rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Remove allow_exec* booleans for confined users. Only available for

Browse Source 
unconfined_t
This commit is contained in:
Daniel J Walsh 2009-09-20 14:32:30 +00:00
parent 8323d545c4
commit 41f8e385a1
2 changed files with 104 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
policy-F12.patch
View File

@ -7579,8 +7579,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-18 09:45:33.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-20 08:49:01.000000000 -0400
@@ -0,0 +1,392 @@ @@ -0,0 +1,402 @@
+policy_module(unconfineduser, 1.0.0) +policy_module(unconfineduser, 1.0.0)
+ +
+######################################## +########################################
@ -7686,6 +7686,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+usermanage_run_passwd(unconfined_t, unconfined_r) +usermanage_run_passwd(unconfined_t, unconfined_r)
+usermanage_run_chfn(unconfined_t, unconfined_r) +usermanage_run_chfn(unconfined_t, unconfined_r)
+ +
+tunable_policy(`allow_execmem',`
+ allow unconfined_t self:process execmem;
+')
+
+tunable_policy(`allow_execmem && allow_execstack',`
+ allow unconfined_t self:process execstack;
+')
+
+tunable_policy(`unconfined_login',` +tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) + corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use; + allow unconfined_t unconfined_login_domain:fd use;
@ -7973,6 +7981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# +#
+ +
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400
@ -17882,7 +17892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-18 21:47:14.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-19 07:07:53.000000000 -0400
@@ -41,6 +41,9 @@ @@ -41,6 +41,9 @@
files_tmp_file(sshd_tmp_t) files_tmp_file(sshd_tmp_t)
files_poly_parent(sshd_tmp_t) files_poly_parent(sshd_tmp_t)
@ -17920,7 +17930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow the ssh program to communicate with ssh-agent. # Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
@@ -126,11 +129,12 @@ @@ -126,11 +129,13 @@
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t) read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
# ssh servers can read the user keys and config # ssh servers can read the user keys and config
@ -17930,13 +17940,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t) +manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t) +manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir) +userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
+userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)
kernel_read_kernel_sysctls(ssh_t) kernel_read_kernel_sysctls(ssh_t)
+kernel_read_system_state(ssh_t) +kernel_read_system_state(ssh_t)
corenet_all_recvfrom_unlabeled(ssh_t) corenet_all_recvfrom_unlabeled(ssh_t)
corenet_all_recvfrom_netlabel(ssh_t) corenet_all_recvfrom_netlabel(ssh_t)
@@ -139,6 +143,8 @@ @@ -139,6 +144,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t) corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t)
@ -17945,7 +17956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(ssh_t) dev_read_urand(ssh_t)
@@ -160,19 +166,19 @@ @@ -160,19 +167,19 @@
logging_send_syslog_msg(ssh_t) logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t) logging_read_generic_logs(ssh_t)
@ -17968,7 +17979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`allow_ssh_keysign',` tunable_policy(`allow_ssh_keysign',`
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -194,23 +200,13 @@ @@ -194,23 +201,13 @@
# for port forwarding # for port forwarding
tunable_policy(`user_tcp_server',` tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port(ssh_t) corenet_tcp_bind_ssh_port(ssh_t)
@ -17994,7 +18005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -301,6 +297,7 @@ @@ -301,6 +298,7 @@
kernel_search_key(sshd_t) kernel_search_key(sshd_t)
kernel_link_key(sshd_t) kernel_link_key(sshd_t)
@ -18002,7 +18013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_all_user_ptys(sshd_t) term_use_all_user_ptys(sshd_t)
term_setattr_all_user_ptys(sshd_t) term_setattr_all_user_ptys(sshd_t)
@@ -310,16 +307,34 @@ @@ -310,16 +308,34 @@
corenet_tcp_bind_xserver_port(sshd_t) corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t) corenet_sendrecv_xserver_server_packets(sshd_t)
@ -18039,7 +18050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -331,6 +346,10 @@ @@ -331,6 +347,10 @@
') ')
optional_policy(` optional_policy(`
@ -18050,7 +18061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpm_use_script_fds(sshd_t) rpm_use_script_fds(sshd_t)
') ')
@@ -341,7 +360,11 @@ @@ -341,7 +361,11 @@
') ')
optional_policy(` optional_policy(`
@ -18063,7 +18074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_shell_domtrans(sshd_t) unconfined_shell_domtrans(sshd_t)
') ')
@@ -400,15 +423,13 @@ @@ -400,15 +424,13 @@
init_use_fds(ssh_keygen_t) init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t) init_use_script_ptys(ssh_keygen_t)
@ -25429,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <<none>> +HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-18 21:52:11.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-20 08:32:58.000000000 -0400
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -25441,7 +25452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_type($1_t) domain_type($1_t)
corecmd_shell_entry_type($1_t) corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t) corecmd_bin_entry_type($1_t)
@@ -41,71 +42,88 @@ @@ -41,80 +42,93 @@
allow system_r $1_r; allow system_r $1_r;
term_user_pty($1_t, user_devpts_t) term_user_pty($1_t, user_devpts_t)
@ -25554,47 +25565,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- files_dontaudit_getattr_non_security_symlinks($1_t) - files_dontaudit_getattr_non_security_symlinks($1_t)
- files_dontaudit_getattr_non_security_pipes($1_t) - files_dontaudit_getattr_non_security_pipes($1_t)
- files_dontaudit_getattr_non_security_sockets($1_t) - files_dontaudit_getattr_non_security_sockets($1_t)
-
- libs_exec_ld_so($1_t)
-
- miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
-
- sysnet_read_config($1_t)
+ files_dontaudit_getattr_all_dirs($1_usertype) + files_dontaudit_getattr_all_dirs($1_usertype)
+ files_dontaudit_list_non_security($1_usertype) + files_dontaudit_list_non_security($1_usertype)
+ files_dontaudit_getattr_all_files($1_usertype) + files_dontaudit_getattr_all_files($1_usertype)
+ files_dontaudit_getattr_non_security_symlinks($1_usertype) + files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype) + files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype) + files_dontaudit_getattr_non_security_sockets($1_usertype)
+
- libs_exec_ld_so($1_t)
+ storage_rw_fuse($1_usertype) + storage_rw_fuse($1_usertype)
+
- miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
+ auth_use_nsswitch($1_usertype) + auth_use_nsswitch($1_usertype)
+
- sysnet_read_config($1_t)
+ libs_exec_ld_so($1_usertype) + libs_exec_ld_so($1_usertype)
+
- tunable_policy(`allow_execmem',`
- # Allow loading DSOs that require executable stack.
- allow $1_t self:process execmem;
- ')
+ miscfiles_read_certs($1_usertype) + miscfiles_read_certs($1_usertype)
+ miscfiles_read_localization($1_usertype) + miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype) + miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype) + miscfiles_read_public_files($1_usertype)
tunable_policy(`allow_execmem',` - tunable_policy(`allow_execmem && allow_execstack',`
# Allow loading DSOs that require executable stack. - # Allow making the stack executable via mprotect.
@@ -116,6 +134,12 @@ - allow $1_t self:process execstack;
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(` + optional_policy(`
+ ssh_rw_stream_sockets($1_usertype) + ssh_rw_stream_sockets($1_usertype)
+ ssh_delete_tmp($1_t) + ssh_delete_tmp($1_t)
+ ssh_signal($1_t) + ssh_signal($1_t)
+ ') ')
') ')
####################################### @@ -147,6 +161,7 @@
@@ -147,6 +171,7 @@
interface(`userdom_ro_home_role',` interface(`userdom_ro_home_role',`
gen_require(` gen_require(`
type user_home_t, user_home_dir_t; type user_home_t, user_home_dir_t;
@ -25602,7 +25609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
role $1 types { user_home_t user_home_dir_t }; role $1 types { user_home_t user_home_dir_t };
@@ -157,6 +182,7 @@ @@ -157,6 +172,7 @@
# #
type_member $2 user_home_dir_t:dir user_home_dir_t; type_member $2 user_home_dir_t:dir user_home_dir_t;
@ -25610,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# read-only home directory # read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms; allow $2 user_home_dir_t:dir list_dir_perms;
@@ -168,27 +194,6 @@ @@ -168,27 +184,6 @@
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2) files_list_home($2)
@ -25638,7 +25645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -220,9 +225,10 @@ @@ -220,9 +215,10 @@
interface(`userdom_manage_home_role',` interface(`userdom_manage_home_role',`
gen_require(` gen_require(`
type user_home_t, user_home_dir_t; type user_home_t, user_home_dir_t;
@ -25650,7 +25657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -232,17 +238,20 @@ @@ -232,17 +228,20 @@
type_member $2 user_home_dir_t:dir user_home_dir_t; type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory # full control of the home directory
@ -25681,7 +25688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2) files_list_home($2)
@@ -250,25 +259,23 @@ @@ -250,25 +249,23 @@
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
@ -25711,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -303,6 +310,7 @@ @@ -303,6 +300,7 @@
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@ -25719,7 +25726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -322,6 +330,7 @@ @@ -322,6 +320,7 @@
') ')
exec_files_pattern($1, user_tmp_t, user_tmp_t) exec_files_pattern($1, user_tmp_t, user_tmp_t)
@ -25727,7 +25734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_search_tmp($1) files_search_tmp($1)
') ')
@@ -368,46 +377,41 @@ @@ -368,46 +367,41 @@
####################################### #######################################
## <summary> ## <summary>
@ -25794,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -412,7 +416,7 @@ @@ -412,7 +406,7 @@
####################################### #######################################
## <summary> ## <summary>
@ -25803,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="userdomain_prefix"> ## <param name="userdomain_prefix">
## <summary> ## <summary>
@@ -420,35 +424,48 @@ @@ -420,35 +414,48 @@
## is the prefix for user_t). ## is the prefix for user_t).
## </summary> ## </summary>
## </param> ## </param>
@ -25841,17 +25848,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dev_read_video_dev($1) + dev_read_video_dev($1)
+ dev_write_video_dev($1) + dev_write_video_dev($1)
+ dev_rw_wireless($1) + dev_rw_wireless($1)
+
+ miscfiles_dontaudit_write_fonts($1)
+
+ optional_policy(`
+ udev_read_db($1)
+ ')
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) - xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
- xserver_xsession_entry_type($1_t) - xserver_xsession_entry_type($1_t)
- xserver_dontaudit_write_log($1_t) - xserver_dontaudit_write_log($1_t)
- xserver_stream_connect_xdm($1_t) - xserver_stream_connect_xdm($1_t)
+ miscfiles_dontaudit_write_fonts($1)
+
+ optional_policy(`
+ udev_read_db($1)
+ ')
+
+ optional_policy(` + optional_policy(`
+ xserver_user_client($1, user_tmpfs_t) + xserver_user_client($1, user_tmpfs_t)
+ xserver_xsession_entry_type($1) + xserver_xsession_entry_type($1)
@ -25871,7 +25878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -498,7 +515,7 @@ @@ -498,7 +505,7 @@
attribute unpriv_userdomain; attribute unpriv_userdomain;
') ')
@ -25880,7 +25887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -508,182 +525,208 @@ @@ -508,182 +515,208 @@
# evolution and gnome-session try to create a netlink socket # evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -26011,19 +26018,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- # Allow graphical boot to check battery lifespan - # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t) - apm_stream_connect($1_t)
+ canna_stream_connect($1_usertype) + canna_stream_connect($1_usertype)
') + ')
+
optional_policy(` + optional_policy(`
- canna_stream_connect($1_t)
+ dbus_system_bus_client($1_usertype) + dbus_system_bus_client($1_usertype)
+ +
+ allow $1_usertype $1_usertype:dbus send_msg; + allow $1_usertype $1_usertype:dbus send_msg;
+ +
+ optional_policy(` + optional_policy(`
+ avahi_dbus_chat($1_usertype) + avahi_dbus_chat($1_usertype)
+ ') ')
+
+ optional_policy(` optional_policy(`
- canna_stream_connect($1_t)
+ bluetooth_dbus_chat($1_usertype) + bluetooth_dbus_chat($1_usertype)
') ')
@ -26162,7 +26169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -711,13 +754,26 @@ @@ -711,13 +744,26 @@
userdom_base_user_template($1) userdom_base_user_template($1)
@ -26173,9 +26180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- userdom_manage_tmpfs_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype)
+
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',` + ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true) + gen_tunable(allow_$1_exec_content, true)
+ +
@ -26186,7 +26191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype) + fs_exec_nfs_files($1_usertype)
+ ') + ')
+
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype) + fs_exec_cifs_files($1_usertype)
+ ') + ')
@ -26194,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1) userdom_change_password_template($1)
@@ -735,70 +791,71 @@ @@ -735,70 +781,71 @@
allow $1_t self:context contains; allow $1_t self:context contains;
@ -26299,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -835,6 +892,32 @@ @@ -835,6 +882,32 @@
# Local policy # Local policy
# #
@ -26332,7 +26339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
loadkeys_run($1_t,$1_r) loadkeys_run($1_t,$1_r)
') ')
@@ -865,51 +948,81 @@ @@ -865,51 +938,81 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -26427,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -943,8 +1056,8 @@ @@ -943,8 +1046,8 @@
# Declarations # Declarations
# #
@ -26437,7 +26444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1) userdom_common_user_template($1)
############################## ##############################
@@ -953,11 +1066,12 @@ @@ -953,11 +1056,12 @@
# #
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
@ -26452,7 +26459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why? # cjp: why?
files_read_kernel_symbol_table($1_t) files_read_kernel_symbol_table($1_t)
@@ -975,36 +1089,53 @@ @@ -975,36 +1079,53 @@
') ')
') ')
@ -26520,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -1040,7 +1171,7 @@ @@ -1040,7 +1161,7 @@
template(`userdom_admin_user_template',` template(`userdom_admin_user_template',`
gen_require(` gen_require(`
attribute admindomain; attribute admindomain;
@ -26529,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
############################## ##############################
@@ -1049,8 +1180,7 @@ @@ -1049,8 +1170,7 @@
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
@ -26539,7 +26546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t) domain_obj_id_change_exemption($1_t)
role system_r types $1_t; role system_r types $1_t;
@@ -1075,6 +1205,9 @@ @@ -1075,6 +1195,9 @@
# Skip authentication when pam_rootok is specified. # Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok; allow $1_t self:passwd rootok;
@ -26549,7 +26556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t) kernel_getattr_message_if($1_t)
@@ -1089,6 +1222,7 @@ @@ -1089,6 +1212,7 @@
kernel_sigstop_unlabeled($1_t) kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t) kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t) kernel_sigchld_unlabeled($1_t)
@ -26557,7 +26564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels # allow setting up tunnels
@@ -1096,8 +1230,6 @@ @@ -1096,8 +1220,6 @@
dev_getattr_generic_blk_files($1_t) dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t) dev_getattr_generic_chr_files($1_t)
@ -26566,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work # Allow MAKEDEV to work
dev_create_all_blk_files($1_t) dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t) dev_create_all_chr_files($1_t)
@@ -1124,6 +1256,8 @@ @@ -1124,6 +1246,8 @@
files_exec_usr_src_files($1_t) files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t) fs_getattr_all_fs($1_t)
@ -26575,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t) fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t) fs_exec_noxattr($1_t)
@@ -1152,20 +1286,6 @@ @@ -1152,20 +1276,6 @@
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -26596,7 +26603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1211,6 +1331,7 @@ @@ -1211,6 +1321,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -26604,7 +26611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1276,11 +1397,15 @@ @@ -1276,11 +1387,15 @@
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -26620,7 +26627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1391,12 +1516,13 @@ @@ -1391,12 +1506,13 @@
') ')
allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:dir search_dir_perms;
@ -26635,7 +26642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1429,6 +1555,14 @@ @@ -1429,6 +1545,14 @@
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -26650,7 +26657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1444,9 +1578,11 @@ @@ -1444,9 +1568,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -26662,7 +26669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1503,6 +1639,25 @@ @@ -1503,6 +1629,25 @@
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -26688,7 +26695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1577,6 +1732,8 @@ @@ -1577,6 +1722,8 @@
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -26697,7 +26704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1670,6 +1827,7 @@ @@ -1670,6 +1817,7 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -26705,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1) files_search_home($1)
') ')
@@ -1797,19 +1955,32 @@ @@ -1797,19 +1945,32 @@
# #
interface(`userdom_exec_user_home_content_files',` interface(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -26745,7 +26752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1844,6 +2015,7 @@ @@ -1844,6 +2005,7 @@
interface(`userdom_manage_user_home_content_files',` interface(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
@ -26753,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
manage_files_pattern($1, user_home_t, user_home_t) manage_files_pattern($1, user_home_t, user_home_t)
@@ -2391,27 +2563,7 @@ @@ -2391,27 +2553,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -26782,7 +26789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2765,11 +2917,32 @@ @@ -2765,11 +2907,32 @@
# #
interface(`userdom_search_user_home_content',` interface(`userdom_search_user_home_content',`
gen_require(` gen_require(`
@ -26817,7 +26824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2897,7 +3070,25 @@ @@ -2897,7 +3060,25 @@
type user_tmp_t; type user_tmp_t;
') ')
@ -26844,7 +26851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2934,6 +3125,7 @@ @@ -2934,6 +3115,7 @@
') ')
read_files_pattern($1, userdomain, userdomain) read_files_pattern($1, userdomain, userdomain)
@ -26852,7 +26859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -3064,3 +3256,559 @@ @@ -3064,3 +3246,559 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')

5
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.32 Version: 3.6.32
Release: 6%{?dist} Release: 7%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -447,6 +447,9 @@ exit 0
%endif %endif
%changelog %changelog
* Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-7
- Remove allow_exec* booleans for confined users. Only available for unconfined_t
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6 * Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6
- More fixes for sandbox_web_t - More fixes for sandbox_web_t