- Change init_t to an unconfined_domain

2008-03-12 12:35:06 +00:00 · 2008-03-12 12:35:06 +00:00 · 41617c099b
commit 41617c099b
parent e9fce44302
1 changed files with 40 additions and 28 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -3316,7 +3316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-02-29 17:00:38.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-03-12 08:31:43.000000000 -0400
@@ -38,6 +38,10 @@
 	gen_require(`
 		type gpg_exec_t, gpg_helper_exec_t;
@ -3328,7 +3328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 	')
 	########################################
-@@ -45,275 +49,59 @@
+@@ -45,275 +49,61 @@
 	# Declarations
 	#
@ -3519,6 +3519,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s
 +	dontaudit gpg_t $2:udp_socket rw_socket_perms;
 +	dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
 +	dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
 +	#Leaked File Descriptors
 +	dontaudit gpg_helper_t $2:unix_stream_socket rw_socket_perms;
 -	# allow gpg to connect to the gpg agent
 -	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
@ -5076,8 +5078,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-10 14:36:14.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if	2008-03-12 08:30:42.000000000 -0400
-@@ -0,0 +1,344 @@
+@@ -0,0 +1,347 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -5239,10 +5241,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	can_exec($2, nsplugin_rw_t)
 +
-+	allow nsplugin_t $2:udp_socket { read write };
+	#Leaked File Descriptors
-+	allow nsplugin_t $2:tcp_socket { read write };
+	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
 +	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +
 +	allow nsplugin_t $1_tmpfs_t:file { read getattr };
 +
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
@ -26321,7 +26326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-11 18:57:27.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-03-12 08:33:31.000000000 -0400
@@ -10,6 +10,20 @@
 # Declarations
 #
@ -26414,7 +26419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 ')
-@@ -163,22 +194,25 @@
+@@ -163,14 +194,16 @@
 	fs_tmpfs_filetrans(init_t,initctl_t,fifo_file)
 ')
@ -26436,18 +26441,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
- 	nscd_socket_use(init_t)
+@@ -181,13 +214,18 @@
 	unconfined_domain(init_t)
 ')
 -optional_policy(`
 -	unconfined_domain(init_t)
 +ifndef(`distro_ubuntu',`
 +	corecmd_shell_domtrans(init_t,initrc_t)
 +	corecmd_shell_entry_type(initrc_t)
- ')
+')
- 
+
 ########################################
-@@ -187,7 +221,7 @@
+ #
 # Init script local policy
 #
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -26456,7 +26461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
-@@ -201,10 +235,9 @@
+@@ -201,10 +239,9 @@
 allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
 term_create_pty(initrc_t,initrc_devpts_t)
@ -26469,7 +26474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
 manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -257,7 +290,7 @@
+@@ -257,7 +294,7 @@
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
@ -26478,7 +26483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
-@@ -283,7 +316,6 @@
+@@ -283,7 +320,6 @@
 mls_process_read_up(initrc_t)
 mls_process_write_down(initrc_t)
 mls_rangetrans_source(initrc_t)
@ -26486,7 +26491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 selinux_get_enforce_mode(initrc_t)
-@@ -496,6 +528,31 @@
+@@ -496,6 +532,31 @@
 	')
 ')
@ -26518,7 +26523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +616,6 @@
+@@ -559,14 +620,6 @@
 ')
 optional_policy(`
@ -26533,7 +26538,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	ftp_read_config(initrc_t)
 ')
-@@ -639,12 +688,6 @@
+@@ -639,12 +692,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -26546,7 +26551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -705,6 +748,9 @@
+@@ -705,6 +752,9 @@
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -26556,7 +26561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -717,9 +763,11 @@
+@@ -717,9 +767,11 @@
 	squid_manage_logs(initrc_t)
 ')
@ -26571,7 +26576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 ')
 optional_policy(`
-@@ -738,6 +786,11 @@
+@@ -738,6 +790,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
@ -26583,7 +26588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 optional_policy(`
 	unconfined_domain(initrc_t)
-@@ -752,6 +805,10 @@
+@@ -752,6 +809,10 @@
 ')
 optional_policy(`
@ -26594,7 +26599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
-@@ -774,3 +831,4 @@
+@@ -774,3 +835,4 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -27160,7 +27165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.3.1/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-03-11 18:59:24.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/lvm.fc	2008-03-12 07:01:13.000000000 -0400
@@ -55,6 +55,7 @@
 /sbin/lvs		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@ -27169,6 +27174,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
 /sbin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/pvcreate		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /sbin/pvdata		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -97,3 +98,4 @@
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.3.1/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/lvm.te	2008-03-11 19:04:42.000000000 -0400
@ -29611,7 +29621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-09 08:38:37.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-12 08:26:37.000000000 -0400
@@ -29,9 +29,14 @@
 	')
@ -31962,7 +31972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -5704,3 +6074,368 @@
+@@ -5704,3 +6074,370 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -32331,6 +32341,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 +  ')
 +')
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.3.1/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/userdomain.te	2008-02-26 08:29:22.000000000 -0500