- Allow users to exec restorecond

This commit is contained in:
Daniel J Walsh 2009-09-25 18:47:07 +00:00
parent f5a104d238
commit 85582d623f
4 changed files with 106 additions and 350 deletions

View File

@ -245,7 +245,7 @@ allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain # Allow unconfined domain to transition to confined domain
# #
allow_unconfined_nsplugin_transition=true allow_unconfined_nsplugin_transition=false
# System uses init upstart program # System uses init upstart program
# #

View File

@ -12909,7 +12909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.32/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700 --- nsaserefpolicy/policy/modules/services/networkmanager.te 2009-08-14 13:14:31.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-21 19:37:35.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/networkmanager.te 2009-09-24 17:38:43.000000000 -0700
@@ -19,6 +19,9 @@ @@ -19,6 +19,9 @@
type NetworkManager_tmp_t; type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t) files_tmp_file(NetworkManager_tmp_t)
@ -12951,16 +12951,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
@@ -63,6 +70,8 @@ @@ -63,6 +70,9 @@
kernel_read_network_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t) kernel_load_module(NetworkManager_t)
+kernel_request_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t) +kernel_read_debugfs(NetworkManager_t)
+kernel_rw_net_sysctls(NetworkManager_t) +kernel_rw_net_sysctls(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t)
@@ -81,13 +90,18 @@ @@ -81,13 +91,18 @@
corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t)
@ -12979,7 +12980,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_file_read_all_levels(NetworkManager_t) mls_file_read_all_levels(NetworkManager_t)
@@ -98,15 +112,20 @@ @@ -98,15 +113,20 @@
domain_use_interactive_fds(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t)
domain_read_confined_domains_state(NetworkManager_t) domain_read_confined_domains_state(NetworkManager_t)
@ -13001,7 +13002,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t) miscfiles_read_localization(NetworkManager_t)
@@ -116,25 +135,40 @@ @@ -116,25 +136,40 @@
seutil_read_config(NetworkManager_t) seutil_read_config(NetworkManager_t)
@ -13049,7 +13050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -146,8 +180,25 @@ @@ -146,8 +181,25 @@
') ')
optional_policy(` optional_policy(`
@ -13077,7 +13078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -155,23 +206,51 @@ @@ -155,23 +207,51 @@
') ')
optional_policy(` optional_policy(`
@ -13131,7 +13132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -179,12 +258,15 @@ @@ -179,12 +259,15 @@
') ')
optional_policy(` optional_policy(`
@ -15843,7 +15844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.32/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700 --- nsaserefpolicy/policy/modules/services/rpc.if 2009-07-14 11:19:57.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-16 07:03:09.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/rpc.if 2009-09-25 07:42:34.000000000 -0700
@@ -54,7 +54,7 @@ @@ -54,7 +54,7 @@
allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms;
@ -15853,7 +15854,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t) manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
@@ -109,6 +109,10 @@ @@ -99,6 +99,7 @@
files_read_etc_runtime_files($1_t)
files_search_var($1_t)
files_search_var_lib($1_t)
+ files_list_home($1_t)
auth_use_nsswitch($1_t)
@@ -109,6 +110,10 @@
userdom_dontaudit_use_unpriv_user_fds($1_t) userdom_dontaudit_use_unpriv_user_fds($1_t)
optional_policy(` optional_policy(`
@ -15866,7 +15875,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.32/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700 --- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 13:14:31.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-16 07:03:09.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/rpc.te 2009-09-25 07:42:43.000000000 -0700
@@ -53,7 +53,7 @@
# RPC local policy
#
-allow rpcd_t self:capability { chown dac_override setgid setuid };
+allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
@@ -91,6 +91,8 @@ @@ -91,6 +91,8 @@
seutil_dontaudit_search_config(rpcd_t) seutil_dontaudit_search_config(rpcd_t)
@ -19016,7 +19034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700 --- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 11:19:57.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-16 07:03:09.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2009-09-25 07:58:35.000000000 -0700
@@ -3,12 +3,17 @@ @@ -3,12 +3,17 @@
# #
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0) HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -19028,7 +19046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc -- gen_context(system_u:object_r:xdm_home_t,s0) +HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0) +/root/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
@ -23546,8 +23564,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700 --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-07-14 11:19:57.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-16 07:03:09.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2009-09-24 20:11:24.000000000 -0700
@@ -535,6 +535,53 @@ @@ -351,6 +351,27 @@
########################################
## <summary>
+## Execute restorecond in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`seutil_exec_restorecond',`
+ gen_require(`
+ type restorecond_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1, restorecond_exec_t)
+')
+
+########################################
+## <summary>
## Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
@@ -535,6 +556,53 @@
######################################## ########################################
## <summary> ## <summary>
@ -23601,7 +23647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute setfiles in the caller domain. ## Execute setfiles in the caller domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -680,6 +727,7 @@ @@ -680,6 +748,7 @@
') ')
files_search_etc($1) files_search_etc($1)
@ -23609,7 +23655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, selinux_config_t, selinux_config_t) manage_files_pattern($1, selinux_config_t, selinux_config_t)
read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
') ')
@@ -999,6 +1047,26 @@ @@ -999,6 +1068,26 @@
######################################## ########################################
## <summary> ## <summary>
@ -23636,7 +23682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute semanage in the semanage domain, and ## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain, ## allow the specified role the semanage domain,
## and use the caller's terminal. ## and use the caller's terminal.
@@ -1010,7 +1078,7 @@ @@ -1010,7 +1099,7 @@
## </param> ## </param>
## <param name="role"> ## <param name="role">
## <summary> ## <summary>
@ -23645,7 +23691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## </param> ## </param>
## <rolecap/> ## <rolecap/>
@@ -1028,6 +1096,33 @@ @@ -1028,6 +1117,33 @@
######################################## ########################################
## <summary> ## <summary>
@ -23679,7 +23725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Full management of the semanage ## Full management of the semanage
## module store. ## module store.
## </summary> ## </summary>
@@ -1139,3 +1234,194 @@ @@ -1139,3 +1255,194 @@
selinux_dontaudit_get_fs_mount($1) selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1) seutil_dontaudit_read_config($1)
') ')
@ -25608,7 +25654,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <<none>> +HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 10:30:04.000000000 -0700
+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-21 05:24:59.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-09-24 20:12:04.000000000 -0700
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -26055,7 +26101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
############################## ##############################
# #
@@ -508,182 +515,208 @@ @@ -508,182 +515,209 @@
# evolution and gnome-session try to create a netlink socket # evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@ -26160,6 +26206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_exec_checkpolicy($1_t) seutil_exec_checkpolicy($1_t)
- seutil_exec_setfiles($1_t) - seutil_exec_setfiles($1_t)
+ seutil_exec_setfiles($1_usertype) + seutil_exec_setfiles($1_usertype)
+ seutil_exec_restorecond($1_usertype)
# for when the network connection is killed # for when the network connection is killed
# this is needed when a login role can change # this is needed when a login role can change
# to this one. # to this one.
@ -26337,7 +26384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
####################################### #######################################
@@ -711,13 +744,26 @@ @@ -711,13 +745,26 @@
userdom_base_user_template($1) userdom_base_user_template($1)
@ -26369,7 +26416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_change_password_template($1) userdom_change_password_template($1)
@@ -735,70 +781,71 @@ @@ -735,70 +782,71 @@
allow $1_t self:context contains; allow $1_t self:context contains;
@ -26474,7 +26521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -835,6 +882,32 @@ @@ -835,6 +883,32 @@
# Local policy # Local policy
# #
@ -26507,7 +26554,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
loadkeys_run($1_t,$1_r) loadkeys_run($1_t,$1_r)
') ')
@@ -865,51 +938,81 @@ @@ -865,51 +939,81 @@
userdom_restricted_user_template($1) userdom_restricted_user_template($1)
@ -26602,7 +26649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -943,8 +1046,8 @@ @@ -943,8 +1047,8 @@
# Declarations # Declarations
# #
@ -26612,7 +26659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1) userdom_common_user_template($1)
############################## ##############################
@@ -953,11 +1056,12 @@ @@ -953,11 +1057,12 @@
# #
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
@ -26627,7 +26674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why? # cjp: why?
files_read_kernel_symbol_table($1_t) files_read_kernel_symbol_table($1_t)
@@ -975,36 +1079,53 @@ @@ -975,36 +1080,53 @@
') ')
') ')
@ -26695,7 +26742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -1040,7 +1161,7 @@ @@ -1040,7 +1162,7 @@
template(`userdom_admin_user_template',` template(`userdom_admin_user_template',`
gen_require(` gen_require(`
attribute admindomain; attribute admindomain;
@ -26704,7 +26751,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
############################## ##############################
@@ -1049,8 +1170,7 @@ @@ -1049,8 +1171,7 @@
# #
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
@ -26714,7 +26761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t) domain_obj_id_change_exemption($1_t)
role system_r types $1_t; role system_r types $1_t;
@@ -1075,6 +1195,9 @@ @@ -1075,6 +1196,9 @@
# Skip authentication when pam_rootok is specified. # Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok; allow $1_t self:passwd rootok;
@ -26724,7 +26771,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t) kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t) kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t) kernel_getattr_message_if($1_t)
@@ -1089,6 +1212,7 @@ @@ -1089,6 +1213,7 @@
kernel_sigstop_unlabeled($1_t) kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t) kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t) kernel_sigchld_unlabeled($1_t)
@ -26732,7 +26779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels # allow setting up tunnels
@@ -1096,8 +1220,6 @@ @@ -1096,8 +1221,6 @@
dev_getattr_generic_blk_files($1_t) dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t) dev_getattr_generic_chr_files($1_t)
@ -26741,7 +26788,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work # Allow MAKEDEV to work
dev_create_all_blk_files($1_t) dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t) dev_create_all_chr_files($1_t)
@@ -1124,6 +1246,8 @@ @@ -1124,6 +1247,8 @@
files_exec_usr_src_files($1_t) files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t) fs_getattr_all_fs($1_t)
@ -26750,7 +26797,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_set_all_quotas($1_t) fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t) fs_exec_noxattr($1_t)
@@ -1152,20 +1276,6 @@ @@ -1152,20 +1277,6 @@
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -26771,7 +26818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1211,6 +1321,7 @@ @@ -1211,6 +1322,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -26779,7 +26826,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1276,11 +1387,15 @@ @@ -1276,11 +1388,15 @@
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -26795,7 +26842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1391,12 +1506,13 @@ @@ -1391,12 +1507,13 @@
') ')
allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:dir search_dir_perms;
@ -26810,7 +26857,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1429,6 +1545,14 @@ @@ -1429,6 +1546,14 @@
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -26825,7 +26872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1444,9 +1568,11 @@ @@ -1444,9 +1569,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -26837,7 +26884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1503,6 +1629,25 @@ @@ -1503,6 +1630,25 @@
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -26863,7 +26910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1577,6 +1722,8 @@ @@ -1577,6 +1723,8 @@
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -26872,7 +26919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1670,6 +1817,7 @@ @@ -1670,6 +1818,7 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -26880,7 +26927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1) files_search_home($1)
') ')
@@ -1797,19 +1945,32 @@ @@ -1797,19 +1946,32 @@
# #
interface(`userdom_exec_user_home_content_files',` interface(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -26920,7 +26967,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1844,6 +2005,7 @@ @@ -1844,6 +2006,7 @@
interface(`userdom_manage_user_home_content_files',` interface(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
@ -26928,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
manage_files_pattern($1, user_home_t, user_home_t) manage_files_pattern($1, user_home_t, user_home_t)
@@ -2391,27 +2553,7 @@ @@ -2391,27 +2554,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -26957,7 +27004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2765,11 +2907,32 @@ @@ -2765,11 +2908,32 @@
# #
interface(`userdom_search_user_home_content',` interface(`userdom_search_user_home_content',`
gen_require(` gen_require(`
@ -26992,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2897,7 +3060,25 @@ @@ -2897,7 +3061,25 @@
type user_tmp_t; type user_tmp_t;
') ')
@ -27019,7 +27066,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2934,6 +3115,7 @@ @@ -2934,6 +3116,7 @@
') ')
read_files_pattern($1, userdomain, userdomain) read_files_pattern($1, userdomain, userdomain)
@ -27027,7 +27074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -3064,3 +3246,559 @@ @@ -3064,3 +3247,559 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')

View File

@ -1,297 +1,3 @@
#! /usr/bin/env python #!/bin/sh
# Copyright (C) 2006 Red Hat echo "$0 is no longer supported, better tools exist for creating policy"
# see file 'COPYING' for use and warranty information echo "Please use /usr/bin/sepolgen, slide or polgengui to generate policy"
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import os, sys, getopt
import re
########################### Interface File #############################
interface="""\
## <summary>policy for TEMPLATETYPE</summary>
########################################
## <summary>
## Execute a domain transition to run TEMPLATETYPE.
## </summary>
## <param name=\"domain\">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`TEMPLATETYPE_domtrans',`
gen_require(`
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
')
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
allow TEMPLATETYPE_t $1:fd use;
allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
allow TEMPLATETYPE_t $1:process sigchld;
')
"""
########################### Type Enforcement File #############################
te="""\
policy_module(TEMPLATETYPE,1.0.0)
########################################
#
# Declarations
#
type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
domain_type(TEMPLATETYPE_t)
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
"""
te_logfile="""
# log files
type TEMPLATETYPE_var_log_t;
logging_log_file(TEMPLATETYPE_var_log_t)
"""
te_pidfile="""
# pid files
type TEMPLATETYPE_var_run_t;
files_pid_file(TEMPLATETYPE_var_run_t)
"""
te_libfile="""
# var/lib files
type TEMPLATETYPE_var_lib_t;
files_type(TEMPLATETYPE_var_lib_t)
"""
te_sep="""
########################################
#
# TEMPLATETYPE local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Some common macros (you might be able to remove some)
files_read_etc_files(TEMPLATETYPE_t)
libs_use_ld_so(TEMPLATETYPE_t)
libs_use_shared_libs(TEMPLATETYPE_t)
miscfiles_read_localization(TEMPLATETYPE_t)
## internal communication is often done using fifo and unix sockets.
allow TEMPLATETYPE_t self:fifo_file { read write };
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
"""
te_pidfile2="""
# pid file
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
"""
te_logfile2="""
# log files
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
"""
te_libfile2="""
# var/lib files for TEMPLATETYPE
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir sock_file })
"""
te_network2="""
## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
corenet_tcp_connect_http_port(TEMPLATETYPE_t)
#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
allow TEMPLATETYPE_t self:tcp_socket { listen accept };
"""
te_initsc2="""
# Init script handling
init_use_fds(TEMPLATETYPE_t)
init_use_script_ptys(TEMPLATETYPE_t)
domain_use_interactive_fds(TEMPLATETYPE_t)
"""
########################### File Context ##################################
fc="""\
# TEMPLATETYPE executable will have:
# label: system_u:object_r:TEMPLATETYPE_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
"""
fc_pidfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
"""
fc_logfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
"""
fc_libfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
"""
def errorExit(error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
sys.stderr.flush()
sys.exit(1)
def write_te_file(module, pidfile, logfile, libfile, network, initsc):
file="%s.te" % module
newte=re.sub("TEMPLATETYPE", module, te)
if libfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
if logfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
if pidfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
if libfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
if logfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
if pidfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
if network:
newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
if initsc:
newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newte)
fd.close()
def write_if_file(module):
file="%s.if" % module
newif=re.sub("TEMPLATETYPE", module, interface)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newif)
fd.close()
def write_fc_file(module, executable, pidfile, logfile, libfile):
file="%s.fc" % module
temp=re.sub("TEMPLATETYPE", module, fc)
newfc=re.sub("EXECUTABLE", executable, temp)
if pidfile:
temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
newfc=newfc + re.sub("FILENAME", pidfile, temp)
if logfile:
temp=re.sub("TEMPLATETYPE", module, fc_logfile)
newfc=newfc + re.sub("FILENAME", logfile, temp)
if libfile:
temp=re.sub("TEMPLATETYPE", module, fc_libfile)
newfc=newfc + re.sub("FILENAME", libfile, temp)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newfc)
fd.close()
def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
write_te_file(module, pidfile, logfile, libfile, initsc, network)
write_if_file(module)
write_fc_file(module, executable, pidfile, logfile, libfile)
if __name__ == '__main__':
def usage(message = ""):
print '%s ModuleName Executable' % sys.argv[0]
sys.exit(1)
if len(sys.argv) != 3:
usage()
print """\n
This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if). Most of the policy rules
will be written in the te file. Use the File Context file to associate file
paths with security context. Use the interface rules to allow other protected
domains to interact with the newly defined domains.
After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package. Then use the semodule tool to load it.
# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
Now you can turn on permissive mode, start your application and avc messages
will be generated. You can use audit2allow to help translate the avc messages
into policy.
# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log
Return to continue:"""
sys.stdin.readline().rstrip()
print 'If the module uses pidfiles, what is the pidfile called?'
pidfile = sys.stdin.readline().rstrip()
if pidfile == "":
pidfile = None
print 'If the module uses logfiles, where are they stored?'
logfile = sys.stdin.readline().rstrip()
if logfile == "":
logfile = None
print 'If the module has var/lib files, where are they stored?'
libfile = sys.stdin.readline().rstrip()
if libfile == "":
libfile = None
print 'Does the module have a init script? [yN]'
initsc = sys.stdin.readline().rstrip()
if initsc == "" or initsc == "n" or initsc == "N":
initsc = False
elif initsc == "y" or initsc == "Y":
initsc = True
else:
raise "Please answer with 'y' or 'n'!"
print 'Does the module use the network? [yN]'
network = sys.stdin.readline().rstrip()
if network == "" or network == "n" or network == "N":
network = False
elif network == "y" or network == "Y":
network = True
else:
raise "Please answer with 'y' or 'n'!"
gen_policy(
module=sys.argv[1],
executable=sys.argv[2],
pidfile=pidfile,
logfile=logfile,
libfile=libfile,
initsc=initsc,
network=network
)

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.32 Version: 3.6.32
Release: 10%{?dist} Release: 11%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -448,6 +448,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Sep 24 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-11
- Allow users to exec restorecond
* Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10 * Tue Sep 21 2009 Dan Walsh <dwalsh@redhat.com> 3.6.32-10
- Allow sendmail to request kernel modules load - Allow sendmail to request kernel modules load