From a3e038c1a1dfc59139b49c780b021b06517a63aa Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mon, 27 Oct 2008 21:07:05 +0000 Subject: [PATCH] - Allow openoffice execstack/execmem privs --- policy-20080710.patch | 410 +++++++++++++++++++++--------------------- selinux-policy.spec | 5 +- 2 files changed, 204 insertions(+), 211 deletions(-) diff --git a/policy-20080710.patch b/policy-20080710.patch index 4fb9d26f..fe943ea4 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch 
@@ -355,6 +355,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con +system_r:sshd_t xguest_r:xguest_t +system_r:crond_t xguest_r:xguest_crond_t +system_r:xdm_t xguest_r:xguest_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.5.13/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-08-25 09:12:31.000000000 -0400 ++++ serefpolicy-3.5.13/man/man8/httpd_selinux.8 2008-10-27 10:41:03.000000000 -0400 +@@ -57,8 +57,7 @@ + .EE + + .SH BOOLEANS +-SELinux policy is customizable based on least access required. So by +-default SElinux prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. ++SELinux policy can be customizable based on least access required. So SElinux can prevents certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. + .PP + httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this + +@@ -75,7 +74,7 @@ + .EE + + .PP +-httpd by default is not allowed access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. ++httpd by can be configured to not allow access to the controling terminal. In most cases this is prefered, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. 
Set the httpd_tty_comm boolean to allow terminal access. + + .EX + setsebool -P httpd_tty_comm 1 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.5.13/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-08-07 11:15:00.000000000 -0400 +++ serefpolicy-3.5.13/policy/flask/access_vectors 2008-10-17 10:31:26.000000000 -0400 @@ -4375,8 +4397,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-23 14:17:48.000000000 -0400 -@@ -0,0 +1,255 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-27 10:05:44.000000000 -0400 +@@ -0,0 +1,256 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4571,6 +4593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + +fs_list_inotifyfs(nsplugin_config_t) ++fs_search_auto_mountpoints(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) 
@@ -6169,6 +6192,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 self:capability sys_chroot; ') + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-10-27 09:53:12.000000000 -0400 +@@ -1441,10 +1441,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -reserved_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1459,10 +1460,11 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -reserved_port_t }:udp_socket name_bind; + ') + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 
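Review bot: The rewritten bodies of corenet_tcp_bind_all_unreserved_ports and corenet_udp_bind_all_unreserved_ports in the corenetwork.if.in hunk exclude only the single type reserved_port_t, whereas the lines they replace excluded the attribute reserved_port_type, which in refpolicy is attached to every declared port type below 1024 (dns_port_t, http_port_t and so on). If that attribute still exists in this tree, `{ port_type -reserved_port_t }` lets every caller name_bind to those declared privileged port types, and the `corenet_tcp_bind_all_unreserved_ports($1_t)` call this same patch keeps for user domains in userdomain.if then no longer means what the interface name says. If the switch is forced because reserved_port_type was dropped, the exclusion should name whatever attribute now marks declared reserved ports, or a comment such as `# NOTE: reserved_port_t covers only undeclared ports 1-1023; declared privileged port types are not excluded here` should record the widening. Both interfaces start and end inside the hunk, but the corenetwork.te.in declarations they depend on are outside it.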
@@ -10595,7 +10649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 10:30:58.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-27 16:11:48.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -11259,7 +11313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Removal of fastcgi, will cause problems without the following +typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t; +typealias httpd_sys_content_t alias httpd_fastcgi_content_t; -+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t; ++typealias httpd_sys_script_rw_t alias httpd_fastcgi_content_rw_t; +typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t; +typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t; +typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t; 
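Review bot: The apache.te hunk repoints the alias httpd_fastcgi_content_rw_t from httpd_sys_content_rw_t to httpd_sys_script_rw_t without saying why, so anything still labeled httpd_fastcgi_content_rw_t now resolves to the script rw type rather than the content rw type. If httpd_sys_content_rw_t is itself declared as an alias of httpd_sys_script_rw_t elsewhere in this tree, the change is a no-op that only avoids aliasing an alias; if it is a distinct type, the access granted to legacy fastcgi content silently changes. A one-line comment above the typealias, e.g. `# httpd_sys_content_rw_t is itself an alias; aliases must name the underlying type`, would make the intent checkable, and the changelog should mention it since it currently speaks only of openoffice. The typealias list begins and ends inside the hunk, but the declarations it refers to do not.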
@@ -11812,8 +11866,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.5.13/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-17 10:31:27.000000000 -0400 -@@ -247,6 +247,8 @@ ++++ serefpolicy-3.5.13/policy/modules/services/bind.te 2008-10-27 09:51:11.000000000 -0400 +@@ -118,6 +118,7 @@ + corenet_tcp_bind_dns_port(named_t) + corenet_udp_bind_dns_port(named_t) + corenet_tcp_bind_rndc_port(named_t) ++corenet_udp_bind_all_ports(named_t) + corenet_tcp_connect_all_ports(named_t) + corenet_sendrecv_dns_server_packets(named_t) + corenet_sendrecv_dns_client_packets(named_t) +@@ -247,6 +248,8 @@ sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) @@ -11909,7 +11971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.5.13/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/bluetooth.te 2008-10-27 12:54:15.000000000 -0400 @@ -20,6 +20,9 @@ type bluetooth_helper_exec_t; application_executable_file(bluetooth_helper_exec_t) 
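Review bot: The added `corenet_udp_bind_all_ports(named_t)` in the bind.te hunk at inner line 118 grants named_t UDP name_bind on every port type, reserved ones included, on top of the dns and rndc binds already listed beside it. If this is for randomizing the source port of outgoing queries, binding unreserved ports is sufficient, and `corenet_udp_bind_all_unreserved_ports(named_t)` (the interface this same commit edits in corenetwork.if.in) keeps privileged port types out of named's reach. A comment stating the reason, e.g. `# query source port randomization`, would also help, since the changelog only mentions openoffice.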
@@ -11967,20 +12029,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_dontaudit_use_ptys(bluetooth_t) sysadm_dontaudit_search_home_dirs(bluetooth_t) -@@ -126,12 +130,13 @@ - sysadm_dontaudit_search_home_dirs(bluetooth_t) - +@@ -128,10 +132,15 @@ optional_policy(` -- dbus_system_bus_client_template(bluetooth, bluetooth_t) -- dbus_connect_system_bus(bluetooth_t) -+ cups_dbus_chat(bluetooth_t) + dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_connect_system_bus(bluetooth_t) ++ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ++ ++ optional_policy(` ++ cups_dbus_chat(bluetooth_t) ') optional_policy(` - nis_use_ypbind(bluetooth_t) -+ dbus_system_bus_client_template(bluetooth, bluetooth_t) -+ dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ++ hal_dbus_chat(bluetooth_t) ++ ') ') optional_policy(` @@ -29644,7 +29706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-24 10:26:04.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-27 09:05:47.000000000 -0400 @@ -6,35 +6,76 @@ # Declarations # @@ -29941,7 +30003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -229,14 +295,50 @@ +@@ -229,14 +295,57 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) 
@@ -29966,7 +30028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + xserver_rw_xdm_xserver_shm(unconfined_execmem_t) -+') + ') + +######################################## +# @@ -29983,7 +30045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + gen_require(` + type mplayer_exec_t; - ') ++ ') + domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) +') + @@ -29994,6 +30056,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) +') + ++optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/userdomain.fc 2008-10-17 10:31:27.000000000 -0400 @@ -30009,7 +30078,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-08-07 11:15:12.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-17 17:49:05.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2008-10-27 09:43:09.000000000 -0400 @@ -28,10 +28,14 @@ class context contains; ') @@ -31135,6 +31204,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##
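Review bot: The new openoffice optional_policy block in the unconfined.te hunk `@@ -29994,6 +30056,13 @@` carries no comment, so the policy itself does not say why openoffice is moved out of unconfined_t into unconfined_execmem_t; the mplayer and mozilla blocks directly above it have the same gap. unconfined_execmem_t is the domain carrying `allow unconfined_execmem_t self:process { execstack execmem };` (visible in the preceding hunk, together with unconfined_domain_noaudit), so a one-line comment such as `# openoffice needs execmem/execstack; run it in unconfined_execmem_t so the permission stays off unconfined_t` above the gen_require would record the trade-off for the next reader. The other hunks on this line (`@@ -29966` and `@@ -29983`) only re-indent two `')` lines and need nothing.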

##

## This template creates a user domain, types, and +@@ -1158,7 +1152,7 @@ + # + + # Inherit rules for ordinary users. +- userdom_restricted_user_template($1) ++ userdom_restricted_xwindows_user_template($1) + userdom_common_user_template($1) + + ############################## @@ -1167,11 +1161,10 @@ # @@ -31148,7 +31226,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -1189,36 +1182,45 @@ +@@ -1189,36 +1182,41 @@ ') ') @@ -31165,33 +31243,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_generic_port($1_t) + corenet_tcp_bind_all_unreserved_ports($1_t) -+ ') -+ + ') + + # Run pppd in pppd_t by default for user -+ optional_policy(` + optional_policy(` +- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) +- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) + ppp_run_cond($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') - optional_policy(` -- netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -- netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ games_rw_data($1_usertype) - ') - optional_policy(` - postgresql_userdom_template($1,$1_t,$1_r) -+ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ++ games_rw_data($1_usertype) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) -+ cron_per_role_template($1, $1_t, $1_r) ++ mount_run($1_t, $1_r, { $1_tty_device_t $1_devpts_t }) ') optional_policy(` - setroubleshoot_stream_connect($1_t) -+ polkit_per_role_template($1, $1_usertype, $1_r) ++ cron_per_role_template($1, $1_t, $1_r) + ') + + optional_policy(` 
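Review bot: The userdomain.if hunk `@@ -31135,6 +31204,15 @@` makes the inner patch replace `userdom_restricted_user_template($1)` with `userdom_restricted_xwindows_user_template($1)` under "# Inherit rules for ordinary users", which presumably gives every domain built from that template the X access of the xwindows variant; the enclosing template's header is outside the hunk, so which template this is cannot be read here. That is a widening unrelated to openoffice and absent from the changelog; it deserves its own changelog line and a why-comment beside the call, e.g. `# xwindows variant: ordinary users need an X session`. The `@@ -31165` hunk on the same line reshuffles the optional_policy blocks for ppp, games, mount and cron across diff -b alignment boundaries, and the `polkit_per_role_template($1, $1_usertype, $1_r)` call the old patch carried is no longer visible on the new side within this hunk, so it is worth confirming it survives in the lines past the hunk end.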
@@ -31207,7 +31281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1295,8 +1297,6 @@ +@@ -1295,8 +1293,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -31216,7 +31290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1318,8 +1318,6 @@ +@@ -1318,8 +1314,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -31225,7 +31299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1374,13 +1372,6 @@ +@@ -1374,13 +1368,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -31239,7 +31313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1432,6 +1423,7 @@ +@@ -1432,6 +1419,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31247,7 +31321,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1461,10 +1453,6 @@ +@@ -1461,10 +1449,6 @@ seutil_run_semanage($1,$2,$3) seutil_run_setfiles($1, $2, $3) @@ -31258,7 +31332,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` aide_run($1,$2, $3) ') -@@ -1484,6 +1472,14 @@ +@@ -1484,6 +1468,14 @@ optional_policy(` netlabel_run_mgmt($1,$2, $3) ') @@ -31273,7 +31347,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1741,11 +1737,15 @@ +@@ -1741,11 +1733,15 @@ # template(`userdom_user_home_content',` gen_require(` 
@@ -31292,7 +31366,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1841,11 +1841,11 @@ +@@ -1841,11 +1837,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -31306,7 +31380,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1875,11 +1875,11 @@ +@@ -1875,11 +1871,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -31320,7 +31394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1923,12 +1923,12 @@ +@@ -1923,12 +1919,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -31336,7 +31410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1958,10 +1958,11 @@ +@@ -1958,10 +1954,11 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -31350,7 +31424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1993,11 +1994,47 @@ +@@ -1993,11 +1990,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -31400,7 +31474,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2029,10 +2066,10 @@ +@@ -2029,10 +2062,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -31413,7 +31487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2062,11 +2099,11 @@ +@@ -2062,11 +2095,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` 
@@ -31427,7 +31501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2096,11 +2133,11 @@ +@@ -2096,11 +2129,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -31442,7 +31516,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2130,10 +2167,14 @@ +@@ -2130,10 +2163,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -31459,7 +31533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2163,11 +2204,11 @@ +@@ -2163,11 +2200,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -31473,7 +31547,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2197,11 +2238,11 @@ +@@ -2197,11 +2234,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -31487,7 +31561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2231,10 +2272,10 @@ +@@ -2231,10 +2268,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -31500,7 +31574,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2266,12 +2307,12 @@ +@@ -2266,12 +2303,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -31516,7 +31590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2303,10 +2344,10 @@ +@@ -2303,10 +2340,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` 
@@ -31529,7 +31603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2338,12 +2379,12 @@ +@@ -2338,12 +2375,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -31545,7 +31619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2375,12 +2416,12 @@ +@@ -2375,12 +2412,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -31561,7 +31635,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2412,12 +2453,12 @@ +@@ -2412,12 +2449,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -31577,7 +31651,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2462,11 +2503,11 @@ +@@ -2462,11 +2499,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -31591,7 +31665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2511,11 +2552,11 @@ +@@ -2511,11 +2548,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -31605,7 +31679,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2555,11 +2596,11 @@ +@@ -2555,11 +2592,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -31619,7 +31693,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2589,11 +2630,11 @@ +@@ -2589,11 +2626,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` 
@@ -31633,7 +31707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2623,11 +2664,11 @@ +@@ -2623,11 +2660,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -31647,7 +31721,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2659,10 +2700,10 @@ +@@ -2659,10 +2696,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -31660,7 +31734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2694,10 +2735,10 @@ +@@ -2694,10 +2731,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -31673,7 +31747,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2727,12 +2768,12 @@ +@@ -2727,12 +2764,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -31689,7 +31763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2764,10 +2805,10 @@ +@@ -2764,10 +2801,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -31702,7 +31776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2799,10 +2840,10 @@ +@@ -2799,10 +2836,10 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -31715,7 +31789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2832,12 +2873,12 @@ +@@ -2832,12 +2869,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` 
@@ -31731,7 +31805,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2869,10 +2910,10 @@ +@@ -2869,10 +2906,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -31744,7 +31818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2904,12 +2945,12 @@ +@@ -2904,12 +2941,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -31760,7 +31834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2941,11 +2982,11 @@ +@@ -2941,11 +2978,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -31774,7 +31848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2977,11 +3018,11 @@ +@@ -2977,11 +3014,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -31788,7 +31862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3013,11 +3054,11 @@ +@@ -3013,11 +3050,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -31802,7 +31876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3049,11 +3090,11 @@ +@@ -3049,11 +3086,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -31816,7 +31890,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3085,11 +3126,11 @@ +@@ -3085,11 +3122,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` 
@@ -31830,7 +31904,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -3134,10 +3175,10 @@ +@@ -3134,10 +3171,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -31843,7 +31917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_search_tmp($2) ') -@@ -3178,19 +3219,19 @@ +@@ -3178,19 +3215,19 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -31867,7 +31941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This is a templated interface, and should only -@@ -3211,13 +3252,13 @@ +@@ -3211,13 +3248,13 @@ # template(`userdom_rw_user_tmpfs_files',` gen_require(` @@ -31885,7 +31959,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4616,11 +4657,11 @@ +@@ -4616,11 +4653,11 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -31899,7 +31973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4640,6 +4681,14 @@ +@@ -4640,6 +4677,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -31914,7 +31988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4677,6 +4726,8 @@ +@@ -4677,6 +4722,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -31923,7 +31997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4721,6 +4772,25 @@ +@@ -4721,6 +4768,25 @@ ######################################## ##

@@ -31949,7 +32023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4946,7 +5016,7 @@ +@@ -4946,7 +5012,7 @@ ######################################## ## 
@@ -31958,147 +32032,63 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -5318,7 +5388,7 @@ +@@ -5318,6 +5384,42 @@ ######################################## ## --## Read and write unprivileged user ttys. +## Write all unprivileged users files in /tmp - ## - ## - ## -@@ -5326,18 +5396,17 @@ - ## - ## - # --interface(`userdom_use_unpriv_users_ttys',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_manage_unpriv_users_tmp_files',` - gen_require(` -- attribute user_ttynode; ++ gen_require(` + type user_tmp_t; - ') - -- allow $1 user_ttynode:chr_file rw_term_perms; ++ ') ++ + manage_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use unprivileged --## user ttys. ++') ++ ++######################################## ++## +## Write all unprivileged users lnk_files in /tmp - ## - ## - ## -@@ -5345,17 +5414,17 @@ - ## - ## - # --interface(`userdom_dontaudit_use_unpriv_users_ttys',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_manage_unpriv_users_tmp_symlinks',` - gen_require(` -- attribute user_ttynode; ++ gen_require(` + type user_tmp_t; - ') - -- dontaudit $1 user_ttynode:chr_file rw_file_perms; ++ ') ++ + manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Read and write unprivileged user ttys. ++') ++ ++######################################## ++## + ## Read and write unprivileged user ttys. 
## ## - ## -@@ -5363,18 +5432,18 @@ - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; +@@ -5368,7 +5470,7 @@ + attribute userdomain; ') - read_files_pattern($1,userdomain,userdomain) -- kernel_search_proc($1) -+ allow $1 user_ttynode:chr_file rw_term_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to use unprivileged -+## user ttys. - ## - ## - ## -@@ -5382,17 +5451,54 @@ - ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_use_unpriv_users_ttys',` - gen_require(` -- attribute userdomain; -+ attribute user_ttynode; - ') - -- allow $1 userdomain:process getattr; -+ dontaudit $1 user_ttynode:chr_file rw_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains -+## Read the process state of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_all_users_state',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ + ps_process_pattern($1, userdomain) -+ kernel_search_proc($1) -+') -+ -+######################################## -+## -+## Get the attributes of all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_getattr_all_users',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:process getattr; -+') -+ -+######################################## -+## -+## Inherit the file descriptors from all user domains - ## - ## - ## -@@ -5483,6 +5589,42 @@ + kernel_search_proc($1) + ') + +@@ -5483,7 +5585,43 @@ ######################################## ## +-## Send a dbus message to all user domains. +## Manage keys for all user domains. +## +## 
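Review bot: The two interfaces this hunk adds, userdom_manage_unpriv_users_tmp_files and userdom_manage_unpriv_users_tmp_symlinks, are summarized as "Write all unprivileged users files in /tmp" and "Write all unprivileged users lnk_files in /tmp", but their bodies call `manage_files_pattern($1, user_tmp_t, user_tmp_t)` and `manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)`, which also grant create, rename and delete. The summary lines should state what is actually granted, e.g. `## Create, read, write, and delete all unprivileged users files in /tmp`, so a caller can judge the exposure of user_tmp_t before using them. Separately, userdom_read_all_users_state now uses `ps_process_pattern($1, userdomain)` in place of `read_files_pattern($1,userdomain,userdomain)`; these are not the same permission set, and a short comment on that line naming what the pattern covers would spare the next reviewer re-deriving it.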
@@ -32135,10 +32125,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## - ## Send a dbus message to all user domains. ++## Send a dbus message to all user domains. ## ## -@@ -5513,3 +5655,548 @@ + ## +@@ -5513,3 +5651,548 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -32689,7 +32680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.5.13/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2008-10-14 11:58:09.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-17 10:31:27.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/userdomain.te 2008-10-27 09:04:14.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -32731,7 +32722,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The privhome attribute identifies every domain that can create files under # regular user home directories in the regular context (IE act on behalf of # a user in writing regular files) -@@ -81,6 +73,76 @@ +@@ -81,6 +73,75 @@ # unprivileged user domains attribute unpriv_userdomain; @@ -32807,7 +32798,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_sock_files_pattern(privhome, cifs_t, cifs_t) + manage_fifo_files_pattern(privhome, cifs_t, cifs_t) +') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2008-08-07 11:15:12.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2008-10-17 10:31:27.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 3268e2dc..7acdfc1b 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -462,6 +462,9 @@ exit 0 %endif %changelog +* Mon Oct 27 2008 Dan Walsh 3.5.13-9 +- Allow openoffice execstack/execmem privs + * Fri Oct 24 2008 Dan Walsh 3.5.13-8 - Allow mozilla to run with unconfined_execmem_t