- Label /var/run/gdm correctly

- Fix unconfined_u user creation
Daniel J Walsh 2008-04-10 14:37:57 +00:00
parent 254e3c7af3
commit 41625a26ea
2 changed files with 70 additions and 39 deletions


@ -5572,8 +5572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-08 13:28:42.000000000 -0400
@@ -0,0 +1,188 @@
+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-10 08:50:50.000000000 -0400
@@ -0,0 +1,189 @@
+
+policy_module(nsplugin,1.0.0)
+
@ -5716,6 +5716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_xdm_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_user_xauth(user, nsplugin_t)
+ xserver_use_user_fonts(user, nsplugin_t)
+')
@ -18715,7 +18716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# Local Policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-04 12:06:55.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-09 08:18:34.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@ -18777,7 +18778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix local local policy
@@ -273,6 +292,8 @@
@@ -273,18 +292,25 @@
files_read_etc_files(postfix_local_t)
@ -18786,8 +18787,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
@@ -280,11 +301,14 @@
mta_read_config(postfix_local_t)
+domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
optional_policy(`
clamav_search_lib(postfix_local_t)
+ clamav_exec_clamscan(postfix_local_t)
@ -18801,7 +18804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
optional_policy(`
@@ -295,8 +319,7 @@
@@ -295,8 +321,7 @@
#
# Postfix map local policy
#
@ -18811,7 +18814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -346,8 +369,6 @@
@@ -346,8 +371,6 @@
miscfiles_read_localization(postfix_map_t)
@ -18820,7 +18823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
@@ -360,6 +381,11 @@
@@ -360,6 +383,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@ -18832,18 +18835,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix pickup local policy
@@ -392,6 +418,10 @@
@@ -384,6 +412,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
+allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
@@ -391,6 +420,12 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
+domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+
+optional_policy(`
+ dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
@@ -400,6 +430,10 @@
@@ -400,6 +435,10 @@
')
optional_policy(`
@ -18854,7 +18867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
uucp_domtrans_uux(postfix_pipe_t)
')
@@ -532,9 +566,6 @@
@@ -532,9 +571,6 @@
# connect to master process
stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
@ -18864,7 +18877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
@@ -557,6 +588,10 @@
@@ -557,6 +593,10 @@
sasl_connect(postfix_smtpd_t)
')
@ -18875,7 +18888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
#
# Postfix virtual local policy
@@ -584,3 +619,4 @@
@@ -584,3 +624,4 @@
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@ -19629,7 +19642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.3.1/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2008-02-15 09:52:56.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/privoxy.te 2008-04-04 12:06:55.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/privoxy.te 2008-04-09 08:37:52.000000000 -0400
@@ -19,6 +19,9 @@
type privoxy_var_run_t;
files_pid_file(privoxy_var_run_t)
@ -19640,6 +19653,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv
########################################
#
# Local Policy
@@ -50,6 +53,7 @@
corenet_tcp_connect_http_port(privoxy_t)
corenet_tcp_connect_http_cache_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
+corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
corenet_tcp_connect_tor_port(privoxy_t)
corenet_sendrecv_http_cache_client_packets(privoxy_t)
corenet_sendrecv_http_cache_server_packets(privoxy_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.3.1/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/procmail.fc 2008-04-04 12:06:55.000000000 -0400
@ -24203,7 +24224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xpri
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.3.1/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-04-04 12:06:56.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-04-08 16:39:13.000000000 -0400
@@ -1,13 +1,13 @@
#
# HOME_DIR
@ -24246,7 +24267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -89,16 +84,21 @@
@@ -89,16 +84,22 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@ -24262,6 +24283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@ -24272,7 +24294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-04 12:06:56.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-10 08:50:38.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@ -25468,6 +25490,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $1 xdm_tmp_t:sock_file unlink;
')
########################################
@@ -932,7 +1547,7 @@
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
')
########################################
@@ -955,6 +1570,24 @@
@ -35193,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3.1/policy/users
--- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400
+++ serefpolicy-3.3.1/policy/users 2008-04-04 18:04:09.000000000 -0400
+++ serefpolicy-3.3.1/policy/users 2008-04-10 10:33:42.000000000 -0400
@@ -16,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
@ -35203,20 +35234,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
#
# user_u is a generic user identity for Linux users who have no
@@ -26,12 +26,9 @@
@@ -26,11 +26,8 @@
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(staff_u, staff, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
-# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
+gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
@@ -39,8 +36,4 @@
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
@ -35226,7 +35257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
-',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, unconfined, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
--- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500
+++ serefpolicy-3.3.1/Rules.modular 2008-04-04 12:06:56.000000000 -0400
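Review bot: The rewritten `gen_user(staff_u, user, staff_r system_r sysadm_r ...)` line in the policy/users hunk adds `system_r` to the roles a staff_u login may hold, which is a privilege widening that neither the commit message ("Fix unconfined_u user creation") nor the file's header comment (which only warns against giving user processes the system_u identity) explains. A later reader cannot tell whether that is deliberate, so the line deserves a comment such as `# staff_u is also authorized for system_r (presumably so it can start services through run_init) -- confirm this is intended` placed above the gen_user line. The same hunk changes the prefix argument of staff_u, sysadm_u and root from their role names to `user`, which has to stay in step with the `-P user` the spec passes to `semanage user -a`; a one-line comment noting that coupling would save the next person from breaking it. The surrounding patch file continues beyond the hunks shown here, so other `gen_user` callers may exist outside this view.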


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
Release: 31%{?dist}
Release: 32%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -244,8 +244,6 @@ SELINUX=enforcing
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
" > /etc/selinux/config
@ -257,8 +255,6 @@ else
[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/
[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
">> /etc/selinux/config
fi
@ -292,11 +288,11 @@ SELinux Reference policy targeted base module.
%post targeted
if [ $1 -eq 1 ]; then
%loadpolicy targeted
semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
semanage user -a -S targeted -R guest_r guest_u
semanage user -a -S targeted -R xguest_r xguest_u
semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null
semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null
semanage user -a -S targeted -P user -R guest_r guest_u
semanage user -a -S targeted -P user -R xguest_r xguest_u
restorecon -R /root /var/log /var/run 2> /dev/null
else
semodule -s targeted -r moilscanner 2>/dev/null
@ -312,7 +308,7 @@ semanage user -l | grep -s unconfined_u
if [ $? -eq 0 ]; then
semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
else
semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
fi
seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
[ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
@ -387,6 +383,10 @@ exit 0
%endif
%changelog
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-32
- Label /var/run/gdm correctly
- Fix unconfined_u user creation
* Tue Apr 8 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-31
- Allow transition from initrc_t to getty_t
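Review bot: In the upgrade branch of `%post targeted`, the unchanged `semanage user -m -R "unconfined_r system_r" ... unconfined_u` line keeps an existing unconfined_u record without passing `-P user`, while the `-a` branch just below it and the fresh-install block are both changed to pass it. An unconfined_u created by an earlier release will therefore keep whatever prefix it had, so fresh and upgraded hosts end up with different SELinux user records; if the prefix feeds the home-directory context templates, as the `-P` flag suggests, their genhomedircon output can differ as well. Suggested line: `semanage user -m -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null`. Separately, every semanage call in this block discards stderr, so a failure of the very user creation this commit is fixing would leave no trace in the install log; dropping `2> /dev/null` from at least the `-a` calls would make a regression visible.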