- Fix dbus chat to not happen for xguest and guest users

2007-08-10 16:10:27 +00:00 · 2007-08-10 16:10:27 +00:00 · bf33202534
commit bf33202534
parent d44a393484
2 changed files with 85 additions and 121 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -594,7 +594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.0.5/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te	2007-08-07 10:18:57.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/logwatch.te	2007-08-10 11:56:22.000000000 -0400
@@ -29,7 +29,6 @@
 allow logwatch_t self:process signal;
 allow logwatch_t self:fifo_file rw_file_perms;
@ -608,7 +608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 
 dev_read_urand(logwatch_t)
 -dev_search_sysfs(logwatch_t)
-+dev_list_sysfs(logwatch_t)
+dev_read_sysfs(logwatch_t)
 
 # Read /proc/PID directories for all domains.
 domain_read_all_domains_state(logwatch_t)
@ -4119,17 +4119,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind
 corenet_sendrecv_rndc_client_packets(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.0.5/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-08-02 08:17:27.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/bluetooth.te	2007-08-07 09:39:49.000000000 -0400
-@@ -128,6 +128,7 @@
- 	dbus_system_bus_client_template(bluetooth,bluetooth_t)
- 	dbus_connect_system_bus(bluetooth_t)
- 	dbus_send_system_bus(bluetooth_t)
-+	userdom_dbus_chat_all_users(bluetooth_t)
- ')
- 
- optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.5/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/clamav.fc	2007-08-07 09:39:49.000000000 -0400
@ -4192,7 +4181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.5/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/consolekit.te	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/consolekit.te	2007-08-10 11:40:51.000000000 -0400
@@ -10,7 +10,6 @@
 type consolekit_exec_t;
 init_daemon_domain(consolekit_t, consolekit_exec_t)
@ -4233,12 +4222,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 optional_policy(`
 	dbus_system_bus_client_template(consolekit, consolekit_t)
 	dbus_send_system_bus(consolekit_t)
-@@ -62,9 +68,17 @@
+@@ -62,9 +68,16 @@
 	optional_policy(`
 		unconfined_dbus_chat(consolekit_t)
 	')
 +
-+	userdom_dbus_chat_all_users(consolekit_t)
 ')
 
 optional_policy(`
@ -4671,7 +4659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.5/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/cups.te	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/cups.te	2007-08-10 11:32:15.000000000 -0400
@@ -81,12 +81,11 @@
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@ -4784,18 +4772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_t, cupsd_exec_t)
 ')
 
-@@ -250,6 +278,10 @@
- 	optional_policy(`
- 		hal_dbus_chat(cupsd_t)
- 	')
-+
-+	optional_policy(`
-+		userdom_dbus_chat_all_users(cupsd_t)
-+	')
- ')
- 
- optional_policy(`
-@@ -265,16 +297,16 @@
+@@ -265,16 +293,16 @@
 ')
 
 optional_policy(`
@ -4816,7 +4793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	seutil_sigchld_newrole(cupsd_t)
 ')
 
-@@ -379,6 +411,14 @@
+@@ -379,6 +407,14 @@
 ')
 
 optional_policy(`
@ -4831,7 +4808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
-@@ -562,7 +602,7 @@
+@@ -562,7 +598,7 @@
 dev_read_urand(hplip_t)
 dev_read_rand(hplip_t)
 dev_rw_generic_usb_dev(hplip_t)
@ -4840,7 +4817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 fs_getattr_all_fs(hplip_t)
 fs_search_auto_mountpoints(hplip_t)
-@@ -589,8 +629,6 @@
+@@ -589,8 +625,6 @@
 userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
 userdom_dontaudit_search_all_users_home_content(hplip_t)
 
@ -5431,7 +5408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.5/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/hal.te	2007-08-09 14:46:39.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/hal.te	2007-08-10 11:34:53.000000000 -0400
@@ -22,6 +22,12 @@
 type hald_log_t;
 files_type(hald_log_t)
@ -5495,18 +5472,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 	alsa_read_rw_config(hald_t)
 ')
 
-@@ -228,6 +242,10 @@
+@@ -228,6 +242,7 @@
 	optional_policy(`
 		networkmanager_dbus_chat(hald_t)
 	')
 +
-+	optional_policy(`
-+		userdom_dbus_chat_all_users(hald_t)
-+	')
 ')
 
 optional_policy(`
-@@ -283,6 +301,7 @@
+@@ -283,6 +298,7 @@
 #
 
 allow hald_acl_t self:capability { dac_override fowner };
@ -5514,7 +5488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 allow hald_acl_t self:fifo_file read_fifo_file_perms;
 
 domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
-@@ -296,7 +315,10 @@
+@@ -296,7 +312,10 @@
 corecmd_exec_bin(hald_acl_t)
 
 dev_getattr_all_chr_files(hald_acl_t)
@ -5525,7 +5499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 dev_setattr_sound_dev(hald_acl_t)
 dev_setattr_generic_usb_dev(hald_acl_t)
 dev_setattr_usbfs_files(hald_acl_t)
-@@ -358,3 +380,25 @@
+@@ -358,3 +377,25 @@
 libs_use_shared_libs(hald_sonypic_t)
 
 miscfiles_read_localization(hald_sonypic_t)
@ -5987,7 +5961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-07 09:39:49.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-10 11:35:13.000000000 -0400
@@ -41,6 +41,8 @@
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
@ -5997,15 +5971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_all_if(NetworkManager_t)
-@@ -136,6 +138,7 @@
- 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
- 	dbus_connect_system_bus(NetworkManager_t)
- 	dbus_send_system_bus(NetworkManager_t)
-+	userdom_dbus_chat_all_users(NetworkManager_t)
- ')
- 
- optional_policy(`
-@@ -152,6 +155,11 @@
+@@ -152,6 +154,11 @@
 ')
 
 optional_policy(`
@ -6017,7 +5983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
-@@ -166,6 +174,7 @@
+@@ -166,6 +173,7 @@
 ')
 
 optional_policy(`
@ -11153,7 +11119,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-07 10:28:24.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-10 11:57:57.000000000 -0400
@@ -62,6 +62,10 @@
 
 	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
@ -11451,7 +11417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	optional_policy(`
 		alsa_read_rw_config($1_t)
 	')
-@@ -829,34 +777,14 @@
+@@ -829,11 +777,6 @@
 	')
 
 	optional_policy(`
@ -11463,56 +11429,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		allow $1_t self:dbus send_msg;
 		dbus_system_bus_client_template($1,$1_t)
 
- 		optional_policy(`
-			bluetooth_dbus_chat($1_t)
-		')
-
-		optional_policy(`
- 			evolution_dbus_chat($1,$1_t)
- 			evolution_alarm_dbus_chat($1,$1_t)
+@@ -842,21 +785,18 @@
 		')
 
-		optional_policy(`
+ 		optional_policy(`
+-			evolution_dbus_chat($1,$1_t)
+-			evolution_alarm_dbus_chat($1,$1_t)
+			consolekit_dbus_chat($1_t)
+ 		')
+ 
+ 		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-		')
-
-		optional_policy(`
+			networkmanager_dbus_chat($1_t)
+ 		')
+ 
+ 		optional_policy(`
 -			hal_dbus_chat($1_t)
-		')
-
+			evolution_dbus_chat($1,$1_t)
+			evolution_alarm_dbus_chat($1,$1_t)
+ 		')
+ 
 -		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
 -		')
 	')
 
 	optional_policy(`
-@@ -884,17 +812,19 @@
+@@ -884,17 +824,17 @@
 	')
 
 	optional_policy(`
 -		nis_use_ypbind($1_t)
-	')
-
-	optional_policy(`
- 		tunable_policy(`allow_user_mysql_connect',`
- 			mysql_stream_connect($1_t)
- 		')
+		alsa_read_rw_config($1_t)
 	')
 
 -	optional_policy(`
-		nscd_socket_use($1_t)
+-		tunable_policy(`allow_user_mysql_connect',`
+-			mysql_stream_connect($1_t)
+-		')
+-	')
 +	 optional_policy(`
 +	          tunable_policy(`allow_user_postgresql_connect',`
 +			postgresql_stream_connect($1_t)
 +		  ')
 +        ')
-+
+ 
+-	optional_policy(`
+-		nscd_socket_use($1_t)
 +	tunable_policy(`user_ttyfile_stat',`
 +		term_getattr_all_user_ttys($1_t)
 	')
 
 	optional_policy(`
-@@ -908,16 +838,6 @@
+@@ -908,16 +848,6 @@
 	')
 
 	optional_policy(`
@ -11529,7 +11498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		resmgr_stream_connect($1_t)
 	')
 
-@@ -927,11 +847,6 @@
+@@ -927,11 +857,6 @@
 	')
 
 	optional_policy(`
@ -11541,7 +11510,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 		samba_stream_connect_winbind($1_t)
 	')
 
-@@ -962,21 +877,162 @@
+@@ -962,21 +887,162 @@
 ##	</summary>
 ## </param>
 #
@ -11710,7 +11679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	domain_interactive_fd($1_t)
 
 	typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1041,53 @@
+@@ -985,15 +1051,53 @@
 	typeattribute $1_tmp_t user_tmpfile;
 	typeattribute $1_tty_device_t user_ttynode;
 
@ -11768,10 +11737,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	# port access is audited even if dac would not have allowed it, so dontaudit it here
 	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,15 +1123,7 @@
- 	# and may change other protocols
- 	tunable_policy(`user_tcp_server',`
- 		corenet_tcp_bind_all_nodes($1_t)
+@@ -1024,20 +1128,12 @@
+ 		kernel_dontaudit_read_ring_buffer($1_t)
+ 	')
+ 
+-	# Allow users to run TCP servers (bind to ports and accept connection from
+-	# the same domain and outside users)  disabling this forces FTP passive mode
+-	# and may change other protocols
+-	tunable_policy(`user_tcp_server',`
+-		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 -	')
 -
@ -11781,11 +11755,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -
 -	optional_policy(`
 -		loadkeys_run($1_t,$1_r,$1_tty_device_t)
+	# Allow users to run TCP servers (bind to ports and accept connection from
+	# the same domain and outside users)  disabling this forces FTP passive mode
+	# and may change other protocols
+	tunable_policy(`user_tcp_server',`
+		corenet_tcp_bind_all_nodes($1_t)
 +		corenet_tcp_bind_all_unreserved_ports($1_t)
 	')
 
 	optional_policy(`
-@@ -1054,17 +1140,6 @@
+@@ -1054,17 +1150,6 @@
 		setroubleshoot_stream_connect($1_t)
 	')
 
@ -11803,7 +11782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 #######################################
-@@ -1102,6 +1177,8 @@
+@@ -1102,6 +1187,8 @@
 		class passwd { passwd chfn chsh rootok crontab };
 	')
 
@ -11812,7 +11791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	##############################
 	#
 	# Declarations
-@@ -1127,7 +1204,7 @@
+@@ -1127,7 +1214,7 @@
 	# $1_t local policy
 	#
 
@ -11821,7 +11800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	allow $1_t self:process { setexec setfscreate };
 
 	# Set password information for other users.
-@@ -1139,7 +1216,11 @@
+@@ -1139,7 +1226,11 @@
 	# Manipulate other users crontab.
 	allow $1_t self:passwd crontab;
 
@ -11834,7 +11813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 
 	kernel_read_software_raid_state($1_t)
 	kernel_getattr_core_if($1_t)
-@@ -1902,6 +1983,41 @@
+@@ -1902,6 +1993,41 @@
 
 ########################################
 ## <summary>
@ -11876,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
-@@ -3078,7 +3194,7 @@
+@@ -3078,7 +3204,7 @@
 #
 template(`userdom_tmp_filetrans_user_tmp',`
 	gen_require(`
@ -11885,7 +11864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 
 	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -5323,7 +5439,7 @@
+@@ -5323,7 +5449,7 @@
 		attribute user_tmpfile;
 	')
 
@ -11894,34 +11873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 
 ########################################
-@@ -5548,6 +5664,26 @@
- 
- ########################################
- ## <summary>
-+##	Send a dbus message to all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dbus_chat_all_users',`
-+	gen_require(`
-+		attribute userdomain;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 userdomain:dbus send_msg;
-+	allow userdomain $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
- ##	Unconfined access to user domains.  (Deprecated)
- ## </summary>
- ## <param name="domain">
-@@ -5559,3 +5695,275 @@
+@@ -5559,3 +5685,280 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -12113,6 +12065,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	dbus_per_role_template($1, $1_t, $1_r)
 +	dbus_system_bus_client_template($1, $1_t)
 +	allow $1_t self:dbus send_msg;
+
+	optional_policy(`
+		cups_dbus_chat($1_t)
+	')
+
 +')
 +
 +optional_policy(`
@ -12396,13 +12353,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.5/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.5/policy/modules/users/guest.te	2007-08-07 09:39:49.000000000 -0400
-@@ -0,0 +1,5 @@
+++ serefpolicy-3.0.5/policy/modules/users/guest.te	2007-08-10 11:34:33.000000000 -0400
+@@ -0,0 +1,9 @@
 +policy_module(guest,1.0.0)
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
 +userdom_unpriv_xwindows_login_user(xguest)
 +mozilla_per_role_template(xguest, xguest_t, xguest_r)
+# Allow mounting of file systems
+optional_policy(`
+	hal_dbus_chat(xguest_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.5/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.5/policy/modules/users/logadm.fc	2007-08-07 09:39:49.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -360,6 +360,9 @@ exit 0
 %endif

 %changelog
+* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-4
+- Fix dbus chat to not happen for xguest and guest users
+
 * Mon Aug 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.5-3
 - Fix nagios cgi
 - allow squid to communicate with winbind