- Run rpm in system_r

2007-12-20 21:26:31 +00:00 · 2007-12-20 21:26:31 +00:00 · 673eaaeafb
commit 673eaaeafb
parent 5615fe1b3d
2 changed files with 116 additions and 42 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -206,7 +206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.2.5/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/admin/alsa.te	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/alsa.te	2007-12-20 08:55:02.000000000 -0500
@@ -8,12 +8,15 @@
 type alsa_t;
@ -224,7 +224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 ########################################
 #
 # Local policy
-@@ -30,11 +33,18 @@
+@@ -30,14 +33,23 @@
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
@ -243,7 +243,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 files_search_home(alsa_t)
 files_read_etc_files(alsa_t)
-@@ -48,10 +58,7 @@
+auth_use_nsswitch(alsa_t)
 +
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
@@ -48,10 +60,7 @@
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
 userdom_search_generic_user_home_dirs(alsa_t)
@ -920,7 +925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.2.5/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/rpm.if	2007-12-20 08:55:42.000000000 -0500
@@ -152,6 +152,24 @@
 ########################################
@ -1002,7 +1007,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 ')
 ########################################
-@@ -289,3 +346,111 @@
+@@ -289,3 +346,137 @@
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
@ -1114,6 +1119,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
 +	read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Transition to system_r when execute an init script
 +## </summary>
 +## <desc>
 +##      <p>
 +##	Execute rpm script in a specified role
 +##      </p>
 +##      <p>
 +##      No interprocess communication (signals, pipes,
 +##      etc.) is provided by this interface since
 +##      the domains are not owned by this module.
 +##      </p>
 +## </desc>
 +## <param name="source_role">
 +##	<summary>
 +##	Role to transition from.
 +##	</summary>
 +## </param>
 +interface(`rpm_role_transition',`
 +	gen_require(`
 +		type rpm_t;
 +	')
 +
 +	role_transition $1 rpm_t system_r;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.2.5/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2007-12-19 05:32:18.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/admin/rpm.te	2007-12-19 05:38:08.000000000 -0500
@ -3699,7 +3730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.5/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2007-12-19 05:38:08.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/files.if	2007-12-20 16:15:45.000000000 -0500
@@ -1266,6 +1266,24 @@
 ########################################
@ -5138,7 +5169,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.2.5/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/cron.if	2007-12-20 14:02:12.000000000 -0500
@@ -35,38 +35,23 @@
 #
 template(`cron_per_role_template',`
@ -5388,6 +5419,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ##	Read, and write cron daemon TCP sockets.
 ## </summary>
 ## <param name="domain">
@@ -583,3 +495,23 @@
 	dontaudit $1 system_crond_tmp_t:file append;
 ')
 +
 +
 +########################################
 +## <summary>
 +##	Read temporary files from the system cron jobs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`cron_read_system_job_lib_files',`
 +	gen_require(`
 +		type system_crond_var_lib_t;
 +	')
 +
 +
 +	read_files_pattern($1, system_crond_var_lib_t,  system_crond_var_lib_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.5/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/cron.te	2007-12-19 05:38:09.000000000 -0500
@ -6698,7 +6753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.2.5/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/hal.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/hal.te	2007-12-20 14:02:58.000000000 -0500
@@ -49,6 +49,9 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -6782,11 +6837,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 libs_use_ld_so(hald_mac_t)
 libs_use_shared_libs(hald_mac_t)
-@@ -391,3 +412,4 @@
+@@ -391,3 +412,7 @@
 libs_use_shared_libs(hald_keymap_t)
 miscfiles_read_localization(hald_keymap_t)
 +
 +# This is caused by a bug in hald and PolicyKit.  
 +# Should be removed when this is fixed
 +cron_read_system_job_lib_files(hald_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.2.5/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.2.5/policy/modules/services/inetd.te	2007-12-19 05:38:09.000000000 -0500
@ -11742,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.2.5/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/fstools.te	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/fstools.te	2007-12-20 16:16:24.000000000 -0500
@@ -109,8 +109,7 @@
 term_use_console(fsadm_t)
@ -11753,7 +11811,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 #RedHat bug #201164
 corecmd_exec_shell(fsadm_t)
-@@ -183,4 +182,5 @@
+@@ -132,6 +131,8 @@
 # Access to /initrd devices
 files_rw_isid_type_dirs(fsadm_t)
 files_rw_isid_type_blk_files(fsadm_t)
 +files_read_isid_type_files(fsadm_t)
 +
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
@@ -183,4 +184,5 @@
 optional_policy(`
 	xen_append_log(fsadm_t)
@ -11811,7 +11878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.2.5/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/system/init.if	2007-12-19 05:38:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/init.if	2007-12-20 08:48:00.000000000 -0500
@@ -211,6 +211,13 @@
 			kernel_dontaudit_use_fds($1)
 		')
@ -14034,8 +14101,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2007-12-19 16:35:02.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/unconfined.te	2007-12-20 09:13:54.000000000 -0500
-@@ -9,32 +9,48 @@
+@@ -9,32 +9,49 @@
 # usage in this module of types created by these
 # calls is not correct, however we dont currently
 # have another method to add access to these types
@ -14054,6 +14121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +allow system_r unconfined_r;
 +allow unconfined_r system_r;
 +init_script_role_transition(unconfined_r)
 +rpm_role_transition(unconfined_r)
 type unconfined_execmem_t;
 type unconfined_execmem_exec_t;
@ -14088,7 +14156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,7 +58,10 @@
+@@ -42,7 +59,10 @@
 logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -14099,7 +14167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 seutil_run_setfiles(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 seutil_run_semanage(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-@@ -51,13 +70,13 @@
+@@ -51,13 +71,13 @@
 userdom_priveleged_home_dir_manager(unconfined_t)
 optional_policy(`
@ -14115,7 +14183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	unconfined_domain(httpd_unconfined_script_t)
 ')
-@@ -69,11 +88,11 @@
+@@ -69,11 +89,11 @@
 	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
@ -14132,7 +14200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 optional_policy(`
 	init_dbus_chat_script(unconfined_t)
-@@ -107,6 +126,10 @@
+@@ -107,6 +127,10 @@
 	optional_policy(`
 		oddjob_dbus_chat(unconfined_t)
 	')
@ -14143,7 +14211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -118,11 +141,7 @@
+@@ -118,11 +142,7 @@
 ')
 optional_policy(`
@ -14156,7 +14224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -134,14 +153,6 @@
+@@ -134,14 +154,6 @@
 ')
 optional_policy(`
@ -14171,7 +14239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	oddjob_domtrans_mkhomedir(unconfined_t)
 ')
-@@ -154,33 +165,20 @@
+@@ -154,33 +166,20 @@
 ')
 optional_policy(`
@ -14209,7 +14277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 optional_policy(`
-@@ -205,11 +203,30 @@
+@@ -205,11 +204,30 @@
 ')
 optional_policy(`
@ -14242,34 +14310,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 ########################################
-@@ -219,14 +236,36 @@
+@@ -219,14 +237,32 @@
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
 +allow unconfined_execmem_t unconfined_t:process transition;
 optional_policy(`
-+	init_dbus_chat_script(unconfined_execmem_t)
+-	dbus_stub(unconfined_execmem_t)
-+
+-
- 	dbus_stub(unconfined_execmem_t)
+ 	init_dbus_chat_script(unconfined_execmem_t)
- 
+	dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
 -	init_dbus_chat_script(unconfined_execmem_t)
 +	dbus_connect_system_bus(unconfined_execmem_t)
 +	unconfined_dbus_connect(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
 +	unconfined_dbus_connect(unconfined_execmem_t)
 +')
- 	optional_policy(`
+-	optional_policy(`
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 +optional_policy(`
 +	avahi_dbus_chat(unconfined_execmem_t)
-+	')
+')
 +
-+	optional_policy(`
+optional_policy(`
- 		hal_dbus_chat(unconfined_execmem_t)
+	hal_dbus_chat(unconfined_execmem_t)
- 	')
+')
 +
-+	optional_policy(`
+optional_policy(`
 +	xserver_xdm_rw_shm(unconfined_execmem_t)
 +
 +	')
 ')
 +
 +########################################
@ -14295,7 +14363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2007-12-19 16:35:24.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2007-12-20 14:54:51.000000000 -0500
@@ -29,8 +29,9 @@
 	')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -73,6 +73,9 @@ SELinux Policy development package
 %{_usr}/share/selinux/devel/policy.*
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 %check devel
 /usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
 %post devel
 [ -x /usr/bin/sepolgen-ifgen ] && /usr/bin/sepolgen-ifgen 
 exit 0
@ -383,6 +386,9 @@ exit 0
 %endif
 %changelog
 * Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-3
 - Run rpm in system_r
 * Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.5-2
 - Zero out customizable types