rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Remove homedir_template

Browse Source
This commit is contained in:
Daniel J Walsh 2007-10-05 11:43:46 +00:00
parent 24ccb8b103
commit 922f646a26
3 changed files with 67 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
booleans-targeted.conf
View File

@ -1,6 +1,6 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
# #
allow_execmem = false allow_execmem = True
# Allow making a modified private filemapping executable (text relocation). # Allow making a modified private filemapping executable (text relocation).
# #
@ -8,7 +8,7 @@ allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem. # Allow making the stack executable via mprotect.Also requires allow_execmem.
# #
allow_execstack = false allow_execstack = True
# Allow ftpd to read cifs directories. # Allow ftpd to read cifs directories.
# #

86
policy-20070703.patch
View File

@ -1746,8 +1746,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-10-04 13:08:55.000000000 -0400
@@ -18,3 +18,103 @@ @@ -18,3 +18,105 @@
corecmd_search_bin($1) corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t) domtrans_pattern($1, mono_exec_t, mono_t)
') ')
@ -1842,11 +1842,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+ +
+ userdom_unpriv_usertype($1, $1_mono_t) + userdom_unpriv_usertype($1, $1_mono_t)
+ +
+ allow $1_mono_t self:process { signal getsched execheap execmem }; + allow $1_mono_t self:process { execheap execmem };
+ allow $2 $1_mono_t:process noatsecure; + allow $2 $1_mono_t:process noatsecure;
+ +
+ domtrans_pattern($2, mono_exec_t, $1_mono_t) + domtrans_pattern($2, mono_exec_t, $1_mono_t)
+ +
+ fs_dontaudit_rw_tmpfs_files($1_mono_t)
+
+ optional_policy(` + optional_policy(`
+ xserver_xdm_rw_shm($1_mono_t) + xserver_xdm_rw_shm($1_mono_t)
+ ') + ')
@ -3001,7 +3003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-04 12:58:42.000000000 -0400
@@ -271,45 +271,6 @@ @@ -271,45 +271,6 @@
######################################## ########################################
@ -6313,7 +6315,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
######################################## ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.8/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/ftp.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/ftp.te 2007-10-04 10:58:28.000000000 -0400
@@ -88,6 +88,7 @@ @@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms; allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms; allow ftpd_t self:tcp_socket create_stream_socket_perms;
@ -6322,7 +6324,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_etc_t:file read_file_perms;
@@ -122,6 +123,7 @@ @@ -105,9 +106,10 @@
manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
# proftpd requires the client side to bind a socket so that
# it can stat the socket to perform access control decisions,
@@ -122,6 +124,7 @@
kernel_read_kernel_sysctls(ftpd_t) kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t) kernel_read_system_state(ftpd_t)
@ -6330,7 +6344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
dev_read_sysfs(ftpd_t) dev_read_sysfs(ftpd_t)
dev_read_urand(ftpd_t) dev_read_urand(ftpd_t)
@@ -157,6 +159,7 @@ @@ -157,6 +160,7 @@
auth_use_nsswitch(ftpd_t) auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t) auth_domtrans_chk_passwd(ftpd_t)
@ -6338,7 +6352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
# Append to /var/log/wtmp. # Append to /var/log/wtmp.
auth_append_login_records(ftpd_t) auth_append_login_records(ftpd_t)
#kerberized ftp requires the following #kerberized ftp requires the following
@@ -168,7 +171,9 @@ @@ -168,7 +172,9 @@
libs_use_ld_so(ftpd_t) libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t) libs_use_shared_libs(ftpd_t)
@ -6348,7 +6362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
miscfiles_read_localization(ftpd_t) miscfiles_read_localization(ftpd_t)
miscfiles_read_public_files(ftpd_t) miscfiles_read_public_files(ftpd_t)
@@ -217,6 +222,11 @@ @@ -217,6 +223,11 @@
userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t)
@ -6360,7 +6374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
') ')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
@@ -252,7 +262,10 @@ @@ -252,7 +263,10 @@
') ')
optional_policy(` optional_policy(`
@ -13016,7 +13030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-04 09:25:55.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-05 07:42:17.000000000 -0400
@@ -432,6 +432,7 @@ @@ -432,6 +432,7 @@
role $2 types run_init_t; role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms; allow run_init_t $3:chr_file rw_term_perms;
@ -13025,6 +13039,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
') ')
######################################## ########################################
@@ -585,7 +586,7 @@
type selinux_config_t;
')
- dontaudit $1 selinux_config_t:dir search;
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
')
########################################
@@ -604,7 +605,7 @@
type selinux_config_t;
')
- dontaudit $1 selinux_config_t:dir search;
+ dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file { getattr read };
')
@@ -669,6 +670,7 @@ @@ -669,6 +670,7 @@
') ')
@ -13703,7 +13735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-03 11:10:25.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-04 17:36:52.000000000 -0400
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -13731,10 +13763,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- allow $1 self:dbus *; - allow $1 self:dbus *;
- allow $1 self:passwd *; - allow $1 self:passwd *;
- allow $1 self:association *; - allow $1 self:association *;
+ allow $1 self:nscd all_nscd; + allow $1 self:nscd all_nscd_perms;
+ allow $1 self:dbus all_dbus; + allow $1 self:dbus all_dbus_perms;
+ allow $1 self:passwd all_passwd; + allow $1 self:passwd all_passwd_perms;
+ allow $1 self:association all_association; + allow $1 self:association all_association_perms;
kernel_unconfined($1) kernel_unconfined($1)
corenet_unconfined($1) corenet_unconfined($1)
@ -14154,7 +14186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-03 12:00:01.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-10-04 17:33:14.000000000 -0400
@@ -29,8 +29,9 @@ @@ -29,8 +29,9 @@
') ')
@ -14195,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- kernel_dontaudit_getattr_unlabeled_sockets($1_t) - kernel_dontaudit_getattr_unlabeled_sockets($1_t)
- kernel_dontaudit_getattr_unlabeled_blk_files($1_t) - kernel_dontaudit_getattr_unlabeled_blk_files($1_t)
- kernel_dontaudit_getattr_unlabeled_chr_files($1_t) - kernel_dontaudit_getattr_unlabeled_chr_files($1_t)
+ allow $1_t $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr }; + allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
+ allow $1_usertype $1_usertype:fd use; + allow $1_usertype $1_usertype:fd use;
+ allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms; + allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
+ allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto }; + allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
@ -15167,7 +15199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
') ')
######################################## ########################################
@@ -5559,3 +5710,376 @@ @@ -5559,3 +5710,380 @@
interface(`userdom_unconfined',` interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.') refpolicywarn(`$0($*) has been deprecated.')
') ')
@ -15364,7 +15396,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+userdom_xwindows_client_template($1) +userdom_xwindows_client_template($1)
+ +
+logging_send_syslog_msg($1_usertype) +logging_send_syslog_msg($1_usertype)
+logging_dontaudit_send_audit_msgs($1_usertype) +logging_dontaudit_send_audit_msgs($1_t)
+
+# Need to to this just so screensaver will work. Should be moved to screensaver domain
+logging_send_audit_msgs($1_t)
+selinux_get_enforce_mode($1_t)
+ +
+optional_policy(` +optional_policy(`
+ alsa_read_rw_config($1_usertype) + alsa_read_rw_config($1_usertype)
@ -16031,7 +16067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
+allow webadm_t gadmin_t:dir getattr; +allow webadm_t gadmin_t:dir getattr;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-08-22 07:14:18.000000000 -0400 --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-08-22 07:14:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-03 11:10:25.000000000 -0400 +++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-04 17:36:29.000000000 -0400
@@ -216,7 +216,7 @@ @@ -216,7 +216,7 @@
define(`getattr_file_perms',`{ getattr }') define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }') define(`setattr_file_perms',`{ setattr }')
@ -16049,10 +16085,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control } +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+') +')
+ +
+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ') +define(`all_nscd_perms', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
+define(`all_dbus', `{ acquire_svc send_msg } ') +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ') +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ') +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
+ +
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.8/policy/users

7
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.0.8 Version: 3.0.8
Release: 17%{?dist} Release: 18%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -100,7 +100,6 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \ touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 $RPM_SOURCE_DIR/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
@ -132,7 +131,6 @@ install -m0644 $RPM_SOURCE_DIR/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinu
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \ %dir %{_sysconfdir}/selinux/%1/contexts/files \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \ %dir %{_sysconfdir}/selinux/%1/contexts/users \
@ -372,6 +370,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Oct 4 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-18
- Remove homedir_template
* Tue Oct 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-17 * Tue Oct 2 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-17
- Check asound.state - Check asound.state