rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Don't run crontab from unconfined_t

Browse Source
This commit is contained in:
Daniel J Walsh 2008-04-24 21:08:32 +00:00
parent ef5e600999
commit b4e933120a
2 changed files with 27 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
policy-20071130.patch
View File

@ -31339,7 +31339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-21 11:02:50.559558000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-04-24 16:57:46.339086000 -0400
@@ -6,35 +6,67 @@
# Declarations
#
@ -31412,7 +31412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@@ -42,23 +74,36 @@
@@ -42,37 +74,44 @@
logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -31439,38 +31439,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+ tunable_policy(`allow_unconfined_nsplugin_transition', `
+ nsplugin_use(unconfined, unconfined_t)
+ ')
+')
+
+optional_policy(`
')
optional_policy(`
- apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
- bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
@@ -69,11 +114,11 @@
bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
-optional_policy(`
optional_policy(`
- cron_per_role_template(unconfined, unconfined_t, unconfined_r)
- # this is disallowed usage:
- unconfined_domain(unconfined_crond_t)
-')
+#optional_policy(`
+# cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+# unconfined_domain(unconfined_crontab_t)
+# role system_r types unconfined_crontab_t;
+#')
+ bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
init_dbus_chat_script(unconfined_t)
@@ -101,12 +146,24 @@
@@ -101,12 +140,24 @@
')
optional_policy(`
@ -31495,7 +31492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
@@ -118,11 +175,7 @@
@@ -118,11 +169,7 @@
')
optional_policy(`
@ -31508,7 +31505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
@@ -134,82 +187,92 @@
@@ -134,82 +181,97 @@
')
optional_policy(`
@ -31550,6 +31547,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
+ cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+ # this is disallowed usage:
+ unconfined_domain(unconfined_crond_t)
+ unconfined_domain(unconfined_crontab_t)
+ role system_r types unconfined_crontab_t;
+ rpm_transition_script(unconfined_crond_t)
')
-
@ -31626,7 +31628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
@@ -219,14 +282,35 @@
@@ -219,14 +281,35 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)

4
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
Release: 40%{?dist}
Release: 41%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -385,7 +385,7 @@ exit 0
%endif
%changelog
* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-40
* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-41
- Don't run crontab from unconfined_t
* Wed Apr 23 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-39