- Allow kpropd to create tmp files

This commit is contained in:
Daniel J Walsh 2009-06-24 13:15:55 +00:00
parent 93dc66eaeb
commit 9850f4d30d
3 changed files with 84 additions and 72 deletions

View File

@ -836,6 +836,13 @@ mount = base
#
mozilla = module
# Layer: services
# Module: nslcd
#
# Policy for nslcd
#
nslcd = module
# Layer: apps
# Module: nsplugin
#

View File

@ -2832,7 +2832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.18/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-01-19 11:03:28.000000000 -0500
+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/apps/mozilla.te 2009-06-24 08:35:55.000000000 -0400
@@ -105,6 +105,7 @@
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
@ -2849,7 +2849,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(mozilla_t)
@@ -243,6 +245,8 @@
@@ -143,6 +145,7 @@
userdom_manage_user_tmp_dirs(mozilla_t)
userdom_manage_user_tmp_files(mozilla_t)
userdom_manage_user_tmp_sockets(mozilla_t)
+userdom_use_user_ptys(mozilla_t)
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
@@ -243,6 +246,8 @@
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@ -2858,7 +2866,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -263,5 +267,10 @@
@@ -263,5 +268,10 @@
')
optional_policy(`
@ -14343,7 +14351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.18/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-03-23 13:47:11.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/kerberos.te 2009-06-23 16:51:48.000000000 -0400
@@ -33,6 +33,7 @@
type kpropd_t;
type kpropd_exec_t;
@ -14362,13 +14370,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# kadmind local policy
@@ -281,7 +285,9 @@
@@ -281,7 +285,13 @@
allow kpropd_t krb5_keytab_t:file read_file_perms;
+manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
+filetrans_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t, file)
+
+manage_dirs_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+manage_files_pattern(kpropd_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@ -16949,8 +16961,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:polkit_reload_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.6.18/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-20 06:49:47.000000000 -0400
@@ -0,0 +1,241 @@
+++ serefpolicy-3.6.18/policy/modules/services/polkit.if 2009-06-24 08:29:05.000000000 -0400
@@ -0,0 +1,242 @@
+
+## <summary>policy for polkit_auth</summary>
+
@ -17170,6 +17182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ polkit_run_grant($2, $1)
+ polkit_read_lib($2)
+ polkit_read_reload($2)
+ polkit_dbus_chat($2)
+')
+
+########################################
@ -23396,7 +23409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.18/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/services/xserver.if 2009-06-24 08:47:55.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@ -23689,7 +23702,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
@@ -1159,6 +1263,275 @@
@@ -1159,6 +1263,276 @@
########################################
## <summary>
@ -23859,6 +23872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_read_xdm_tmp_files($1)
+ xserver_xdm_stream_connect($1)
+ xserver_setattr_xdm_tmp_dirs($1)
+ xserver_read_xdm_pid($1)
+
+ allow $1 xdm_t:x_client { getattr destroy };
+ allow $1 xdm_t:x_drawable { read receive get_property getattr send list_child add_child };
@ -23965,7 +23979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
@@ -1172,7 +1545,103 @@
@@ -1172,7 +1546,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@ -29177,7 +29191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.18/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-20 06:49:47.000000000 -0400
+++ serefpolicy-3.6.18/policy/modules/system/userdomain.if 2009-06-24 08:35:26.000000000 -0400
@@ -30,8 +30,9 @@
')
@ -30100,18 +30114,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -899,28 +961,33 @@
@@ -899,28 +961,43 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_rw_config($1_usertype)
+ ')
+
+ optional_policy(`
+ apache_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_power_dbus_chat($1_usertype)
+ devicekit_disk_dbus_chat($1_usertype)
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
+ apache_role($1_r, $1_usertype)
+ gnomeclock_dbus_chat($1_t)
+ ')
optional_policy(`
@ -30141,7 +30165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -954,8 +1021,8 @@
@@ -954,8 +1031,8 @@
# Declarations
#
@ -30151,7 +30175,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
@@ -964,11 +1031,12 @@
@@ -964,11 +1041,12 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -30166,7 +30190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -986,37 +1054,55 @@
@@ -986,37 +1064,55 @@
')
')
@ -30236,7 +30260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -1050,7 +1136,7 @@
@@ -1050,7 +1146,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@ -30245,7 +30269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
@@ -1059,8 +1145,7 @@
@@ -1059,8 +1155,7 @@
#
# Inherit rules for ordinary users.
@ -30255,7 +30279,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
@@ -1083,7 +1168,8 @@
@@ -1083,7 +1178,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@ -30265,7 +30289,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1099,6 +1185,7 @@
@@ -1099,6 +1195,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@ -30273,7 +30297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
@@ -1106,8 +1193,6 @@
@@ -1106,8 +1203,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@ -30282,7 +30306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1162,20 +1247,6 @@
@@ -1162,20 +1257,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -30303,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1221,6 +1292,7 @@
@@ -1221,6 +1302,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -30311,7 +30335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1286,11 +1358,15 @@
@@ -1286,11 +1368,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@ -30327,7 +30351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1387,7 +1463,7 @@
@@ -1387,7 +1473,7 @@
########################################
## <summary>
@ -30336,7 +30360,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -1420,6 +1496,14 @@
@@ -1420,6 +1506,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -30351,7 +30375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1435,9 +1519,11 @@
@@ -1435,9 +1529,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -30363,7 +30387,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1494,6 +1580,25 @@
@@ -1494,6 +1590,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@ -30389,7 +30413,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create directories in the home dir root with
@@ -1568,6 +1673,8 @@
@@ -1568,6 +1683,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@ -30398,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1643,6 +1750,7 @@
@@ -1643,6 +1760,7 @@
type user_home_dir_t, user_home_t;
')
@ -30406,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
@@ -1741,30 +1849,80 @@
@@ -1741,30 +1859,80 @@
########################################
## <summary>
@ -30497,7 +30521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1787,6 +1945,46 @@
@@ -1787,6 +1955,46 @@
########################################
## <summary>
@ -30544,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
@@ -1799,6 +1997,7 @@
@@ -1799,6 +2007,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@ -30552,7 +30576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
@@ -2328,7 +2527,7 @@
@@ -2328,7 +2537,7 @@
########################################
## <summary>
@ -30561,7 +30585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -2682,16 +2881,17 @@
@@ -2682,11 +2891,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@ -30573,35 +30597,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
')
########################################
## <summary>
-## Send general signals to unprivileged user domains.
+## List users home directories.
## </summary>
## <param name="domain">
## <summary>
@@ -2699,12 +2899,32 @@
## </summary>
## </param>
#
-interface(`userdom_signal_unpriv_users',`
+interface(`userdom_list_user_home_content',`
gen_require(`
- attribute unpriv_userdomain;
+ type user_home_dir_t;
+ attribute user_home_type;
')
- allow $1 unpriv_userdomain:process signal;
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Send general signals to unprivileged user domains.
+## List users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
@ -30609,16 +30609,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </summary>
+## </param>
+#
+interface(`userdom_signal_unpriv_users',`
+interface(`userdom_list_user_home_content',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
+ allow $1 unpriv_userdomain:process signal;
+ files_list_home($1)
+ allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
')
########################################
@@ -2814,7 +3034,25 @@
@@ -2814,7 +3044,25 @@
type user_tmp_t;
')
@ -30645,7 +30647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -2851,6 +3089,7 @@
@@ -2851,6 +3099,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@ -30653,7 +30655,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
@@ -2981,3 +3220,481 @@
@@ -2981,3 +3230,481 @@
allow $1 userdomain:dbus send_msg;
')

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.19
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -295,7 +295,7 @@ Summary: SELinux targeted base policy
Provides: selinux-policy-base
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Conflicts: audispd-plugins <= 1.7.7-1
@ -381,7 +381,7 @@ exit 0
Summary: SELinux minimum base policy
Provides: selinux-policy-base
Group: System Environment/Base
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@ -415,7 +415,7 @@ exit 0
Summary: SELinux olpc base policy
Group: System Environment/Base
Provides: selinux-policy-base
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@ -446,7 +446,7 @@ Group: System Environment/Base
Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
@ -473,6 +473,9 @@ exit 0
%endif
%changelog
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-3
- Allow kpropd to create tmp files
* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> 3.6.19-2
- Fix last duplicate /var/log/rpmpkgs