From 5928688f614657819dcfd173a8e3bd041fa334ee Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 13 Dec 2007 22:42:22 +0000
Subject: [PATCH] - Dontaudit dbus user client search of /root
---
 policy-20071130.patch | 11 ++++++-----
 selinux-policy.spec | 8 ++++++--
 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/policy-20071130.patch b/policy-20071130.patch
index e6ca8edd..47b9767c 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -5848,7 +5848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.4/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/dbus.if 2007-12-13 13:34:36.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/dbus.if 2007-12-13 16:46:07.000000000 -0500
 @@ -91,7 +91,7 @@
 # SE-DBus specific permissions allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@@ -5868,17 +5868,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 allow $1_dbusd_t $2:process sigkill;
 allow $2 $1_dbusd_t:fd use;
 allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
-@@ -161,7 +160,8 @@
+@@ -161,7 +160,9 @@
 seutil_read_config($1_dbusd_t)
 seutil_read_default_contexts($1_dbusd_t)
 - userdom_read_user_home_content_files($1, $1_dbusd_t)
++ userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)
 + userdom_read_unpriv_users_home_content_files($1_dbusd_t)
 + userdom_dontaudit_append_unpriv_home_content_files($1_dbusd_t)
 ifdef(`hide_broken_symptoms', `
 dontaudit $2 $1_dbusd_t:netlink_selinux_socket { read write };
-@@ -214,7 +214,7 @@
+@@ -214,7 +215,7 @@
 # SE-DBus specific permissions # allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
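Review bot: The added `++ userdom_dontaudit_search_sysadm_home_dirs($1_dbusd_t)` silences the AVC without recording what drove a per-user session bus daemon to traverse /root, so the next reader has no way to judge whether the rule is still needed; add a why-comment above it, e.g. `# dontaudit: the session bus is seen searching admin_home_t (presumably when the session is launched from root's environment) -- the search is harmless, but keep the access itself denied`, adjusting the cause to what the original AVC actually showed. Because `$1_dbusd_t` is generated by this template for every user role it is instantiated with, the dontaudit applies to all of those session-bus domains, not just the one that produced the denial, and it also removes the audit record a forensic reviewer would otherwise use to notice a user-side component poking at the admin home. Suppressing only `search` on the directory, with no read or getattr, is the right shape: the access stays denied and only the noise goes away, which is worth stating in the comment so nobody "fixes" a later getattr denial by widening it to a read interface. The enclosing template body starts and ends outside this hunk, so the placement relative to the other userdom_* calls could not be checked here.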
@@ -5887,7 +5888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 files_search_var_lib($2)
-@@ -366,3 +366,35 @@
+@@ -366,3 +367,35 @@
 allow $1 system_dbusd_t:dbus *;
 ')
@@ -14010,7 +14011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/system/userdomain.if 2007-12-13 13:34:37.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/system/userdomain.if 2007-12-13 16:45:56.000000000 -0500
 @@ -29,8 +29,9 @@
 ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0e555107..8b8268a1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -316,8 +316,9 @@ restorecon -R /root /etc/selinux/targeted 2> /dev/null
 exit 0
 %files targeted
-%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
 %fileList targeted
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/unconfined_u
+%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/xguest_u
 %endif
 %if %{BUILD_OLPC}
@@ -379,6 +380,9 @@ exit 0
 %endif
 %changelog
+* Thu Dec 13 2007 Dan Walsh 3.2.4-1
+- Dontaudit dbus user client search of /root
+
 * Wed Dec 12 2007 Dan Walsh 3.2.4-1
 - Update to upstream
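Review bot: The new `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/unconfined_u` in the `%files targeted` section uses `%1`, which is only meaningful as a positional argument inside a parameterized macro such as `%fileList`; in a plain `%files` list it has no value, so the path will not expand to `/etc/selinux/targeted/...` and the build will either fail on an unmatched file or own a bogus path. The sibling line added right after it spells the policy name out, and this one should match: `%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u`. That file is the SELinux user mapping for unconfined logins, so it is exactly the kind of file you want packaged and marked noreplace; a quick `rpm -qlp` on the built package confirming both `unconfined_u` and `xguest_u` are owned would close this out. Separately, the changelog entry added in the last hunk is dated Dec 13 but still says `3.2.4-1` while Release moves to `2%{?dist}`; it should read `* Thu Dec 13 2007 Dan Walsh 3.2.4-2` so the changelog agrees with the package EVR.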