From 41625a26ea26fbcb30243a1ea4e0be9c525524db Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 10 Apr 2008 14:37:57 +0000 Subject: [PATCH] - Label /var/run/gdm correctly - Fix unconfined_u user creation --- policy-20071130.patch | 87 +++++++++++++++++++++++++++++-------------- selinux-policy.spec | 22 +++++------ 2 files changed, 70 insertions(+), 39 deletions(-) diff --git a/policy-20071130.patch b/policy-20071130.patch index 3146cf83..3f4d3b56 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -5572,8 +5572,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-08 13:28:42.000000000 -0400 -@@ -0,0 +1,188 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-04-10 08:50:50.000000000 -0400 +@@ -0,0 +1,189 @@ + +policy_module(nsplugin,1.0.0) + @@ -5716,6 +5716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + xserver_stream_connect_xdm_xserver(nsplugin_t) + xserver_xdm_rw_shm(nsplugin_t) + xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_xdm_pid(nsplugin_t) + xserver_read_user_xauth(user, nsplugin_t) + xserver_use_user_fonts(user, nsplugin_t) +') @@ -18715,7 +18716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # Local Policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-04-09 08:18:34.000000000 -0400 
@@ -6,6 +6,14 @@ # Declarations # @@ -18777,7 +18778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -273,6 +292,8 @@ +@@ -273,18 +292,25 @@ files_read_etc_files(postfix_local_t) @@ -18786,8 +18787,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin -@@ -280,11 +301,14 @@ + mta_read_config(postfix_local_t) ++domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ optional_policy(` clamav_search_lib(postfix_local_t) + clamav_exec_clamscan(postfix_local_t) @@ -18801,7 +18804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -295,8 +319,7 @@ +@@ -295,8 +321,7 @@ # # Postfix map local policy # @@ -18811,7 +18814,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +369,6 @@ +@@ -346,8 +371,6 @@ miscfiles_read_localization(postfix_map_t) @@ -18820,7 +18823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +381,11 @@ +@@ -360,6 +383,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') 
@@ -18832,18 +18835,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -392,6 +418,10 @@ +@@ -384,6 +412,7 @@ + # + + allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; ++allow postfix_pipe_t self:process setrlimit; + + write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) + +@@ -391,6 +420,12 @@ + rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) - optional_policy(` ++domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) ++ ++optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) +') + -+optional_policy(` + optional_policy(` procmail_domtrans(postfix_pipe_t) ') - -@@ -400,6 +430,10 @@ +@@ -400,6 +435,10 @@ ') optional_policy(` @@ -18854,7 +18867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -532,9 +566,6 @@ +@@ -532,9 +571,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -18864,7 +18877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +588,10 @@ +@@ -557,6 +593,10 @@ sasl_connect(postfix_smtpd_t) ') @@ -18875,7 +18888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -584,3 +619,4 @@ +@@ -584,3 +624,4 @@ # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -19629,7 +19642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.3.1/policy/modules/services/privoxy.te --- nsaserefpolicy/policy/modules/services/privoxy.te 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/privoxy.te 2008-04-04 12:06:55.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/privoxy.te 2008-04-09 08:37:52.000000000 -0400 @@ -19,6 +19,9 @@ type privoxy_var_run_t; files_pid_file(privoxy_var_run_t) @@ -19640,6 +19653,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/priv ######################################## # # Local Policy +@@ -50,6 +53,7 @@ + corenet_tcp_connect_http_port(privoxy_t) + corenet_tcp_connect_http_cache_port(privoxy_t) + corenet_tcp_connect_ftp_port(privoxy_t) ++corenet_tcp_connect_pgpkeyserver_port(privoxy_t) + corenet_tcp_connect_tor_port(privoxy_t) + corenet_sendrecv_http_cache_client_packets(privoxy_t) + corenet_sendrecv_http_cache_server_packets(privoxy_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.3.1/policy/modules/services/procmail.fc --- nsaserefpolicy/policy/modules/services/procmail.fc 2006-11-16 17:15:21.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/procmail.fc 2008-04-04 12:06:55.000000000 -0400 @@ -24203,7 +24224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xpri + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.3.1/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2007-10-15 16:11:05.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.fc 2008-04-08 16:39:13.000000000 -0400 
@@ -1,13 +1,13 @@ # # HOME_DIR @@ -24246,7 +24267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -89,16 +84,21 @@ +@@ -89,16 +84,22 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) @@ -24262,6 +24283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/run/gdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -24272,7 +24294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-04 12:06:56.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-04-10 08:50:38.000000000 -0400 @@ -12,9 +12,15 @@ ## ## 
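Review bot: The new `/var/run/gdm(/.*)?` entry labels everything gdm ever creates under that directory as xdm_var_run_t, the same type `xserver_read_xdm_pid()` grants read on, and nsplugin_t gains that interface in this same commit. If gdm keeps anything beyond its pid there — newer gdm releases keep per-session auth cookie directories under /var/run/gdm, which I cannot confirm from this hunk — every domain holding the "read pid" interface can read it, subject only to DAC. Either give such subtrees their own type or narrow the pattern, e.g. `/var/run/gdm -d gen_context(system_u:object_r:xdm_var_run_t,s0)` plus explicit entries for the files that are actually expected, and add a comment above the entry stating what is expected to live there.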
@@ -25468,6 +25490,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $1 xdm_tmp_t:sock_file unlink; ') + ######################################## +@@ -932,7 +1547,7 @@ + ') + + files_search_pids($1) +- allow $1 xdm_var_run_t:file read_file_perms; ++ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) + ') + ######################################## @@ -955,6 +1570,24 @@ @@ -35193,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets +define(`manage_key_perms', `{ create link read search setattr view write } ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3.1/policy/users --- nsaserefpolicy/policy/users 2007-10-12 08:56:09.000000000 -0400 -+++ serefpolicy-3.3.1/policy/users 2008-04-04 18:04:09.000000000 -0400 ++++ serefpolicy-3.3.1/policy/users 2008-04-10 10:33:42.000000000 -0400 @@ -16,7 +16,7 @@ # and a user process should never be assigned the system user # identity. 
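Review bot: Replacing the bare `allow $1 xdm_var_run_t:file read_file_perms;` with `read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)` also grants the caller search on xdm_var_run_t directories, which after this commit's file-context change includes `/var/run/gdm` itself, so the interface does more than its name `xserver_read_xdm_pid` suggests. The interface's `## <summary>` block lies above the hunk and is not visible here; it should state that callers can read any xdm_var_run_t file and search its directories, not only the pid file, e.g. `## Read XDM pid files and other XDM runtime files under /var/run.`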
@@ -35203,20 +35234,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3 # # user_u is a generic user identity for Linux users who have no -@@ -26,12 +26,9 @@ +@@ -26,11 +26,8 @@ # permit any access to such users, then remove this entry. # gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -+gen_user(staff_u, staff, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) - gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) - +-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +- -# Until order dependence is fixed for users: -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) -- ++gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) ++gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + # # The following users correspond to Unix identities. - # These identities are typically assigned as the user attribute @@ -39,8 +36,4 @@ # role should use the staff_r role instead of the user_r role when # not in the sysadm_r. 
@@ -35226,7 +35257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3 -',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) -') -+gen_user(root, unconfined, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular --- nsaserefpolicy/Rules.modular 2007-12-19 05:32:18.000000000 -0500 +++ serefpolicy-3.3.1/Rules.modular 2008-04-04 12:06:56.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index e7dd698d..02945d08 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -244,8 +244,6 @@ SELINUX=enforcing # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted -# SETLOCALDEFS= Check local definition changes -SETLOCALDEFS=0 " > /etc/selinux/config @@ -257,8 +255,6 @@ else [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ [ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n " -# SETLOCALDEFS= Check local definition changes -SETLOCALDEFS=0 ">> /etc/selinux/config fi 
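Review bot: The second gen_user() argument is, to my reading, the home-directory prefix genhomedircon uses to pick the ROLE_home_dir_t/ROLE_home_t file contexts, and this hunk switches staff_u, sysadm_u and root from their own prefixes to `user`, so their home directories get the user_ templates rather than staff_/sysadm_ ones after the next relabel; neither the commit message nor the file says so. If that is intended, as the matching `-P user` in the spec's semanage calls suggests, a comment above the block should record it, e.g. `# All Linux users share the "user" homedir prefix: home directories are labeled user_home_t, not staff_home_t/sysadm_home_t, whatever the SELinux user.` If the MLS build still relies on per-role home types, the prefix for staff_u and sysadm_u should stay as it was. Note also that unconfined_u is no longer declared here and now exists only if the spec's %post `semanage user -a` succeeds, whose errors are discarded.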
@@ -292,11 +288,11 @@ SELinux Reference policy targeted base module. %post targeted if [ $1 -eq 1 ]; then %loadpolicy targeted -semanage user -a -S targeted -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null -semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null -semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null -semanage user -a -S targeted -R guest_r guest_u -semanage user -a -S targeted -R xguest_r xguest_u +semanage user -a -S targeted -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null +semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null +semanage login -m -S targeted -P user -s "unconfined_u" -r s0-s0:c0.c1023 root 2> /dev/null +semanage user -a -S targeted -P user -R guest_r guest_u +semanage user -a -S targeted -P user -R xguest_r xguest_u restorecon -R /root /var/log /var/run 2> /dev/null else semodule -s targeted -r moilscanner 2>/dev/null @@ -312,7 +308,7 @@ semanage user -l | grep -s unconfined_u if [ $? -eq 0 ]; then semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null else - semanage user -a -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null + semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null fi seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'` [ $seuser == "system_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__ @@ -387,6 +383,10 @@ exit 0 %endif %changelog +* Thu Apr 10 2008 Dan Walsh 3.3.1-32 +- Label /var/run/gdm correctly +- Fix unconfined_u user creation + * Tue Apr 8 2008 Dan Walsh 3.3.1-31 - Allow transition from initrc_t to getty_t
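Review bot: `-P user` is passed to the two `semanage login -m` calls, but the prefix is an attribute of the SELinux user record, not of a login mapping; only the `semanage user` calls need it. semanage's option parser may accept and ignore it, or it may reject it for the login subcommand — I cannot tell from here — and with `2> /dev/null` a rejection would silently leave `__default__` and `root` mapped as before, which is the failure this commit is meant to fix. Drop `-P user` from `semanage login -m -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 __default__ 2> /dev/null` and the matching root line, and consider keeping stderr somewhere inspectable rather than discarding it.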
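Review bot: The upgrade path is now inconsistent with the install path: when `semanage user -l | grep -s unconfined_u` finds an existing record, the `-m` branch leaves its prefix untouched while the new `-a` line sets `-P user`. If the prefix matters for the fix, an unconfined_u created by an earlier release keeps its old prefix across upgrades; pass it on the modify line too, `semanage user -m -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null`. The `-a` here, unlike the install-time one, also omits `-S targeted`, so it acts on whatever store semanage defaults to.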