- Allow login programs to read symlinks on homedirs
This commit is contained in:
parent
e8b5993e52
commit
bc85a6bb23
@ -7053,6 +7053,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi
|
||||
|
||||
sysnet_read_config(radiusd_t)
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.0.6/policy/modules/services/remotelogin.te
|
||||
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2007-06-11 16:05:30.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/services/remotelogin.te 2007-08-28 11:20:57.000000000 -0400
|
||||
@@ -85,6 +85,7 @@
|
||||
|
||||
miscfiles_read_localization(remote_login_t)
|
||||
|
||||
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
|
||||
userdom_use_unpriv_users_fds(remote_login_t)
|
||||
userdom_search_all_users_home_content(remote_login_t)
|
||||
# Only permit unprivileged user domains to be entered via rlogin,
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhgb.te serefpolicy-3.0.6/policy/modules/services/rhgb.te
|
||||
--- nsaserefpolicy/policy/modules/services/rhgb.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/services/rhgb.te 2007-08-22 08:03:53.000000000 -0400
|
||||
@ -8165,7 +8176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.6/policy/modules/services/ssh.te
|
||||
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/services/ssh.te 2007-08-22 08:03:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/services/ssh.te 2007-08-28 11:18:37.000000000 -0400
|
||||
@@ -24,7 +24,7 @@
|
||||
|
||||
# Type for the ssh-agent executable.
|
||||
@ -8184,7 +8195,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
|
||||
kernel_search_key(sshd_t)
|
||||
kernel_link_key(sshd_t)
|
||||
|
||||
@@ -100,6 +102,11 @@
|
||||
@@ -80,6 +82,8 @@
|
||||
corenet_tcp_bind_xserver_port(sshd_t)
|
||||
corenet_sendrecv_xserver_server_packets(sshd_t)
|
||||
|
||||
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
|
||||
+
|
||||
tunable_policy(`ssh_sysadm_login',`
|
||||
# Relabel and access ptys created by sshd
|
||||
# ioctl is necessary for logout() processing for utmp entry and for w to
|
||||
@@ -100,6 +104,11 @@
|
||||
userdom_use_unpriv_users_ptys(sshd_t)
|
||||
')
|
||||
|
||||
@ -8196,7 +8216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
|
||||
optional_policy(`
|
||||
daemontools_service_domain(sshd_t, sshd_exec_t)
|
||||
')
|
||||
@@ -119,7 +126,12 @@
|
||||
@@ -119,7 +128,12 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10023,7 +10043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
|
||||
')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.0.6/policy/modules/system/locallogin.te
|
||||
--- nsaserefpolicy/policy/modules/system/locallogin.te 2007-07-25 10:37:42.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/locallogin.te 2007-08-22 08:03:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/locallogin.te 2007-08-28 11:20:41.000000000 -0400
|
||||
@@ -97,6 +97,11 @@
|
||||
term_setattr_all_user_ttys(local_login_t)
|
||||
term_setattr_unallocated_ttys(local_login_t)
|
||||
@ -10036,7 +10056,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
|
||||
auth_rw_login_records(local_login_t)
|
||||
auth_rw_faillog(local_login_t)
|
||||
auth_manage_pam_console_data(local_login_t)
|
||||
@@ -160,6 +165,15 @@
|
||||
@@ -130,6 +135,7 @@
|
||||
|
||||
miscfiles_read_localization(local_login_t)
|
||||
|
||||
+userdom_read_all_users_home_dirs_symlinks(local_login_t)
|
||||
userdom_spec_domtrans_all_users(local_login_t)
|
||||
userdom_signal_all_users(local_login_t)
|
||||
userdom_search_all_users_home_content(local_login_t)
|
||||
@@ -160,6 +166,15 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10052,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
|
||||
gpm_getattr_gpmctl(local_login_t)
|
||||
gpm_setattr_gpmctl(local_login_t)
|
||||
')
|
||||
@@ -178,13 +192,18 @@
|
||||
@@ -178,13 +193,18 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -11067,7 +11095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.6/policy/modules/system/selinuxutil.te
|
||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-08-22 07:14:13.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/selinuxutil.te 2007-08-22 08:03:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/selinuxutil.te 2007-08-28 11:34:21.000000000 -0400
|
||||
@@ -1,5 +1,5 @@
|
||||
|
||||
-policy_module(selinuxutil,1.6.2)
|
||||
@ -11138,7 +11166,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
logging_send_syslog_msg(newrole_t)
|
||||
|
||||
miscfiles_read_localization(newrole_t)
|
||||
@@ -361,7 +369,7 @@
|
||||
@@ -343,6 +351,8 @@
|
||||
|
||||
miscfiles_read_localization(restorecond_t)
|
||||
|
||||
+userdom_read_all_users_home_dirs_symlinks(restorecond_t)
|
||||
+
|
||||
optional_policy(`
|
||||
rpm_use_script_fds(restorecond_t)
|
||||
')
|
||||
@@ -361,7 +371,7 @@
|
||||
allow run_init_t self:process setexec;
|
||||
allow run_init_t self:capability setuid;
|
||||
allow run_init_t self:fifo_file rw_file_perms;
|
||||
@ -11147,7 +11184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
|
||||
# often the administrator runs such programs from a directory that is owned
|
||||
# by a different user or has restrictive SE permissions, do not want to audit
|
||||
@@ -375,6 +383,7 @@
|
||||
@@ -375,6 +385,7 @@
|
||||
term_dontaudit_list_ptys(run_init_t)
|
||||
|
||||
auth_domtrans_chk_passwd(run_init_t)
|
||||
@ -11155,7 +11192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
auth_dontaudit_read_shadow(run_init_t)
|
||||
|
||||
corecmd_exec_bin(run_init_t)
|
||||
@@ -431,7 +440,7 @@
|
||||
@@ -431,7 +442,7 @@
|
||||
allow semanage_t self:capability { dac_override audit_write };
|
||||
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
@ -11164,7 +11201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
|
||||
|
||||
@@ -442,7 +451,10 @@
|
||||
@@ -442,7 +453,10 @@
|
||||
kernel_read_system_state(semanage_t)
|
||||
kernel_read_kernel_sysctls(semanage_t)
|
||||
|
||||
@ -11175,7 +11212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
|
||||
dev_read_urand(semanage_t)
|
||||
|
||||
@@ -465,6 +477,8 @@
|
||||
@@ -465,6 +479,8 @@
|
||||
|
||||
# Running genhomedircon requires this for finding all users
|
||||
auth_use_nsswitch(semanage_t)
|
||||
@ -11184,7 +11221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
|
||||
libs_use_ld_so(semanage_t)
|
||||
libs_use_shared_libs(semanage_t)
|
||||
@@ -488,6 +502,17 @@
|
||||
@@ -488,6 +504,17 @@
|
||||
# netfilter_contexts:
|
||||
seutil_manage_default_contexts(semanage_t)
|
||||
|
||||
@ -11202,7 +11239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
# cjp: need a more general way to handle this:
|
||||
ifdef(`enable_mls',`
|
||||
# read secadm tmp files
|
||||
@@ -515,6 +540,8 @@
|
||||
@@ -515,6 +542,8 @@
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
@ -11211,7 +11248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
||||
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
||||
@@ -531,6 +558,7 @@
|
||||
@@ -531,6 +560,7 @@
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
fs_list_all(setfiles_t)
|
||||
@ -11219,7 +11256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||
fs_search_auto_mountpoints(setfiles_t)
|
||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||
|
||||
@@ -586,6 +614,10 @@
|
||||
@@ -586,6 +616,10 @@
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
optional_policy(`
|
||||
@ -11789,9 +11826,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
|
||||
')
|
||||
+
|
||||
+corecmd_exec_all_executables(unconfined_t)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.0.6/policy/modules/system/userdomain.fc
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2007-05-29 14:10:58.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.fc 2007-08-28 11:11:29.000000000 -0400
|
||||
@@ -1,4 +1,5 @@
|
||||
HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||
+HOME_DIR -l gen_context(system_u:object_r:ROLE_home_dir_t,s0-mls_systemhigh)
|
||||
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
|
||||
|
||||
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-22 08:03:53.000000000 -0400
|
||||
+++ serefpolicy-3.0.6/policy/modules/system/userdomain.if 2007-08-28 11:17:43.000000000 -0400
|
||||
@@ -62,6 +62,10 @@
|
||||
|
||||
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
|
||||
@ -12386,15 +12432,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||
@@ -1024,20 +1120,12 @@
|
||||
kernel_dontaudit_read_ring_buffer($1_t)
|
||||
')
|
||||
|
||||
- # Allow users to run TCP servers (bind to ports and accept connection from
|
||||
- # the same domain and outside users) disabling this forces FTP passive mode
|
||||
- # and may change other protocols
|
||||
- tunable_policy(`user_tcp_server',`
|
||||
- corenet_tcp_bind_all_nodes($1_t)
|
||||
@@ -1029,15 +1125,7 @@
|
||||
# and may change other protocols
|
||||
tunable_policy(`user_tcp_server',`
|
||||
corenet_tcp_bind_all_nodes($1_t)
|
||||
- corenet_tcp_bind_generic_port($1_t)
|
||||
- ')
|
||||
-
|
||||
@ -12404,11 +12445,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
-
|
||||
- optional_policy(`
|
||||
- loadkeys_run($1_t,$1_r,$1_tty_device_t)
|
||||
+ # Allow users to run TCP servers (bind to ports and accept connection from
|
||||
+ # the same domain and outside users) disabling this forces FTP passive mode
|
||||
+ # and may change other protocols
|
||||
+ tunable_policy(`user_tcp_server',`
|
||||
+ corenet_tcp_bind_all_nodes($1_t)
|
||||
+ corenet_tcp_bind_all_unreserved_ports($1_t)
|
||||
')
|
||||
|
||||
@ -12462,17 +12498,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
@@ -1902,6 +1985,41 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## dontaudit attemps to Create files
|
||||
+## in a user home subdirectory.
|
||||
@@ -1817,27 +1900,62 @@
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## <summary>
|
||||
-## Domain to transition to.
|
||||
+## Domain to transition to.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`userdom_user_home_domtrans',`
|
||||
+ gen_require(`
|
||||
+ type $1_home_dir_t, $1_home_t;
|
||||
+ ')
|
||||
+
|
||||
+ files_search_home($2)
|
||||
+ allow $2 $1_home_dir_t:dir search_dir_perms;
|
||||
+ domain_auto_trans($2,$1_home_t,$3)
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to list user home subdirectories.
|
||||
+## </summary>
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Create, read, write, and delete directories
|
||||
+## in a user home subdirectory.
|
||||
+## Do not audit attempts to list user home subdirectories.
|
||||
+## </p>
|
||||
+## <p>
|
||||
+## This is a templated interface, and should only
|
||||
@ -12487,23 +12538,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
+## </param>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+template(`userdom_dontaudit_create_user_home_content_files',`
|
||||
+ gen_require(`
|
||||
+## Domain to not audit
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_user_home_domtrans',`
|
||||
+template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
- type $1_home_dir_t, $1_home_t;
|
||||
+ type $1_home_dir_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $2 $1_home_dir_t:file create;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to set the
|
||||
## attributes of user home files.
|
||||
')
|
||||
|
||||
- files_search_home($2)
|
||||
- allow $2 $1_home_dir_t:dir search_dir_perms;
|
||||
- domain_auto_trans($2,$1_home_t,$3)
|
||||
+ dontaudit $2 $1_home_dir_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Do not audit attempts to list user home subdirectories.
|
||||
+## Create, read, write, and delete directories
|
||||
+## in a user home subdirectory.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Do not audit attempts to list user home subdirectories.
|
||||
+## Create, read, write, and delete directories
|
||||
+## in a user home subdirectory.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is a templated interface, and should only
|
||||
@@ -1852,21 +1970,22 @@
|
||||
## </param>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain to not audit
|
||||
+## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_dontaudit_list_user_home_dirs',`
|
||||
+template(`userdom_manage_user_home_content_dirs',`
|
||||
gen_require(`
|
||||
- type $1_home_dir_t;
|
||||
+ type $1_home_dir_t, $1_home_t;
|
||||
')
|
||||
|
||||
- dontaudit $2 $1_home_dir_t:dir list_dir_perms;
|
||||
+ files_search_home($2)
|
||||
+ manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
-## Create, read, write, and delete directories
|
||||
+## dontaudit attemps to Create files
|
||||
## in a user home subdirectory.
|
||||
## </summary>
|
||||
## <desc>
|
||||
@@ -1891,13 +2010,12 @@
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
-template(`userdom_manage_user_home_content_dirs',`
|
||||
+template(`userdom_dontaudit_create_user_home_content_files',`
|
||||
gen_require(`
|
||||
- type $1_home_dir_t, $1_home_t;
|
||||
+ type $1_home_dir_t;
|
||||
')
|
||||
|
||||
- files_search_home($2)
|
||||
- manage_dirs_pattern($2,{ $1_home_dir_t $1_home_t },$1_home_t)
|
||||
+ dontaudit $2 $1_home_dir_t:file create;
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -3078,7 +3196,7 @@
|
||||
#
|
||||
template(`userdom_tmp_filetrans_user_tmp',`
|
||||
@ -12513,7 +12623,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
files_tmp_filetrans($2,$1_tmp_t,$3)
|
||||
@@ -5323,7 +5441,7 @@
|
||||
@@ -4615,6 +4733,24 @@
|
||||
files_list_home($1)
|
||||
allow $1 home_dir_type:dir search_dir_perms;
|
||||
')
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Read all users home directories symlinks.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`userdom_read_all_users_home_dirs_symlinks',`
|
||||
+ gen_require(`
|
||||
+ attribute home_dir_type;
|
||||
+ ')
|
||||
+
|
||||
+ files_list_home($1)
|
||||
+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
|
||||
+')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -5323,7 +5459,7 @@
|
||||
attribute user_tmpfile;
|
||||
')
|
||||
|
||||
@ -12522,7 +12657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5559,3 +5677,280 @@
|
||||
@@ -5559,3 +5695,280 @@
|
||||
interface(`userdom_unconfined',`
|
||||
refpolicywarn(`$0($*) has been deprecated.')
|
||||
')
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.0.7
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -362,6 +362,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-2
|
||||
- Allow login programs to read symlinks on homedirs
|
||||
|
||||
* Mon Aug 27 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-1
|
||||
- Update an readd modules
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user