@ -830,7 +836,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_read_tmpfs_symlinks(readahead_t)
 fs_list_inotifyfs(readahead_t)
-@@ -72,6 +76,7 @@
+@@ -72,6 +77,7 @@
 init_getattr_initctl(readahead_t)
 logging_send_syslog_msg(readahead_t)
@ -2336,7 +2342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.12/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2008-11-11 16:13:42.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/java.if	2009-04-28 12:20:13.000000000 -0400
@@ -30,6 +30,7 @@
 	allow java_t $2:unix_stream_socket connectto;
@ -2345,7 +2351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -68,3 +69,129 @@
+@@ -68,3 +69,130 @@
 	domtrans_pattern($1, java_exec_t, unconfined_java_t)
 	corecmd_search_bin($1)
 ')
@ -2400,6 +2406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	java_domtrans_unconfined($1)
 +	role $2 types unconfined_java_t;
 +	role $2 types java_t;
 +	nsplugin_role_notrans($2, unconfined_java_t)
 +')
 +
 +########################################
@ -2477,7 +2484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.12/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/java.te	2009-04-28 12:19:47.000000000 -0400
@@ -20,6 +20,8 @@
 typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
 typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@ -2519,18 +2526,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	nis_use_ypbind(java_t)
 ')
-@@ -147,4 +151,11 @@
+@@ -147,4 +151,12 @@
 	unconfined_domain_noaudit(unconfined_java_t)
 	unconfined_dbus_chat(unconfined_java_t)
 +	optional_policy(`
 +		hal_dbus_chat(unconfined_java_t)
-+	')
+ ')
 +
 +	optional_policy(`
 +		rpm_domtrans(unconfined_java_t)
 +	')
- ')
+')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.12/policy/modules/apps/livecd.fc
 --- nsaserefpolicy/policy/modules/apps/livecd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/livecd.fc	2009-04-23 09:44:57.000000000 -0400
@ -5090,7 +5098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-03-05 12:28:56.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-04-24 09:05:52.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if	2009-04-28 15:25:49.000000000 -0400
@@ -2268,6 +2268,25 @@
 ########################################
@ -5117,6 +5125,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
@@ -3217,6 +3236,7 @@
 #
 interface(`dev_rw_generic_usb_dev',`
 	gen_require(`
 +		type device_t;
 		type usb_device_t;
 	')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-03-05 12:28:57.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/kernel/devices.te	2009-04-23 09:44:57.000000000 -0400
@ -7428,8 +7444,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-27 15:35:55.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te	2009-04-28 12:10:25.000000000 -0400
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,397 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@ -7546,7 +7562,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
-+	nsplugin_role_notrans(unconfined_r, unconfined_t)
+	gen_require(`
 +		attribute unconfined_usertype;
 +	')
 +
 +	nsplugin_role_notrans(unconfined_r, unconfined_usertype)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
 +	      nsplugin_domtrans(unconfined_execmem_t)
 +	      nsplugin_domtrans_config(unconfined_execmem_t)
@ -13377,6 +13397,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # pid file
 manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.12/policy/modules/services/fprintd.fc
 --- nsaserefpolicy/policy/modules/services/fprintd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.fc	2009-04-28 15:26:41.000000000 -0400
@@ -0,0 +1,2 @@
 +
 +/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if
 --- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.if	2009-04-28 15:26:38.000000000 -0400
@@ -0,0 +1,22 @@
 +
 +## <summary>policy for fprintd</summary>
 +
 +########################################
 +## <summary>
 +##	Execute a domain transition to run fprintd.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`fprintd_domtrans',`
 +	gen_require(`
 +		type fprintd_t;
 +                type fprintd_exec_t;
 +	')
 +
 +	domtrans_pattern($1,fprintd_exec_t,fprintd_t)
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-04-28 16:07:25.000000000 -0400
@@ -0,0 +1,36 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
 +type fprintd_t;
 +type fprintd_exec_t;
 +dbus_system_domain(fprintd_t, fprintd_exec_t)
 +
 +allow fprintd_t self:fifo_file rw_fifo_file_perms;
 +allow fprintd_t self:process { getsched signal };
 +
 +corecmd_search_bin(fprintd_t)
 +
 +dev_rw_generic_usb_dev(fprintd_t)
 +dev_read_sysfs(fprintd_t)
 +
 +files_read_etc_files(fprintd_t)
 +files_read_usr_files(fprintd_t)
 +
 +auth_use_nsswitch(fprintd_t)
 +
 +miscfiles_read_localization(fprintd_t)
 +
 +userdom_use_user_ptys(fprintd_t)
 +userdom_read_all_users_state(fprintd_t)
 +
 +optional_policy(`
 +	polkit_read_reload(fprintd_t)
 +	polkit_read_lib(fprintd_t)
 +')
 +
 +permissive fprintd_t;
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.12/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/ftp.te	2009-04-23 09:44:57.000000000 -0400
@ -17341,7 +17433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.12/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/polkit.if	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/polkit.if	2009-04-28 16:05:38.000000000 -0400
@@ -0,0 +1,241 @@
 +
 +## <summary>policy for polkit_auth</summary>
@ -19377,7 +19469,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		mysql_search_db(httpd_prewikka_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.12/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-04-28 11:40:52.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/privoxy.te	2009-04-28 11:45:58.000000000 -0400
@@ -6,6 +6,14 @@
 # Declarations
 #
@ -19393,7 +19485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type privoxy_t; # web_client_domain
 type privoxy_exec_t;
 init_daemon_domain(privoxy_t, privoxy_exec_t)
-@@ -72,21 +80,19 @@
+@@ -72,21 +80,18 @@
 logging_send_syslog_msg(privoxy_t)
@ -19416,7 +19508,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	nscd_socket_use(privoxy_t)
 +tunable_policy(`privoxy_connect_any',`
 +	corenet_tcp_connect_all_ports(privoxy_t)
 +	corenet_tcp_bind_all_ports(privoxy_t)
 +	corenet_sendrecv_all_packets(privoxy_t)
 ')
@ -22284,7 +22375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-04-28 11:39:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/squid.te	2009-04-28 11:44:05.000000000 -0400
@@ -118,6 +118,9 @@
 fs_getattr_all_fs(squid_t)
@ -22994,8 +23085,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.12/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-04-23 09:44:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/sssd.te	2009-04-28 15:43:36.000000000 -0400
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,72 @@
 +policy_module(sssd,1.0.0)
 +
 +########################################
@ -23022,7 +23113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +# sssd local policy
 +#
-+allow sssd_t self:capability sys_nice;
+allow sssd_t self:capability { sys_nice setuid };
 +allow sssd_t self:process { setsched signal getsched };
 +allow sssd_t tmp_t:dir { read getattr open };
 +
@ -23053,6 +23144,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_read_etc_files(sssd_t)
 +files_read_usr_files(sssd_t)
 +
 +fs_list_inotifyfs(sssd_t)
 +
 +auth_use_nsswitch(sssd_t)
 +auth_domtrans_chk_passwd(sssd_t)
 +auth_domtrans_upd_passwd(sssd_t)
@ -29744,7 +29837,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-27 08:32:47.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-28 16:06:27.000000000 -0400
@@ -30,8 +30,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -480,6 +480,9 @@ exit 0
 %endif
 %changelog
 * Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-24
 - Allow nsplugin to unix_read unix_write sem for unconfined_java
 * Tue Apr 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-23
 - Fix uml files to be owned by users