- Allow mozilla to run with unconfined_execmem_t

2008-10-25 11:14:56 +00:00 · 2008-10-25 11:14:56 +00:00 · 4fa9db787c
commit 4fa9db787c
parent 798a73de69
2 changed files with 57 additions and 27 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -11824,7 +11824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	allow ndc_t named_conf_t:dir search;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.5.13/policy/modules/services/bluetooth.fc
 --- nsaserefpolicy/policy/modules/services/bluetooth.fc	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc	2008-10-17 10:31:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.fc	2008-10-25 07:10:51.000000000 -0400
@@ -3,6 +3,9 @@
 #
 /etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
@ -11835,7 +11835,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 # /usr
-@@ -22,3 +25,4 @@
+@@ -16,9 +19,11 @@
 /usr/sbin/hcid		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/hid2hci	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 /usr/sbin/sdpd		--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 +/usr/sbin/bluetoothd	--	gen_context(system_u:object_r:bluetooth_exec_t,s0)
 #
 # /var
 #
 /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
 /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
@ -14517,8 +14524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if	2008-10-23 17:21:21.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if	2008-10-24 11:31:46.000000000 -0400
-@@ -1 +1,156 @@
+@@ -1 +1,175 @@
 ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
 +
 +########################################
@ -14621,7 +14628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Send dnsmasq a sigkill
+##	Delete dnsmasq pid files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -14640,6 +14647,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
 +##	Read dnsmasq pid files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +#
 +interface(`dnsmasq_read_pid_files',`
 +	gen_require(`
 +		type dnsmasq_var_run_t;
 +	')
 +
 +	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	All of the rules required to administrate 
 +##	an dnsmasq environment
 +## </summary>
@ -16978,13 +17004,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-10-23 16:47:42.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-10-24 11:33:18.000000000 -0400
@@ -33,9 +33,9 @@
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
 -allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
-+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice sys_ptrace dac_override net_admin net_raw net_bind_service ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
@ -17085,7 +17111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -151,8 +173,20 @@
+@@ -151,8 +173,21 @@
 ')
 optional_policy(`
@ -17095,6 +17121,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
 +	dnsmasq_read_pid_files(NetworkManager_t)
 +	dnsmasq_delete_pid_files(NetworkManager_t)
 +	dnsmasq_domtrans(NetworkManager_t)
 +	dnsmasq_initrc_domtrans(NetworkManager_t)
@ -17108,7 +17135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -160,23 +194,48 @@
+@@ -160,23 +195,48 @@
 ')
 optional_policy(`
@ -17159,7 +17186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -194,7 +253,9 @@
+@@ -194,7 +254,9 @@
 optional_policy(`
 	vpn_domtrans(NetworkManager_t)
@ -29617,7 +29644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-10-14 11:58:09.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2008-10-23 10:34:43.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te	2008-10-24 10:26:04.000000000 -0400
@@ -6,35 +6,76 @@
 # Declarations
 #
@ -29702,7 +29729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,28 +83,37 @@
+@@ -42,28 +83,39 @@
 logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -29721,6 +29748,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	nsplugin_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
 +	tunable_policy(`allow_unconfined_nsplugin_transition',`
 +	      nsplugin_domtrans_user(unconfined, unconfined_execmem_t)
 +	      nsplugin_domtrans_user_config(unconfined, unconfined_execmem_t)
 +	      nsplugin_domtrans_user(unconfined, unconfined_t)
 +	      nsplugin_domtrans_user_config(unconfined, unconfined_t)
 +	')
@ -29744,7 +29773,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -75,12 +125,6 @@
+@@ -75,12 +127,6 @@
 ')
 optional_policy(`
@ -29757,7 +29786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	init_dbus_chat_script(unconfined_t)
 	dbus_stub(unconfined_t)
-@@ -106,12 +150,24 @@
+@@ -106,12 +152,24 @@
 	')
 	optional_policy(`
@ -29782,7 +29811,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -123,31 +179,33 @@
+@@ -123,31 +181,33 @@
 ')
 optional_policy(`
@ -29823,7 +29852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -159,43 +217,48 @@
+@@ -159,43 +219,48 @@
 ')
 optional_policy(`
@ -29832,9 +29861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 -')
 -
 +	qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
 -
 -optional_policy(`
 -	pyzor_per_role_template(unconfined)
 +	tunable_policy(`allow_unconfined_qemu_transition',`
@ -29888,7 +29917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -203,7 +266,7 @@
+@@ -203,7 +268,7 @@
 ')
 optional_policy(`
@ -29897,7 +29926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -215,11 +278,12 @@
+@@ -215,11 +280,12 @@
 ')
 optional_policy(`
@ -29912,7 +29941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -229,14 +293,52 @@
+@@ -229,14 +295,50 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
@ -29958,13 +29987,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
 +')
 +
-+optional_policy(`
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
-+	tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+	gen_require(`
-+		gen_require(`
+		type mozilla_exec_t;
 +			type mozilla_exec_t;
 +		')
 +		domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
 +	')
 +	domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
 +')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -462,6 +462,9 @@ exit 0
 %endif
 %changelog
 * Fri Oct 24 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-8
 - Allow mozilla to run with unconfined_execmem_t
 * Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-7
 - Dontaudit domains trying to write to .xsession-errors