From a9d4b80f503f250eef0c18bef55941ff3e49799d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 20 Sep 2007 17:21:13 +0000 Subject: [PATCH] - Fix to add xguest account when inititial install - Allow mono, java, wine to run in userdomains --- policy-20070703.patch | 227 +++++++++++++++++++++++++++--------------- selinux-policy.spec | 3 +- 2 files changed, 151 insertions(+), 79 deletions(-) diff --git a/policy-20070703.patch b/policy-20070703.patch index 7dc7e81c..8e6c152d 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -1618,7 +1618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if --- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 11:42:05.000000000 -0400 @@ -18,3 +18,102 @@ corecmd_search_bin($1) domtrans_pattern($1, mono_exec_t, mono_t) @@ -1714,7 +1714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if + + userdom_unpriv_usertype($1, $1_mono_t) + -+ allow $1_mono_t self:process { execheap execmem }; ++ allow $1_mono_t self:process { signal getsched execheap execmem }; + + domtrans_pattern($2, mono_exec_t, $1_mono_t) + 
@@ -1724,7 +1724,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-20 11:41:50.000000000 -0400 +@@ -15,7 +15,7 @@ + # Local policy + # + +-allow mono_t self:process { execheap execmem }; ++allow mono_t self:process { signal getsched execheap execmem }; + + userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file }) + @@ -46,3 +46,7 @@ unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) 
@@ -4206,6 +4215,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi dev_read_sound(entropyd_t) fs_getattr_all_fs(entropyd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if +--- nsaserefpolicy/policy/modules/services/automount.if 2007-05-29 14:10:57.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/automount.if 2007-09-20 11:17:32.000000000 -0400 +@@ -74,3 +74,21 @@ + + dontaudit $1 automount_tmp_t:dir getattr; + ') ++ ++######################################## ++## ++## Do not audit attempts to file descriptors for automount. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`automount_dontaudit_use_fds',` ++ gen_require(` ++ type automount_t; ++ ') ++ ++ dontaudit $1 automount_t:fd use; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te --- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-09-17 16:20:18.000000000 -0400 @@ -5150,7 +5184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400 @@ -50,6 +50,12 @@ ## # 
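Review bot: The summary of the new `automount_dontaudit_use_fds` interface is missing its verb — `Do not audit attempts to file descriptors for automount.` should read `Do not audit attempts to use file descriptors for automount.` The rule body `dontaudit $1 automount_t:fd use;` matches the interface name, so only the doc line needs changing.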
@@ -5172,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1_dbusd_t self:file { getattr read write }; allow $1_dbusd_t self:fifo_file rw_fifo_file_perms; allow $1_dbusd_t self:dbus { send_msg acquire_svc }; -@@ -135,6 +142,19 @@ +@@ -135,7 +142,21 @@ selinux_compute_relabel_context($1_dbusd_t) selinux_compute_user_contexts($1_dbusd_t) @@ -5190,9 +5224,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + userdom_read_user_home_content_files($1, $1_dbusd_t) + auth_read_pam_console_data($1_dbusd_t) ++ auth_use_nsswitch($1_dbusd_t) libs_use_ld_so($1_dbusd_t) -@@ -193,6 +213,7 @@ + libs_use_shared_libs($1_dbusd_t) +@@ -193,6 +214,7 @@ gen_require(` type system_dbusd_t, system_dbusd_t; type system_dbusd_var_run_t; @@ -5200,7 +5236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus class dbus send_msg; ') -@@ -202,9 +223,12 @@ +@@ -202,9 +224,12 @@ # SE-DBus specific permissions allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; @@ -5213,7 +5249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -271,6 +295,32 @@ +@@ -271,6 +296,32 @@ allow $2 $1_dbusd_t:dbus send_msg; ') @@ -5246,7 +5282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ######################################## ## ## Read dbus configuration. -@@ -286,6 +336,7 @@ +@@ -286,6 +337,7 @@ type dbusd_etc_t; ') @@ -5254,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1 dbusd_etc_t:file read_file_perms; ') -@@ -346,3 +397,23 @@ +@@ -346,3 +398,23 @@ allow $1 system_dbusd_t:dbus *; ') 
@@ -5280,7 +5316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-20 12:01:29.000000000 -0400 @@ -23,6 +23,9 @@ type system_dbusd_var_run_t; files_pid_file(system_dbusd_var_run_t) @@ -7986,7 +8022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-17 16:20:18.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-20 11:18:24.000000000 -0400 @@ -59,10 +59,14 @@ manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t) files_pid_filetrans(rpcd_t,rpcd_var_run_t,file) @@ -8002,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) -@@ -76,9 +80,11 @@ +@@ -76,9 +80,16 @@ miscfiles_read_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -8011,10 +8047,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. optional_policy(` nis_read_ypserv_config(rpcd_t) + nis_use_ypbind(rpcd_t) ++') ++ ++# automount -> mount -> rpcd ++optional_policy(` ++ automount_dontaudit_use_fds(rpcd_t) ') ######################################## -@@ -91,9 +97,13 @@ +@@ -91,9 +102,13 @@ allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; 
@@ -8028,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -123,6 +133,7 @@ +@@ -123,6 +138,7 @@ tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) @@ -8036,7 +8077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') tunable_policy(`nfs_export_all_ro',` -@@ -143,6 +154,9 @@ +@@ -143,6 +159,9 @@ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -8046,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -158,6 +172,9 @@ +@@ -158,6 +177,9 @@ miscfiles_read_certs(gssd_t) @@ -9489,7 +9530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 10:52:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) 
@@ -9512,7 +9553,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser term_setattr_unallocated_ttys($1_xserver_t) term_use_unallocated_ttys($1_xserver_t) -@@ -353,12 +356,6 @@ +@@ -282,6 +285,7 @@ + domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) + + allow $1_xserver_t $1_xauth_home_t:file { getattr read }; ++ allow xdm_t $1_xauth_home_t:file append_file_perms; + + domtrans_pattern($2, xserver_exec_t, $1_xserver_t) + allow $1_xserver_t $2:process signal; +@@ -353,12 +357,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) @@ -9525,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +384,14 @@ +@@ -387,6 +385,14 @@ ') optional_policy(` @@ -9540,16 +9589,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -537,16 +542,14 @@ +@@ -537,16 +543,14 @@ gen_require(` type xdm_t, xdm_tmp_t; - type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t; ') - allow $2 self:shm create_shm_perms; - allow $2 self:unix_dgram_socket create_socket_perms; - allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; +- allow $2 self:shm create_shm_perms; +- allow $2 self:unix_dgram_socket create_socket_perms; +- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }; ++ allow $2 $2:shm create_shm_perms; ++ allow $2 $2:unix_dgram_socket create_socket_perms; ++ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms }; - # Read .Xauthority file - allow $2 $1_xauth_home_t:file { getattr read }; 
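Review bot: `allow $1_xserver_t $1_xauth_home_t:file { getattr read };` is followed by a new `allow xdm_t $1_xauth_home_t:file append_file_perms;` inside a per-user template, so xdm_t ends up with append access to every user's xauth home file, not only the session it is currently starting. That is plausibly what writing the session cookie into the user's .Xauthority requires, but the rule carries no explanation and is the only one in this stretch that names xdm_t directly; a why-comment such as `# xdm appends the session cookie to the user's .Xauthority` would record the intent. The enclosing template starts and ends outside the hunk.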
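Review bot: Rewriting `allow $2 self:shm`, `allow $2 self:unix_dgram_socket` and `allow $2 self:unix_stream_socket { connectto create_stream_socket_perms }` as `allow $2 $2:...` is not a no-op when `$2` is an attribute: `self` pairs each type only with itself, whereas `$2 $2` lets every type carrying the attribute use the shm segments, dgram sockets and connect to the stream sockets of every other type carrying it. The userdomain hunk in this commit passes `$1_usertype` as `$2`, so this appears to be the intended way to let the per-user mono/java/wine domains reach the X client sockets of the base user domain. If so, state that in a comment on these three lines rather than leaving the reader to spot the `self` → `$2 $2` difference, and if cross-subdomain shm or dgram sharing is not actually needed, keep those two rules on `self`. The enclosing template continues outside the hunk.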
@@ -9559,7 +9611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +558,52 @@ +@@ -555,25 +559,52 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -9620,7 +9672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +656,24 @@ +@@ -626,6 +657,24 @@ ######################################## ## @@ -9645,7 +9697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +707,73 @@ +@@ -659,6 +708,73 @@ ######################################## ## @@ -9719,7 +9771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1042,7 @@ +@@ -927,6 +1043,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -9727,7 +9779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1103,37 @@ +@@ -987,6 +1104,37 @@ ######################################## ## @@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1283,7 @@ +@@ -1136,7 +1284,7 @@ type xdm_xserver_tmp_t; ') @@ -9774,7 +9826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1472,62 @@ +@@ -1325,3 +1473,62 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -10057,7 +10109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400 @@ -26,7 +26,8 @@ type $1_chkpwd_t, can_read_shadow_passwords; application_domain($1_chkpwd_t,chkpwd_exec_t) @@ -10088,7 +10140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo domain_type($1) domain_subj_id_change_exemption($1) -@@ -176,11 +177,23 @@ +@@ -176,11 +177,24 @@ domain_obj_id_change_exemption($1) role system_r types $1; @@ -10098,6 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo + + auth_keyring_domain($1) + allow $1 keyring_type:key { search link }; ++ auth_domtrans_chk_passwd($1) + + files_list_var_lib($1) + manage_files_pattern($1, var_auth_t, var_auth_t) @@ -10112,7 +10165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo selinux_get_fs_mount($1) selinux_validate_context($1) selinux_compute_access_vector($1) -@@ -196,22 +209,33 @@ +@@ -196,22 +210,33 @@ mls_fd_share_all_levels($1) auth_domtrans_chk_passwd($1) @@ -10147,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') ') -@@ -309,9 +333,6 @@ +@@ -309,9 +334,6 @@ type system_chkpwd_t, chkpwd_exec_t, shadow_t; ') @@ -10157,7 +10210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo corecmd_search_bin($1) domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t) -@@ -329,6 +350,7 @@ +@@ -329,6 +351,7 @@ optional_policy(` kerberos_use($1) 
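Review bot: The added `auth_domtrans_chk_passwd($1)` next to the keyring rules duplicates a call that appears unchanged a little further down — the context line `auth_domtrans_chk_passwd($1)` right after `mls_fd_share_all_levels($1)` in the following hunk. Duplicate rules are harmless to the compiler but make the interface harder to audit; drop the new line, or drop the older one if the intent was to move the call up. The interface body extends beyond both hunks, so whether the two calls sit in the same branch is inferred rather than visible.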
@@ -10165,7 +10218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ') optional_policy(` -@@ -347,6 +369,37 @@ +@@ -347,6 +370,37 @@ ######################################## ## @@ -10203,7 +10256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Get the attributes of the shadow passwords file. ## ## -@@ -695,6 +748,24 @@ +@@ -695,6 +749,24 @@ ######################################## ## @@ -10228,7 +10281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo ## Execute pam programs in the PAM domain. ## ## -@@ -1318,14 +1389,9 @@ +@@ -1318,14 +1390,9 @@ ## # interface(`auth_use_nsswitch',` @@ -10243,7 +10296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo files_list_var_lib($1) miscfiles_read_certs($1) -@@ -1381,3 +1447,163 @@ +@@ -1381,3 +1448,163 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -12135,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 11:56:27.000000000 -0400 @@ -432,6 +432,7 @@ role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; @@ -12249,7 +12302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1058,3 +1134,124 @@ +@@ -1058,3 +1134,133 @@ files_search_etc($1) rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t) ') 
@@ -12300,6 +12353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu + corecmd_search_bin($2) + domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t) + seutil_semanage_policy($1_setsebool_t) ++ ++ # Need to define per type booleans ++ selinux_set_boolean($1_setsebool_t) ++ ++ # Bug in semanage ++ seutil_domtrans_setfiles($1_setsebool_t) ++ seutil_manage_file_contexts($1_setsebool_t) ++ seutil_manage_default_contexts($1_setsebool_t) ++ seutil_manage_selinux_config($1_setsebool_t) +') + +####################################### @@ -12376,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 11:55:54.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) @@ -12506,7 +12568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu auth_dontaudit_read_shadow(run_init_t) corecmd_exec_bin(run_init_t) -@@ -423,77 +426,50 @@ +@@ -423,77 +426,53 @@ nscd_socket_use(run_init_t) ') @@ -12520,6 +12582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +selinux_set_boolean(setsebool_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_selinux_config(setsebool_t) -allow semanage_t self:capability { dac_override audit_write }; -allow semanage_t self:unix_stream_socket create_stream_socket_perms; 
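Review bot: The four rules added under `# Bug in semanage` give `$1_setsebool_t` — a per-role domain whose job is toggling booleans — a setfiles transition plus full management of file contexts, default contexts and the selinux config store, and the selinuxutil.te hunk below repeats the same grant for `setsebool_t`. That is far broader than setting a boolean needs, and a workaround for a tool bug tends to outlive the bug unless it is traceable. The comment should name what is being worked around so the rules can be retired, e.g. `# Workaround for semanage <BUG-ID placeholder>: needed until semanage stops rewriting the contexts store on boolean changes; drop when fixed`, and if only particular files in that store are touched, the narrower seutil rw interfaces are preferable to the manage ones.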
@@ -12610,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -521,6 +497,8 @@ +@@ -521,6 +500,8 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; @@ -12619,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu kernel_read_system_state(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t) -@@ -537,6 +515,7 @@ +@@ -537,6 +518,7 @@ fs_getattr_xattr_fs(setfiles_t) fs_list_all(setfiles_t) @@ -12627,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu fs_search_auto_mountpoints(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t) -@@ -592,6 +571,10 @@ +@@ -592,6 +574,10 @@ ifdef(`hide_broken_symptoms',` optional_policy(` @@ -13163,7 +13228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 10:55:37.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400 @@ -29,8 +29,9 @@ ') 
@@ -13503,26 +13568,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($1_t) - ') -+ dev_rw_xserver_misc($1_t) -+ dev_rw_power_management($1_t) -+ dev_read_input($1_t) -+ dev_read_misc($1_t) -+ dev_write_misc($1_t) ++ dev_rw_xserver_misc($1_usertype) ++ dev_rw_power_management($1_usertype) ++ dev_read_input($1_usertype) ++ dev_read_misc($1_usertype) ++ dev_write_misc($1_usertype) + # open office is looking for the following -+ dev_getattr_agp_dev($1_t) -+ dev_dontaudit_rw_dri($1_t) ++ dev_getattr_agp_dev($1_usertype) ++ dev_dontaudit_rw_dri($1_usertype) + # GNOME checks for usb and other devices: -+ dev_rw_usbfs($1_t) -+ xserver_user_client_template($1,$1_t,$1_tmpfs_t) -+ xserver_xsession_entry_type($1_t) -+ xserver_dontaudit_write_log($1_t) -+ xserver_stream_connect_xdm($1_t) ++ dev_rw_usbfs($1_usertype) ++ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t) ++ xserver_xsession_entry_type($1_usertype) ++ xserver_dontaudit_write_log($1_usertype) ++ xserver_stream_connect_xdm($1_usertype) + # certain apps want to read xdm.pid file -+ xserver_read_xdm_pid($1_t) ++ xserver_read_xdm_pid($1_usertype) + # gnome-session creates socket under /tmp/.ICE-unix/ -+ xserver_create_xdm_tmp_sockets($1_t) ++ xserver_create_xdm_tmp_sockets($1_usertype) + # Needed for escd, remove if we get escd policy -+ xserver_manage_xdm_tmp_files($1_t) ++ xserver_manage_xdm_tmp_files($1_usertype) ') ####################################### 
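Review bot: Switching every rule in this block from `$1_t` to `$1_usertype` grants the device and X rules — `dev_rw_usbfs`, `dev_rw_power_management`, `dev_write_misc`, `xserver_manage_xdm_tmp_files`, the xsession entrypoint and the rest — to every type carrying the attribute, not only to the base user domain. For the mono/java/wine subdomains this commit introduces that is presumably intended, but the lines tagged as workarounds (`# Needed for escd, remove if we get escd policy`, `# open office is looking for the following`) now spread to all subdomains as well. Consider leaving the app-specific workarounds on `$1_t` and widening only what the derived domains need, with a one-line comment noting that `$1_usertype` here covers the derived app domains. The enclosing template starts and ends outside the hunk.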
@@ -14056,10 +14121,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1902,6 +1987,41 @@ +@@ -1894,10 +1979,46 @@ + template(`userdom_manage_user_home_content_dirs',` + gen_require(` + type $1_home_dir_t, $1_home_t; ++ attribute user_home_type; + ') - ######################################## - ## + files_search_home($2) +- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t) ++ manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t) ++') ++ ++######################################## ++## +## dontaudit attemps to Create files +## in a user home subdirectory. +## @@ -14091,14 +14166,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + ') + + dontaudit $2 $1_home_dir_t:file create; -+') -+ -+######################################## -+## - ## Do not audit attempts to set the - ## attributes of user home files. - ## -@@ -3078,7 +3198,7 @@ + ') + + ######################################## +@@ -3078,7 +3199,7 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -14107,7 +14178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_tmp_filetrans($2,$1_tmp_t,$3) -@@ -4615,6 +4735,24 @@ +@@ -4615,6 +4736,24 @@ files_list_home($1) allow $1 home_dir_type:dir search_dir_perms; ') @@ -14132,7 +14203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ######################################## ## -@@ -4633,6 +4771,14 @@ +@@ -4633,6 +4772,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -14147,7 +14218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5323,7 +5469,7 @@ +@@ -5323,7 +5470,7 @@ attribute user_tmpfile; ') 
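Review bot: In `userdom_manage_user_home_content_dirs`, replacing `$1_home_t` with the `user_home_type` attribute in `manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)` lets `$2` manage the home-content directories of every user type, not just `$1`'s, while the interface name, its `$1` parameter and the unchanged filetrans target still describe a single user. Any caller that asked for one user's home now receives cross-user write access, so either document the interface as granting all users' content or move the widening into a separate interface that callers opt into explicitly. Separately, the new summary `dontaudit attemps to Create files` should read `Do not audit attempts to create files`. The template's summary block starts above the hunk.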
@@ -14156,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -5559,3 +5705,375 @@ +@@ -5559,3 +5706,375 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 816773f8..a610a50b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -364,6 +364,7 @@ exit 0 %changelog * Wed Sep 19 2007 Dan Walsh 3.0.8-4 - Fix to add xguest account when inititial install +- Allow mono, java, wine to run in userdomains * Wed Sep 19 2007 Dan Walsh 3.0.8-3 - Allow xserver to search devpts_t