- Fix to add xguest account when inititial install

- Allow mono, java, wine to run in userdomains
This commit is contained in:
Daniel J Walsh 2007-09-20 17:21:13 +00:00
parent c67a1217e2
commit a9d4b80f50
2 changed files with 151 additions and 79 deletions

View File

@ -1618,7 +1618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.0.8/policy/modules/apps/mono.if
--- nsaserefpolicy/policy/modules/apps/mono.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 08:56:35.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.if 2007-09-20 11:42:05.000000000 -0400
@@ -18,3 +18,102 @@
corecmd_search_bin($1)
domtrans_pattern($1, mono_exec_t, mono_t)
@ -1714,7 +1714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+
+ userdom_unpriv_usertype($1, $1_mono_t)
+
+ allow $1_mono_t self:process { execheap execmem };
+ allow $1_mono_t self:process { signal getsched execheap execmem };
+
+ domtrans_pattern($2, mono_exec_t, $1_mono_t)
+
@ -1724,7 +1724,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.0.8/policy/modules/apps/mono.te
--- nsaserefpolicy/policy/modules/apps/mono.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/mono.te 2007-09-20 11:41:50.000000000 -0400
@@ -15,7 +15,7 @@
# Local policy
#
-allow mono_t self:process { execheap execmem };
+allow mono_t self:process { signal getsched execheap execmem };
userdom_generic_user_home_dir_filetrans_generic_user_home_content(mono_t,{ dir file lnk_file fifo_file sock_file })
@@ -46,3 +46,7 @@
unconfined_dbus_chat(mono_t)
unconfined_dbus_connect(mono_t)
@ -4206,6 +4215,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
dev_read_sound(entropyd_t)
fs_getattr_all_fs(entropyd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.0.8/policy/modules/services/automount.if
--- nsaserefpolicy/policy/modules/services/automount.if 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.if 2007-09-20 11:17:32.000000000 -0400
@@ -74,3 +74,21 @@
dontaudit $1 automount_tmp_t:dir getattr;
')
+
+########################################
+## <summary>
+## Do not audit attempts to file descriptors for automount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`automount_dontaudit_use_fds',`
+ gen_require(`
+ type automount_t;
+ ')
+
+ dontaudit $1 automount_t:fd use;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.8/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/automount.te 2007-09-17 16:20:18.000000000 -0400
@ -5150,7 +5184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2007-09-20 12:01:41.000000000 -0400
@@ -50,6 +50,12 @@
## </param>
#
@ -5172,7 +5206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1_dbusd_t self:file { getattr read write };
allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
@@ -135,6 +142,19 @@
@@ -135,7 +142,21 @@
selinux_compute_relabel_context($1_dbusd_t)
selinux_compute_user_contexts($1_dbusd_t)
@ -5190,9 +5224,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ userdom_read_user_home_content_files($1, $1_dbusd_t)
+
auth_read_pam_console_data($1_dbusd_t)
+ auth_use_nsswitch($1_dbusd_t)
libs_use_ld_so($1_dbusd_t)
@@ -193,6 +213,7 @@
libs_use_shared_libs($1_dbusd_t)
@@ -193,6 +214,7 @@
gen_require(`
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t;
@ -5200,7 +5236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
class dbus send_msg;
')
@@ -202,9 +223,12 @@
@@ -202,9 +224,12 @@
# SE-DBus specific permissions
allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg;
@ -5213,7 +5249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
')
#######################################
@@ -271,6 +295,32 @@
@@ -271,6 +296,32 @@
allow $2 $1_dbusd_t:dbus send_msg;
')
@ -5246,7 +5282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
########################################
## <summary>
## Read dbus configuration.
@@ -286,6 +336,7 @@
@@ -286,6 +337,7 @@
type dbusd_etc_t;
')
@ -5254,7 +5290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow $1 dbusd_etc_t:file read_file_perms;
')
@@ -346,3 +397,23 @@
@@ -346,3 +398,23 @@
allow $1 system_dbusd_t:dbus *;
')
@ -5280,7 +5316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2007-09-20 12:01:29.000000000 -0400
@@ -23,6 +23,9 @@
type system_dbusd_var_run_t;
files_pid_file(system_dbusd_var_run_t)
@ -7986,7 +8022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.te 2007-09-20 11:18:24.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -8002,7 +8038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
@@ -76,9 +80,11 @@
@@ -76,9 +80,16 @@
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@ -8011,10 +8047,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
optional_policy(`
nis_read_ypserv_config(rpcd_t)
+ nis_use_ypbind(rpcd_t)
+')
+
+# automount -> mount -> rpcd
+optional_policy(`
+ automount_dontaudit_use_fds(rpcd_t)
')
########################################
@@ -91,9 +97,13 @@
@@ -91,9 +102,13 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
@ -8028,7 +8069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -123,6 +133,7 @@
@@ -123,6 +138,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@ -8036,7 +8077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
@@ -143,6 +154,9 @@
@@ -143,6 +159,9 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@ -8046,7 +8087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -158,6 +172,9 @@
@@ -158,6 +177,9 @@
miscfiles_read_certs(gssd_t)
@ -9489,7 +9530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-07-03 07:06:27.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 10:52:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-09-20 12:07:15.000000000 -0400
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@ -9512,7 +9553,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
@@ -353,12 +356,6 @@
@@ -282,6 +285,7 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
+ allow xdm_t $1_xauth_home_t:file append_file_perms;
domtrans_pattern($2, xserver_exec_t, $1_xserver_t)
allow $1_xserver_t $2:process signal;
@@ -353,12 +357,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@ -9525,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
@@ -387,6 +384,14 @@
@@ -387,6 +385,14 @@
')
optional_policy(`
@ -9540,16 +9589,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
nis_use_ypbind($1_xauth_t)
')
@@ -537,16 +542,14 @@
@@ -537,16 +543,14 @@
gen_require(`
type xdm_t, xdm_tmp_t;
- type $1_xauth_home_t, $1_iceauth_home_t, $1_xserver_t, $1_xserver_tmpfs_t;
')
allow $2 self:shm create_shm_perms;
allow $2 self:unix_dgram_socket create_socket_perms;
allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
- allow $2 self:shm create_shm_perms;
- allow $2 self:unix_dgram_socket create_socket_perms;
- allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow $2 $2:shm create_shm_perms;
+ allow $2 $2:unix_dgram_socket create_socket_perms;
+ allow $2 $2:unix_stream_socket { connectto create_stream_socket_perms };
- # Read .Xauthority file
- allow $2 $1_xauth_home_t:file { getattr read };
@ -9559,7 +9611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
@@ -555,25 +558,52 @@
@@ -555,25 +559,52 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@ -9620,7 +9672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
')
@@ -626,6 +656,24 @@
@@ -626,6 +657,24 @@
########################################
## <summary>
@ -9645,7 +9697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -659,6 +707,73 @@
@@ -659,6 +708,73 @@
########################################
## <summary>
@ -9719,7 +9771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain.
## </summary>
## <desc>
@@ -927,6 +1042,7 @@
@@ -927,6 +1043,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -9727,7 +9779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -987,6 +1103,37 @@
@@ -987,6 +1104,37 @@
########################################
## <summary>
@ -9765,7 +9817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
@@ -1136,7 +1283,7 @@
@@ -1136,7 +1284,7 @@
type xdm_xserver_tmp_t;
')
@ -9774,7 +9826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
@@ -1325,3 +1472,62 @@
@@ -1325,3 +1473,62 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@ -10057,7 +10109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 09:08:43.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 11:14:45.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10088,7 +10140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
@@ -176,11 +177,23 @@
@@ -176,11 +177,24 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@ -10098,6 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+ auth_domtrans_chk_passwd($1)
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
@ -10112,7 +10165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
@@ -196,22 +209,33 @@
@@ -196,22 +210,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@ -10147,7 +10200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
@@ -309,9 +333,6 @@
@@ -309,9 +334,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@ -10157,7 +10210,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@@ -329,6 +350,7 @@
@@ -329,6 +351,7 @@
optional_policy(`
kerberos_use($1)
@ -10165,7 +10218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
@@ -347,6 +369,37 @@
@@ -347,6 +370,37 @@
########################################
## <summary>
@ -10203,7 +10256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
@@ -695,6 +748,24 @@
@@ -695,6 +749,24 @@
########################################
## <summary>
@ -10228,7 +10281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
@@ -1318,14 +1389,9 @@
@@ -1318,14 +1390,9 @@
## </param>
#
interface(`auth_use_nsswitch',`
@ -10243,7 +10296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
@@ -1381,3 +1447,163 @@
@@ -1381,3 +1448,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -12135,7 +12188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 09:37:08.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-09-20 11:56:27.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@ -12249,7 +12302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
## Full management of the semanage
## module store.
## </summary>
@@ -1058,3 +1134,124 @@
@@ -1058,3 +1134,133 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@ -12300,6 +12353,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+ corecmd_search_bin($2)
+ domtrans_pattern($2,setsebool_exec_t,$1_setsebool_t)
+ seutil_semanage_policy($1_setsebool_t)
+
+ # Need to define per type booleans
+ selinux_set_boolean($1_setsebool_t)
+
+ # Bug in semanage
+ seutil_domtrans_setfiles($1_setsebool_t)
+ seutil_manage_file_contexts($1_setsebool_t)
+ seutil_manage_default_contexts($1_setsebool_t)
+ seutil_manage_selinux_config($1_setsebool_t)
+')
+
+#######################################
@ -12376,7 +12438,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 09:31:29.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-09-20 11:55:54.000000000 -0400
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -12506,7 +12568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
@@ -423,77 +426,50 @@
@@ -423,77 +426,53 @@
nscd_socket_use(run_init_t)
')
@ -12520,6 +12582,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+selinux_set_boolean(setsebool_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_selinux_config(setsebool_t)
-allow semanage_t self:capability { dac_override audit_write };
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
@ -12610,7 +12675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -521,6 +497,8 @@
@@ -521,6 +500,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@ -12619,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
@@ -537,6 +515,7 @@
@@ -537,6 +518,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@ -12627,7 +12692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -592,6 +571,10 @@
@@ -592,6 +574,10 @@
ifdef(`hide_broken_symptoms',`
optional_policy(`
@ -13163,7 +13228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 10:55:37.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 12:06:52.000000000 -0400
@@ -29,8 +29,9 @@
')
@ -13503,26 +13568,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
- # Needed for escd, remove if we get escd policy
- xserver_manage_xdm_tmp_files($1_t)
- ')
+ dev_rw_xserver_misc($1_t)
+ dev_rw_power_management($1_t)
+ dev_read_input($1_t)
+ dev_read_misc($1_t)
+ dev_write_misc($1_t)
+ dev_rw_xserver_misc($1_usertype)
+ dev_rw_power_management($1_usertype)
+ dev_read_input($1_usertype)
+ dev_read_misc($1_usertype)
+ dev_write_misc($1_usertype)
+ # open office is looking for the following
+ dev_getattr_agp_dev($1_t)
+ dev_dontaudit_rw_dri($1_t)
+ dev_getattr_agp_dev($1_usertype)
+ dev_dontaudit_rw_dri($1_usertype)
+ # GNOME checks for usb and other devices:
+ dev_rw_usbfs($1_t)
+ xserver_user_client_template($1,$1_t,$1_tmpfs_t)
+ xserver_xsession_entry_type($1_t)
+ xserver_dontaudit_write_log($1_t)
+ xserver_stream_connect_xdm($1_t)
+ dev_rw_usbfs($1_usertype)
+ xserver_user_client_template($1,$1_usertype,$1_tmpfs_t)
+ xserver_xsession_entry_type($1_usertype)
+ xserver_dontaudit_write_log($1_usertype)
+ xserver_stream_connect_xdm($1_usertype)
+ # certain apps want to read xdm.pid file
+ xserver_read_xdm_pid($1_t)
+ xserver_read_xdm_pid($1_usertype)
+ # gnome-session creates socket under /tmp/.ICE-unix/
+ xserver_create_xdm_tmp_sockets($1_t)
+ xserver_create_xdm_tmp_sockets($1_usertype)
+ # Needed for escd, remove if we get escd policy
+ xserver_manage_xdm_tmp_files($1_t)
+ xserver_manage_xdm_tmp_files($1_usertype)
')
#######################################
@ -14056,10 +14121,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1902,6 +1987,41 @@
@@ -1894,10 +1979,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
+ attribute user_home_type;
')
########################################
## <summary>
files_search_home($2)
- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
+ manage_dirs_pattern($2,{ $1_home_dir_t user_home_type },$1_home_t)
+')
+
+########################################
+## <summary>
+## dontaudit attemps to Create files
+## in a user home subdirectory.
+## </summary>
@ -14091,14 +14166,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ ')
+
+ dontaudit $2 $1_home_dir_t:file create;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
@@ -3078,7 +3198,7 @@
')
########################################
@@ -3078,7 +3199,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -14107,7 +14178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_tmp_filetrans($2,$1_tmp_t,$3)
@@ -4615,6 +4735,24 @@
@@ -4615,6 +4736,24 @@
files_list_home($1)
allow $1 home_dir_type:dir search_dir_perms;
')
@ -14132,7 +14203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
########################################
## <summary>
@@ -4633,6 +4771,14 @@
@@ -4633,6 +4772,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@ -14147,7 +14218,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5323,7 +5469,7 @@
@@ -5323,7 +5470,7 @@
attribute user_tmpfile;
')
@ -14156,7 +14227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5559,3 +5705,375 @@
@@ -5559,3 +5706,375 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
Release: 4%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -364,6 +364,7 @@ exit 0
%changelog
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-4
- Fix to add xguest account when inititial install
- Allow mono, java, wine to run in userdomains
* Wed Sep 19 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-3
- Allow xserver to search devpts_t