- Default to user_u:system_r:unconfined_t

2007-07-02 20:32:38 +00:00 · 2007-07-02 20:32:38 +00:00 · b267b6f201
commit b267b6f201
parent b529ed6a06
2 changed files with 73 additions and 33 deletions
--- a/policy-20070525.patch
+++ b/policy-20070525.patch
@ -3121,7 +3121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/apache.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/apache.te	2007-07-02 12:44:51.000000000 -0400
@@ -47,6 +47,13 @@
 ## Allow http daemon to tcp connect
 ## </p>
@ -3662,19 +3662,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.0.1/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/bind.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/bind.te	2007-07-02 11:10:15.000000000 -0400
-@@ -119,6 +119,10 @@
+@@ -118,6 +118,11 @@
 corenet_sendrecv_dns_client_packets(named_t)
 corenet_sendrecv_rndc_server_packets(named_t)
 corenet_sendrecv_rndc_client_packets(named_t)
- 
+corenet_udp_bind_all_unreserved_ports(named_t)
 +
 +#dnsmasq 
 +corenet_tcp_bind_dhcpd_port(named_t)
 +corenet_udp_bind_dhcpd_port(named_t)
-+
+ 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
- 
+@@ -230,6 +235,7 @@
@@ -230,6 +234,7 @@
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
@ -3682,7 +3683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 corenet_sendrecv_rndc_client_packets(ndc_t)
 fs_getattr_xattr_fs(ndc_t)
-@@ -257,6 +262,10 @@
+@@ -257,6 +263,10 @@
 	allow ndc_t named_conf_t:dir search;
 ')
@ -5536,7 +5537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 corenet_tcp_connect_all_ports(ypxfr_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.1/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/nscd.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/nscd.te	2007-07-02 11:38:32.000000000 -0400
@@ -28,14 +28,14 @@
 # Local policy
 #
@ -5555,7 +5556,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
-@@ -92,6 +92,7 @@
+@@ -72,6 +72,8 @@
 corenet_udp_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
 +corenet_udp_bind_all_nodes(nscd_t)
 +corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
@@ -92,6 +94,7 @@
 libs_use_ld_so(nscd_t)
 libs_use_shared_libs(nscd_t)
@ -5563,7 +5573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 logging_send_syslog_msg(nscd_t)
 miscfiles_read_localization(nscd_t)
-@@ -113,3 +114,11 @@
+@@ -113,3 +116,12 @@
 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')
@ -5573,8 +5583,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +		samba_append_log(nscd_t)
 +		samba_dontaudit_use_fds(nscd_t)
 +	')
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.1/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/ntp.te	2007-06-19 17:06:27.000000000 -0400
@ -5666,8 +5677,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.1/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/openvpn.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/openvpn.te	2007-07-02 12:46:29.000000000 -0400
-@@ -42,8 +42,8 @@
+@@ -6,6 +6,13 @@
 # Declarations
 #
 +## <desc>
 +## <p>
 +## Allow openvpn to read home directories
 +## </p>
 +## </desc>
 +gen_tunable(openvpn_enable_homedirs,false)
 +
 # main openvpn domain
 type openvpn_t;
 type openvpn_exec_t;
@@ -42,8 +49,8 @@
 allow openvpn_t openvpn_var_log_t:file manage_file_perms;
 logging_log_filetrans(openvpn_t,openvpn_var_log_t,file)
@ -5678,7 +5703,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 kernel_read_kernel_sysctls(openvpn_t)
 kernel_read_net_sysctls(openvpn_t)
-@@ -66,6 +66,7 @@
+@@ -66,6 +73,7 @@
 corenet_udp_bind_openvpn_port(openvpn_t)
 corenet_sendrecv_openvpn_server_packets(openvpn_t)
 corenet_rw_tun_tap_dev(openvpn_t)
@ -5686,18 +5711,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
 dev_search_sysfs(openvpn_t)
 dev_read_rand(openvpn_t)
-@@ -84,6 +85,11 @@
+@@ -80,10 +88,23 @@
 logging_send_syslog_msg(openvpn_t)
 miscfiles_read_localization(openvpn_t)
 +miscfiles_read_certs(openvpn_t)
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)
-+ifdef(`targeted_policy',`
+tunable_policy(`openvpn_enable_homedirs',`
-+	# Need to interact with terminals if config option "auth-user-pass" is used
+	userdom_read_unpriv_users_home_content_files(openvpn_t)
 +	term_use_generic_ptys(openvpn_t)
 +')
 +
 optional_policy(`
 	daemontools_service_domain(openvpn_t,openvpn_exec_t)
 ')
 +
 +# Need to interact with terminals if config option "auth-user-pass" is used
 +userdom_use_sysadm_terms(openvpn_t)
 +
 +optional_policy(`
 +	unconfined_use_terminals(openvpn_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-3.0.1/policy/modules/services/pegasus.if
 --- nsaserefpolicy/policy/modules/services/pegasus.if	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/pegasus.if	2007-06-19 17:06:27.000000000 -0400
@ -7221,7 +7258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/xserver.te	2007-06-20 09:48:35.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/xserver.te	2007-07-02 12:10:01.000000000 -0400
@@ -16,6 +16,13 @@
 ## <desc>
@ -7236,7 +7273,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
-@@ -132,6 +139,7 @@
+@@ -132,15 +139,19 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -7244,7 +7281,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
-@@ -140,7 +148,8 @@
+ files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
 +# Read machine-id
 +files_read_var_lib_files(xdm_t)
 manage_dirs_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
 manage_fifo_files_pattern(xdm_t,xdm_var_run_t,xdm_var_run_t)
@ -7254,7 +7294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -245,6 +254,7 @@
+@@ -245,6 +256,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -7262,7 +7302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
-@@ -256,6 +266,7 @@
+@@ -256,6 +268,7 @@
 libs_exec_lib_files(xdm_t)
 logging_read_generic_logs(xdm_t)
@ -7270,7 +7310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-@@ -270,6 +281,10 @@
+@@ -270,6 +283,10 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -7281,7 +7321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
-@@ -305,6 +320,8 @@
+@@ -305,6 +322,8 @@
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -7290,7 +7330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 optional_policy(`
-@@ -347,12 +364,8 @@
+@@ -347,12 +366,8 @@
 ')
 optional_policy(`
@ -7304,7 +7344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
-@@ -424,6 +437,10 @@
+@@ -424,6 +439,10 @@
 ')
 optional_policy(`
@ -7315,7 +7355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
-@@ -433,47 +450,15 @@
+@@ -433,47 +452,15 @@
 ')
 optional_policy(`
@ -8767,12 +8807,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.1/policy/modules/system/lvm.fc
 --- nsaserefpolicy/policy/modules/system/lvm.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/lvm.fc	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/lvm.fc	2007-07-02 16:25:30.000000000 -0400
@@ -15,6 +15,7 @@
 #
 /etc/lvm(/.*)?			gen_context(system_u:object_r:lvm_etc_t,s0)
 /etc/lvm/\.cache	--	gen_context(system_u:object_r:lvm_metadata_t,s0)
-+/etc/lvm/cache(./*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
+/etc/lvm/cache(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/archive(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/backup(/.*)?		gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@ -9534,7 +9574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.1/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/unconfined.if	2007-06-22 11:17:20.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/unconfined.if	2007-07-02 12:39:12.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz