- Allow certmaster to override dac permissions

This commit is contained in:
Daniel J Walsh 2009-07-27 22:09:57 +00:00
parent ca183583d7
commit 9160520a0e
4 changed files with 127 additions and 89 deletions

View File

@ -243,10 +243,6 @@ allow_nsplugin_execmem=true
#
allow_unconfined_nsplugin_transition=true
# Allow unconfined domains mmap low kernel memory
#
allow_unconfined_mmap_low = false
# System uses init upstart program
#
init_upstart = true

View File

@ -243,10 +243,6 @@ allow_nsplugin_execmem=true
#
allow_unconfined_nsplugin_transition=true
# Allow unconfined domains mmap low kernel memory
#
allow_unconfined_mmap_low = false
# System uses init upstart program
#
init_upstart = true

View File

@ -262,7 +262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
$(verbose) $(INSTALL) -m 644 $< $@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.23/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/global_tunables 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/global_tunables 2009-07-27 13:55:41.000000000 -0400
@@ -61,15 +61,6 @@
## <desc>
@ -293,10 +293,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+## <desc>
+## <p>
+## Allow unconfined domain to map low memory in the kernel
+## Allow certain domains to map low memory in the kernel
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_mmap_low, false)
+gen_tunable(mmap_low_allowed, false)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.23/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-07-14 14:19:57.000000000 -0400
@ -1488,16 +1488,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.23/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te 2009-07-23 16:39:09.000000000 -0400
@@ -23,6 +23,7 @@
+++ serefpolicy-3.6.23/policy/modules/admin/vbetool.te 2009-07-27 13:54:52.000000000 -0400
@@ -23,7 +23,11 @@
dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t)
+domain_mmap_low_type(vbetool_t)
+tunable_policy(`mmap_low_allowed',`
domain_mmap_low(vbetool_t)
+')
+
term_use_unallocated_ttys(vbetool_t)
@@ -34,3 +35,9 @@
@@ -34,3 +38,9 @@
hal_write_log(vbetool_t)
hal_dontaudit_append_lib_files(vbetool_t)
')
@ -4650,8 +4654,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.23/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/apps/wine.te 2009-07-23 16:39:09.000000000 -0400
@@ -9,20 +9,33 @@
+++ serefpolicy-3.6.23/policy/modules/apps/wine.te 2009-07-27 13:54:28.000000000 -0400
@@ -9,20 +9,35 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
@ -4669,7 +4673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- unconfined_domain_noaudit(wine_t)
+
+domain_mmap_low_type(wine_t)
+domain_mmap_low(wine_t)
+tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low(wine_t)
+')
+
files_execmod_all_files(wine_t)
@ -8754,7 +8760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.23/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/apache.te 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/apache.te 2009-07-27 14:13:27.000000000 -0400
@@ -19,6 +19,8 @@
# Declarations
#
@ -8798,7 +8804,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow HTTPD scripts and modules to connect to the network using TCP.
## </p>
## </desc>
@@ -108,6 +124,29 @@
@@ -87,6 +103,13 @@
## <desc>
## <p>
+## Allow httpd to read user content
+## </p>
+## </desc>
+gen_tunable(httpd_read_user_content, false)
+
+## <desc>
+## <p>
## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
## </p>
## </desc>
@@ -108,6 +131,29 @@
## </desc>
gen_tunable(httpd_unified, false)
@ -8828,7 +8848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
attribute httpdcontent;
attribute httpd_user_content_type;
@@ -140,6 +179,9 @@
@@ -140,6 +186,9 @@
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
role system_r types httpd_helper_t;
@ -8838,7 +8858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -180,6 +222,10 @@
@@ -180,6 +229,10 @@
# setup the system domain for system CGI scripts
apache_content_template(sys)
@ -8849,7 +8869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
@@ -187,15 +233,20 @@
@@ -187,15 +240,20 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
@ -8873,7 +8893,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
@@ -230,7 +281,7 @@
@@ -230,7 +288,7 @@
# Apache server local policy
#
@ -8882,7 +8902,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -272,6 +323,7 @@
@@ -272,6 +330,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -8890,7 +8910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
@@ -283,9 +335,9 @@
@@ -283,9 +342,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@ -8903,7 +8923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -301,6 +353,7 @@
@@ -301,6 +360,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@ -8911,7 +8931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
@@ -312,6 +365,7 @@
@@ -312,6 +372,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@ -8919,7 +8939,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
@@ -322,6 +376,7 @@
@@ -322,6 +383,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@ -8927,7 +8947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
@@ -335,12 +390,11 @@
@@ -335,12 +397,11 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@ -8942,7 +8962,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(httpd_t)
@@ -358,6 +412,10 @@
@@ -358,6 +419,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@ -8953,7 +8973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_read_lib_files(httpd_t)
@@ -372,18 +430,33 @@
@@ -372,18 +437,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@ -8991,7 +9011,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -391,20 +464,54 @@
@@ -391,20 +471,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@ -9047,7 +9067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -415,20 +522,28 @@
@@ -415,20 +529,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@ -9080,7 +9100,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -451,6 +566,10 @@
@@ -451,6 +573,10 @@
')
optional_policy(`
@ -9091,7 +9111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(httpd_t, httpd_exec_t)
')
@@ -459,8 +578,13 @@
@@ -459,8 +585,13 @@
')
optional_policy(`
@ -9107,7 +9127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -468,22 +592,18 @@
@@ -468,22 +599,18 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
@ -9132,7 +9152,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -494,12 +614,23 @@
@@ -494,12 +621,23 @@
')
optional_policy(`
@ -9156,7 +9176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -508,6 +639,7 @@
@@ -508,6 +646,7 @@
')
optional_policy(`
@ -9164,7 +9184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -535,6 +667,22 @@
@@ -535,6 +674,22 @@
userdom_use_user_terminals(httpd_helper_t)
@ -9187,7 +9207,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
@@ -564,20 +712,25 @@
@@ -564,20 +719,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@ -9219,7 +9239,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -595,23 +748,24 @@
@@ -595,23 +755,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -9248,7 +9268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -624,6 +778,7 @@
@@ -624,6 +785,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@ -9256,7 +9276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -641,12 +796,20 @@
@@ -641,12 +803,20 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@ -9280,7 +9300,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -672,15 +835,14 @@
@@ -672,15 +842,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -9299,7 +9319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -699,12 +861,24 @@
@@ -699,12 +868,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -9326,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -712,6 +886,35 @@
@@ -712,6 +893,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@ -9362,7 +9382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -724,6 +927,10 @@
@@ -724,6 +934,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@ -9373,7 +9393,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -735,6 +942,8 @@
@@ -735,6 +949,8 @@
# httpd_rotatelogs local policy
#
@ -9382,7 +9402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -754,6 +963,12 @@
@@ -754,6 +970,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9395,11 +9415,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
@@ -762,3 +977,67 @@
@@ -762,3 +984,76 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_user_script_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+')
+
+tunable_policy(`httpd_read_user_content && httpd_builtin_scripting',`
+ userdom_read_user_home_content_files(httpd_t)
+')
+
+#============= bugzilla policy ==============
+apache_content_template(bugzilla)
+
@ -9607,6 +9636,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.23/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/certmaster.te 2009-07-27 14:06:05.000000000 -0400
@@ -30,7 +30,7 @@
# certmaster local policy
#
-allow certmaster_t self:capability sys_tty_config;
+allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
allow certmaster_t self:tcp_socket create_stream_socket_perms;
# config files
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.23/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/clamav.te 2009-07-23 16:39:09.000000000 -0400
@ -10486,8 +10527,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.23/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/cups.fc 2009-07-23 16:39:09.000000000 -0400
@@ -5,27 +5,40 @@
+++ serefpolicy-3.6.23/policy/modules/services/cups.fc 2009-07-27 13:42:47.000000000 -0400
@@ -5,27 +5,38 @@
/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -10526,13 +10567,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# keep as separate lines to ensure proper sorting
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+/usr/lib64/cups/filter/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
@@ -33,7 +46,7 @@
@@ -33,7 +44,7 @@
/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -10541,7 +10580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -43,10 +56,19 @@
@@ -43,10 +54,19 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
@ -14810,13 +14849,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.23/policy/modules/services/policykit.fc
--- nsaserefpolicy/policy/modules/services/policykit.fc 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.fc 2009-07-27 09:04:55.000000000 -0400
@@ -1,7 +1,7 @@
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
-/usr/libexec/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
+/usr/libexec/polkitd.* gen_context(system_u:object_r:policykit_exec_t,s0)
/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
@ -14874,7 +14913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.23/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.te 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/policykit.te 2009-07-27 11:48:01.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@ -14888,8 +14927,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
policykit_domtrans_auth(policykit_t)
@@ -70,6 +71,14 @@
@@ -68,8 +69,17 @@
miscfiles_read_localization(policykit_t)
+userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
+optional_policy(`
@ -14903,7 +14945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_auth local policy
@@ -77,7 +86,8 @@
@@ -77,7 +87,8 @@
allow policykit_auth_t self:capability setgid;
allow policykit_auth_t self:process getattr;
@ -14913,7 +14955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -104,6 +114,8 @@
@@ -104,6 +115,8 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
@ -14922,7 +14964,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
@@ -116,6 +128,10 @@
@@ -116,6 +129,10 @@
hal_read_state(policykit_auth_t)
')
@ -14933,7 +14975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# polkit_grant local policy
@@ -123,7 +139,8 @@
@@ -123,7 +140,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@ -14943,7 +14985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
@@ -153,9 +170,12 @@
@@ -153,9 +171,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@ -14957,7 +14999,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
consolekit_dbus_chat(policykit_grant_t)
')
')
@@ -167,7 +187,8 @@
@@ -167,7 +188,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@ -15234,7 +15276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.23/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/postfix.te 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/postfix.te 2009-07-27 09:06:16.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
@ -16840,7 +16882,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.23/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/samba.te 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/samba.te 2009-07-27 11:16:18.000000000 -0400
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@ -17001,13 +17043,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
@@ -333,25 +361,33 @@
@@ -333,25 +361,34 @@
tunable_policy(`samba_domain_controller',`
usermanage_domtrans_passwd(smbd_t)
+ usermanage_kill_passwd(smbd_t)
usermanage_domtrans_useradd(smbd_t)
usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
')
tunable_policy(`samba_enable_home_dirs',`
@ -17041,7 +17084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
@@ -359,6 +395,16 @@
@@ -359,6 +396,16 @@
optional_policy(`
kerberos_use(smbd_t)
@ -17058,7 +17101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -376,13 +422,15 @@
@@ -376,13 +423,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@ -17075,7 +17118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_read_all_files_except_shadow(nmbd_t)
')
@@ -391,8 +439,8 @@
@@ -391,8 +440,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@ -17085,7 +17128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
@@ -417,14 +465,11 @@
@@ -417,14 +466,11 @@
files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@ -17101,7 +17144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -553,21 +598,36 @@
@@ -553,21 +599,36 @@
userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@ -17141,7 +17184,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
append_files_pattern(swat_t, samba_log_t, samba_log_t)
@@ -585,6 +645,9 @@
@@ -585,6 +646,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@ -17151,7 +17194,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
@@ -609,6 +672,7 @@
@@ -609,6 +673,7 @@
dev_read_urand(swat_t)
@ -17159,7 +17202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
@@ -618,6 +682,7 @@
@@ -618,6 +683,7 @@
auth_use_nsswitch(swat_t)
logging_send_syslog_msg(swat_t)
@ -17167,7 +17210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -635,14 +700,25 @@
@@ -635,14 +701,25 @@
kerberos_use(swat_t)
')
@ -17195,7 +17238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -683,9 +759,10 @@
@@ -683,9 +760,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@ -17208,7 +17251,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
@@ -709,10 +786,12 @@
@@ -709,10 +787,12 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@ -17221,7 +17264,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(winbind_t)
@@ -768,8 +847,13 @@
@@ -768,8 +848,13 @@
userdom_use_user_terminals(winbind_helper_t)
optional_policy(`
@ -17235,7 +17278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -778,6 +862,16 @@
@@ -778,6 +863,16 @@
#
optional_policy(`
@ -17252,7 +17295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
@@ -788,9 +882,43 @@
@@ -788,9 +883,43 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -19889,7 +19932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.23/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/services/xserver.fc 2009-07-27 13:50:30.000000000 -0400
@@ -3,12 +3,16 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -19953,7 +19996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+
+/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+/var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
@ -25143,7 +25186,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.23/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/unconfined.if 2009-07-27 13:54:34.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -25188,7 +25231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+ ubac_process_exempt($1)
+
+ tunable_policy(`allow_unconfined_mmap_low',`
+ tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low($1)
+ ')
+
@ -25888,7 +25931,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.23/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-07-23 14:11:04.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if 2009-07-23 16:39:09.000000000 -0400
+++ serefpolicy-3.6.23/policy/modules/system/userdomain.if 2009-07-27 14:11:20.000000000 -0400
@@ -30,8 +30,9 @@
')

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.23
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -475,6 +475,9 @@ exit 0
%endif
%changelog
* Mon Jul 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-2
- Allow certmaster to override dac permissions
* Thu Jul 22 2009 Dan Walsh <dwalsh@redhat.com> 3.6.23-1
- Update to upstream