- Allow unconfined_t to transition to NetworkManager_t

- Fix netlabel policy
2007-05-16 19:31:34 +00:00 · 2007-05-16 19:31:34 +00:00 · 7c3dcb3584
parent 810e69636e
commit 7c3dcb3584
2 changed files with 130 additions and 19 deletions
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@ -1009,8 +1009,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 	dev_dontaudit_rw_dri($1_mozilla_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.6.4/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2007-04-30 11:25:12.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/apps/slocate.te	2007-05-08 09:59:33.000000000 -0400
-@@ -43,7 +43,7 @@
+++ serefpolicy-2.6.4/policy/modules/apps/slocate.te	2007-05-15 11:05:16.000000000 -0400
+@@ -39,11 +39,12 @@
+ 
+ files_list_all(locate_t)
+ files_getattr_all_files(locate_t)
+files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
 
 fs_getattr_all_fs(locate_t)
@ -1653,8 +1658,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.6.4/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-04-23 09:35:56.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te	2007-05-08 09:59:33.000000000 -0400
-@@ -54,17 +54,30 @@
+++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.te	2007-05-16 09:21:57.000000000 -0400
+@@ -54,17 +54,29 @@
 
 type capifs_t;
 fs_type(capifs_t)
@ -1676,7 +1681,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
 
 +type fusefs_t;
-+fs_type(fusefs_t)
 +fs_noxattr_type(fusefs_t)
 +allow fusefs_t self:filesystem associate;
 +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
@ -1685,12 +1689,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -83,6 +96,12 @@
+@@ -83,6 +95,11 @@
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
 +type mvfs_t;
-+fs_type(mvfs_t)
 +fs_noxattr_type(mvfs_t)
 +allow mvfs_t self:filesystem associate;
 +genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
@ -1698,6 +1701,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
+@@ -105,6 +122,11 @@
+ genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
+ files_mountpoint(rpc_pipefs_t)
+ 
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
+ #
+ # tmpfs_t is the type for tmpfs filesystems
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.6.4/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-05-02 15:04:46.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/kernel.if	2007-05-08 09:59:33.000000000 -0400
@ -2502,6 +2517,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 dev_read_urand(automount_t)
 
 domain_use_interactive_fds(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.6.4/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te	2007-05-03 08:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/avahi.te	2007-05-15 11:02:52.000000000 -0400
+@@ -18,7 +18,7 @@
+ # Local policy
+ #
+ 
+-allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
+ dontaudit avahi_t self:capability sys_tty_config;
+ allow avahi_t self:process { setrlimit signal_perms setcap };
+ allow avahi_t self:fifo_file { read write };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-04-23 09:36:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/bind.te	2007-05-08 09:59:33.000000000 -0400
@ -2925,7 +2952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
 optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.6.4/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dbus.if	2007-05-08 09:59:33.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/dbus.if	2007-05-14 15:57:48.000000000 -0400
@@ -49,6 +49,12 @@
 ## </param>
 #
@ -2981,7 +3008,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 
 	miscfiles_read_localization($1_dbusd_t)
 
-@@ -273,6 +290,31 @@
+@@ -204,6 +221,7 @@
+ 	# For connecting to the bus
+ 	files_search_pids($2)
+ 	stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t)
+	dbus_read_config($2)
+ ')
+ 
+ #######################################
+@@ -273,6 +291,31 @@
 
 ########################################
 ## <summary>
@ -3013,7 +3048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 ##	Read dbus configuration.
 ## </summary>
 ## <param name="domain">
-@@ -286,6 +328,7 @@
+@@ -286,6 +329,7 @@
 		type dbusd_etc_t;
 	')
 
@ -3021,7 +3056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 	allow $1 dbusd_etc_t:file read_file_perms;
 ')
 
-@@ -346,3 +389,23 @@
+@@ -346,3 +390,23 @@
 
 	allow $1 system_dbusd_t:dbus *;
 ')
@ -3334,7 +3369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/hal.if	2007-05-08 09:59:33.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/hal.if	2007-05-14 15:45:53.000000000 -0400
@@ -208,3 +208,98 @@
 	files_search_pids($1)
 	allow $1 hald_var_run_t:file rw_file_perms;
@ -3788,6 +3823,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if
+--- nsaserefpolicy/policy/modules/services/networkmanager.if	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if	2007-05-16 08:30:20.000000000 -0400
+@@ -78,3 +78,22 @@
+ 	allow $1 NetworkManager_t:dbus send_msg;
+ 	allow NetworkManager_t $1:dbus send_msg;
+ ')
+
+########################################
+## <summary>
+##	Transition to NetworkManager 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_domtrans',`
+	gen_require(`
+		type NetworkManager_t, NetworkManager_exec_t;
+	')
+	corecmd_search_bin($1)
+	domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
+
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2007-03-26 10:39:04.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/nis.if	2007-05-08 09:59:33.000000000 -0400
@ -4708,8 +4769,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rwho
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.6.4/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/samba.fc	2007-05-08 09:59:33.000000000 -0400
-@@ -27,6 +27,9 @@
+++ serefpolicy-2.6.4/policy/modules/services/samba.fc	2007-05-16 08:24:46.000000000 -0400
+@@ -3,6 +3,7 @@
+ # /etc
+ #
+ /etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba/smbpasswd		--	gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba(/.*)?			gen_context(system_u:object_r:samba_etc_t,s0)
+@@ -27,6 +28,9 @@
 /var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 
 /var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
@ -5377,6 +5446,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 	# Relabel and access ptys created by sshd
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te
+--- nsaserefpolicy/policy/modules/services/tftp.te	2007-04-23 09:36:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/tftp.te	2007-05-14 16:13:37.000000000 -0400
+@@ -69,6 +69,7 @@
+ logging_send_syslog_msg(tftpd_t)
+ 
+ miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
+ 
+ sysnet_read_config(tftpd_t)
+ sysnet_use_ldap(tftpd_t)
+@@ -102,3 +103,4 @@
+ optional_policy(`
+         udev_read_db(tftpd_t)
+ ')
+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-2.6.4/policy/modules/services/w3c.fc
 --- nsaserefpolicy/policy/modules/services/w3c.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/w3c.fc	2007-05-08 09:59:33.000000000 -0400
@ -6905,6 +6990,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +	term_use_generic_ptys(mount_ntfs_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te
+--- nsaserefpolicy/policy/modules/system/netlabel.te	2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.6.4/policy/modules/system/netlabel.te	2007-05-15 21:07:39.000000000 -0400
+@@ -20,6 +20,10 @@
+ allow netlabel_mgmt_t self:capability net_admin;
+ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+ 
+init_use_script_ptys(netlabel_mgmt_t)
+
+files_read_etc_files(netlabel_mgmt_t)
+
+ kernel_read_network_state(netlabel_mgmt_t)
+ 
+ libs_use_ld_so(netlabel_mgmt_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.6.4/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-04-23 09:36:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/raid.te	2007-05-08 09:59:33.000000000 -0400
@ -7321,7 +7420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-04-23 09:36:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-05-08 09:59:33.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-05-16 08:28:37.000000000 -0400
@@ -6,6 +6,15 @@
 # Declarations
 #
@ -7358,7 +7457,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 		init_dbus_chat_script(unconfined_t)
 
 		dbus_stub(unconfined_t)
-@@ -153,6 +160,8 @@
+@@ -93,6 +100,7 @@
+ 
+ 		optional_policy(`
+ 			networkmanager_dbus_chat(unconfined_t)
+			networkmanager_domtrans(unconfined_t)
+ 		')
+ 
+ 		optional_policy(`
+@@ -153,6 +161,8 @@
 
 	optional_policy(`
 		rpm_domtrans(unconfined_t)
@ -7367,7 +7474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	')
 
 	optional_policy(`
-@@ -192,6 +201,9 @@
+@@ -192,6 +202,9 @@
 	optional_policy(`
 		xserver_domtrans_xdm_xserver(unconfined_t)
 	')
@ -7377,7 +7484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -200,10 +212,18 @@
+@@ -200,10 +213,18 @@
 #
 
 ifdef(`targeted_policy',`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -359,6 +359,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif

 %changelog
+* Wed May 16 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-2
+- Allow unconfined_t to transition to NetworkManager_t
+- Fix netlabel policy
+
 * Mon May 14 2007 Dan Walsh <dwalsh@redhat.com> 2.6.4-1
 - Update to latest from upstream