- Allow wine to run in system role

2007-09-07 19:03:11 +00:00 · 2007-09-07 19:03:11 +00:00 · c7e443c95c
parent 37d6a1ce3f
commit c7e443c95c
2 changed files with 122 additions and 21 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -2401,9 +2401,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
 +	role $2 types wine_t;
 +	allow wine_t $3:chr_file rw_term_perms;
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.7/policy/modules/apps/wine.te
+--- nsaserefpolicy/policy/modules/apps/wine.te	2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/apps/wine.te	2007-09-07 09:04:03.000000000 -0400
+@@ -9,6 +9,7 @@
+ type wine_t;
+ type wine_exec_t;
+ application_domain(wine_t,wine_exec_t)
+role system_r types wine_t;
+ 
+ ########################################
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc	2007-09-07 13:47:17.000000000 -0400
@@ -36,6 +36,11 @@
 /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
 /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@ -2437,6 +2448,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 
+@@ -259,3 +265,7 @@
+ ifdef(`distro_suse',`
+ /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
+ ')
+
+/etc/gdm/XKeepsCrashing[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-07-03 07:05:38.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in	2007-09-06 15:43:06.000000000 -0400
@ -2486,7 +2505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in	2007-09-07 15:02:19.000000000 -0400
@@ -55,6 +55,11 @@
 type reserved_port_t, port_type, reserved_port_type;
 
@ -2528,11 +2547,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -160,13 +166,17 @@
+@@ -146,7 +152,7 @@
+ network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+ network_port(spamd, tcp,783,s0)
+ network_port(ssh, tcp,22,s0)
+-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
+ type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
+ type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
+ network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+@@ -160,13 +166,18 @@
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(vnc, tcp,5900,s0)
 +network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
 network_port(xen, tcp,8002,s0)
 -network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
 +network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
@ -5920,7 +5949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 		allow $1 self:tcp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te	2007-09-07 10:31:47.000000000 -0400
@@ -62,7 +62,7 @@
 # Use capabilities. Surplus capabilities may be allowed.
 allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
@ -5964,6 +5993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 ')
 
 optional_policy(`
+@@ -151,7 +157,7 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+ allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -223,6 +229,7 @@
 miscfiles_read_localization(krb5kdc_t)
 
@ -5972,6 +6010,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
+@@ -233,6 +240,7 @@
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(krb5kdc_t)
+	seutil_read_file_contexts(krb5kdc_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.7/policy/modules/services/ktalk.te
 --- nsaserefpolicy/policy/modules/services/ktalk.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.7/policy/modules/services/ktalk.te	2007-09-06 15:43:06.000000000 -0400
@ -7732,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.7/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/rpc.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rpc.te	2007-09-07 10:32:33.000000000 -0400
@@ -59,10 +59,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -7782,16 +7828,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ')
 
 tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +154,8 @@
+@@ -143,6 +154,9 @@
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
 +auth_use_nsswitch(gssd_t)
 +
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +171,9 @@
+@@ -158,6 +172,9 @@
 
 miscfiles_read_certs(gssd_t)
 
@ -9287,7 +9334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te	2007-09-07 15:02:10.000000000 -0400
@@ -16,6 +16,13 @@
 
 ## <desc>
@ -9323,7 +9370,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -246,6 +257,7 @@
+@@ -189,6 +200,7 @@
+ corenet_sendrecv_all_client_packets(xdm_t)
+ # xdm tries to bind to biff_port_t
+ corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+corenet_udp_bind_xdmcp_ports(xdm_t)
+ 
+ dev_read_rand(xdm_t)
+ dev_read_sysfs(xdm_t)
+@@ -246,6 +258,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -9331,7 +9386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
-@@ -257,6 +269,7 @@
+@@ -257,6 +270,7 @@
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
@ -9339,7 +9394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-@@ -271,6 +284,10 @@
+@@ -271,6 +285,10 @@
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
@ -9350,7 +9405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
-@@ -306,6 +323,8 @@
+@@ -306,6 +324,8 @@
 
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -9359,7 +9414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 optional_policy(`
-@@ -348,12 +367,8 @@
+@@ -348,12 +368,8 @@
 ')
 
 optional_policy(`
@ -9373,7 +9428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +400,7 @@
+@@ -385,7 +401,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
@ -9382,7 +9437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +440,10 @@
+@@ -425,6 +441,10 @@
 ')
 
 optional_policy(`
@ -9393,7 +9448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
 
-@@ -434,47 +453,19 @@
+@@ -434,47 +454,19 @@
 ')
 
 optional_policy(`
@ -11333,7 +11388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
 /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.7/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/lvm.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/lvm.te	2007-09-07 09:00:42.000000000 -0400
@@ -150,7 +150,9 @@
 
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
@ -11362,7 +11417,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
 
 term_getattr_all_user_ttys(lvm_t)
 term_list_ptys(lvm_t)
-@@ -293,5 +298,15 @@
+@@ -275,6 +280,8 @@
+ seutil_search_default_contexts(lvm_t)
+ seutil_sigchld_newrole(lvm_t)
+ 
+userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
+
+ ifdef(`distro_redhat',`
+ 	# this is from the initrd:
+ 	files_rw_isid_type_dirs(lvm_t)
+@@ -293,5 +300,15 @@
 ')
 
 optional_policy(`
@ -13971,7 +14035,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/xen.te	2007-09-07 08:48:47.000000000 -0400
+@@ -95,7 +95,7 @@
+ read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
+ rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
+ 
+-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
+ dev_filetrans(xend_t, xenctl_t, fifo_file)
+ 
+ manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+@@ -126,7 +126,7 @@
+ domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
+ allow xenstored_t xend_t:fd use;
+ allow xenstored_t xend_t:process sigchld;
+-allow xenstored_t xend_t:fifo_file write;
+allow xenstored_t xend_t:fifo_file write_fifo_file_perms;
+ 
+ # transition to console
+ domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
@@ -176,6 +176,7 @@
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
@ -13980,6 +14062,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 
 storage_raw_read_fixed_disk(xend_t)
 storage_raw_write_fixed_disk(xend_t)
+@@ -224,7 +225,7 @@
+ 
+ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file  rw_fifo_file_perms;
+ 
+ allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+ 
@@ -257,7 +258,7 @@
 
 miscfiles_read_localization(xenconsoled_t)
@ -13998,7 +14089,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
 allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
 allow xenstored_t self:unix_dgram_socket create_socket_perms;
 
-@@ -324,6 +325,7 @@
+@@ -318,12 +319,13 @@
+ allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+ 
+ # internal communication is often done using fifo and unix sockets.
+-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file  rw_fifo_file_perms;
+ allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xm_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
 manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.7
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
 %endif

 %changelog
+* Fri Sep 7 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-6
+- Allow wine to run in system role
+
 * Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-5
 - Fix java labeling