- Allow users to exec restorecond
This commit is contained in:
parent
f5a104d238
commit
85582d623f
@ -245,7 +245,7 @@ allow_nsplugin_execmem=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
allow_unconfined_nsplugin_transition=true
|
||||
allow_unconfined_nsplugin_transition=false
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
|
149
policy-F12.patch
149
policy-F12.patch
@ -12909,7 +12909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
|
||||
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-21 19:37:35.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 17:38:43.000000000 -0700
|
||||
@@ -19,6 +19,9 @@
|
||||
type NetworkManager_tmp_t;
|
||||
files_tmp_file(NetworkManager_tmp_t)
|
||||
@ -12951,16 +12951,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
||||
@@ -63,6 +70,8 @@
|
||||
@@ -63,6 +70,9 @@
|
||||
kernel_read_network_state(NetworkManager_t)
|
||||
kernel_read_kernel_sysctls(NetworkManager_t)
|
||||
kernel_load_module(NetworkManager_t)
|
||||
+kernel_request_load_module(NetworkManager_t)
|
||||
+kernel_read_debugfs(NetworkManager_t)
|
||||
+kernel_rw_net_sysctls(NetworkManager_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
||||
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
||||
@@ -81,13 +90,18 @@
|
||||
@@ -81,13 +91,18 @@
|
||||
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
||||
corenet_sendrecv_all_client_packets(NetworkManager_t)
|
||||
@ -12979,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
mls_file_read_all_levels(NetworkManager_t)
|
||||
|
||||
@@ -98,15 +112,20 @@
|
||||
@@ -98,15 +113,20 @@
|
||||
|
||||
domain_use_interactive_fds(NetworkManager_t)
|
||||
domain_read_confined_domains_state(NetworkManager_t)
|
||||
@ -13001,7 +13002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
logging_send_syslog_msg(NetworkManager_t)
|
||||
|
||||
miscfiles_read_localization(NetworkManager_t)
|
||||
@@ -116,25 +135,40 @@
|
||||
@@ -116,25 +136,40 @@
|
||||
|
||||
seutil_read_config(NetworkManager_t)
|
||||
|
||||
@ -13049,7 +13050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -146,8 +180,25 @@
|
||||
@@ -146,8 +181,25 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13077,7 +13078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -155,23 +206,51 @@
|
||||
@@ -155,23 +207,51 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -13131,7 +13132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -179,12 +258,15 @@
|
||||
@@ -179,12 +259,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -15843,7 +15844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-16 07:03:09.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 07:42:34.000000000 -0700
|
||||
@@ -54,7 +54,7 @@
|
||||
allow $1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -15853,7 +15854,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
||||
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
|
||||
@@ -109,6 +109,10 @@
|
||||
@@ -99,6 +99,7 @@
|
||||
files_read_etc_runtime_files($1_t)
|
||||
files_search_var($1_t)
|
||||
files_search_var_lib($1_t)
|
||||
+ files_list_home($1_t)
|
||||
|
||||
auth_use_nsswitch($1_t)
|
||||
|
||||
@@ -109,6 +110,10 @@
|
||||
userdom_dontaudit_use_unpriv_user_fds($1_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -15866,7 +15875,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-16 07:03:09.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 07:42:43.000000000 -0700
|
||||
@@ -53,7 +53,7 @@
|
||||
# RPC local policy
|
||||
#
|
||||
|
||||
-allow rpcd_t self:capability { chown dac_override setgid setuid };
|
||||
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
|
||||
allow rpcd_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
allow rpcd_t rpcd_var_run_t:dir setattr;
|
||||
@@ -91,6 +91,8 @@
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
@ -19016,7 +19034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
|
||||
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-16 07:03:09.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 07:58:35.000000000 -0700
|
||||
@@ -3,12 +3,17 @@
|
||||
#
|
||||
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
|
||||
@ -19028,7 +19046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
|
||||
|
||||
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
|
||||
@ -23546,8 +23564,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-16 07:03:09.000000000 -0700
|
||||
@@ -535,6 +535,53 @@
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 20:11:24.000000000 -0700
|
||||
@@ -351,6 +351,27 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Execute restorecond in the caller domain.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`seutil_exec_restorecond',`
|
||||
+ gen_require(`
|
||||
+ type restorecond_exec_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_usr($1)
|
||||
+ corecmd_search_bin($1)
|
||||
+ can_exec($1, restorecond_exec_t)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Execute run_init in the run_init domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -535,6 +556,53 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -23601,7 +23647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute setfiles in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -680,6 +727,7 @@
|
||||
@@ -680,6 +748,7 @@
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
@ -23609,7 +23655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
|
||||
')
|
||||
@@ -999,6 +1047,26 @@
|
||||
@@ -999,6 +1068,26 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -23636,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Execute semanage in the semanage domain, and
|
||||
## allow the specified role the semanage domain,
|
||||
## and use the caller's terminal.
|
||||
@@ -1010,7 +1078,7 @@
|
||||
@@ -1010,7 +1099,7 @@
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
@ -23645,7 +23691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
@@ -1028,6 +1096,33 @@
|
||||
@@ -1028,6 +1117,33 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -23679,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## Full management of the semanage
|
||||
## module store.
|
||||
## </summary>
|
||||
@@ -1139,3 +1234,194 @@
|
||||
@@ -1139,3 +1255,194 @@
|
||||
selinux_dontaudit_get_fs_mount($1)
|
||||
seutil_dontaudit_read_config($1)
|
||||
')
|
||||
@ -25608,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-21 05:24:59.000000000 -0700
|
||||
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-24 20:12:04.000000000 -0700
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
@ -26055,7 +26101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
##############################
|
||||
#
|
||||
@@ -508,182 +515,208 @@
|
||||
@@ -508,182 +515,209 @@
|
||||
# evolution and gnome-session try to create a netlink socket
|
||||
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
|
||||
@ -26160,6 +26206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
seutil_exec_checkpolicy($1_t)
|
||||
- seutil_exec_setfiles($1_t)
|
||||
+ seutil_exec_setfiles($1_usertype)
|
||||
+ seutil_exec_restorecond($1_usertype)
|
||||
# for when the network connection is killed
|
||||
# this is needed when a login role can change
|
||||
# to this one.
|
||||
@ -26337,7 +26384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
#######################################
|
||||
@@ -711,13 +744,26 @@
|
||||
@@ -711,13 +745,26 @@
|
||||
|
||||
userdom_base_user_template($1)
|
||||
|
||||
@ -26369,7 +26416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
userdom_change_password_template($1)
|
||||
|
||||
@@ -735,70 +781,71 @@
|
||||
@@ -735,70 +782,71 @@
|
||||
|
||||
allow $1_t self:context contains;
|
||||
|
||||
@ -26474,7 +26521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -835,6 +882,32 @@
|
||||
@@ -835,6 +883,32 @@
|
||||
# Local policy
|
||||
#
|
||||
|
||||
@ -26507,7 +26554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
loadkeys_run($1_t,$1_r)
|
||||
')
|
||||
@@ -865,51 +938,81 @@
|
||||
@@ -865,51 +939,81 @@
|
||||
|
||||
userdom_restricted_user_template($1)
|
||||
|
||||
@ -26602,7 +26649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -943,8 +1046,8 @@
|
||||
@@ -943,8 +1047,8 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -26612,7 +26659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -953,11 +1056,12 @@
|
||||
@@ -953,11 +1057,12 @@
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -26627,7 +26674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# cjp: why?
|
||||
files_read_kernel_symbol_table($1_t)
|
||||
|
||||
@@ -975,36 +1079,53 @@
|
||||
@@ -975,36 +1080,53 @@
|
||||
')
|
||||
')
|
||||
|
||||
@ -26695,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1040,7 +1161,7 @@
|
||||
@@ -1040,7 +1162,7 @@
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
attribute admindomain;
|
||||
@ -26704,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1049,8 +1170,7 @@
|
||||
@@ -1049,8 +1171,7 @@
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -26714,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_obj_id_change_exemption($1_t)
|
||||
role system_r types $1_t;
|
||||
@@ -1075,6 +1195,9 @@
|
||||
@@ -1075,6 +1196,9 @@
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
@ -26724,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1089,6 +1212,7 @@
|
||||
@@ -1089,6 +1213,7 @@
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -26732,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1096,8 +1220,6 @@
|
||||
@@ -1096,8 +1221,6 @@
|
||||
|
||||
dev_getattr_generic_blk_files($1_t)
|
||||
dev_getattr_generic_chr_files($1_t)
|
||||
@ -26741,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
# Allow MAKEDEV to work
|
||||
dev_create_all_blk_files($1_t)
|
||||
dev_create_all_chr_files($1_t)
|
||||
@@ -1124,6 +1246,8 @@
|
||||
@@ -1124,6 +1247,8 @@
|
||||
files_exec_usr_src_files($1_t)
|
||||
|
||||
fs_getattr_all_fs($1_t)
|
||||
@ -26750,7 +26797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
fs_set_all_quotas($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
@@ -1152,20 +1276,6 @@
|
||||
@@ -1152,20 +1277,6 @@
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
seutil_manage_bin_policy($1_t)
|
||||
|
||||
@ -26771,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
@@ -1211,6 +1321,7 @@
|
||||
@@ -1211,6 +1322,7 @@
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -26779,7 +26826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1276,11 +1387,15 @@
|
||||
@@ -1276,11 +1388,15 @@
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
@ -26795,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1391,12 +1506,13 @@
|
||||
@@ -1391,12 +1507,13 @@
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
@ -26810,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -1429,6 +1545,14 @@
|
||||
@@ -1429,6 +1546,14 @@
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -26825,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1444,9 +1568,11 @@
|
||||
@@ -1444,9 +1569,11 @@
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -26837,7 +26884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1503,6 +1629,25 @@
|
||||
@@ -1503,6 +1630,25 @@
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
@ -26863,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1577,6 +1722,8 @@
|
||||
@@ -1577,6 +1723,8 @@
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
@ -26872,7 +26919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1670,6 +1817,7 @@
|
||||
@@ -1670,6 +1818,7 @@
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -26880,7 +26927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
|
||||
files_search_home($1)
|
||||
')
|
||||
@@ -1797,19 +1945,32 @@
|
||||
@@ -1797,19 +1946,32 @@
|
||||
#
|
||||
interface(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -26920,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1844,6 +2005,7 @@
|
||||
@@ -1844,6 +2006,7 @@
|
||||
interface(`userdom_manage_user_home_content_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
@ -26928,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
manage_files_pattern($1, user_home_t, user_home_t)
|
||||
@@ -2391,27 +2553,7 @@
|
||||
@@ -2391,27 +2554,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -26957,7 +27004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2765,11 +2907,32 @@
|
||||
@@ -2765,11 +2908,32 @@
|
||||
#
|
||||
interface(`userdom_search_user_home_content',`
|
||||
gen_require(`
|
||||
@ -26992,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2897,7 +3060,25 @@
|
||||
@@ -2897,7 +3061,25 @@
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -27019,7 +27066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2934,6 +3115,7 @@
|
||||
@@ -2934,6 +3116,7 @@
|
||||
')
|
||||
|
||||
read_files_pattern($1, userdomain, userdomain)
|
||||
@ -27027,7 +27074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -3064,3 +3246,559 @@
|
||||
@@ -3064,3 +3247,559 @@
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
300
policygentool
300
policygentool
@ -1,297 +1,3 @@
|
||||
#! /usr/bin/env python
|
||||
# Copyright (C) 2006 Red Hat
|
||||
# see file 'COPYING' for use and warranty information
|
||||
#
|
||||
# policygentool is a tool for the initial generation of SELinux policy
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation; either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
||||
# 02111-1307 USA
|
||||
#
|
||||
#
|
||||
import os, sys, getopt
|
||||
import re
|
||||
|
||||
########################### Interface File #############################
|
||||
interface="""\
|
||||
## <summary>policy for TEMPLATETYPE</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run TEMPLATETYPE.
|
||||
## </summary>
|
||||
## <param name=\"domain\">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`TEMPLATETYPE_domtrans',`
|
||||
gen_require(`
|
||||
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
|
||||
|
||||
allow TEMPLATETYPE_t $1:fd use;
|
||||
allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
|
||||
allow TEMPLATETYPE_t $1:process sigchld;
|
||||
')
|
||||
"""
|
||||
|
||||
########################### Type Enforcement File #############################
|
||||
te="""\
|
||||
policy_module(TEMPLATETYPE,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type TEMPLATETYPE_t;
|
||||
type TEMPLATETYPE_exec_t;
|
||||
domain_type(TEMPLATETYPE_t)
|
||||
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
|
||||
"""
|
||||
te_logfile="""
|
||||
# log files
|
||||
type TEMPLATETYPE_var_log_t;
|
||||
logging_log_file(TEMPLATETYPE_var_log_t)
|
||||
"""
|
||||
te_pidfile="""
|
||||
# pid files
|
||||
type TEMPLATETYPE_var_run_t;
|
||||
files_pid_file(TEMPLATETYPE_var_run_t)
|
||||
"""
|
||||
te_libfile="""
|
||||
# var/lib files
|
||||
type TEMPLATETYPE_var_lib_t;
|
||||
files_type(TEMPLATETYPE_var_lib_t)
|
||||
"""
|
||||
te_sep="""
|
||||
########################################
|
||||
#
|
||||
# TEMPLATETYPE local policy
|
||||
#
|
||||
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
|
||||
|
||||
# Some common macros (you might be able to remove some)
|
||||
files_read_etc_files(TEMPLATETYPE_t)
|
||||
libs_use_ld_so(TEMPLATETYPE_t)
|
||||
libs_use_shared_libs(TEMPLATETYPE_t)
|
||||
miscfiles_read_localization(TEMPLATETYPE_t)
|
||||
## internal communication is often done using fifo and unix sockets.
|
||||
allow TEMPLATETYPE_t self:fifo_file { read write };
|
||||
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
|
||||
"""
|
||||
te_pidfile2="""
|
||||
# pid file
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
|
||||
"""
|
||||
te_logfile2="""
|
||||
# log files
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
|
||||
logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
|
||||
"""
|
||||
te_libfile2="""
|
||||
# var/lib files for TEMPLATETYPE
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
|
||||
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
|
||||
files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
|
||||
"""
|
||||
te_network2="""
|
||||
## Networking basics (adjust to your needs!)
|
||||
sysnet_dns_name_resolve(TEMPLATETYPE_t)
|
||||
corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
|
||||
corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
|
||||
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
|
||||
corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
|
||||
corenet_tcp_connect_http_port(TEMPLATETYPE_t)
|
||||
#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
|
||||
## if it is a network daemon, consider these:
|
||||
#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
|
||||
#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
|
||||
allow TEMPLATETYPE_t self:tcp_socket { listen accept };
|
||||
"""
|
||||
te_initsc2="""
|
||||
# Init script handling
|
||||
init_use_fds(TEMPLATETYPE_t)
|
||||
init_use_script_ptys(TEMPLATETYPE_t)
|
||||
domain_use_interactive_fds(TEMPLATETYPE_t)
|
||||
"""
|
||||
|
||||
########################### File Context ##################################
|
||||
fc="""\
|
||||
# TEMPLATETYPE executable will have:
|
||||
# label: system_u:object_r:TEMPLATETYPE_exec_t
|
||||
# MLS sensitivity: s0
|
||||
# MCS categories: <none>
|
||||
|
||||
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
|
||||
"""
|
||||
fc_pidfile="""\
|
||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
|
||||
"""
|
||||
fc_logfile="""\
|
||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
|
||||
"""
|
||||
fc_libfile="""\
|
||||
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
|
||||
"""
|
||||
def errorExit(error):
|
||||
sys.stderr.write("%s: " % sys.argv[0])
|
||||
sys.stderr.write("%s\n" % error)
|
||||
sys.stderr.flush()
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
def write_te_file(module, pidfile, logfile, libfile, network, initsc):
|
||||
file="%s.te" % module
|
||||
newte=re.sub("TEMPLATETYPE", module, te)
|
||||
if libfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
|
||||
if logfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
|
||||
if pidfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
|
||||
if libfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
|
||||
if logfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
|
||||
if pidfile:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
|
||||
if network:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
|
||||
if initsc:
|
||||
newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
|
||||
if os.path.exists(file):
|
||||
errorExit("%s already exists" % file)
|
||||
fd = open(file, 'w')
|
||||
fd.write(newte)
|
||||
fd.close()
|
||||
|
||||
def write_if_file(module):
|
||||
file="%s.if" % module
|
||||
newif=re.sub("TEMPLATETYPE", module, interface)
|
||||
if os.path.exists(file):
|
||||
errorExit("%s already exists" % file)
|
||||
fd = open(file, 'w')
|
||||
fd.write(newif)
|
||||
fd.close()
|
||||
|
||||
def write_fc_file(module, executable, pidfile, logfile, libfile):
|
||||
file="%s.fc" % module
|
||||
temp=re.sub("TEMPLATETYPE", module, fc)
|
||||
newfc=re.sub("EXECUTABLE", executable, temp)
|
||||
if pidfile:
|
||||
temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
|
||||
newfc=newfc + re.sub("FILENAME", pidfile, temp)
|
||||
if logfile:
|
||||
temp=re.sub("TEMPLATETYPE", module, fc_logfile)
|
||||
newfc=newfc + re.sub("FILENAME", logfile, temp)
|
||||
if libfile:
|
||||
temp=re.sub("TEMPLATETYPE", module, fc_libfile)
|
||||
newfc=newfc + re.sub("FILENAME", libfile, temp)
|
||||
if os.path.exists(file):
|
||||
errorExit("%s already exists" % file)
|
||||
fd = open(file, 'w')
|
||||
fd.write(newfc)
|
||||
fd.close()
|
||||
|
||||
def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
|
||||
write_te_file(module, pidfile, logfile, libfile, initsc, network)
|
||||
write_if_file(module)
|
||||
write_fc_file(module, executable, pidfile, logfile, libfile)
|
||||
|
||||
if __name__ == '__main__':
|
||||
def usage(message = ""):
|
||||
print '%s ModuleName Executable' % sys.argv[0]
|
||||
sys.exit(1)
|
||||
|
||||
if len(sys.argv) != 3:
|
||||
usage()
|
||||
|
||||
print """\n
|
||||
This tool generate three files for policy development, A Type Enforcement (te)
|
||||
file, a File Context (fc), and a Interface File(if). Most of the policy rules
|
||||
will be written in the te file. Use the File Context file to associate file
|
||||
paths with security context. Use the interface rules to allow other protected
|
||||
domains to interact with the newly defined domains.
|
||||
|
||||
After generating these files use the /usr/share/selinux/devel/Makefile to
|
||||
compile your policy package. Then use the semodule tool to load it.
|
||||
|
||||
# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
|
||||
# make -f /usr/share/selinux/devel/Makefile
|
||||
# semodule -i myapp.pp
|
||||
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
|
||||
|
||||
Now you can turn on permissive mode, start your application and avc messages
|
||||
will be generated. You can use audit2allow to help translate the avc messages
|
||||
into policy.
|
||||
|
||||
# setenforce 0
|
||||
# service myapp start
|
||||
# audit2allow -R -i /var/log/audit/audit.log
|
||||
|
||||
Return to continue:"""
|
||||
sys.stdin.readline().rstrip()
|
||||
|
||||
print 'If the module uses pidfiles, what is the pidfile called?'
|
||||
pidfile = sys.stdin.readline().rstrip()
|
||||
if pidfile == "":
|
||||
pidfile = None
|
||||
print 'If the module uses logfiles, where are they stored?'
|
||||
logfile = sys.stdin.readline().rstrip()
|
||||
if logfile == "":
|
||||
logfile = None
|
||||
print 'If the module has var/lib files, where are they stored?'
|
||||
libfile = sys.stdin.readline().rstrip()
|
||||
if libfile == "":
|
||||
libfile = None
|
||||
print 'Does the module have a init script? [yN]'
|
||||
initsc = sys.stdin.readline().rstrip()
|
||||
if initsc == "" or initsc == "n" or initsc == "N":
|
||||
initsc = False
|
||||
elif initsc == "y" or initsc == "Y":
|
||||
initsc = True
|
||||
else:
|
||||
raise "Please answer with 'y' or 'n'!"
|
||||
print 'Does the module use the network? [yN]'
|
||||
network = sys.stdin.readline().rstrip()
|
||||
if network == "" or network == "n" or network == "N":
|
||||
network = False
|
||||
elif network == "y" or network == "Y":
|
||||
network = True
|
||||
else:
|
||||
raise "Please answer with 'y' or 'n'!"
|
||||
|
||||
gen_policy(
|
||||
module=sys.argv[1],
|
||||
executable=sys.argv[2],
|
||||
pidfile=pidfile,
|
||||
logfile=logfile,
|
||||
libfile=libfile,
|
||||
initsc=initsc,
|
||||
network=network
|
||||
)
|
||||
|
||||
|
||||
#!/bin/sh
|
||||
echo "$0 is no longer supported, better tools exist for creating policy"
|
||||
echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.32
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -448,6 +448,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
|
||||
- Allow users to exec restorecond
|
||||
|
||||
* Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
|
||||
- Allow sendmail to request kernel modules load
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user