- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.

.gitignore

@@ -226,4 +226,4 @@ serefpolicy*
 /serefpolicy-3.9.3.tgz
 /serefpolicy-3.9.4.tgz
 /serefpolicy-3.9.5.tgz
-/serefpolicy-3.9.7.tgz
+/serefpolicy-3.9.6.tgz

modules-targeted.conf

@@ -23,7 +23,7 @@ accountsd = module
 #
 # Berkeley process accounting
 # 
-acct = base
+acct = module
 
 # Layer: services
 # Module: ajaxterm
@@ -67,7 +67,7 @@ cpufreqselector = module
 # 
 chrome = module
 
-# Layer: modules
+# Layer: module
 # Module: awstats
 #
 # awstats executable
@@ -717,7 +717,7 @@ howl = module
 #
 # Internet services daemon.
 # 
-inetd = base
+inetd = module
 
 # Layer: system
 # Module: init
@@ -759,7 +759,7 @@ irc = module
 #
 # IRQ balancing daemon
 # 
-irqbalance = base
+irqbalance = module
 
 # Layer: system
 # Module: iscsi
@@ -1893,7 +1893,7 @@ uucp = module
 #
 # run real-mode video BIOS code to alter hardware state
 # 
-vbetool = base
+vbetool = module
 
 # Layer: apps
 # Module: webalizer
@@ -1914,7 +1914,7 @@ xfs = module
 #
 # X windows login display manager
 # 
-xserver = base
+xserver = module
 
 # Layer: services
 # Module: zarafa
@@ -1942,7 +1942,7 @@ usermanage = base
 #
 # Red Hat utility to change /etc/fstab.
 # 
-updfstab = base
+updfstab = module
 
 # Layer: admin
 # Module: vpn
@@ -1956,7 +1956,7 @@ vpn = module
 #
 # run real-mode video BIOS code to alter hardware state
 # 
-vbetool = base
+vbetool = module
 
 # Layer: kernel
 # Module: terminal

policy-F14.patch

@@ -5812,10 +5812,10 @@ index 0000000..587c440
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..89fcce3
+index 0000000..39f006a
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,408 @@
+@@ -0,0 +1,420 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -6052,6 +6052,18 @@ index 0000000..89fcce3
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
 +userdom_search_user_home_content(sandbox_x_domain)
 +
++tunable_policy(`use_nfs_home_dirs',`
++	fs_search_nfs(sandbox_x_domain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_search_cifs(sandbox_x_domain)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++	fs_search_fusefs(sandbox_x_domain)
++')
++
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
@@ -6380,10 +6392,10 @@ index 0000000..7866118
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
 new file mode 100644
-index 0000000..3d12484
+index 0000000..46368cc
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,168 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@@ -6497,26 +6509,6 @@ index 0000000..3d12484
 +
 +########################################
 +## <summary>
-+##	Read and write Telepathy Butterfly
-+##	temporary files.
-+## </summary>
-+## <param name="domain">
-+## 	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`telepathy_butterfly_rw_tmp_files', `
-+	gen_require(`
-+		type telepathy_butterfly_tmp_t;
-+	')
-+
-+	allow $1 telepathy_butterfly_tmp_t:file rw_file_perms;
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
 +##	Stream connect to Telepathy Gabble
 +## </summary>
 +## <param name="domain">
@@ -7691,7 +7683,7 @@ index 3b2da10..7c29e17 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 99482ca..8d34173 100644
+index 99482ca..c381190 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
@@ -7887,7 +7879,32 @@ index 99482ca..8d34173 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -3613,6 +3757,24 @@ interface(`dev_manage_smartcard',`
+@@ -3048,24 +3192,6 @@ interface(`dev_rw_printer',`
+ 
+ ########################################
+ ## <summary>
+-##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`dev_read_printk',`
+-	gen_require(`
+-		type device_t, printk_device_t;
+-	')
+-
+-	read_chr_files_pattern($1, device_t, printk_device_t)
+-')
+-
+-########################################
+-## <summary>
+ ##	Get the attributes of the QEMU
+ ##	microcode and id interfaces.
+ ## </summary>
+@@ -3613,6 +3739,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -7912,7 +7929,7 @@ index 99482ca..8d34173 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3755,6 +3917,24 @@ interface(`dev_rw_sysfs',`
+@@ -3755,6 +3899,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -7937,7 +7954,7 @@ index 99482ca..8d34173 100644
  ##	Read from pseudo random number generator devices (e.g., /dev/urandom).
  ## </summary>
  ## <desc>
-@@ -3924,6 +4104,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3924,6 +4086,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -7962,7 +7979,7 @@ index 99482ca..8d34173 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4234,11 +4432,10 @@ interface(`dev_write_video_dev',`
+@@ -4234,11 +4414,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -16219,7 +16236,7 @@ index fa82327..7f4ca47 100644
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
 diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..01b02f3 100644
+index 1f11572..7f6a7ab 100644
 --- a/policy/modules/services/clamav.if
 +++ b/policy/modules/services/clamav.if
 @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -16230,6 +16247,22 @@ index 1f11572..01b02f3 100644
  	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
  ')
  
+@@ -49,12 +50,12 @@ interface(`clamav_stream_connect',`
+ #
+ interface(`clamav_append_log',`
+ 	gen_require(`
+-		type clamav_log_t;
++		type clamav_var_log_t;
+ 	')
+ 
+ 	logging_search_logs($1)
+-	allow $1 clamav_log_t:dir list_dir_perms;
+-	append_files_pattern($1, clamav_log_t, clamav_log_t)
++	allow $1 clamav_var_log_t:dir list_dir_perms;
++	append_files_pattern($1, clamav_var_log_t, clamav_var_log_t)
+ ')
+ 
+ ########################################
 @@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
  interface(`clamav_admin',`
  	gen_require(`
@@ -18739,7 +18772,7 @@ index f706b99..ab2edfc 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..8d467c4 100644
+index f231f17..3aaa784 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -18861,7 +18894,7 @@ index f231f17..8d467c4 100644
  ')
  
  optional_policy(`
-+	mount_exec(devicekit_power_t)
++	mount_domtrans(devicekit_power_t)
 +')
 +
 +optional_policy(`
@@ -18902,10 +18935,19 @@ index 5e2cea8..7e129ff 100644
  	')
  
 diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..a307b51 100644
+index d4424ad..2e09383 100644
 --- a/policy/modules/services/dhcp.te
 +++ b/policy/modules/services/dhcp.te
-@@ -111,6 +111,10 @@ optional_policy(`
+@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+ corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+ corenet_sendrecv_pxe_server_packets(dhcpd_t)
+ corenet_sendrecv_all_client_packets(dhcpd_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(dhcpd_t)
++corenet_udp_bind_all_unreserved_ports(dhcpd_t)
+ 
+ dev_read_sysfs(dhcpd_t)
+ dev_read_rand(dhcpd_t)
+@@ -111,6 +113,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28038,7 +28080,7 @@ index 29b9295..2a70dd1 100644
  	pyzor_signal(procmail_t)
  ')
 diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
-index bc329d1..d1a3745 100644
+index bc329d1..f040c20 100644
 --- a/policy/modules/services/psad.if
 +++ b/policy/modules/services/psad.if
 @@ -91,7 +91,6 @@ interface(`psad_manage_config',`
@@ -28085,6 +28127,15 @@ index bc329d1..d1a3745 100644
  ##	Read and write psad fifo files.
  ## </summary>
  ## <param name="domain">
+@@ -186,7 +205,7 @@ interface(`psad_append_log',`
+ #
+ interface(`psad_rw_fifo_file',`
+ 	gen_require(`
+-		type psad_t;
++		type psad_t, psad_var_lib_t;
+ 	')
+ 
+ 	files_search_var_lib($1)
 @@ -233,7 +252,7 @@ interface(`psad_rw_tmp_files',`
  interface(`psad_admin',`
  	gen_require(`
@@ -32881,7 +32932,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..c7efe5d 100644
+index 2dad3c8..580297a 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -32959,7 +33010,12 @@ index 2dad3c8..c7efe5d 100644
  ##############################
  #
  # SSH client local policy
-@@ -99,11 +103,6 @@ allow ssh_t self:tcp_socket create_stream_socket_perms;
+@@ -95,15 +99,11 @@ allow ssh_t self:sem create_sem_perms;
+ allow ssh_t self:msgq create_msgq_perms;
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
++can_exec(ssh_t, ssh_exec_t)
+ 
  # Read the ssh key file.
  allow ssh_t sshd_key_t:file read_file_perms;
  
@@ -32971,7 +33027,7 @@ index 2dad3c8..c7efe5d 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +112,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,6 +113,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -32979,7 +33035,7 @@ index 2dad3c8..c7efe5d 100644
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +124,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -124,9 +125,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -32993,7 +33049,7 @@ index 2dad3c8..c7efe5d 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +139,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +140,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -33002,7 +33058,7 @@ index 2dad3c8..c7efe5d 100644
  
  dev_read_urand(ssh_t)
  
-@@ -169,14 +172,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -33021,7 +33077,7 @@ index 2dad3c8..c7efe5d 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +202,53 @@ optional_policy(`
+@@ -200,6 +203,53 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -33075,7 +33131,7 @@ index 2dad3c8..c7efe5d 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +258,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +259,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -33084,7 +33140,7 @@ index 2dad3c8..c7efe5d 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +281,39 @@ optional_policy(`
+@@ -232,33 +282,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -33133,7 +33189,7 @@ index 2dad3c8..c7efe5d 100644
  ')
  
  optional_policy(`
-@@ -266,11 +321,24 @@ optional_policy(`
+@@ -266,11 +322,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33159,7 +33215,7 @@ index 2dad3c8..c7efe5d 100644
  ')
  
  optional_policy(`
-@@ -284,6 +352,11 @@ optional_policy(`
+@@ -284,6 +353,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33171,7 +33227,7 @@ index 2dad3c8..c7efe5d 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +365,26 @@ optional_policy(`
+@@ -292,26 +366,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -33217,7 +33273,7 @@ index 2dad3c8..c7efe5d 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +397,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +398,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -33225,7 +33281,7 @@ index 2dad3c8..c7efe5d 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +425,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +426,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -40400,7 +40456,7 @@ index 9df8c4d..0199a7d 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index d97d16d..8b174c8 100644
+index d97d16d..ed1b8be 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',`
@@ -40430,6 +40486,37 @@ index d97d16d..8b174c8 100644
  ##	Use the dynamic link/loader for automatic loading
  ##	of shared libraries.
  ## </summary>
+@@ -383,7 +403,7 @@ interface(`libs_manage_shared_libs',`
+ 		type lib_t, textrel_shlib_t;
+ 	')
+ 
+-	manage_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++	manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+ 
+ ########################################
+@@ -402,9 +422,9 @@ interface(`libs_use_shared_libs',`
+ 	')
+ 
+ 	files_search_usr($1)
+-	allow $1 lib_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
+-	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++	allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
++	read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
++	mmap_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ 	allow $1 textrel_shlib_t:file execmod;
+ ')
+ 
+@@ -445,7 +465,7 @@ interface(`libs_relabel_shared_libs',`
+ 		type lib_t, textrel_shlib_t;
+ 	')
+ 
+-	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
++	relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
 index bf416a4..99d7f60 100644
 --- a/policy/modules/system/libraries.te

selinux-policy.spec

@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-4
+- Allow sandbox_x_domains to work with nfs/cifs/fusefs home dirs.
+
 * Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-3
 - Allow cobblerd to list cobler appache content