- Allow wine to run in system role

This commit is contained in:
Daniel J Walsh 2007-09-07 19:03:11 +00:00
parent 37d6a1ce3f
commit c7e443c95c
2 changed files with 122 additions and 21 deletions


@ -2401,9 +2401,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+ role $2 types wine_t;
+ allow wine_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.0.7/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2007-07-25 10:37:37.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/apps/wine.te 2007-09-07 09:04:03.000000000 -0400
@@ -9,6 +9,7 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t,wine_exec_t)
+role system_r types wine_t;
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corecommands.fc 2007-09-07 13:47:17.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@ -2437,6 +2448,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -259,3 +265,7 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
+
+/etc/gdm/XKeepsCrashing[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
+/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.if.in 2007-09-06 15:43:06.000000000 -0400
@ -2486,7 +2505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/kernel/corenetwork.te.in 2007-09-07 15:02:19.000000000 -0400
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@ -2528,11 +2547,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
@@ -160,13 +166,17 @@
@@ -146,7 +152,7 @@
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
-network_port(soundd, tcp,8000,s0, tcp,9433,s0)
+network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
@@ -160,13 +166,18 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
-network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0, tcp,6020,s0)
@ -5920,7 +5949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
allow $1 self:tcp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.7/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/kerberos.te 2007-09-07 10:31:47.000000000 -0400
@@ -62,7 +62,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
@ -5964,6 +5993,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
@@ -151,7 +157,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -223,6 +229,7 @@
miscfiles_read_localization(krb5kdc_t)
@ -5972,6 +6010,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
@@ -233,6 +240,7 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
+ seutil_read_file_contexts(krb5kdc_t)
')
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.0.7/policy/modules/services/ktalk.te
--- nsaserefpolicy/policy/modules/services/ktalk.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/ktalk.te 2007-09-06 15:43:06.000000000 -0400
@ -7732,7 +7778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.7/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rpc.te 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/rpc.te 2007-09-07 10:32:33.000000000 -0400
@@ -59,10 +59,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@ -7782,16 +7828,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
')
tunable_policy(`nfs_export_all_ro',`
@@ -143,6 +154,8 @@
@@ -143,6 +154,9 @@
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+auth_use_nsswitch(gssd_t)
+
+kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -158,6 +171,9 @@
@@ -158,6 +172,9 @@
miscfiles_read_certs(gssd_t)
@ -9287,7 +9334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/services/xserver.te 2007-09-07 15:02:10.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@ -9323,7 +9370,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -246,6 +257,7 @@
@@ -189,6 +200,7 @@
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
+corenet_udp_bind_xdmcp_ports(xdm_t)
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
@@ -246,6 +258,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -9331,7 +9386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -257,6 +269,7 @@
@@ -257,6 +270,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -9339,7 +9394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
@@ -271,6 +284,10 @@
@@ -271,6 +285,10 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -9350,7 +9405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -306,6 +323,8 @@
@@ -306,6 +324,8 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@ -9359,7 +9414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -348,12 +367,8 @@
@@ -348,12 +368,8 @@
')
optional_policy(`
@ -9373,7 +9428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
@@ -385,7 +400,7 @@
@@ -385,7 +401,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -9382,7 +9437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -425,6 +440,10 @@
@@ -425,6 +441,10 @@
')
optional_policy(`
@ -9393,7 +9448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -434,47 +453,19 @@
@@ -434,47 +454,19 @@
')
optional_policy(`
@ -11333,7 +11388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.7/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/lvm.te 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/lvm.te 2007-09-07 09:00:42.000000000 -0400
@@ -150,7 +150,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
@ -11362,7 +11417,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
@@ -293,5 +298,15 @@
@@ -275,6 +280,8 @@
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
+userdom_dontaudit_search_sysadm_home_dirs(lvm_t)
+
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
@@ -293,5 +300,15 @@
')
optional_policy(`
@ -13971,7 +14035,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.7/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-06 15:43:06.000000000 -0400
+++ serefpolicy-3.0.7/policy/modules/system/xen.te 2007-09-07 08:48:47.000000000 -0400
@@ -95,7 +95,7 @@
read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
-allow xend_t xenctl_t:fifo_file manage_file_perms;
+allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
@@ -126,7 +126,7 @@
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
allow xenstored_t xend_t:fd use;
allow xenstored_t xend_t:process sigchld;
-allow xenstored_t xend_t:fifo_file write;
+allow xenstored_t xend_t:fifo_file write_fifo_file_perms;
# transition to console
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
@@ -176,6 +176,7 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@ -13980,6 +14062,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
storage_raw_read_fixed_disk(xend_t)
storage_raw_write_fixed_disk(xend_t)
@@ -224,7 +225,7 @@
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
-allow xenconsoled_t self:fifo_file { read write };
+allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
@@ -257,7 +258,7 @@
miscfiles_read_localization(xenconsoled_t)
@ -13998,7 +14089,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
@@ -324,6 +325,7 @@
@@ -318,12 +319,13 @@
allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
# internal communication is often done using fifo and unix sockets.
-allow xm_t self:fifo_file { read write };
+allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xm_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
manage_fifo_files_pattern(xm_t,xend_var_lib_t,xend_var_lib_t)
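Review bot: The `role system_r types wine_t;` line added in the wine.te hunk widens the system role unconditionally and carries no comment saying which system_r caller needs to reach wine_t, while the wine.if hunk in the same commit already adds a per-role `role $2 types wine_t;` grant that the calling module could use instead of a blanket rule in wine.te. If the system_r grant is intended, a one-line why-comment above it, e.g. `# system_r domains may run wine (3.0.7-6: allow wine to run in system role)`, lets a later reviewer tell a deliberate grant from a leftover. The kerberos.te hunk has the same gap: `setfscreate` is added to `krb5kdc_t self:process` next to `seutil_read_file_contexts(krb5kdc_t)`, presumably so the KDC can choose the label of a file it creates, but neither line records which file or type that is; please note it in a comment. Both hunks are cut short on this page, so the surrounding declaration and optional_policy blocks are not visible.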


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.7
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -362,6 +362,9 @@ exit 0
%endif
%changelog
* Fri Sep 7 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-6
- Allow wine to run in system role
* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> 3.0.7-5
- Fix java labeling