- Allow iptables to talk to terminals

This commit is contained in:
Daniel J Walsh 2008-12-04 20:36:26 +00:00
parent 01ce3df8a6
commit c136db3296
2 changed files with 59 additions and 38 deletions


@ -21556,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.1/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-03 09:10:20.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/authlogin.if 2008-12-04 14:13:34.000000000 -0500
@@ -43,6 +43,7 @@ @@ -43,6 +43,7 @@
interface(`auth_login_pgm_domain',` interface(`auth_login_pgm_domain',`
gen_require(` gen_require(`
@ -21601,13 +21601,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_rw_utmp($1) init_rw_utmp($1)
@@ -100,8 +117,39 @@ @@ -100,8 +117,40 @@
seutil_read_config($1) seutil_read_config($1)
seutil_read_default_contexts($1) seutil_read_default_contexts($1)
+ userdom_set_rlimitnh($1) + userdom_set_rlimitnh($1)
+ userdom_read_user_home_content_symlinks($1) + userdom_read_user_home_content_symlinks($1)
+ userdom_delete_user_tmp_files($1) + userdom_delete_user_tmp_files($1)
+ userdom_search_admin_dir($1)
+ +
+ optional_policy(` + optional_policy(`
+ dbus_system_bus_client($1) + dbus_system_bus_client($1)
@ -21641,7 +21642,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -207,19 +255,16 @@ @@ -207,19 +256,16 @@
dev_read_rand($1) dev_read_rand($1)
dev_read_urand($1) dev_read_urand($1)
@ -21666,7 +21667,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -230,6 +275,29 @@ @@ -230,6 +276,29 @@
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
') ')
@ -21696,7 +21697,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -254,6 +322,7 @@ @@ -254,6 +323,7 @@
auth_domtrans_chk_passwd($1) auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t; role $2 types chkpwd_t;
@ -21704,7 +21705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1031,6 +1100,32 @@ @@ -1031,6 +1101,32 @@
######################################## ########################################
## <summary> ## <summary>
@ -21737,7 +21738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Manage all files on the filesystem, except ## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions. ## the shadow passwords and listed exceptions.
## </summary> ## </summary>
@@ -1297,6 +1392,10 @@ @@ -1297,6 +1393,10 @@
') ')
optional_policy(` optional_policy(`
@ -21748,7 +21749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nis_use_ypbind($1) nis_use_ypbind($1)
') ')
@@ -1307,6 +1406,7 @@ @@ -1307,6 +1407,7 @@
optional_policy(` optional_policy(`
samba_stream_connect_winbind($1) samba_stream_connect_winbind($1)
samba_read_var_files($1) samba_read_var_files($1)
@ -21756,7 +21757,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
') ')
@@ -1341,3 +1441,61 @@ @@ -1341,3 +1442,61 @@
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -25462,7 +25463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 13:27:59.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-04 14:28:00.000000000 -0500
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -25714,10 +25715,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- gen_require(` - gen_require(`
- type $1_t; - type $1_t;
- ') - ')
- +interface(`userdom_basic_networking',`
- allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms; - allow $1_t self:udp_socket create_socket_perms;
+interface(`userdom_basic_networking',` + allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_unlabeled($1_t)
- corenet_all_recvfrom_netlabel($1_t) - corenet_all_recvfrom_netlabel($1_t)
@ -25729,9 +25732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- corenet_udp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_all_client_packets($1_t) - corenet_sendrecv_all_client_packets($1_t)
+ allow $1 self:tcp_socket create_stream_socket_perms; -
+ allow $1 self:udp_socket create_socket_perms;
- corenet_all_recvfrom_labeled($1_t, $1_t) - corenet_all_recvfrom_labeled($1_t, $1_t)
+ corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1) + corenet_all_recvfrom_netlabel($1)
@ -25848,26 +25849,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ kernel_get_sysvipc_info($1_usertype) + kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices: # Find CDROM devices:
- kernel_read_device_sysctls($1_t) - kernel_read_device_sysctls($1_t)
-
- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype) + kernel_read_device_sysctls($1_usertype)
- corenet_udp_bind_all_nodes($1_t) - corecmd_exec_bin($1_t)
- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_all_nodes($1_usertype) + corenet_udp_bind_all_nodes($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype) + corenet_udp_bind_generic_port($1_usertype)
- dev_read_rand($1_t) - corenet_udp_bind_all_nodes($1_t)
- dev_write_sound($1_t) - corenet_udp_bind_generic_port($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype) + dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype) + dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype) + dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype) + dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype)
- dev_read_rand($1_t)
- dev_write_sound($1_t)
- dev_read_sound($1_t)
- dev_read_sound_mixer($1_t)
- dev_write_sound_mixer($1_t)
-
- files_exec_etc_files($1_t) - files_exec_etc_files($1_t)
- files_search_locks($1_t) - files_search_locks($1_t)
+ files_exec_etc_files($1_usertype) + files_exec_etc_files($1_usertype)
@ -26066,16 +26067,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- postgresql_stream_connect($1_t) - postgresql_stream_connect($1_t)
- postgresql_tcp_connect($1_t) - postgresql_tcp_connect($1_t)
+ postgresql_stream_connect($1_usertype) + postgresql_stream_connect($1_usertype)
+ ')
') ')
+
+ optional_policy(`
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_usertype)
') ')
optional_policy(` optional_policy(`
- resmgr_stream_connect($1_t) - resmgr_stream_connect($1_t)
+ # to allow monitoring of pcmcia status
+ pcmcia_read_pid($1_usertype)
+ ')
+
+ optional_policy(`
+ pcscd_read_pub_files($1_usertype) + pcscd_read_pub_files($1_usertype)
+ pcscd_stream_connect($1_usertype) + pcscd_stream_connect($1_usertype)
') ')
@ -26111,19 +26112,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- userdom_manage_home_role($1_r, $1_t) - userdom_manage_home_role($1_r, $1_t)
+ userdom_change_password_template($1) + userdom_change_password_template($1)
+
+ userdom_manage_home_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_home_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_exec_user_tmp_files($1_t) - userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t) - userdom_exec_user_home_content_files($1_t)
+ gen_tunable(allow_$1_exec_content, true) + userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_change_password_template($1) - userdom_change_password_template($1)
+ gen_tunable(allow_$1_exec_content, true)
+
+ tunable_policy(`allow_$1_exec_content',` + tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype)
@ -26288,11 +26289,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_role($1_r, $1_t) auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t) - auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype) + auth_search_pam_console_data($1_usertype)
+
+ xserver_role($1_r, $1_t)
- dev_read_sound($1_t) - dev_read_sound($1_t)
- dev_write_sound($1_t) - dev_write_sound($1_t)
+ xserver_role($1_r, $1_t)
+
+ dev_read_sound($1_usertype) + dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype) + dev_write_sound($1_usertype)
# gnome keyring wants to read this. # gnome keyring wants to read this.
@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains. ## Send a dbus message to all user domains.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2981,3 +3172,245 @@ @@ -2981,3 +3172,262 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')
@ -26931,6 +26932,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:dir search_dir_perms;
+') +')
+########################################
+## <summary>
+## dontaudit list /root
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_list_admin_dir',`
+ gen_require(`
+ type admin_home_t;
+ ')
+
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+')
+ +
+######################################## +########################################
+## <summary> +## <summary>
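Review bot: The new `userdom_search_admin_dir($1)` line added inside `auth_login_pgm_domain` (hunk `@@ -100,8 +117,40 @@`) grants every domain that calls this interface search access on admin_home_t (/root), while the new `userdom_dontaudit_list_admin_dir` interface added later in the same file only silences list denials; if the goal in the login-program case is also just to quiet AVC noise rather than to allow the traversal, a dontaudit of search_dir_perms (the interface whose body is visible just above the new one appears to do exactly that) would be the narrower choice, so the allow should at least carry a comment stating why login programs need to search /root, e.g. `# login programs search /root because <reason>`. The commit title and the added changelog line ("Allow iptables to talk to terminals") do not describe either the authlogin or the userdomain changes in this patch file; the changelog entry for 3.6.1-6 should mention them so the policy change is discoverable. The `auth_login_pgm_domain` interface and the userdomain template hunks all start and end outside the visible hunks, so the surrounding context (including whether `userdom_search_admin_dir` is already pulled in elsewhere) cannot be confirmed from here.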


@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.1 Version: 3.6.1
Release: 5%{?dist} Release: 6%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-6
- Allow iptables to talk to terminals
* Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5 * Thu Dec 4 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-5
- Allow iptables to talk to terminals - Allow iptables to talk to terminals