- Fix labeling on /var/spool/rsyslog

Daniel J Walsh 2008-12-02 19:41:59 +00:00
parent 359d6dac92
commit b3d78ec348


@ -24786,8 +24786,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-11-25 09:45:43.000000000 -0500
@@ -6,35 +6,75 @@
+++ serefpolicy-3.6.1/policy/modules/system/unconfined.te 2008-12-02 14:32:40.000000000 -0500
@@ -6,35 +6,76 @@
# Declarations
#
@ -24822,6 +24822,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+userdom_restricted_user_template(unconfined)
+#userdom_common_user_template(unconfined)
+#userdom_xwindows_client_template(unconfined)
+userdom_execmod_user_home_files(unconfined_t)
type unconfined_exec_t;
init_system_domain(unconfined_t, unconfined_exec_t)
@ -24870,7 +24871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_run_ldconfig(unconfined_t, unconfined_r)
@@ -42,26 +82,39 @@
@@ -42,26 +83,39 @@
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
@ -24912,7 +24913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -102,12 +155,24 @@
@@ -102,12 +156,24 @@
')
optional_policy(`
@ -24937,7 +24938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -119,7 +184,7 @@
@@ -119,7 +185,7 @@
')
optional_policy(`
@ -24946,7 +24947,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -127,23 +192,25 @@
@@ -127,23 +193,25 @@
')
optional_policy(`
@ -24977,7 +24978,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -155,36 +222,38 @@
@@ -155,36 +223,38 @@
')
optional_policy(`
@ -25028,7 +25029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -192,7 +261,7 @@
@@ -192,7 +262,7 @@
')
optional_policy(`
@ -25037,7 +25038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -204,11 +273,12 @@
@@ -204,11 +274,12 @@
')
optional_policy(`
@ -25052,7 +25053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -218,14 +288,58 @@
@@ -218,14 +289,58 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@ -25125,7 +25126,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 11:36:42.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-02 14:39:39.000000000 -0500
@@ -30,8 +30,9 @@
')
@ -25377,10 +25378,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_require(`
- type $1_t;
- ')
-
+interface(`userdom_basic_networking',`
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
+interface(`userdom_basic_networking',`
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t)
@ -25392,9 +25395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t)
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
-
- corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
@ -25511,26 +25512,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
-
- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
- corenet_udp_bind_all_nodes($1_t)
- corenet_udp_bind_generic_port($1_t)
- corecmd_exec_bin($1_t)
+ corenet_udp_bind_all_nodes($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
- corenet_udp_bind_all_nodes($1_t)
- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@ -25967,29 +25968,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- alsa_read_rw_config($1_t)
- ')
-
- optional_policy(`
+ alsa_read_rw_config($1_usertype)
')
optional_policy(`
- dbus_role_template($1, $1_r, $1_t)
- dbus_system_bus_client($1_t)
-
- optional_policy(`
- consolekit_dbus_chat($1_t)
+ alsa_read_rw_config($1_usertype)
+ apache_role($1_r, $1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
- ')
+ apache_role($1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
')
optional_policy(`
- java_role($1_r, $1_t)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
+ polkit_role($1_r, $1_usertype)
')
@ -26413,7 +26414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -2981,3 +3165,226 @@
@@ -2981,3 +3165,247 @@
allow $1 userdomain:dbus send_msg;
')
@ -26638,7 +26639,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ attribute
+ ')
+
+ allow $1 unpriv_userdomain;:unix_dgram_socket sendto;
+ allow $1 unpriv_userdomain:unix_dgram_socket sendto;
+')
+
+
+
+#######################################
+## <summary>
+## Allow execmod on files in homedirectory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolebase/>
+#
+interface(`userdom_execmod_user_home_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file execmod;
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.1/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2008-11-13 18:40:02.000000000 -0500
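Review bot: The added `userdom_execmod_user_home_files(unconfined_t)` call in unconfined.te grants `execmod` on every `user_home_t` file unconditionally, so the text-relocation check no longer applies to any user-writable home-directory file that the unconfined domain maps and executes. If the `allow_execmod` boolean is defined in this tree (it is not visible in these hunks), placing the call inside a `tunable_policy` block keyed on that boolean would let administrators switch the relaxation off. The interface summary should also say what is being relaxed, for example `## Allow the specified domain to execute user home files that require text relocation (execmod).` The commit title names only the /var/spool/rsyslog labeling, but the hunks shown here add this execmod access and remove the stray `;` from `allow $1 unpriv_userdomain:unix_dgram_socket sendto;`, so the changelog entry would be easier to audit if it listed them as well.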