- Don't run crontab from unconfined_t

2008-04-24 21:08:32 +00:00 · 2008-04-24 21:08:32 +00:00 · b4e933120a
parent ef5e600999
commit b4e933120a
2 changed files with 27 additions and 25 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -31339,7 +31339,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-21 11:02:50.559558000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-04-24 16:57:46.339086000 -0400
@@ -6,35 +6,67 @@
 # Declarations
 #
@ -31412,7 +31412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -42,23 +74,36 @@
+@@ -42,37 +74,44 @@
 logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
@ -31439,38 +31439,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +	tunable_policy(`allow_unconfined_nsplugin_transition', `
 +		nsplugin_use(unconfined, unconfined_t)
 +	')
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
+-	# this is disallowed usage:
+-	unconfined_domain(httpd_unconfined_script_t)
 +	ada_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
- 	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(httpd_unconfined_script_t)
+-	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
-@@ -69,11 +114,11 @@
- 	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+-	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+	bind_run_ndc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
 ')
 
-optional_policy(`
+ optional_policy(`
 -	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
 -	# this is disallowed usage:
 -	unconfined_domain(unconfined_crond_t)
-')
-+#optional_policy(`
-+#	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
-+#	unconfined_domain(unconfined_crontab_t)
-+#	role system_r types unconfined_crontab_t;
-+#')
+	bootloader_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
 
 optional_policy(`
- 	init_dbus_chat_script(unconfined_t)
-@@ -101,12 +146,24 @@
+@@ -101,12 +140,24 @@
 	')
 
 	optional_policy(`
@ -31495,7 +31492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -118,11 +175,7 @@
+@@ -118,11 +169,7 @@
 ')
 
 optional_policy(`
@ -31508,7 +31505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,82 +187,92 @@
+@@ -134,82 +181,97 @@
 ')
 
 optional_policy(`
@ -31550,6 +31547,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -	# cjp: this should probably be removed:
 -	postfix_domtrans_master(unconfined_t)
 +	cron_per_role_template(unconfined, unconfined_t, unconfined_r)
+	# this is disallowed usage:
+	unconfined_domain(unconfined_crond_t)
+	unconfined_domain(unconfined_crontab_t)
+	role system_r types unconfined_crontab_t;
+	rpm_transition_script(unconfined_crond_t)
 ')
 
 -
@ -31626,7 +31628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -219,14 +282,35 @@
+@@ -219,14 +281,35 @@
 
 allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 40%{?dist}
+Release: 41%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -385,7 +385,7 @@ exit 0
 %endif

 %changelog
-* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-40 
+* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-41
 - Don't run crontab from unconfined_t

 * Wed Apr 23 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-39