- Fixes for polkit
- Allow xserver to ptrace
This commit is contained in:
parent
7dfe3eb3ef
commit
4c6f2dd6a3
@ -6145,7 +6145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
|
||||
-')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.3/policy/modules/services/dbus.if
|
||||
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-06 16:37:24.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/dbus.if 2007-12-11 17:07:29.000000000 -0500
|
||||
@@ -91,7 +91,7 @@
|
||||
# SE-DBus specific permissions
|
||||
allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
|
||||
@ -6165,7 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
allow $1_dbusd_t $2:process sigkill;
|
||||
allow $2 $1_dbusd_t:fd use;
|
||||
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
||||
@@ -214,7 +213,7 @@
|
||||
@@ -161,7 +160,8 @@
|
||||
seutil_read_config($1_dbusd_t)
|
||||
seutil_read_default_contexts($1_dbusd_t)
|
||||
|
||||
- userdom_read_user_home_content_files($1, $1_dbusd_t)
|
||||
+ userdom_read_unpriv_users_home_content_files($1_dbusd_t)
|
||||
+ userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
|
||||
@@ -214,7 +214,7 @@
|
||||
|
||||
# SE-DBus specific permissions
|
||||
# allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
|
||||
@ -6174,7 +6184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
|
||||
|
||||
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
||||
files_search_var_lib($2)
|
||||
@@ -366,3 +365,35 @@
|
||||
@@ -366,3 +366,35 @@
|
||||
|
||||
allow $1 system_dbusd_t:dbus *;
|
||||
')
|
||||
@ -6868,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.3/policy/modules/services/hal.te
|
||||
--- nsaserefpolicy/policy/modules/services/hal.te 2007-11-14 08:17:58.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-11 00:56:25.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/hal.te 2007-12-11 16:49:43.000000000 -0500
|
||||
@@ -49,6 +49,9 @@
|
||||
type hald_var_lib_t;
|
||||
files_type(hald_var_lib_t)
|
||||
@ -6905,18 +6915,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
storage_raw_read_removable_device(hald_t)
|
||||
storage_raw_write_removable_device(hald_t)
|
||||
storage_raw_read_fixed_disk(hald_t)
|
||||
@@ -265,6 +271,10 @@
|
||||
@@ -265,6 +271,11 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ polkit_domtrans_auth(hald_t)
|
||||
+ polkit_read_lib(hald_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
rpc_search_nfs_state_data(hald_t)
|
||||
')
|
||||
|
||||
@@ -291,6 +301,7 @@
|
||||
@@ -291,6 +302,7 @@
|
||||
#
|
||||
|
||||
allow hald_acl_t self:capability { dac_override fowner };
|
||||
@ -6924,19 +6935,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
allow hald_acl_t self:fifo_file read_fifo_file_perms;
|
||||
|
||||
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
|
||||
@@ -325,6 +336,11 @@
|
||||
@@ -325,6 +337,11 @@
|
||||
|
||||
miscfiles_read_localization(hald_acl_t)
|
||||
|
||||
+optional_policy(`
|
||||
+ polkit_domtrans_auth(hald_acl_t)
|
||||
+ polkit_search_lib(hald_acl_t)
|
||||
+ polkit_read_lib(hald_acl_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Local hald mac policy
|
||||
@@ -338,10 +354,14 @@
|
||||
@@ -338,10 +355,14 @@
|
||||
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
|
||||
files_search_var_lib(hald_mac_t)
|
||||
|
||||
@ -6951,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
|
||||
libs_use_ld_so(hald_mac_t)
|
||||
libs_use_shared_libs(hald_mac_t)
|
||||
|
||||
@@ -391,3 +411,4 @@
|
||||
@@ -391,3 +412,4 @@
|
||||
libs_use_shared_libs(hald_keymap_t)
|
||||
|
||||
miscfiles_read_localization(hald_keymap_t)
|
||||
@ -8351,8 +8362,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
||||
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.3/policy/modules/services/polkit.if
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/polkit.if 2007-12-11 00:56:05.000000000 -0500
|
||||
@@ -0,0 +1,41 @@
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/polkit.if 2007-12-11 16:49:17.000000000 -0500
|
||||
@@ -0,0 +1,60 @@
|
||||
+
|
||||
+## <summary>policy for polkit_auth</summary>
|
||||
+
|
||||
@ -8394,6 +8405,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
|
||||
+ files_search_var_lib($1)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## read polkit lib files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`polkit_read_lib',`
|
||||
+ gen_require(`
|
||||
+ type polkit_var_lib_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_var_lib($1)
|
||||
+ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t)
|
||||
+')
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.3/policy/modules/services/polkit.te
|
||||
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/polkit.te 2007-12-11 00:18:16.000000000 -0500
|
||||
@ -10792,7 +10822,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.3/policy/modules/services/xserver.if
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-06 16:37:24.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/services/xserver.if 2007-12-11 17:02:56.000000000 -0500
|
||||
@@ -45,7 +45,7 @@
|
||||
# execheap needed until the X module loader is fixed.
|
||||
# NVIDIA Needs execstack
|
||||
|
||||
- allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
|
||||
+ allow $1_xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_ptrace sys_tty_config mknod net_bind_service };
|
||||
dontaudit $1_xserver_t self:capability chown;
|
||||
allow $1_xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_xserver_t self:memprotect mmap_zero;
|
||||
@@ -115,8 +115,7 @@
|
||||
dev_rw_agp($1_xserver_t)
|
||||
dev_rw_framebuffer($1_xserver_t)
|
||||
@ -10803,7 +10842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
dev_read_raw_memory($1_xserver_t)
|
||||
dev_wx_raw_memory($1_xserver_t)
|
||||
@@ -125,8 +124,12 @@
|
||||
@@ -125,8 +124,13 @@
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev($1_xserver_t)
|
||||
dev_rwx_zero($1_xserver_t)
|
||||
@ -10813,10 +10852,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
domain_mmap_low($1_xserver_t)
|
||||
+ domain_read_all_domains_state($1_xserver_t)
|
||||
+ domain_dontaudit_ptrace_all_domains($1_xserver_t)
|
||||
|
||||
files_read_etc_files($1_xserver_t)
|
||||
files_read_etc_runtime_files($1_xserver_t)
|
||||
@@ -140,12 +143,16 @@
|
||||
@@ -140,12 +144,16 @@
|
||||
fs_getattr_xattr_fs($1_xserver_t)
|
||||
fs_search_nfs($1_xserver_t)
|
||||
fs_search_auto_mountpoints($1_xserver_t)
|
||||
@ -10834,7 +10874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
term_setattr_unallocated_ttys($1_xserver_t)
|
||||
term_use_unallocated_ttys($1_xserver_t)
|
||||
|
||||
@@ -232,39 +239,26 @@
|
||||
@@ -232,39 +240,26 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -10881,7 +10921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
##############################
|
||||
#
|
||||
# $1_xserver_t Local policy
|
||||
@@ -272,12 +266,15 @@
|
||||
@@ -272,12 +267,15 @@
|
||||
|
||||
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
@ -10898,7 +10938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
|
||||
@@ -307,6 +304,7 @@
|
||||
@@ -307,6 +305,7 @@
|
||||
userdom_use_user_ttys($1,$1_xserver_t)
|
||||
userdom_setattr_user_ttys($1,$1_xserver_t)
|
||||
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
|
||||
@ -10906,7 +10946,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
xserver_use_user_fonts($1,$1_xserver_t)
|
||||
xserver_rw_xdm_tmp_files($1_xauth_t)
|
||||
@@ -330,12 +328,12 @@
|
||||
@@ -330,12 +329,12 @@
|
||||
allow $1_xauth_t self:process signal;
|
||||
allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
@ -10924,7 +10964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
|
||||
|
||||
@@ -344,12 +342,6 @@
|
||||
@@ -344,12 +343,6 @@
|
||||
# allow ps to show xauth
|
||||
ps_process_pattern($2,$1_xauth_t)
|
||||
|
||||
@ -10937,7 +10977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
domain_use_interactive_fds($1_xauth_t)
|
||||
|
||||
files_read_etc_files($1_xauth_t)
|
||||
@@ -378,6 +370,14 @@
|
||||
@@ -378,6 +371,14 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10952,7 +10992,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
ssh_sigchld($1_xauth_t)
|
||||
ssh_read_pipes($1_xauth_t)
|
||||
ssh_dontaudit_rw_tcp_sockets($1_xauth_t)
|
||||
@@ -390,16 +390,16 @@
|
||||
@@ -390,16 +391,16 @@
|
||||
|
||||
domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
|
||||
|
||||
@ -10974,7 +11014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
fs_search_auto_mountpoints($1_iceauth_t)
|
||||
|
||||
@@ -523,17 +523,16 @@
|
||||
@@ -523,17 +524,16 @@
|
||||
template(`xserver_user_client_template',`
|
||||
|
||||
gen_require(`
|
||||
@ -10999,7 +11039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
|
||||
# for when /tmp/.X11-unix is created by the system
|
||||
allow $2 xdm_t:fd use;
|
||||
@@ -542,25 +541,55 @@
|
||||
@@ -542,25 +542,55 @@
|
||||
allow $2 xdm_tmp_t:sock_file { read write };
|
||||
dontaudit $2 xdm_t:tcp_socket { read write };
|
||||
|
||||
@ -11063,7 +11103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
')
|
||||
|
||||
@@ -613,6 +642,24 @@
|
||||
@@ -613,6 +643,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11088,7 +11128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -646,6 +693,73 @@
|
||||
@@ -646,6 +694,73 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11162,7 +11202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Transition to a user Xauthority domain.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -671,10 +785,10 @@
|
||||
@@ -671,10 +786,10 @@
|
||||
#
|
||||
template(`xserver_user_home_dir_filetrans_user_xauth',`
|
||||
gen_require(`
|
||||
@ -11175,7 +11215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -760,7 +874,7 @@
|
||||
@@ -760,7 +875,7 @@
|
||||
type xconsole_device_t;
|
||||
')
|
||||
|
||||
@ -11184,7 +11224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -860,6 +974,25 @@
|
||||
@@ -860,6 +975,25 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11210,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Read xdm-writable configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -914,6 +1047,7 @@
|
||||
@@ -914,6 +1048,7 @@
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_tmp_t:dir list_dir_perms;
|
||||
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
|
||||
@ -11218,7 +11258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -974,6 +1108,37 @@
|
||||
@@ -974,6 +1109,37 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -11256,7 +11296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
## Make an X session script an entrypoint for the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1123,7 +1288,7 @@
|
||||
@@ -1123,7 +1289,7 @@
|
||||
type xdm_xserver_tmp_t;
|
||||
')
|
||||
|
||||
@ -11265,7 +11305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1312,3 +1477,45 @@
|
||||
@@ -1312,3 +1478,45 @@
|
||||
files_search_tmp($1)
|
||||
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
|
||||
')
|
||||
@ -14503,7 +14543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.2.3/policy/modules/system/userdomain.fc
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-02-19 11:32:53.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-06 16:37:24.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.fc 2007-12-11 16:44:50.000000000 -0500
|
||||
@@ -1,4 +1,5 @@
|
||||
-HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||
-HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
||||
@ -14513,10 +14553,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
|
||||
+HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
|
||||
+/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
|
||||
+/root(/.*) gen_context(system_u:object_r:admin_home_t,s0)
|
||||
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.3/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-10 23:50:13.000000000 -0500
|
||||
+++ serefpolicy-3.2.3/policy/modules/system/userdomain.if 2007-12-11 17:06:47.000000000 -0500
|
||||
@@ -29,8 +29,9 @@
|
||||
')
|
||||
|
||||
@ -16020,7 +16060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4283,11 +4334,11 @@
|
||||
@@ -4283,16 +4334,16 @@
|
||||
#
|
||||
interface(`userdom_relabelto_staff_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16034,20 +16074,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4303,10 +4354,10 @@
|
||||
## <summary>
|
||||
-## Do not audit attempts to append to the staff
|
||||
+## Do not audit attempts to append to the
|
||||
## users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -4301,12 +4352,27 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_append_staff_home_content_files',`
|
||||
-interface(`userdom_dontaudit_append_staff_home_content_files',`
|
||||
+interface(`userdom_dontaudit_append_unpriv_home_content_files',`
|
||||
gen_require(`
|
||||
- type staff_home_t;
|
||||
+ type user_home_t;
|
||||
')
|
||||
|
||||
- dontaudit $1 staff_home_t:file append;
|
||||
+ dontaudit $1 user_home_t:file append;
|
||||
+ dontaudit $1 user_home_t:file append_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to append to the staff
|
||||
+## users home directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_dontaudit_append_staff_home_content_files',`
|
||||
+ userdom_dontaudit_append_unpriv_home_content_files($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4321,13 +4372,13 @@
|
||||
@@ -4321,13 +4387,13 @@
|
||||
#
|
||||
interface(`userdom_read_staff_home_content_files',`
|
||||
gen_require(`
|
||||
@ -16065,7 +16129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4525,10 +4576,10 @@
|
||||
@@ -4525,10 +4591,10 @@
|
||||
#
|
||||
interface(`userdom_getattr_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16078,7 +16142,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4545,10 +4596,10 @@
|
||||
@@ -4545,10 +4611,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16091,7 +16155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4563,10 +4614,10 @@
|
||||
@@ -4563,10 +4629,10 @@
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16104,7 +16168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4582,10 +4633,10 @@
|
||||
@@ -4582,10 +4648,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16117,7 +16181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4600,10 +4651,10 @@
|
||||
@@ -4600,10 +4666,10 @@
|
||||
#
|
||||
interface(`userdom_list_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16130,7 +16194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4619,10 +4670,10 @@
|
||||
@@ -4619,10 +4685,10 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16143,7 +16207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4638,12 +4689,11 @@
|
||||
@@ -4638,12 +4704,11 @@
|
||||
#
|
||||
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
|
||||
gen_require(`
|
||||
@ -16159,7 +16223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4670,10 +4720,10 @@
|
||||
@@ -4670,10 +4735,10 @@
|
||||
#
|
||||
interface(`userdom_sysadm_home_dir_filetrans',`
|
||||
gen_require(`
|
||||
@ -16172,7 +16236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4688,10 +4738,10 @@
|
||||
@@ -4688,10 +4753,10 @@
|
||||
#
|
||||
interface(`userdom_search_sysadm_home_content_dirs',`
|
||||
gen_require(`
|
||||
@ -16185,7 +16249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4706,13 +4756,13 @@
|
||||
@@ -4706,13 +4771,13 @@
|
||||
#
|
||||
interface(`userdom_read_sysadm_home_content_files',`
|
||||
gen_require(`
|
||||
@ -16203,41 +16267,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4748,11 +4798,29 @@
|
||||
@@ -4748,16 +4813,15 @@
|
||||
#
|
||||
interface(`userdom_search_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
- attribute home_dir_type;
|
||||
+ attribute user_home_dir_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_home($1)
|
||||
+ allow $1 user_home_dir_type:dir search_dir_perms;
|
||||
+')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read all users home directories symlinks.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_read_all_users_home_dirs_symlinks',`
|
||||
+ gen_require(`
|
||||
attribute home_dir_type;
|
||||
')
|
||||
|
||||
files_list_home($1)
|
||||
- allow $1 home_dir_type:dir search_dir_perms;
|
||||
+ allow $1 user_home_dir_type:dir search_dir_perms;
|
||||
')
|
||||
-
|
||||
########################################
|
||||
## <summary>
|
||||
-## List all users home directories.
|
||||
+## Read all users home directories symlinks.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -4765,18 +4829,18 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_list_all_users_home_dirs',`
|
||||
+interface(`userdom_read_all_users_home_dirs_symlinks',`
|
||||
gen_require(`
|
||||
attribute home_dir_type;
|
||||
')
|
||||
|
||||
files_list_home($1)
|
||||
- allow $1 home_dir_type:dir list_dir_perms;
|
||||
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -4772,6 +4840,14 @@
|
||||
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir list_dir_perms;
|
||||
## <summary>
|
||||
-## Search all users home directories.
|
||||
+## List all users home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -4784,9 +4848,36 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_search_all_users_home_content',`
|
||||
+interface(`userdom_list_all_users_home_dirs',`
|
||||
gen_require(`
|
||||
- attribute home_dir_type, home_type;
|
||||
+ attribute home_dir_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_home($1)
|
||||
+ allow $1 home_dir_type:dir list_dir_perms;
|
||||
+
|
||||
+ tunable_policy(`use_nfs_home_dirs',`
|
||||
+ fs_list_nfs(crond_t)
|
||||
@ -16246,10 +16330,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+ tunable_policy(`use_samba_home_dirs',`
|
||||
+ fs_list_cifs(crond_t)
|
||||
+ ')
|
||||
')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Search all users home directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_search_all_users_home_content',`
|
||||
+ gen_require(`
|
||||
+ attribute home_dir_type, home_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5109,7 +5185,7 @@
|
||||
files_list_home($1)
|
||||
@@ -5109,7 +5200,7 @@
|
||||
#
|
||||
interface(`userdom_relabelto_generic_user_home_dirs',`
|
||||
gen_require(`
|
||||
@ -16258,29 +16357,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
@@ -5298,8 +5374,8 @@
|
||||
@@ -5298,6 +5389,49 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete directories in
|
||||
-## unprivileged users home directories.
|
||||
+## append all unprivileged users home directory
|
||||
+## files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -5307,13 +5383,56 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-interface(`userdom_manage_unpriv_users_home_content_dirs',`
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_append_unpriv_users_home_content_files',`
|
||||
gen_require(`
|
||||
attribute user_home_dir_type, user_home_type;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
|
||||
+ gen_require(`
|
||||
+ attribute user_home_dir_type, user_home_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($1)
|
||||
+ allow $1 user_home_type:dir list_dir_perms;
|
||||
+ append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
|
||||
+')
|
||||
@ -16309,26 +16404,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Create, read, write, and delete directories in
|
||||
+## unprivileged users home directories.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_manage_unpriv_users_home_content_dirs',`
|
||||
+ gen_require(`
|
||||
+ attribute user_home_dir_type, user_home_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($1)
|
||||
+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5503,6 +5622,24 @@
|
||||
## Create, read, write, and delete directories in
|
||||
## unprivileged users home directories.
|
||||
## </summary>
|
||||
@@ -5503,6 +5637,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16353,7 +16432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Read and write unprivileged user ttys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5668,6 +5805,24 @@
|
||||
@@ -5668,6 +5820,24 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -16378,7 +16457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
## Send a dbus message to all user domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -5698,3 +5853,277 @@
|
||||
@@ -5698,3 +5868,277 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.2.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -379,6 +379,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-2
|
||||
- Fixes for polkit
|
||||
- Allow xserver to ptrace
|
||||
|
||||
* Tue Dec 11 2007 Dan Walsh <dwalsh@redhat.com> 3.2.3-1
|
||||
- Add polkit policy
|
||||
- Symplify userdom context, remove automatic per_role changes
|
||||
|
Loading…
Reference in New Issue
Block a user