- Fix nsplugin to allow flashplugin to work in enforcing mode

2008-01-24 18:12:25 +00:00 · 2008-01-24 18:12:25 +00:00 · 7c7d59935b
parent 0939872058
commit 7c7d59935b
2 changed files with 68 additions and 26 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1635,7 +1635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal
 /usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.if serefpolicy-3.2.5/policy/modules/apps/ethereal.if
 --- nsaserefpolicy/policy/modules/apps/ethereal.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/ethereal.if	2008-01-24 12:40:27.000000000 -0500
@@ -48,12 +48,10 @@
 	application_domain($1_ethereal_t,ethereal_exec_t)
 	role $3 types $1_ethereal_t;
@ -3608,7 +3608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.2.5/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/mozilla.te	2008-01-24 11:30:22.000000000 -0500
@@ -6,15 +6,15 @@
 # Declarations
 #
@ -3734,16 +3734,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc	2008-01-21 17:31:09.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc	2008-01-24 12:34:08.000000000 -0500
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,7 @@
 +
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 +
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?			gen_context(system_u:object_r:user_nsplugin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.2.5/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-23 11:19:15.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.if	2008-01-24 13:03:01.000000000 -0500
-@@ -0,0 +1,332 @@
+@@ -0,0 +1,336 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@ -3899,16 +3902,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +	nsplugin_config_domtrans($2)
 +
 +	list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
 +	can_exec($2, nsplugin_rw_t)
 +
 +	allow nsplugin_t $2:udp_socket { read write };
 +	allow nsplugin_t $2:tcp_socket { read write };
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +	allow nsplugin_t $1_tmpfs_t:file { read getattr };
 +
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
 +	allow $2 nsplugin_t:unix_stream_socket connectto;
-+	userdom_use_user_terminals($1, $2)
+	userdom_use_user_terminals($1, nsplugin_t)
 +')
 +
 +#######################################
@ -4078,8 +4085,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-23 11:16:36.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te	2008-01-24 13:03:48.000000000 -0500
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,129 @@
 +policy_module(nsplugin,1.0.0)
 +
 +########################################
@ -4097,10 +4104,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +application_domain(nsplugin_config_t, nsplugin_config_exec_t)
 +role system_r types nsplugin_config_t;
 +
 +
 +type nsplugin_rw_t;
 +files_type(nsplugin_rw_t)
 +
 +type user_nsplugin_home_t;
 +files_poly_member(user_nsplugin_home_t)
 +userdom_user_home_content(user,user_nsplugin_home_t)
 +
 +########################################
 +#
 +# nsplugin local policy
@ -4108,8 +4118,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +allow nsplugin_t self:fifo_file rw_file_perms;
 +allow nsplugin_t self:process getsched;
 +
-+corecmd_exec_bin(nsplugin_config_t)
+manage_dirs_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
-+corecmd_exec_shell(nsplugin_config_t)
+manage_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +manage_lnk_files_pattern(nsplugin_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +userdom_user_home_dir_filetrans(user, nsplugin_t, user_nsplugin_home_t, {file dir})
 +
 +corecmd_exec_bin(nsplugin_t)
 +corecmd_exec_shell(nsplugin_t)
 +
 +corenet_all_recvfrom_unlabeled(nsplugin_t)
 +corenet_all_recvfrom_netlabel(nsplugin_t)
 +corenet_tcp_connect_flash_port(nsplugin_t)
 +corenet_tcp_sendrecv_generic_if(nsplugin_t)
 +corenet_tcp_sendrecv_all_nodes(nsplugin_t)
 +
 +domain_dontaudit_read_all_domains_state(nsplugin_t)
 +
@ -4122,7 +4143,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +files_read_etc_files(nsplugin_t)
 +
 +fs_list_inotifyfs(nsplugin_t)
-+fs_rw_tmpfs_files(nsplugin_t)
+fs_manage_tmpfs_files(nsplugin_t)
 +fs_getattr_tmpfs(nsplugin_t)
 +
 +auth_use_nsswitch(nsplugin_t)
 +
@ -4130,9 +4152,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +libs_use_shared_libs(nsplugin_t)
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
 +
 +optional_policy(`
 +	userdom_read_user_home_content_files(user, nsplugin_t)
 +	userdom_write_user_tmp_sockets(user, nsplugin_t)
 +')
 +
 +optional_policy(`
@ -4153,9 +4177,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +## internal communication is often done using fifo and unix sockets.
 +allow nsplugin_config_t self:capability { sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched getsched };
+allow nsplugin_config_t self:process { setsched getsched execmem };
-+allow nsplugin_t self:sem rw_sem_perms;
+allow nsplugin_t self:sem create_sem_perms;
-+allow nsplugin_t self:shm rw_shm_perms;
+allow nsplugin_t self:shm create_shm_perms;
 +
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
@ -4165,6 +4189,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 +
 +manage_dirs_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +manage_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +manage_lnk_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t)
 +
 +corecmd_exec_bin(nsplugin_config_t)
 +corecmd_exec_shell(nsplugin_config_t)
 +
@ -4181,10 +4209,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +miscfiles_read_localization(nsplugin_config_t)
 +miscfiles_read_fonts(nsplugin_config_t)
 +
-+userdom_dontaudit_search_all_users_home_content(nsplugin_config_t)
+userdom_search_all_users_home_content(nsplugin_config_t)
 +
 +
 +nsplugin_domtrans(nsplugin_config_t)
 +
 +dev_read_sound(nsplugin_t)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.2.5/policy/modules/apps/screen.fc
 --- nsaserefpolicy/policy/modules/apps/screen.fc	2007-10-12 08:56:02.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/apps/screen.fc	2008-01-18 12:40:46.000000000 -0500
@ -4740,7 +4771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2008-01-22 09:05:42.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/corenetwork.te.in	2008-01-24 12:39:48.000000000 -0500
@@ -82,6 +82,7 @@
 network_port(clockspeed, udp,4041,s0)
 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
@ -4749,7 +4780,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dbskkd, tcp,1178,s0)
-@@ -122,6 +123,8 @@
+@@ -91,6 +92,7 @@
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
 network_port(fingerd, tcp,79,s0)
 +network_port(flash, tcp,1935,s0, udp,1935,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -122,6 +124,8 @@
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
@ -4758,7 +4797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
 network_port(nessus, tcp,1241,s0)
-@@ -133,6 +136,7 @@
+@@ -133,6 +137,7 @@
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
 network_port(postfix_policyd, tcp,10031,s0)
@ -4766,7 +4805,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postgresql, tcp,5432,s0)
-@@ -148,7 +152,7 @@
+@@ -148,7 +153,7 @@
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
 network_port(rndc, tcp,953,s0)
@ -5391,7 +5430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.2.5/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/kernel/filesystem.if	2008-01-24 12:36:13.000000000 -0500
@@ -1171,6 +1171,25 @@
 ########################################
@ -23401,7 +23440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-23 13:14:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-24 13:04:29.000000000 -0500
@@ -29,9 +29,14 @@
 	')
@ -24625,7 +24664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	files_search_tmp($2)
 -	allow $2 $1_tmp_t:sock_file write;
-+	allow $2 user_tmp_t:sock_file write;
+	write_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 ')
 ########################################
@ -26681,7 +26720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.2.5/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/support/obj_perm_sets.spt	2008-01-24 11:37:33.000000000 -0500
@@ -204,7 +204,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
 * Thu Jan 24 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-19
 - Fix nsplugin to allow flashplugin to work in enforcing mode
 * Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-18
 - Allow pam_selinux_permit to kill all processes