- Add boolean to disallow unconfined_t login

Daniel J Walsh 2009-02-03 15:26:10 +00:00
parent 0554a10b80
commit 574cab47f1
2 changed files with 214 additions and 63 deletions


@ -2875,8 +2875,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-01-19 13:10:02.000000000 -0500
@@ -0,0 +1,277 @@
+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500
@@ -0,0 +1,288 @@
+
+policy_module(nsplugin, 1.0.0)
+
@ -2892,6 +2892,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
+## <desc>
+## <p>
+## Allow nsplugin code to connect to unreserved ports
+## </p>
+## </desc>
+gen_tunable(nsplugin_can_network, True)
+
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
@ -2940,6 +2947,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
+tunable_policy(`nsplugin_can_network',`
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
+')
+
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
@ -4313,8 +4324,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-01-19 13:13:31.000000000 -0500
@@ -1579,6 +1579,24 @@
+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-02-02 09:34:32.000000000 -0500
@@ -1504,6 +1504,24 @@
########################################
## <summary>
+## Connect TCP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute port_type, reserved_port_type;
+ ')
+
+ allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attempts to connect TCP sockets
## all reserved ports.
## </summary>
@@ -1579,6 +1597,24 @@
########################################
## <summary>
@ -9419,6 +9455,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.3/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.6.3/policy/modules/services/apcupsd.fc 2009-02-02 08:21:34.000000000 -0500
@@ -5,6 +5,7 @@
')
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.3/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/apm.te 2009-01-28 09:26:27.000000000 -0500
@ -14526,6 +14573,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.3/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mysql.fc 2009-02-02 08:23:53.000000000 -0500
@@ -10,6 +10,7 @@
#
# /usr
#
+/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.3/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/mysql.te 2009-02-02 08:24:35.000000000 -0500
@@ -65,6 +65,7 @@
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
+can_exec(mysqld_t, mysqld_exec_t)
corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.3/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.3/policy/modules/services/nagios.fc 2009-01-19 13:10:02.000000000 -0500
@ -19924,13 +19993,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_write_login_records(rshd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-01-19 13:10:02.000000000 -0500
@@ -119,5 +119,8 @@
+++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-02-02 08:28:58.000000000 -0500
@@ -119,5 +119,9 @@
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
+ auth_read_all_symlinks_except_shadow(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
')
+auth_can_read_shadow_passwords(rsync_t)
@ -20365,7 +20435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-02-03 10:22:51.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@ -20519,7 +20589,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -350,8 +377,20 @@
@@ -338,20 +365,27 @@
')
tunable_policy(`samba_enable_home_dirs',`
- userdom_manage_user_home_content_dirs(smbd_t)
- userdom_manage_user_home_content_files(smbd_t)
- userdom_manage_user_home_content_symlinks(smbd_t)
- userdom_manage_user_home_content_sockets(smbd_t)
- userdom_manage_user_home_content_pipes(smbd_t)
- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+ userdom_manage_user_home_content(smbd_t)
')
# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@ -20540,7 +20623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
@@ -359,6 +398,16 @@
@@ -359,6 +393,16 @@
optional_policy(`
kerberos_use(smbd_t)
@ -20557,7 +20640,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -381,8 +430,10 @@
@@ -381,8 +425,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
@ -20568,7 +20651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_read_all_files_except_shadow(nmbd_t)
')
@@ -454,6 +505,7 @@
@@ -454,6 +500,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@ -20576,7 +20659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
@@ -553,19 +605,33 @@
@@ -553,19 +600,33 @@
userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@ -20613,7 +20696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -585,6 +651,9 @@
@@ -585,6 +646,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@ -20623,7 +20706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -609,15 +678,18 @@
@@ -609,15 +673,18 @@
dev_read_urand(swat_t)
@ -20642,7 +20725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -635,6 +707,17 @@
@@ -635,6 +702,17 @@
kerberos_use(swat_t)
')
@ -20660,7 +20743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Winbind local policy
@@ -642,7 +725,7 @@
@@ -642,7 +720,7 @@
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
@ -20669,7 +20752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -683,9 +766,10 @@
@@ -683,9 +761,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -20682,7 +20765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
@@ -709,10 +793,12 @@
@@ -709,10 +788,12 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@ -20695,7 +20778,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(winbind_t)
@@ -768,8 +854,13 @@
@@ -768,8 +849,13 @@
userdom_use_user_terminals(winbind_helper_t)
optional_policy(`
@ -20709,7 +20792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -778,6 +869,16 @@
@@ -778,6 +864,16 @@
#
optional_policy(`
@ -20726,7 +20809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
@@ -788,9 +889,43 @@
@@ -788,9 +884,43 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -21996,7 +22079,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-02-02 14:39:09.000000000 -0500
@@ -75,7 +75,7 @@
ubac_constrained(ssh_tmpfs_t)
@ -23252,7 +23335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-28 13:23:35.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@ -23652,17 +23735,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
@@ -550,8 +651,8 @@
@@ -550,9 +651,11 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
unconfined_domtrans(xdm_t)
- unconfined_domtrans(xdm_t)
+ unconfined_shell_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
+')
+optional_policy(`
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -571,6 +672,10 @@
')
@@ -571,6 +674,10 @@
')
optional_policy(`
@ -23673,7 +23760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xfs_stream_connect(xdm_t)
')
@@ -587,7 +692,7 @@
@@ -587,7 +694,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -23682,7 +23769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero;
@@ -602,9 +707,11 @@
@@ -602,9 +709,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -23694,7 +23781,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
@@ -622,7 +729,7 @@
@@ -622,7 +731,7 @@
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@ -23703,7 +23790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
@@ -635,6 +742,15 @@
@@ -635,6 +744,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -23719,7 +23806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
@@ -680,9 +796,14 @@
@@ -680,9 +798,14 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -23734,7 +23821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -697,8 +818,13 @@
@@ -697,8 +820,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -23748,7 +23835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -720,6 +846,7 @@
@@ -720,6 +848,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -23756,7 +23843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
modutils_domtrans_insmod(xserver_t)
@@ -742,7 +869,7 @@
@@ -742,7 +871,7 @@
')
ifdef(`enable_mls',`
@ -23765,7 +23852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
@@ -774,6 +901,10 @@
@@ -774,6 +903,10 @@
')
optional_policy(`
@ -23776,7 +23863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
@@ -806,7 +937,7 @@
@@ -806,7 +939,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@ -23785,7 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -827,9 +958,14 @@
@@ -827,9 +960,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -23800,7 +23887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -844,11 +980,14 @@
@@ -844,11 +982,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -23816,7 +23903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -856,6 +995,11 @@
@@ -856,6 +997,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@ -23828,7 +23915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Rules common to all X window domains
@@ -881,6 +1025,8 @@
@@ -881,6 +1027,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@ -23837,7 +23924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# can mess with own clients
allow x_domain self:x_client { manage destroy };
@@ -905,6 +1051,8 @@
@@ -905,6 +1053,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@ -23846,7 +23933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
@@ -972,6 +1120,37 @@
@@ -972,6 +1122,37 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@ -23884,7 +23971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
@@ -986,3 +1165,12 @@
@@ -986,3 +1167,12 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@ -27634,7 +27721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-01-19 13:10:02.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -27692,7 +27779,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -367,6 +376,24 @@
@@ -227,13 +236,9 @@
#
interface(`unconfined_shell_domtrans',`
gen_require(`
- type unconfined_t;
+ type unconfined_login_domain;
')
-
- corecmd_shell_domtrans($1,unconfined_t)
- allow unconfined_t $1:fd use;
- allow unconfined_t $1:fifo_file rw_file_perms;
- allow unconfined_t $1:process sigchld;
+ typeattribute $1 unconfined_login_domain
')
########################################
@@ -367,6 +372,24 @@
########################################
## <summary>
@ -27717,7 +27820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
@@ -581,3 +608,150 @@
@@ -581,3 +604,150 @@
allow $1 unconfined_t:dbus acquire_svc;
')
@ -27870,11 +27973,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500
@@ -6,35 +6,77 @@
+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500
@@ -5,36 +5,86 @@
#
# Declarations
#
+attribute unconfined_login_domain;
+
+## <desc>
+## <p>
+## Transition to confined nsplugin domains from unconfined user
@ -27884,6 +27989,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+## <desc>
+## <p>
+## Allow a user to login as an unconfined domain
+## </p>
+## </desc>
+gen_tunable(unconfined_login, true)
+
+## <desc>
+## <p>
+## Allow unconfined domain to map low memory in the kernel
+## </p>
+## </desc>
@ -27895,7 +28007,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_qemu_transition, false)
+
# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
@ -27956,7 +28068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_run_ldconfig(unconfined_t, unconfined_r)
@@ -42,26 +84,39 @@
@@ -42,26 +92,39 @@
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
@ -27998,7 +28110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -102,12 +157,24 @@
@@ -102,12 +165,24 @@
')
optional_policy(`
@ -28023,7 +28135,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -119,31 +186,33 @@
@@ -119,31 +194,33 @@
')
optional_policy(`
@ -28064,7 +28176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -155,36 +224,38 @@
@@ -155,36 +232,38 @@
')
optional_policy(`
@ -28115,7 +28227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -192,7 +263,7 @@
@@ -192,7 +271,7 @@
')
optional_policy(`
@ -28124,7 +28236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -204,11 +275,12 @@
@@ -204,11 +283,12 @@
')
optional_policy(`
@ -28139,7 +28251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -218,14 +290,60 @@
@@ -218,14 +298,68 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@ -28183,7 +28295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type mplayer_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+')
')
+
+optional_policy(`
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@ -28191,7 +28303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ type mozilla_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
')
+')
+')
+
+optional_policy(`
@ -28202,6 +28314,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+tunable_policy(`unconfined_login',`
+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
+ allow unconfined_t unconfined_login_domain:fd use;
+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
+ allow unconfined_t unconfined_login_domain:process sigchld;
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.fc 2009-01-19 13:10:02.000000000 -0500
@ -28216,7 +28336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-30 09:14:16.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-02-03 10:23:11.000000000 -0500
@@ -30,8 +30,9 @@
')
@ -29682,7 +29802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -2981,3 +3235,285 @@
@@ -2981,3 +3235,313 @@
allow $1 userdomain:dbus send_msg;
')
@ -29968,6 +30088,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
+
+#######################################
+## <summary>
+## Manage all files/directories in the homedir
+## </summary>
+## <param name="userdomain">
+## <summary>
+## The user domain
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_manage_user_home_content',`
+ gen_require(`
+ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
+ files_list_home($1)
+ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.te 2009-01-19 13:10:02.000000000 -0500
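Review bot: In the rewritten `unconfined_shell_domtrans` interface (unconfined.if), the `gen_require` block asks for `type unconfined_login_domain;`, but unconfined.te declares that name with `attribute unconfined_login_domain;`. The following `typeattribute $1 unconfined_login_domain` also has no terminating semicolon as shown. The two lines should read `attribute unconfined_login_domain;` and `typeattribute $1 unconfined_login_domain;`, since as written the rules behind the new `unconfined_login` boolean may fail to compile or link. The boolean only gates the shell transition for domains tagged through this interface, and `xdm_t` is the only caller visible here. Other routes into `unconfined_t` (for example `unconfined_domtrans`) are outside this view and presumably unaffected, so the tunable's `<desc>` text could state that scope.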


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.3
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -234,7 +234,7 @@ make clean
%installCmds olpc mcs n y allow
%endif
make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@ -444,6 +444,9 @@ exit 0
%endif
%changelog
* Mon Feb 2 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-13
- Add boolean to disallow unconfined_t login
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> 3.6.3-12
- Add back transition from xguest to mozilla