- Allow kpropd to create tmp files

2009-06-24 13:15:55 +00:00 · 2009-06-24 13:15:55 +00:00 · 9850f4d30d
commit 9850f4d30d
parent 93dc66eaeb
3 changed files with 84 additions and 72 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -836,6 +836,13 @@ mount = base
 # 
 mozilla = module

+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+# 
+nslcd = module
+
 # Layer: apps
 # Module: nsplugin
 #
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -2832,7 +2832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.18/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te	2009-06-24 08:35:55.000000000 -0400
@@ -105,6 +105,7 @@
 # Should not need other ports
 corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@ -2849,7 +2849,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 logging_send_syslog_msg(mozilla_t)
 
-@@ -243,6 +245,8 @@
+@@ -143,6 +145,7 @@
+ userdom_manage_user_tmp_dirs(mozilla_t)
+ userdom_manage_user_tmp_files(mozilla_t)
+ userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
+ 
+ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
+@@ -243,6 +246,8 @@
 
 optional_policy(`
 	gnome_stream_connect_gconf(mozilla_t)
@ -2858,7 +2866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -263,5 +267,10 @@
+@@ -263,5 +268,10 @@
 ')
 
 optional_policy(`
@ -14343,7 +14351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.18/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te	2009-06-23 16:51:48.000000000 -0400
@@ -33,6 +33,7 @@
 type kpropd_t;
 type kpropd_exec_t;
@ -14362,13 +14370,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # kadmind local policy
-@@ -281,7 +285,9 @@
+@@ -281,7 +285,13 @@
 
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 
 +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 +filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
 
 corecmd_exec_bin(kpropd_t)
 
@ -16949,8 +16961,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:polkit_reload_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-20 06:49:47.000000000 -0400
-@@ -0,0 +1,241 @@
+++ serefpolicy-3.6.18/policy/modules/services/polkit.if	2009-06-24 08:29:05.000000000 -0400
+@@ -0,0 +1,242 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@ -17170,6 +17182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	polkit_run_grant($2, $1)
 +	polkit_read_lib($2)
 +	polkit_read_reload($2)
+	polkit_dbus_chat($2)
 +')
 +
 +########################################
@ -23396,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.18/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/services/xserver.if	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/xserver.if	2009-06-24 08:47:55.000000000 -0400
@@ -90,7 +90,7 @@
 	allow $2 xauth_home_t:file manage_file_perms;
 	allow $2 xauth_home_t:file { relabelfrom relabelto };
@ -23689,7 +23702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	domtrans_pattern($1, xserver_exec_t, xserver_t)
 ')
 
-@@ -1159,6 +1263,275 @@
+@@ -1159,6 +1263,276 @@
 
 ########################################
 ## <summary>
@ -23859,6 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_read_xdm_tmp_files($1)
 +	xserver_xdm_stream_connect($1)
 +	xserver_setattr_xdm_tmp_dirs($1)
+	xserver_read_xdm_pid($1)
 +
 +	allow $1 xdm_t:x_client { getattr destroy };
 +	allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
@ -23965,7 +23979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Interface to provide X object permissions on a given X server to
 ##	an X client domain.  Gives the domain complete control over the
 ##	display.
-@@ -1172,7 +1545,103 @@
+@@ -1172,7 +1546,103 @@
 interface(`xserver_unconfined',`
 	gen_require(`
 		attribute xserver_unconfined_type;
@ -29177,7 +29191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.18/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if	2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if	2009-06-24 08:35:26.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
@ -30100,19 +30114,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	logging_dontaudit_send_audit_msgs($1_t)
 
 	# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -899,28 +961,33 @@
+@@ -899,28 +961,43 @@
 	selinux_get_enforce_mode($1_t)
 
 	optional_policy(`
 -		alsa_read_rw_config($1_t)
 +		alsa_read_rw_config($1_usertype)
+	')
+
+	optional_policy(`
+		apache_role($1_r, $1_usertype)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat($1_usertype)
+		devicekit_power_dbus_chat($1_usertype)
+		devicekit_disk_dbus_chat($1_usertype)
 	')
 
 	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
-+		apache_role($1_r, $1_usertype)
-+	')
+		gnomeclock_dbus_chat($1_t)
+	')	  
 
 		optional_policy(`
 -			consolekit_dbus_chat($1_t)
@ -30141,7 +30165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -954,8 +1021,8 @@
+@@ -954,8 +1031,8 @@
 	# Declarations
 	#
 
@ -30151,7 +30175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	userdom_common_user_template($1)
 
 	##############################
-@@ -964,11 +1031,12 @@
+@@ -964,11 +1041,12 @@
 	#
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -30166,7 +30190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# cjp: why?
 	files_read_kernel_symbol_table($1_t)
 
-@@ -986,37 +1054,55 @@
+@@ -986,37 +1064,55 @@
 		')
 	')
 
@ -30236,7 +30260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 #######################################
-@@ -1050,7 +1136,7 @@
+@@ -1050,7 +1146,7 @@
 #
 template(`userdom_admin_user_template',`
 	gen_require(`
@ -30245,7 +30269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	##############################
-@@ -1059,8 +1145,7 @@
+@@ -1059,8 +1155,7 @@
 	#
 
 	# Inherit rules for ordinary users.
@ -30255,7 +30279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	domain_obj_id_change_exemption($1_t)
 	role system_r types $1_t;
-@@ -1083,7 +1168,8 @@
+@@ -1083,7 +1178,8 @@
 	# Skip authentication when pam_rootok is specified.
 	allow $1_t self:passwd rootok;
 
@ -30265,7 +30289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1099,6 +1185,7 @@
+@@ -1099,6 +1195,7 @@
 	kernel_sigstop_unlabeled($1_t)
 	kernel_signull_unlabeled($1_t)
 	kernel_sigchld_unlabeled($1_t)
@ -30273,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	corenet_tcp_bind_generic_port($1_t)
 	# allow setting up tunnels
-@@ -1106,8 +1193,6 @@
+@@ -1106,8 +1203,6 @@
 
 	dev_getattr_generic_blk_files($1_t)
 	dev_getattr_generic_chr_files($1_t)
@ -30282,7 +30306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow MAKEDEV to work
 	dev_create_all_blk_files($1_t)
 	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1247,6 @@
+@@ -1162,20 +1257,6 @@
 	# But presently necessary for installing the file_contexts file.
 	seutil_manage_bin_policy($1_t)
 
@ -30303,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
-@@ -1221,6 +1292,7 @@
+@@ -1221,6 +1302,7 @@
 	dev_relabel_all_dev_nodes($1)
 
 	files_create_boot_flag($1)
@ -30311,7 +30335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	# Necessary for managing /boot/efi
 	fs_manage_dos_files($1)
-@@ -1286,11 +1358,15 @@
+@@ -1286,11 +1368,15 @@
 interface(`userdom_user_home_content',`
 	gen_require(`
 		type user_home_t;
@ -30327,7 +30351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1387,7 +1463,7 @@
+@@ -1387,7 +1473,7 @@
 
 ########################################
 ## <summary>
@ -30336,7 +30360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -1420,6 +1496,14 @@
+@@ -1420,6 +1506,14 @@
 
 	allow $1 user_home_dir_t:dir list_dir_perms;
 	files_search_home($1)
@ -30351,7 +30375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1435,9 +1519,11 @@
+@@ -1435,9 +1529,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 	gen_require(`
 		type user_home_dir_t;
@ -30363,7 +30387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1494,6 +1580,25 @@
+@@ -1494,6 +1590,25 @@
 	allow $1 user_home_dir_t:dir relabelto;
 ')
 
@ -30389,7 +30413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
 ##	Create directories in the home dir root with
-@@ -1568,6 +1673,8 @@
+@@ -1568,6 +1683,8 @@
 	')
 
 	dontaudit $1 user_home_t:dir search_dir_perms;
@ -30398,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1643,6 +1750,7 @@
+@@ -1643,6 +1760,7 @@
 		type user_home_dir_t, user_home_t;
 	')
 
@ -30406,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
 	files_search_home($1)
 ')
-@@ -1741,30 +1849,80 @@
+@@ -1741,30 +1859,80 @@
 
 ########################################
 ## <summary>
@ -30497,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -1787,6 +1945,46 @@
+@@ -1787,6 +1955,46 @@
 
 ########################################
 ## <summary>
@ -30544,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create, read, write, and delete files
 ##	in a user home subdirectory.
 ## </summary>
-@@ -1799,6 +1997,7 @@
+@@ -1799,6 +2007,7 @@
 interface(`userdom_manage_user_home_content_files',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
@ -30552,7 +30576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2527,7 @@
+@@ -2328,7 +2537,7 @@
 
 ########################################
 ## <summary>
@ -30561,7 +30585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2682,16 +2881,17 @@
+@@ -2682,11 +2891,32 @@
 #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
@ -30573,35 +30597,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
-##	Send general signals to unprivileged user domains.
-+##	List users home directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2699,12 +2899,32 @@
- ##	</summary>
- ## </param>
- #
-interface(`userdom_signal_unpriv_users',`
-+interface(`userdom_list_user_home_content',`
- 	gen_require(`
-		attribute unpriv_userdomain;
-+		type user_home_dir_t;
-+		attribute user_home_type;
- 	')
- 
-	allow $1 unpriv_userdomain:process signal;
-+	files_list_home($1)
-+	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Send general signals to unprivileged user domains.
+##	List users home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -30609,16 +30609,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_signal_unpriv_users',`
+interface(`userdom_list_user_home_content',`
 +	gen_require(`
-+		attribute unpriv_userdomain;
+		type user_home_dir_t;
+		attribute user_home_type;
 +	')
 +
-+	allow $1 unpriv_userdomain:process signal;
+	files_list_home($1)
+	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
 ')
 
 ########################################
-@@ -2814,7 +3034,25 @@
+@@ -2814,7 +3044,25 @@
 		type user_tmp_t;
 	')
 
@ -30645,7 +30647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -2851,6 +3089,7 @@
+@@ -2851,6 +3099,7 @@
 	')
 
 	read_files_pattern($1,userdomain,userdomain)
@ -30653,7 +30655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -2981,3 +3220,481 @@
+@@ -2981,3 +3230,481 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -295,7 +295,7 @@ Summary: SELinux targeted base policy
 Provides: selinux-policy-base
 Group: System Environment/Base
 Obsoletes: selinux-policy-targeted-sources < 2
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
 Conflicts:  audispd-plugins <= 1.7.7-1
@ -381,7 +381,7 @@ exit 0
 Summary: SELinux minimum base policy
 Provides: selinux-policy-base
 Group: System Environment/Base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}

@ -415,7 +415,7 @@ exit 0
 Summary: SELinux olpc base policy
 Group: System Environment/Base
 Provides: selinux-policy-base
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}

@ -446,7 +446,7 @@ Group: System Environment/Base
 Provides: selinux-policy-base
 Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}

@ -473,6 +473,9 @@ exit 0
 %endif

 %changelog
+* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-3
+- Allow kpropd to create tmp files
+
 * Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-2
 - Fix last duplicate /var/log/rpmpkgs