- Remove allow_exec* booleans for confined users. Only available for
unconfined_t
This commit is contained in:
Daniel J Walsh
parent
8323d545c4
commit
41f8e385a1
193
policy-F12.patch
193
policy-F12.patch
@ -7579,8 +7579,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-18 09:45:33.000000000 -0400
|
||||
@@ -0,0 +1,392 @@
|
||||
+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-09-20 08:49:01.000000000 -0400
|
||||
@@ -0,0 +1,402 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -7686,6 +7686,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+usermanage_run_passwd(unconfined_t, unconfined_r)
|
||||
+usermanage_run_chfn(unconfined_t, unconfined_r)
|
||||
+
|
||||
+tunable_policy(`allow_execmem',`
|
||||
+ allow unconfined_t self:process execmem;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`allow_execmem && allow_execstack',`
|
||||
+ allow unconfined_t self:process execstack;
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`unconfined_login',`
|
||||
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
|
||||
+ allow unconfined_t unconfined_login_domain:fd use;
|
||||
@ -7973,6 +7981,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+#
|
||||
+
|
||||
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
+
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.32/policy/modules/roles/unprivuser.te
|
||||
--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/roles/unprivuser.te 2009-09-16 10:03:09.000000000 -0400
|
||||
@ -17882,7 +17892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-18 21:47:14.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2009-09-19 07:07:53.000000000 -0400
|
||||
@@ -41,6 +41,9 @@
|
||||
files_tmp_file(sshd_tmp_t)
|
||||
files_poly_parent(sshd_tmp_t)
|
||||
@ -17920,7 +17930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Allow the ssh program to communicate with ssh-agent.
|
||||
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
|
||||
@@ -126,11 +129,12 @@
|
||||
@@ -126,11 +129,13 @@
|
||||
read_lnk_files_pattern(ssh_t, home_ssh_t, home_ssh_t)
|
||||
|
||||
# ssh servers can read the user keys and config
|
||||
@ -17930,13 +17940,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+manage_dirs_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
+manage_files_pattern(ssh_server, home_ssh_t, home_ssh_t)
|
||||
+userdom_user_home_dir_filetrans(ssh_server, home_ssh_t, dir)
|
||||
+userdom_admin_home_dir_filetrans(ssh_server, home_ssh_t, dir)
|
||||
|
||||
kernel_read_kernel_sysctls(ssh_t)
|
||||
+kernel_read_system_state(ssh_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(ssh_t)
|
||||
corenet_all_recvfrom_netlabel(ssh_t)
|
||||
@@ -139,6 +143,8 @@
|
||||
@@ -139,6 +144,8 @@
|
||||
corenet_tcp_sendrecv_all_ports(ssh_t)
|
||||
corenet_tcp_connect_ssh_port(ssh_t)
|
||||
corenet_sendrecv_ssh_client_packets(ssh_t)
|
||||
@ -17945,7 +17956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
dev_read_urand(ssh_t)
|
||||
|
||||
@@ -160,19 +166,19 @@
|
||||
@@ -160,19 +167,19 @@
|
||||
logging_send_syslog_msg(ssh_t)
|
||||
logging_read_generic_logs(ssh_t)
|
||||
|
||||
@ -17968,7 +17979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`allow_ssh_keysign',`
|
||||
domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
|
||||
@@ -194,23 +200,13 @@
|
||||
@@ -194,23 +201,13 @@
|
||||
# for port forwarding
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_ssh_port(ssh_t)
|
||||
@ -17994,7 +18005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -301,6 +297,7 @@
|
||||
@@ -301,6 +298,7 @@
|
||||
|
||||
kernel_search_key(sshd_t)
|
||||
kernel_link_key(sshd_t)
|
||||
@ -18002,7 +18013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
term_use_all_user_ptys(sshd_t)
|
||||
term_setattr_all_user_ptys(sshd_t)
|
||||
@@ -310,16 +307,34 @@
|
||||
@@ -310,16 +308,34 @@
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
@ -18039,7 +18050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -331,6 +346,10 @@
|
||||
@@ -331,6 +347,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18050,7 +18061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
rpm_use_script_fds(sshd_t)
|
||||
')
|
||||
|
||||
@@ -341,7 +360,11 @@
|
||||
@@ -341,7 +361,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -18063,7 +18074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
unconfined_shell_domtrans(sshd_t)
|
||||
')
|
||||
|
||||
@@ -400,15 +423,13 @@
|
||||
@@ -400,15 +424,13 @@
|
||||
init_use_fds(ssh_keygen_t)
|
||||
init_use_script_ptys(ssh_keygen_t)
|
||||
|
||||
@ -25429,7 +25440,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-18 21:52:11.000000000 -0400
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-20 08:32:58.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -25441,7 +25452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
domain_type($1_t)
|
||||
corecmd_shell_entry_type($1_t)
|
||||
corecmd_bin_entry_type($1_t)
|
||||
@@ -41,71 +42,88 @@
|
||||
@@ -41,80 +42,93 @@
|
||||
allow system_r $1_r;
|
||||
|
||||
term_user_pty($1_t, user_devpts_t)
|
||||
@ -25554,47 +25565,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- files_dontaudit_getattr_non_security_symlinks($1_t)
|
||||
- files_dontaudit_getattr_non_security_pipes($1_t)
|
||||
- files_dontaudit_getattr_non_security_sockets($1_t)
|
||||
-
|
||||
- libs_exec_ld_so($1_t)
|
||||
-
|
||||
- miscfiles_read_localization($1_t)
|
||||
- miscfiles_read_certs($1_t)
|
||||
-
|
||||
- sysnet_read_config($1_t)
|
||||
+ files_dontaudit_getattr_all_dirs($1_usertype)
|
||||
+ files_dontaudit_list_non_security($1_usertype)
|
||||
+ files_dontaudit_getattr_all_files($1_usertype)
|
||||
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
|
||||
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
|
||||
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
|
||||
+
|
||||
|
||||
- libs_exec_ld_so($1_t)
|
||||
+ storage_rw_fuse($1_usertype)
|
||||
+
|
||||
|
||||
- miscfiles_read_localization($1_t)
|
||||
- miscfiles_read_certs($1_t)
|
||||
+ auth_use_nsswitch($1_usertype)
|
||||
+
|
||||
|
||||
- sysnet_read_config($1_t)
|
||||
+ libs_exec_ld_so($1_usertype)
|
||||
+
|
||||
|
||||
- tunable_policy(`allow_execmem',`
|
||||
- # Allow loading DSOs that require executable stack.
|
||||
- allow $1_t self:process execmem;
|
||||
- ')
|
||||
+ miscfiles_read_certs($1_usertype)
|
||||
+ miscfiles_read_localization($1_usertype)
|
||||
+ miscfiles_read_man_pages($1_usertype)
|
||||
+ miscfiles_read_public_files($1_usertype)
|
||||
|
||||
tunable_policy(`allow_execmem',`
|
||||
# Allow loading DSOs that require executable stack.
|
||||
@@ -116,6 +134,12 @@
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1_t self:process execstack;
|
||||
')
|
||||
+
|
||||
- tunable_policy(`allow_execmem && allow_execstack',`
|
||||
- # Allow making the stack executable via mprotect.
|
||||
- allow $1_t self:process execstack;
|
||||
+ optional_policy(`
|
||||
+ ssh_rw_stream_sockets($1_usertype)
|
||||
+ ssh_delete_tmp($1_t)
|
||||
+ ssh_signal($1_t)
|
||||
+ ')
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -147,6 +171,7 @@
|
||||
@@ -147,6 +161,7 @@
|
||||
interface(`userdom_ro_home_role',`
|
||||
gen_require(`
|
||||
type user_home_t, user_home_dir_t;
|
||||
@ -25602,7 +25609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
role $1 types { user_home_t user_home_dir_t };
|
||||
@@ -157,6 +182,7 @@
|
||||
@@ -157,6 +172,7 @@
|
||||
#
|
||||
|
||||
type_member $2 user_home_dir_t:dir user_home_dir_t;
|
||||
@ -25610,7 +25617,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# read-only home directory
|
||||
allow $2 user_home_dir_t:dir list_dir_perms;
|
||||
@@ -168,27 +194,6 @@
|
||||
@@ -168,27 +184,6 @@
|
||||
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
|
||||
files_list_home($2)
|
||||
|
||||
@ -25638,7 +25645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -220,9 +225,10 @@
|
||||
@@ -220,9 +215,10 @@
|
||||
interface(`userdom_manage_home_role',`
|
||||
gen_require(`
|
||||
type user_home_t, user_home_dir_t;
|
||||
@ -25650,7 +25657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -232,17 +238,20 @@
|
||||
@@ -232,17 +228,20 @@
|
||||
type_member $2 user_home_dir_t:dir user_home_dir_t;
|
||||
|
||||
# full control of the home directory
|
||||
@ -25681,7 +25688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
|
||||
files_list_home($2)
|
||||
|
||||
@@ -250,25 +259,23 @@
|
||||
@@ -250,25 +249,23 @@
|
||||
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
@ -25711,7 +25718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -303,6 +310,7 @@
|
||||
@@ -303,6 +300,7 @@
|
||||
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
|
||||
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
|
||||
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
|
||||
@ -25719,7 +25726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -322,6 +330,7 @@
|
||||
@@ -322,6 +320,7 @@
|
||||
')
|
||||
|
||||
exec_files_pattern($1, user_tmp_t, user_tmp_t)
|
||||
@ -25727,7 +25734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_search_tmp($1)
|
||||
')
|
||||
|
||||
@@ -368,46 +377,41 @@
|
||||
@@ -368,46 +367,41 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -25794,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -412,7 +416,7 @@
|
||||
@@ -412,7 +406,7 @@
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -25803,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
@@ -420,35 +424,48 @@
|
||||
@@ -420,35 +414,48 @@
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
@ -25841,17 +25848,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ dev_read_video_dev($1)
|
||||
+ dev_write_video_dev($1)
|
||||
+ dev_rw_wireless($1)
|
||||
+
|
||||
+ miscfiles_dontaudit_write_fonts($1)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ udev_read_db($1)
|
||||
+ ')
|
||||
|
||||
- xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
|
||||
- xserver_xsession_entry_type($1_t)
|
||||
- xserver_dontaudit_write_log($1_t)
|
||||
- xserver_stream_connect_xdm($1_t)
|
||||
+ miscfiles_dontaudit_write_fonts($1)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ udev_read_db($1)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ xserver_user_client($1, user_tmpfs_t)
|
||||
+ xserver_xsession_entry_type($1)
|
||||
@ -25871,7 +25878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -498,7 +515,7 @@
|
||||
@@ -498,7 +505,7 @@
|
||||
attribute unpriv_userdomain;
|
||||
')
|
||||
|
||||
@ -25880,7 +25887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -508,182 +525,208 @@
|
||||
@@ -508,182 +515,208 @@
|
||||
# evolution and gnome-session try to create a netlink socket
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||
@ -26011,19 +26018,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- # Allow graphical boot to check battery lifespan
|
||||
- apm_stream_connect($1_t)
|
||||
+ canna_stream_connect($1_usertype)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- canna_stream_connect($1_t)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ dbus_system_bus_client($1_usertype)
|
||||
+
|
||||
+ allow $1_usertype $1_usertype:dbus send_msg;
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ avahi_dbus_chat($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- canna_stream_connect($1_t)
|
||||
+ bluetooth_dbus_chat($1_usertype)
|
||||
')
|
||||
|
||||
@ -26162,7 +26169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -711,13 +754,26 @@
|
||||
@@ -711,13 +744,26 @@
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
@ -26173,9 +26180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
- userdom_manage_tmpfs_role($1_r, $1_t)
|
||||
+ userdom_manage_tmp_role($1_r, $1_usertype)
|
||||
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
|
||||
|
||||
- userdom_exec_user_tmp_files($1_t)
|
||||
- userdom_exec_user_home_content_files($1_t)
|
||||
+
|
||||
+ ifelse(`$1',`unconfined',`',`
|
||||
+ gen_tunable(allow_$1_exec_content, true)
|
||||
+
|
||||
@ -26186,7 +26191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
|
||||
+ fs_exec_nfs_files($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
|
||||
- userdom_exec_user_tmp_files($1_t)
|
||||
- userdom_exec_user_home_content_files($1_t)
|
||||
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
|
||||
+ fs_exec_cifs_files($1_usertype)
|
||||
+ ')
|
||||
@ -26194,7 +26201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_change_password_template($1)
|
||||
|
||||
@@ -735,70 +791,71 @@
|
||||
@@ -735,70 +781,71 @@
|
||||
|
||||
allow $1_t self:context contains;
|
||||
|
||||
@ -26299,7 +26306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -835,6 +892,32 @@
|
||||
@@ -835,6 +882,32 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -26332,7 +26339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r)
|
||||
')
|
||||
@@ -865,51 +948,81 @@
|
||||
@@ -865,51 +938,81 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
@ -26427,7 +26434,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -943,8 +1056,8 @@
|
||||
@@ -943,8 +1046,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -26437,7 +26444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -953,11 +1066,12 @@
|
||||
@@ -953,11 +1056,12 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -26452,7 +26459,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -975,36 +1089,53 @@
|
||||
@@ -975,36 +1079,53 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -26520,7 +26527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1040,7 +1171,7 @@
|
||||
@@ -1040,7 +1161,7 @@
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
attribute admindomain;
|
||||
@ -26529,7 +26536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1049,8 +1180,7 @@
|
||||
@@ -1049,8 +1170,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -26539,7 +26546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1075,6 +1205,9 @@
|
||||
@@ -1075,6 +1195,9 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
@ -26549,7 +26556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1089,6 +1222,7 @@
|
||||
@@ -1089,6 +1212,7 @@
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -26557,7 +26564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1096,8 +1230,6 @@
|
||||
@@ -1096,8 +1220,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -26566,7 +26573,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1124,6 +1256,8 @@
|
||||
@@ -1124,6 +1246,8 @@
|
||||
files_exec_usr_src_files($1_t)
|
||||
|
||||
fs_getattr_all_fs($1_t)
|
||||
@ -26575,7 +26582,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_set_all_quotas($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
@@ -1152,20 +1286,6 @@
|
||||
@@ -1152,20 +1276,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -26596,7 +26603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1211,6 +1331,7 @@
|
||||
@@ -1211,6 +1321,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -26604,7 +26611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1276,11 +1397,15 @@
|
||||
@@ -1276,11 +1387,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
@ -26620,7 +26627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1391,12 +1516,13 @@
|
||||
@@ -1391,12 +1506,13 @@
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
@ -26635,7 +26642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1429,6 +1555,14 @@
|
||||
@@ -1429,6 +1545,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -26650,7 +26657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1444,9 +1578,11 @@
|
||||
@@ -1444,9 +1568,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -26662,7 +26669,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1503,6 +1639,25 @@
|
||||
@@ -1503,6 +1629,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
@ -26688,7 +26695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1577,6 +1732,8 @@
|
||||
@@ -1577,6 +1722,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
@ -26697,7 +26704,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1670,6 +1827,7 @@
|
||||
@@ -1670,6 +1817,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -26705,7 +26712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1797,19 +1955,32 @@
|
||||
@@ -1797,19 +1945,32 @@
|
||||
#
|
||||
interface(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -26745,7 +26752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1844,6 +2015,7 @@
|
||||
@@ -1844,6 +2005,7 @@
|
||||
interface(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
@ -26753,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
manage_files_pattern($1, user_home_t, user_home_t)
|
||||
@@ -2391,27 +2563,7 @@
|
||||
@@ -2391,27 +2553,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26782,7 +26789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2765,11 +2917,32 @@
|
||||
@@ -2765,11 +2907,32 @@
|
||||
#
|
||||
interface(`userdom_search_user_home_content',`
|
||||
gen_require(`
|
||||
@ -26817,7 +26824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2897,7 +3070,25 @@
|
||||
@@ -2897,7 +3060,25 @@
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -26844,7 +26851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2934,6 +3125,7 @@
|
||||
@@ -2934,6 +3115,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1, userdomain, userdomain)
|
||||
@ -26852,7 +26859,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -3064,3 +3256,559 @@
|
||||
@@ -3064,3 +3246,559 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.32
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -447,6 +447,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-7
|
||||
- Remove allow_exec* booleans for confined users. Only available for unconfined_t
|
||||
|
||||
* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-6
|
||||
- More fixes for sandbox_web_t
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user