Remove allow_ptrace and replace it with deny_ptrace, which will remove all ptrace from the system.

Remove 2000 dontaudit rules between confined domains on transition and replace them with a single rule:
dontaudit domain domain:process { noatsecure siginh rlimitinh };
Dan Walsh 2011-10-11 16:46:26 -04:00
parent 2a89dffbb5
commit 6554bb3cca
7 changed files with 1724 additions and 1373 deletions

@ -1,81 +1,8 @@
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.if.apache serefpolicy-3.10.0/policy/modules/kernel/domain.if
index cf3d50b..3ded83e 100644 diff -up serefpolicy-3.10.0/policy/modules/kernel/domain.te.apache serefpolicy-3.10.0/policy/modules/kernel/domain.te
--- a/policy/modules/kernel/domain.if diff -up serefpolicy-3.10.0/policy/modules/services/apache.if.apache serefpolicy-3.10.0/policy/modules/services/apache.if
+++ b/policy/modules/kernel/domain.if --- serefpolicy-3.10.0/policy/modules/services/apache.if.apache 2011-10-11 10:17:05.262944711 -0400
@@ -75,34 +75,6 @@ interface(`domain_base_type',` +++ serefpolicy-3.10.0/policy/modules/services/apache.if 2011-10-11 10:17:13.416929487 -0400
interface(`domain_type',`
# start with basic domain
domain_base_type($1)
-
- ifdef(`distro_redhat',`
- optional_policy(`
- unconfined_use_fds($1)
- ')
- ')
-
- # send init a sigchld and signull
- optional_policy(`
- init_sigchld($1)
- init_signull($1)
- ')
-
- # these seem questionable:
-
- optional_policy(`
- rpm_use_fds($1)
- rpm_read_pipes($1)
- ')
-
- optional_policy(`
- selinux_dontaudit_getattr_fs($1)
- selinux_dontaudit_read_fs($1)
- ')
-
- optional_policy(`
- seutil_dontaudit_read_config($1)
- ')
')
########################################
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 00e20f7..db2a183 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -285,3 +285,30 @@ optional_policy(`
# broken kernel
dontaudit can_change_object_identity can_change_object_identity:key link;
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_use_fds(domain)
+ ')
+')
+
+# send init a sigchld and signull
+optional_policy(`
+ init_sigchld(domain)
+ init_signull(domain)
+')
+
+# these seem questionable:
+
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
+')
+
+optional_policy(`
+ selinux_dontaudit_getattr_fs(domain)
+ selinux_dontaudit_read_fs(domain)
+')
+
+optional_policy(`
+ seutil_dontaudit_read_config(domain)
+')
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index e12bbc0..606323d 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -16,55 +16,43 @@ template(`apache_content_template',` @@ -16,55 +16,43 @@ template(`apache_content_template',`
attribute httpd_exec_scripts, httpd_script_exec_type; attribute httpd_exec_scripts, httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t; type httpd_t, httpd_suexec_t, httpd_log_t;
@ -240,11 +167,10 @@ index e12bbc0..606323d 100644
') ')
') ')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te diff -up serefpolicy-3.10.0/policy/modules/services/apache.te.apache serefpolicy-3.10.0/policy/modules/services/apache.te
index f165efd..adf2423 100644 --- serefpolicy-3.10.0/policy/modules/services/apache.te.apache 2011-10-11 10:17:05.263944709 -0400
--- a/policy/modules/services/apache.te +++ serefpolicy-3.10.0/policy/modules/services/apache.te 2011-10-11 10:17:13.418929446 -0400
+++ b/policy/modules/services/apache.te @@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_
@@ -217,10 +217,12 @@ gen_tunable(allow_httpd_sys_script_anon_write, false)
attribute httpdcontent; attribute httpdcontent;
attribute httpd_user_content_type; attribute httpd_user_content_type;

@ -1,4 +1,4 @@
d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
# #
allow_execmem = false allow_execmem = false
@ -38,9 +38,9 @@ allow_saslauthd_read_shadow = false
# #
allow_smbd_anon_write = false allow_smbd_anon_write = false
# Allow sysadm to ptrace all processes # Deny all processes the ability to ptrace other processes
# #
allow_ptrace = false deny_ptrace = false
# Allow system to run with NIS # Allow system to run with NIS
# #
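Review bot: The rename from `allow_ptrace = false` to `deny_ptrace = false` inverts the boolean's sense but keeps its value, so in this file the shipped default moves from "ptrace not granted" to "ptrace not denied". If this configuration is meant to stay restrictive, the new line would need to be `deny_ptrace = true`; otherwise a short comment explaining why the default is relaxed would help. The old comment scoped the boolean to sysadm while the new one covers all processes, and the policy rules behind it are in a suppressed diff, so the exact effect cannot be confirmed from this page. The other booleans file in this commit goes from `allow_ptrace = true` to `deny_ptrace = false`, which keeps the same effective default.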

@ -210,9 +210,9 @@ allow_daemons_use_tty = false
# #
allow_polyinstantiation = false allow_polyinstantiation = false
# Allow confined domains to ptrace them selves # Deny all processes the ability to ptrace other processes
# #
allow_ptrace = true deny_ptrace = false
# Allow all domains to dump core # Allow all domains to dump core
# #
@ -267,6 +267,10 @@ unconfined_mozilla_plugin_transition=true
# #
unconfined_telepathy_transition=true unconfined_telepathy_transition=true
# Allow unconfined domain to transition to chrome_sandbox confined domain
#
unconfined_chrome_sandbox_transition=true
# Allow telepathy domains to connect to all network ports # Allow telepathy domains to connect to all network ports
# #
telepathy_tcp_connect_generic_network_ports=true telepathy_tcp_connect_generic_network_ports=true

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.10.0 Version: 3.10.0
Release: 38.1%{?dist} Release: 39.1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -29,6 +29,7 @@ patch4: execmem.patch
patch5: userdomain.patch patch5: userdomain.patch
patch6: apache.patch patch6: apache.patch
patch7: ptrace.patch patch7: ptrace.patch
patch8: dontaudit.patch
Source1: modules-targeted.conf Source1: modules-targeted.conf
Source2: booleans-targeted.conf Source2: booleans-targeted.conf
Source3: Makefile.devel Source3: Makefile.devel
@ -218,7 +219,7 @@ fi;
if [ -e /etc/selinux/%2/.rebuild ]; then \ if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \ rm /etc/selinux/%2/.rebuild; \
if [ %1 -ne 1 ]; then \ if [ %1 -ne 1 ]; then \
/usr/sbin/semodule -n -s %2 -r java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \ /usr/sbin/semodule -n -s %2 -r hotplug howl java mono moilscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
fi \ fi \
/usr/sbin/semodule -B -s %2; \ /usr/sbin/semodule -B -s %2; \
else \ else \
@ -248,7 +249,8 @@ Based off of reference policy: Checked out revision 2.20091117
%patch4 -p1 -b .execmem %patch4 -p1 -b .execmem
%patch5 -p1 -b .userdomain %patch5 -p1 -b .userdomain
%patch6 -p1 -b .apache %patch6 -p1 -b .apache
#%patch7 -p1 -b .ptrace %patch7 -p1 -b .ptrace
%patch8 -p1 -b .dontaudit
%install %install
mkdir selinux_config mkdir selinux_config
@ -480,6 +482,31 @@ SELinux Reference policy mls base module.
%endif %endif
%changelog %changelog
* Tue Oct 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-39.1
- Remove allow_ptrace and replace it with deny_ptrace, which will remove all
ptrace from the system
- Remove 2000 dontaudit rules between confined domains on transition
and replace with single
dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
* Mon Oct 10 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-39
- Fixes for bootloader policy
- $1_gkeyringd_t needs to read $HOME/%USER/.local/share/keystore
- Allow nsplugin to read /usr/share/config
- Allow sa-update to update rules
- Add use_fusefs_home_dirs for chroot ssh option
- Fixes for grub2
- Update systemd_exec_systemctl() interface
- Allow gpg to read the mail spool
- More fixes for sa-update running out of cron job
- Allow ipsec_mgmt_t to read hardware state information
- Allow pptp_t to connect to unreserved_port_t
- Dontaudit getattr on initctl in /dev from chfn
- Dontaudit getattr on kernel_core from chfn
- Add systemd_list_unit_dirs to systemd_exec_systemctl call
- Fixes for collectd policy
- CHange sysadm_t to create content as user_tmp_t under /tmp
* Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1 * Thu Oct 6 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-38.1
- Shrink size of policy through use of attributes for userdomain and apache - Shrink size of policy through use of attributes for userdomain and apache
@ -496,9 +523,6 @@ SELinux Reference policy mls base module.
- Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly - Stop transitioning from unconfined_t to ldconfig_t, but make sure /etc/ld.so.cache is labeled correctly
- Allow systemd_logind_t to manage /run/USER/dconf/user - Allow systemd_logind_t to manage /run/USER/dconf/user
* Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.2
- Make allow_ptrace remove all ptrace
* Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.1 * Tue Oct 3 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-36.1
- Fix missing patch from F16 - Fix missing patch from F16
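Review bot: Nothing in the visible spec hunks carries an administrator's existing `allow_ptrace` setting over to `deny_ptrace`, so a host that had ptrace switched off would presumably come back from this update with ptrace permitted, since the new boolean defaults to false in both booleans files. The scriptlets are only partly shown, so this may be handled elsewhere; if it is not, the 3.10.0-39.1 changelog entry should say so, e.g. `- allow_ptrace settings are not migrated; run "setsebool -P deny_ptrace 1" to keep ptrace blocked`. The same section re-enables `%patch7 -p1 -b .ptrace`, whose content is in a suppressed diff and cannot be reviewed from this page.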

@ -1,7 +1,6 @@
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.if
index 66cf96c..a6d907b 100644 --- serefpolicy-3.10.0/policy/modules/admin/usermanage.if.userdomain 2011-10-11 10:15:28.062129903 -0400
--- a/policy/modules/admin/usermanage.if +++ serefpolicy-3.10.0/policy/modules/admin/usermanage.if 2011-10-11 10:15:28.489129089 -0400
+++ b/policy/modules/admin/usermanage.if
@@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',` @@ -308,7 +308,7 @@ interface(`usermanage_run_useradd',`
role $2 types useradd_t; role $2 types useradd_t;
@ -11,11 +10,10 @@ index 66cf96c..a6d907b 100644
seutil_run_semanage(useradd_t, $2) seutil_run_semanage(useradd_t, $2)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te diff -up serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain serefpolicy-3.10.0/policy/modules/admin/usermanage.te
index 4779a8d..7d7efd7 100644 --- serefpolicy-3.10.0/policy/modules/admin/usermanage.te.userdomain 2011-10-11 10:15:28.447129169 -0400
--- a/policy/modules/admin/usermanage.te +++ serefpolicy-3.10.0/policy/modules/admin/usermanage.te 2011-10-11 10:15:28.490129087 -0400
+++ b/policy/modules/admin/usermanage.te @@ -512,7 +512,7 @@ seutil_domtrans_setfiles(useradd_t)
@@ -509,7 +509,7 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t) userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories # Add/remove user home directories
userdom_home_filetrans_user_home_dir(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t)
@ -24,10 +22,9 @@ index 4779a8d..7d7efd7 100644
mta_manage_spool(useradd_t) mta_manage_spool(useradd_t)
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if diff -up serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain serefpolicy-3.10.0/policy/modules/apps/execmem.if
index e23f640..182d6d1 100644 --- serefpolicy-3.10.0/policy/modules/apps/execmem.if.userdomain 2011-10-11 10:15:28.472129121 -0400
--- a/policy/modules/apps/execmem.if +++ serefpolicy-3.10.0/policy/modules/apps/execmem.if 2011-10-11 10:15:28.491129085 -0400
+++ b/policy/modules/apps/execmem.if
@@ -57,8 +57,6 @@ template(`execmem_role_template',` @@ -57,8 +57,6 @@ template(`execmem_role_template',`
role $2 types $1_execmem_t; role $2 types $1_execmem_t;
@ -37,10 +34,9 @@ index e23f640..182d6d1 100644
allow $1_execmem_t self:process { execmem execstack }; allow $1_execmem_t self:process { execmem execstack };
allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms }; allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if diff -up serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain serefpolicy-3.10.0/policy/modules/apps/java.if
index 7c398c0..c64cced 100644 --- serefpolicy-3.10.0/policy/modules/apps/java.if.userdomain 2011-10-11 10:15:28.077129873 -0400
--- a/policy/modules/apps/java.if +++ serefpolicy-3.10.0/policy/modules/apps/java.if 2011-10-11 10:15:28.492129083 -0400
+++ b/policy/modules/apps/java.if
@@ -73,7 +73,8 @@ template(`java_role_template',` @@ -73,7 +73,8 @@ template(`java_role_template',`
domain_interactive_fd($1_java_t) domain_interactive_fd($1_java_t)
@ -51,10 +47,9 @@ index 7c398c0..c64cced 100644
allow $1_java_t self:process { ptrace signal getsched execmem execstack }; allow $1_java_t self:process { ptrace signal getsched execmem execstack };
diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if diff -up serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mono.if
index 1fa8573..8179185 100644 --- serefpolicy-3.10.0/policy/modules/apps/mono.if.userdomain 2011-10-11 10:15:28.082129864 -0400
--- a/policy/modules/apps/mono.if +++ serefpolicy-3.10.0/policy/modules/apps/mono.if 2011-10-11 10:15:28.493129081 -0400
+++ b/policy/modules/apps/mono.if
@@ -49,7 +49,8 @@ template(`mono_role_template',` @@ -49,7 +49,8 @@ template(`mono_role_template',`
corecmd_bin_domtrans($1_mono_t, $1_t) corecmd_bin_domtrans($1_mono_t, $1_t)
@ -65,10 +60,9 @@ index 1fa8573..8179185 100644
optional_policy(` optional_policy(`
xserver_role($1_r, $1_mono_t) xserver_role($1_r, $1_mono_t)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if diff -up serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain serefpolicy-3.10.0/policy/modules/apps/mozilla.if
index 83fc139..596232f 100644 --- serefpolicy-3.10.0/policy/modules/apps/mozilla.if.userdomain 2011-10-11 10:15:28.083129862 -0400
--- a/policy/modules/apps/mozilla.if +++ serefpolicy-3.10.0/policy/modules/apps/mozilla.if 2011-10-11 10:15:28.494129079 -0400
+++ b/policy/modules/apps/mozilla.if
@@ -51,7 +51,7 @@ interface(`mozilla_role',` @@ -51,7 +51,7 @@ interface(`mozilla_role',`
mozilla_run_plugin(mozilla_t, $1) mozilla_run_plugin(mozilla_t, $1)
mozilla_dbus_chat($2) mozilla_dbus_chat($2)
@ -78,10 +72,9 @@ index 83fc139..596232f 100644
optional_policy(` optional_policy(`
nsplugin_role($1, mozilla_t) nsplugin_role($1, mozilla_t)
diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.if
index 1925bd9..0a794bc 100644 --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.if.userdomain 2011-10-11 10:15:28.087129854 -0400
--- a/policy/modules/apps/nsplugin.if +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.if 2011-10-11 10:15:28.495129077 -0400
+++ b/policy/modules/apps/nsplugin.if
@@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', ` @@ -103,7 +103,7 @@ ifdef(`hide_broken_symptoms', `
userdom_use_inherited_user_terminals(nsplugin_t) userdom_use_inherited_user_terminals(nsplugin_t)
userdom_use_inherited_user_terminals(nsplugin_config_t) userdom_use_inherited_user_terminals(nsplugin_config_t)
@ -91,11 +84,10 @@ index 1925bd9..0a794bc 100644
optional_policy(` optional_policy(`
pulseaudio_role($1, nsplugin_t) pulseaudio_role($1, nsplugin_t)
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te diff -up serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain serefpolicy-3.10.0/policy/modules/apps/nsplugin.te
index 9bf1dd8..564d1ea 100644 --- serefpolicy-3.10.0/policy/modules/apps/nsplugin.te.userdomain 2011-10-11 10:15:28.088129853 -0400
--- a/policy/modules/apps/nsplugin.te +++ serefpolicy-3.10.0/policy/modules/apps/nsplugin.te 2011-10-11 10:15:28.496129075 -0400
+++ b/policy/modules/apps/nsplugin.te @@ -286,6 +286,7 @@ userdom_search_user_home_content(nsplugi
@@ -284,6 +284,7 @@ userdom_search_user_home_content(nsplugin_config_t)
userdom_read_user_home_content_symlinks(nsplugin_config_t) userdom_read_user_home_content_symlinks(nsplugin_config_t)
userdom_read_user_home_content_files(nsplugin_config_t) userdom_read_user_home_content_files(nsplugin_config_t)
userdom_dontaudit_search_admin_dir(nsplugin_config_t) userdom_dontaudit_search_admin_dir(nsplugin_config_t)
@ -103,10 +95,9 @@ index 9bf1dd8..564d1ea 100644
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(nsplugin_t) fs_getattr_nfs(nsplugin_t)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if
index 9a5e99c..1e6cf7d 100644 --- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if.userdomain 2011-10-11 10:15:28.089129851 -0400
--- a/policy/modules/apps/pulseaudio.if +++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.if 2011-10-11 10:15:28.497129073 -0400
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,9 +35,9 @@ interface(`pulseaudio_role',` @@ -35,9 +35,9 @@ interface(`pulseaudio_role',`
allow pulseaudio_t $2:unix_stream_socket connectto; allow pulseaudio_t $2:unix_stream_socket connectto;
allow $2 pulseaudio_t:unix_stream_socket connectto; allow $2 pulseaudio_t:unix_stream_socket connectto;
@ -120,10 +111,9 @@ index 9a5e99c..1e6cf7d 100644
allow $2 pulseaudio_t:dbus send_msg; allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg }; allow pulseaudio_t $2:dbus { acquire_svc send_msg };
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te diff -up serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te
index 8522ab4..6941c29 100644 --- serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te.userdomain 2011-10-11 10:15:28.091129847 -0400
--- a/policy/modules/apps/pulseaudio.te +++ serefpolicy-3.10.0/policy/modules/apps/pulseaudio.te 2011-10-11 10:15:28.498129071 -0400
+++ b/policy/modules/apps/pulseaudio.te
@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t) @@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t) miscfiles_read_localization(pulseaudio_t)
@ -135,11 +125,10 @@ index 8522ab4..6941c29 100644
optional_policy(` optional_policy(`
alsa_read_rw_config(pulseaudio_t) alsa_read_rw_config(pulseaudio_t)
') ')
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.if
index 8895098..19438a5 100644 --- serefpolicy-3.10.0/policy/modules/apps/userhelper.if.userdomain 2011-10-11 10:15:28.102129826 -0400
--- a/policy/modules/apps/userhelper.if +++ serefpolicy-3.10.0/policy/modules/apps/userhelper.if 2011-10-11 10:15:28.498129071 -0400
+++ b/policy/modules/apps/userhelper.if @@ -294,7 +294,7 @@ template(`userhelper_console_role_templa
@@ -294,7 +294,7 @@ template(`userhelper_console_role_template',`
auth_use_pam($1_consolehelper_t) auth_use_pam($1_consolehelper_t)
@ -148,10 +137,9 @@ index 8895098..19438a5 100644
optional_policy(` optional_policy(`
dbus_connect_session_bus($1_consolehelper_t) dbus_connect_session_bus($1_consolehelper_t)
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te diff -up serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain serefpolicy-3.10.0/policy/modules/apps/userhelper.te
index 8ce8577..f967898 100644 --- serefpolicy-3.10.0/policy/modules/apps/userhelper.te.userdomain 2011-10-11 10:15:28.102129826 -0400
--- a/policy/modules/apps/userhelper.te +++ serefpolicy-3.10.0/policy/modules/apps/userhelper.te 2011-10-11 10:15:28.499129069 -0400
+++ b/policy/modules/apps/userhelper.te
@@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain) @@ -65,6 +65,7 @@ userhelper_exec(consolehelper_domain)
userdom_use_user_ptys(consolehelper_domain) userdom_use_user_ptys(consolehelper_domain)
userdom_use_user_ttys(consolehelper_domain) userdom_use_user_ttys(consolehelper_domain)
@ -160,10 +148,9 @@ index 8ce8577..f967898 100644
optional_policy(` optional_policy(`
gnome_read_gconf_home_files(consolehelper_domain) gnome_read_gconf_home_files(consolehelper_domain)
diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if diff -up serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wine.if
index e10101a..cf453e6 100644 --- serefpolicy-3.10.0/policy/modules/apps/wine.if.userdomain 2011-10-11 10:15:28.105129820 -0400
--- a/policy/modules/apps/wine.if +++ serefpolicy-3.10.0/policy/modules/apps/wine.if 2011-10-11 10:15:28.499129069 -0400
+++ b/policy/modules/apps/wine.if
@@ -105,7 +105,8 @@ template(`wine_role_template',` @@ -105,7 +105,8 @@ template(`wine_role_template',`
corecmd_bin_domtrans($1_wine_t, $1_t) corecmd_bin_domtrans($1_wine_t, $1_t)
@ -174,10 +161,9 @@ index e10101a..cf453e6 100644
domain_mmap_low($1_wine_t) domain_mmap_low($1_wine_t)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if diff -up serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain serefpolicy-3.10.0/policy/modules/apps/wm.if
index 50c1a74..d618395 100644 --- serefpolicy-3.10.0/policy/modules/apps/wm.if.userdomain 2011-10-11 10:15:28.107129816 -0400
--- a/policy/modules/apps/wm.if +++ serefpolicy-3.10.0/policy/modules/apps/wm.if 2011-10-11 10:15:28.500129068 -0400
+++ b/policy/modules/apps/wm.if
@@ -77,9 +77,13 @@ template(`wm_role_template',` @@ -77,9 +77,13 @@ template(`wm_role_template',`
miscfiles_read_fonts($1_wm_t) miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t) miscfiles_read_localization($1_wm_t)
@ -195,10 +181,22 @@ index 50c1a74..d618395 100644
userdom_exec_user_tmp_files($1_wm_t) userdom_exec_user_tmp_files($1_wm_t)
optional_policy(` optional_policy(`
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te diff -up serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain serefpolicy-3.10.0/policy/modules/roles/sysadm.te
index e1113e0..5bcd298 100644 --- serefpolicy-3.10.0/policy/modules/roles/sysadm.te.userdomain 2011-10-11 10:15:28.000000000 -0400
--- a/policy/modules/roles/unconfineduser.te +++ serefpolicy-3.10.0/policy/modules/roles/sysadm.te 2011-10-11 10:16:15.471039586 -0400
+++ b/policy/modules/roles/unconfineduser.te @@ -60,7 +60,8 @@ sysnet_filetrans_named_content(sysadm_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
-userdom_manage_tmp_role(sysadm_r, sysadm_t)
+userdom_manage_tmp_role(sysadm_r)
+userdom_manage_tmp(sysadm_t)
optional_policy(`
ssh_filetrans_admin_home_content(sysadm_t)
diff -up serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te
--- serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te.userdomain 2011-10-11 10:15:28.476129113 -0400
+++ serefpolicy-3.10.0/policy/modules/roles/unconfineduser.te 2011-10-11 10:15:28.501129066 -0400
@@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true) @@ -45,9 +45,12 @@ gen_tunable(unconfined_login, true)
# calls is not correct, however we dont currently # calls is not correct, however we dont currently
# have another method to add access to these types # have another method to add access to these types
@ -215,10 +213,9 @@ index e1113e0..5bcd298 100644
userdom_unpriv_usertype(unconfined, unconfined_t) userdom_unpriv_usertype(unconfined, unconfined_t)
type unconfined_exec_t; type unconfined_exec_t;
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te diff -up serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain serefpolicy-3.10.0/policy/modules/services/rshd.te
index 49a4283..7a3ea96 100644 --- serefpolicy-3.10.0/policy/modules/services/rshd.te.userdomain 2011-10-11 10:15:28.333129386 -0400
--- a/policy/modules/services/rshd.te +++ serefpolicy-3.10.0/policy/modules/services/rshd.te 2011-10-11 10:15:28.502129064 -0400
+++ b/policy/modules/services/rshd.te
@@ -66,7 +66,7 @@ seutil_read_config(rshd_t) @@ -66,7 +66,7 @@ seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t) seutil_read_default_contexts(rshd_t)
@ -228,10 +225,9 @@ index 49a4283..7a3ea96 100644
tunable_policy(`use_nfs_home_dirs',` tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t) fs_read_nfs_files(rshd_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if diff -up serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.if
index 8e3e9de..862e108 100644 --- serefpolicy-3.10.0/policy/modules/services/ssh.if.userdomain 2011-10-11 10:15:28.354129346 -0400
--- a/policy/modules/services/ssh.if +++ serefpolicy-3.10.0/policy/modules/services/ssh.if 2011-10-11 10:15:28.503129062 -0400
+++ b/policy/modules/services/ssh.if
@@ -380,7 +380,7 @@ template(`ssh_role_template',` @@ -380,7 +380,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
@ -241,10 +237,9 @@ index 8e3e9de..862e108 100644
############################## ##############################
# #
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te diff -up serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain serefpolicy-3.10.0/policy/modules/services/ssh.te
index d81a09f..3fdc1df 100644 --- serefpolicy-3.10.0/policy/modules/services/ssh.te.userdomain 2011-10-11 10:15:28.355129344 -0400
--- a/policy/modules/services/ssh.te +++ serefpolicy-3.10.0/policy/modules/services/ssh.te 2011-10-11 10:15:28.503129062 -0400
+++ b/policy/modules/services/ssh.te
@@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t) @@ -200,6 +200,7 @@ userdom_read_user_tmp_files(ssh_t)
userdom_write_user_tmp_files(ssh_t) userdom_write_user_tmp_files(ssh_t)
userdom_read_user_home_content_symlinks(ssh_t) userdom_read_user_home_content_symlinks(ssh_t)
@ -253,7 +248,7 @@ index d81a09f..3fdc1df 100644
tunable_policy(`allow_ssh_keysign',` tunable_policy(`allow_ssh_keysign',`
domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
@@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(sshd_t) @@ -280,7 +281,7 @@ corenet_sendrecv_xserver_server_packets(
userdom_read_user_home_content_files(sshd_t) userdom_read_user_home_content_files(sshd_t)
userdom_read_user_home_content_symlinks(sshd_t) userdom_read_user_home_content_symlinks(sshd_t)
@ -262,10 +257,9 @@ index d81a09f..3fdc1df 100644
userdom_spec_domtrans_unpriv_users(sshd_t) userdom_spec_domtrans_unpriv_users(sshd_t)
userdom_signal_unpriv_users(sshd_t) userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t) userdom_dyntransition_unpriv_users(sshd_t)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te diff -up serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain serefpolicy-3.10.0/policy/modules/services/sssd.te
index 7d5a298..36b8a4c 100644 --- serefpolicy-3.10.0/policy/modules/services/sssd.te.userdomain 2011-10-11 10:15:28.356129342 -0400
--- a/policy/modules/services/sssd.te +++ serefpolicy-3.10.0/policy/modules/services/sssd.te 2011-10-11 10:15:28.504129060 -0400
+++ b/policy/modules/services/sssd.te
@@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t) @@ -92,7 +92,7 @@ miscfiles_read_generic_certs(sssd_t)
sysnet_dns_name_resolve(sssd_t) sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t) sysnet_use_ldap(sssd_t)
@ -275,10 +269,9 @@ index 7d5a298..36b8a4c 100644
optional_policy(` optional_policy(`
dbus_system_bus_client(sssd_t) dbus_system_bus_client(sssd_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te diff -up serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain serefpolicy-3.10.0/policy/modules/services/xserver.te
index 60e0e2d..fcf2f38 100644 --- serefpolicy-3.10.0/policy/modules/services/xserver.te.userdomain 2011-10-11 10:15:28.480129106 -0400
--- a/policy/modules/services/xserver.te +++ serefpolicy-3.10.0/policy/modules/services/xserver.te 2011-10-11 10:15:28.505129058 -0400
+++ b/policy/modules/services/xserver.te
@@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t) @@ -671,7 +671,7 @@ userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t) userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_files(xdm_t) userdom_manage_user_tmp_files(xdm_t)
@ -288,10 +281,9 @@ index 60e0e2d..fcf2f38 100644
application_signal(xdm_t) application_signal(xdm_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.if
index e7a65ae..6974244 100644 --- serefpolicy-3.10.0/policy/modules/system/userdomain.if.userdomain 2011-10-11 10:15:28.482129102 -0400
--- a/policy/modules/system/userdomain.if +++ serefpolicy-3.10.0/policy/modules/system/userdomain.if 2011-10-11 10:15:28.506129056 -0400
+++ b/policy/modules/system/userdomain.if
@@ -35,21 +35,14 @@ template(`userdom_base_user_template',` @@ -35,21 +35,14 @@ template(`userdom_base_user_template',`
type $1_t, userdomain, $1_usertype; type $1_t, userdomain, $1_usertype;
domain_type($1_t) domain_type($1_t)
@ -611,7 +603,7 @@ index e7a65ae..6974244 100644
') ')
####################################### #######################################
@@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',` @@ -424,6 +336,21 @@ interface(`userdom_exec_user_tmp_files',
## Role allowed access. ## Role allowed access.
## </summary> ## </summary>
## </param> ## </param>
@ -633,7 +625,7 @@ index e7a65ae..6974244 100644
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
@@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',` @@ -431,25 +358,23 @@ interface(`userdom_exec_user_tmp_files',
## </param> ## </param>
## <rolecap/> ## <rolecap/>
# #
@ -671,7 +663,7 @@ index e7a65ae..6974244 100644
') ')
####################################### #######################################
@@ -578,260 +503,31 @@ template(`userdom_change_password_template',` @@ -578,260 +503,31 @@ template(`userdom_change_password_templa
template(`userdom_common_user_template',` template(`userdom_common_user_template',`
gen_require(` gen_require(`
attribute unpriv_userdomain; attribute unpriv_userdomain;
@ -690,11 +682,9 @@ index e7a65ae..6974244 100644
- dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; - dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
- allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; - allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow $1_t self:socket create_socket_perms; - allow $1_t self:socket create_socket_perms;
+ typeattribute $1_t common_userdomain; -
- allow $1_usertype unpriv_userdomain:fd use; - allow $1_usertype unpriv_userdomain:fd use;
+ userdom_basic_networking(common_userdomain) -
- kernel_read_system_state($1_usertype) - kernel_read_system_state($1_usertype)
- kernel_read_network_state($1_usertype) - kernel_read_network_state($1_usertype)
- kernel_read_software_raid_state($1_usertype) - kernel_read_software_raid_state($1_usertype)
@ -746,11 +736,13 @@ index e7a65ae..6974244 100644
- -
- # for eject - # for eject
- storage_getattr_fixed_disk_dev($1_usertype) - storage_getattr_fixed_disk_dev($1_usertype)
- + typeattribute $1_t common_userdomain;
- auth_read_login_records($1_usertype) - auth_read_login_records($1_usertype)
- auth_run_pam($1_t,$1_r) - auth_run_pam($1_t,$1_r)
- auth_run_utempter($1_t,$1_r) - auth_run_utempter($1_t,$1_r)
- + userdom_basic_networking(common_userdomain)
- init_read_utmp($1_usertype) - init_read_utmp($1_usertype)
- -
- seutil_read_file_contexts($1_usertype) - seutil_read_file_contexts($1_usertype)
@ -775,21 +767,16 @@ index e7a65ae..6974244 100644
- # Allow graphical boot to check battery lifespan - # Allow graphical boot to check battery lifespan
- apm_stream_connect($1_usertype) - apm_stream_connect($1_usertype)
- ') - ')
+ auth_run_pam(common_userdomain,$1_r) -
+ auth_run_utempter(common_userdomain,$1_r) - optional_policy(`
+ seutil_run_newrole(common_userdomain,$1_r)
optional_policy(`
- canna_stream_connect($1_usertype) - canna_stream_connect($1_usertype)
+ chrome_role($1_r, common_userdomain) - ')
') -
- optional_policy(`
optional_policy(`
- chrome_role($1_r, $1_usertype) - chrome_role($1_r, $1_usertype)
+ git_session_role($1_r, common_userdomain) - ')
') -
- optional_policy(`
optional_policy(`
- colord_read_lib_files($1_usertype) - colord_read_lib_files($1_usertype)
- ') - ')
- -
@ -850,10 +837,9 @@ index e7a65ae..6974244 100644
- optional_policy(` - optional_policy(`
- vpn_dbus_chat($1_usertype) - vpn_dbus_chat($1_usertype)
- ') - ')
+ nsplugin_role($1_r, common_userdomain) - ')
') -
- optional_policy(`
optional_policy(`
- git_session_role($1_r, $1_usertype) - git_session_role($1_r, $1_usertype)
- ') - ')
- -
@ -922,27 +908,33 @@ index e7a65ae..6974244 100644
- optional_policy(` - optional_policy(`
- resmgr_stream_connect($1_usertype) - resmgr_stream_connect($1_usertype)
- ') - ')
- + auth_run_pam(common_userdomain,$1_r)
- optional_policy(` + auth_run_utempter(common_userdomain,$1_r)
+ seutil_run_newrole(common_userdomain,$1_r)
optional_policy(`
- rpc_dontaudit_getattr_exports($1_usertype) - rpc_dontaudit_getattr_exports($1_usertype)
- rpc_manage_nfs_rw_content($1_usertype) - rpc_manage_nfs_rw_content($1_usertype)
- ') + chrome_role($1_r, common_userdomain)
- ')
- optional_policy(`
optional_policy(`
- rpcbind_stream_connect($1_usertype) - rpcbind_stream_connect($1_usertype)
- ') + git_session_role($1_r, common_userdomain)
- ')
- optional_policy(`
optional_policy(`
- samba_stream_connect_winbind($1_usertype) - samba_stream_connect_winbind($1_usertype)
- ') + nsplugin_role($1_r, common_userdomain)
- ')
- optional_policy(`
optional_policy(`
- sandbox_transition($1_usertype, $1_r) - sandbox_transition($1_usertype, $1_r)
+ sandbox_transition(common_userdomain, $1_r) + sandbox_transition(common_userdomain, $1_r)
') ')
optional_policy(` optional_policy(`
@@ -839,11 +535,7 @@ template(`userdom_common_user_template',` @@ -839,11 +535,7 @@ template(`userdom_common_user_template',
') ')
optional_policy(` optional_policy(`
@ -955,7 +947,7 @@ index e7a65ae..6974244 100644
') ')
') ')
@@ -872,10 +564,9 @@ template(`userdom_login_user_template', ` @@ -872,10 +564,9 @@ template(`userdom_login_user_template',
userdom_base_user_template($1) userdom_base_user_template($1)
@ -969,7 +961,7 @@ index e7a65ae..6974244 100644
ifelse(`$1',`unconfined',`',` ifelse(`$1',`unconfined',`',`
gen_tunable(allow_$1_exec_content, true) gen_tunable(allow_$1_exec_content, true)
@@ -1010,9 +701,6 @@ template(`userdom_restricted_user_template',` @@ -1010,9 +701,6 @@ template(`userdom_restricted_user_templa
typeattribute $1_t unpriv_userdomain; typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t) domain_interactive_fd($1_t)
@ -979,7 +971,7 @@ index e7a65ae..6974244 100644
############################## ##############################
# #
# Local policy # Local policy
@@ -3918,6 +3606,10 @@ template(`userdom_unpriv_usertype',` @@ -3929,6 +3617,10 @@ template(`userdom_unpriv_usertype',`
auth_use_nsswitch($2) auth_use_nsswitch($2)
ubac_constrained($2) ubac_constrained($2)
@ -990,10 +982,9 @@ index e7a65ae..6974244 100644
') ')
######################################## ########################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te diff -up serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain serefpolicy-3.10.0/policy/modules/system/userdomain.te
index 04d748b..c636356 100644 --- serefpolicy-3.10.0/policy/modules/system/userdomain.te.userdomain 2011-10-11 10:15:28.427129208 -0400
--- a/policy/modules/system/userdomain.te +++ serefpolicy-3.10.0/policy/modules/system/userdomain.te 2011-10-11 10:15:28.507129054 -0400
+++ b/policy/modules/system/userdomain.te
@@ -69,6 +69,8 @@ attribute userdomain; @@ -69,6 +69,8 @@ attribute userdomain;
# unprivileged user domains # unprivileged user domains