- Allow rpm to chat with networkmanager

This commit is contained in:
Daniel J Walsh 2007-10-17 03:20:10 +00:00
parent 84032d2d32
commit cca59cee5a


@ -1300,7 +1300,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/rpm.if 2007-10-15 13:34:30.000000000 -0400
@@ -152,6 +152,24 @@ @@ -152,6 +152,24 @@
######################################## ########################################
@ -1382,7 +1382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
') ')
######################################## ########################################
@@ -289,3 +346,84 @@ @@ -289,3 +346,111 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
') ')
@ -1467,21 +1467,68 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+ +
+ dontaudit $1 rpm_t:shm rw_shm_perms; + dontaudit $1 rpm_t:shm rw_shm_perms;
+') +')
+
+########################################
+## <summary>
+## Read/write rpm tmpfs files.
+## </summary>
+## <desc>
+## <p>
+## Read/write rpm tmpfs files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_rw_tmpfs_files',`
+ gen_require(`
+ type rpm_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 rpm_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+ read_lnk_files_pattern($1,rpm_tmpfs_t,rpm_tmpfs_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.8/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-08-22 07:14:14.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/rpm.te 2007-08-22 07:14:14.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-10-10 15:20:46.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/admin/rpm.te 2007-10-16 22:35:42.000000000 -0400
@@ -184,6 +184,10 @@ @@ -139,6 +139,7 @@
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
+auth_use_nsswith(rpm_t)
# transition to rpm script:
rpm_domtrans_script(rpm_t)
@@ -180,11 +181,18 @@
') ')
optional_policy(` optional_policy(`
+ dbus_system_domain(rpm_t,rpm_exec_t) - hal_dbus_chat(rpm_t)
-')
+ optional_policy(`
+ hal_dbus_chat(rpm_t)
+ ') + ')
+ +
+ optional_policy(` + optional_policy(`
nis_use_ypbind(rpm_t) + networkmanager_dbus_chat(rpm_t)
+ ')
+
+ optional_policy(`
+ dbus_system_domain(rpm_t,rpm_exec_t)
+ ')
-optional_policy(`
- nis_use_ypbind(rpm_t)
') ')
@@ -321,6 +325,7 @@ optional_policy(`
@@ -321,6 +329,7 @@
seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t) seutil_domtrans_semanage(rpm_script_t)
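Review bot: `+auth_use_nsswith(rpm_t)` on the new side of the rpm.te hunk (`@@ -139,6 +139,7 @@`) does not name an interface I know of; the authlogin interface that grants nsswitch/NSS lookup access is `auth_use_nsswitch`, so as written this call should fail to expand and break the policy build rather than grant rpm_t anything. I would change the line to `auth_use_nsswitch(rpm_t)`. The reshuffled hal/networkmanager/dbus `optional_policy` blocks further down the same hunk read consistently in the new layout; the surrounding rpm_t rule run extends beyond the hunk on both sides, so I cannot confirm from here that no duplicate `nis_use_ypbind(rpm_t)` block remains.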
@ -6599,7 +6646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-10 15:50:21.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/exim.if 2007-10-15 13:07:49.000000000 -0400
@@ -0,0 +1,157 @@ @@ -0,0 +1,157 @@
+## <summary>Exim service</summary> +## <summary>Exim service</summary>
+ +
@ -7547,8 +7594,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
+files_type(mailscanner_spool_t) +files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/mta.if 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-03 11:10:24.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mta.if 2007-10-15 13:10:26.000000000 -0400
@@ -226,6 +226,15 @@ @@ -142,6 +142,12 @@
sendmail_create_log($1_mail_t)
')
+ optional_policy(`
+ exim_read_logs($1_mail_t)
+ exim_manage_spool($1_mail_t)
+ ')
+
+
')
#######################################
@@ -226,6 +232,15 @@
tunable_policy(`use_samba_home_dirs',` tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t) fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t) fs_manage_cifs_symlinks($1_mail_t)
@ -7564,7 +7624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
') ')
optional_policy(` optional_policy(`
@@ -314,6 +323,24 @@ @@ -314,6 +329,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -7589,7 +7649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## Modified mailserver interface for ## Modified mailserver interface for
## sendmail daemon use. ## sendmail daemon use.
## </summary> ## </summary>
@@ -392,6 +419,7 @@ @@ -392,6 +425,7 @@
allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t) create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t) read_files_pattern($1,mail_spool_t,mail_spool_t)
@ -7597,7 +7657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t) create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t) read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -447,20 +475,18 @@ @@ -447,20 +481,18 @@
interface(`mta_send_mail',` interface(`mta_send_mail',`
gen_require(` gen_require(`
attribute mta_user_agent; attribute mta_user_agent;
@ -7624,7 +7684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
') ')
######################################## ########################################
@@ -595,6 +621,25 @@ @@ -595,6 +627,25 @@
files_search_etc($1) files_search_etc($1)
allow $1 etc_aliases_t:file { rw_file_perms setattr }; allow $1 etc_aliases_t:file { rw_file_perms setattr };
') ')
@ -7652,7 +7712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
## <summary> ## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-06 08:52:41.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-15 13:11:26.000000000 -0400
@@ -6,6 +6,7 @@ @@ -6,6 +6,7 @@
# Declarations # Declarations
# #
@ -9675,7 +9735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/services/samba.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-09 11:56:37.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/samba.te 2007-10-16 21:18:19.000000000 -0400
@@ -137,6 +137,11 @@ @@ -137,6 +137,11 @@
type winbind_var_run_t; type winbind_var_run_t;
files_pid_file(winbind_var_run_t) files_pid_file(winbind_var_run_t)
@ -11291,7 +11351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ +
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-11 10:50:27.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-10-15 13:34:37.000000000 -0400
@@ -16,6 +16,13 @@ @@ -16,6 +16,13 @@
## <desc> ## <desc>
@ -11434,13 +11494,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t) resmgr_stream_connect(xdm_t)
') ')
@@ -434,47 +464,24 @@ @@ -434,47 +464,25 @@
') ')
optional_policy(` optional_policy(`
- unconfined_domain_noaudit(xdm_xserver_t) - unconfined_domain_noaudit(xdm_xserver_t)
- unconfined_domtrans(xdm_xserver_t) - unconfined_domtrans(xdm_xserver_t)
+ rpm_dontaudit_rw_shm(xdm_xserver_t) + rpm_dontaudit_rw_shm(xdm_xserver_t)
+ rpm_rw_tmpfs_files(xdm_xserver_t)
+') +')
- ifndef(`distro_redhat',` - ifndef(`distro_redhat',`
@ -12638,16 +12699,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
') ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/system/ipsec.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-10-03 11:10:25.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/ipsec.te 2007-10-15 12:10:49.000000000 -0400
@@ -56,7 +56,6 @@ @@ -55,11 +55,11 @@
allow ipsec_t self:capability { net_admin dac_override dac_read_search }; allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config; dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process signal; -allow ipsec_t self:process signal;
-allow ipsec_t self:netlink_route_socket r_netlink_socket_perms; -allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
+allow ipsec_t self:process { signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:key_socket { create write read setopt }; allow ipsec_t self:key_socket { create write read setopt };
allow ipsec_t self:fifo_file { read getattr }; allow ipsec_t self:fifo_file { read getattr };
@@ -84,6 +83,8 @@ +allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
@@ -69,7 +69,7 @@
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-allow ipsec_t ipsec_var_run_t:file manage_file_perms;
+manage_files_pattern(ipsec_t,ipsec_var_run_t, ipsec_var_run_t)
allow ipsec_t ipsec_var_run_t:sock_file manage_sock_file_perms;
files_pid_filetrans(ipsec_t,ipsec_var_run_t,{ file sock_file })
@@ -84,6 +84,8 @@
allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms; allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
allow ipsec_mgmt_t ipsec_t:process sigchld; allow ipsec_mgmt_t ipsec_t:process sigchld;
@ -12656,7 +12732,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
kernel_read_kernel_sysctls(ipsec_t) kernel_read_kernel_sysctls(ipsec_t)
kernel_list_proc(ipsec_t) kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t) kernel_read_proc_symlinks(ipsec_t)
@@ -134,16 +135,10 @@ @@ -104,6 +106,11 @@
corenet_tcp_bind_all_nodes(ipsec_t)
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
+
+corenet_udp_bind_all_nodes(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_udp_bind_ipsecnat_port(ipsec_t)
+
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
@@ -134,16 +141,10 @@
miscfiles_read_localization(ipsec_t) miscfiles_read_localization(ipsec_t)
@ -12673,7 +12761,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
seutil_sigchld_newrole(ipsec_t) seutil_sigchld_newrole(ipsec_t)
') ')
@@ -278,11 +273,11 @@ @@ -170,6 +171,8 @@
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
+logging_send_syslog_msg(ipsec_mgmt_t)
+
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -225,6 +228,7 @@
# the ipsec wrapper wants to run /usr/bin/logger (should we put
# it in its own domain?)
corecmd_exec_bin(ipsec_mgmt_t)
+corecmd_exec_shell(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -278,11 +282,11 @@
# #
allow racoon_t self:capability { net_admin net_bind_service }; allow racoon_t self:capability { net_admin net_bind_service };
@ -12686,7 +12791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# manage pid file # manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t) manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
@@ -299,11 +294,15 @@ @@ -299,11 +303,15 @@
allow racoon_t ipsec_spd_t:association setcontext; allow racoon_t ipsec_spd_t:association setcontext;
@ -14225,7 +14330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400 --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-09 15:59:34.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-16 22:49:31.000000000 -0400
@@ -76,7 +76,6 @@ @@ -76,7 +76,6 @@
type restorecond_exec_t; type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t) init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -14245,7 +14350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
type semanage_store_t; type semanage_store_t;
files_type(semanage_store_t) files_type(semanage_store_t)
@@ -194,10 +197,15 @@ @@ -194,10 +197,19 @@
# cjp: cover up stray file descriptors. # cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write; dontaudit load_policy_t selinux_config_t:file write;
optional_policy(` optional_policy(`
@ -14254,6 +14359,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
') ')
') ')
+optional_policy(`
+ rpm_dontaudit_rw_pipes(load_policy_t)
+')
+
+optional_policy(` +optional_policy(`
+ usermanage_dontaudit_useradd_use_fds(load_policy_t) + usermanage_dontaudit_useradd_use_fds(load_policy_t)
+') +')
@ -14262,7 +14371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
######################################## ########################################
# #
# Newrole local policy # Newrole local policy
@@ -215,7 +223,7 @@ @@ -215,7 +227,7 @@
allow newrole_t self:msg { send receive }; allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@ -14271,7 +14380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t) read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t) read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -252,8 +260,11 @@ @@ -252,8 +264,11 @@
term_getattr_unallocated_ttys(newrole_t) term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t)
@ -14283,7 +14392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
corecmd_list_bin(newrole_t) corecmd_list_bin(newrole_t)
corecmd_read_bin_symlinks(newrole_t) corecmd_read_bin_symlinks(newrole_t)
@@ -273,6 +284,7 @@ @@ -273,6 +288,7 @@
libs_use_ld_so(newrole_t) libs_use_ld_so(newrole_t)
libs_use_shared_libs(newrole_t) libs_use_shared_libs(newrole_t)
@ -14291,7 +14400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
logging_send_syslog_msg(newrole_t) logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
@@ -294,14 +306,6 @@ @@ -294,14 +310,6 @@
files_polyinstantiate_all(newrole_t) files_polyinstantiate_all(newrole_t)
') ')
@ -14306,7 +14415,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
######################################## ########################################
# #
# Restorecond local policy # Restorecond local policy
@@ -309,11 +313,12 @@ @@ -309,11 +317,12 @@
allow restorecond_t self:capability { dac_override dac_read_search fowner }; allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms; allow restorecond_t self:fifo_file rw_fifo_file_perms;
@ -14320,7 +14429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_use_fds(restorecond_t) kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t) kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t) kernel_read_system_state(restorecond_t)
@@ -343,15 +348,12 @@ @@ -343,15 +352,12 @@
miscfiles_read_localization(restorecond_t) miscfiles_read_localization(restorecond_t)
@ -14338,7 +14447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
################################# #################################
# #
@@ -361,7 +363,7 @@ @@ -361,7 +367,7 @@
allow run_init_t self:process setexec; allow run_init_t self:process setexec;
allow run_init_t self:capability setuid; allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms; allow run_init_t self:fifo_file rw_file_perms;
@ -14347,7 +14456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# often the administrator runs such programs from a directory that is owned # often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit # by a different user or has restrictive SE permissions, do not want to audit
@@ -375,6 +377,7 @@ @@ -375,6 +381,7 @@
term_dontaudit_list_ptys(run_init_t) term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t) auth_domtrans_chk_passwd(run_init_t)
@ -14355,7 +14464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
auth_dontaudit_read_shadow(run_init_t) auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t) corecmd_exec_bin(run_init_t)
@@ -423,77 +426,52 @@ @@ -423,77 +430,52 @@
nscd_socket_use(run_init_t) nscd_socket_use(run_init_t)
') ')
@ -14381,19 +14490,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
- -
-kernel_read_system_state(semanage_t) -kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t) -kernel_read_kernel_sysctls(semanage_t)
-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
+init_dontaudit_use_fds(setsebool_t) +init_dontaudit_use_fds(setsebool_t)
-domain_use_interactive_fds(semanage_t) -corecmd_exec_bin(semanage_t)
+# Bug in semanage +# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t) +seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t) +seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t)
+seutil_manage_selinux_config(setsebool_t) +seutil_manage_selinux_config(setsebool_t)
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t) -files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t) -files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t) -files_read_usr_files(semanage_t)
@ -14459,7 +14568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
# cjp: need a more general way to handle this: # cjp: need a more general way to handle this:
ifdef(`enable_mls',` ifdef(`enable_mls',`
# read secadm tmp files # read secadm tmp files
@@ -521,6 +499,8 @@ @@ -521,6 +503,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@ -14468,7 +14577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
kernel_read_system_state(setfiles_t) kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t) kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t) kernel_relabelfrom_unlabeled_files(setfiles_t)
@@ -537,6 +517,7 @@ @@ -537,6 +521,7 @@
fs_getattr_xattr_fs(setfiles_t) fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t) fs_list_all(setfiles_t)
@ -14476,7 +14585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
fs_search_auto_mountpoints(setfiles_t) fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t) fs_relabelfrom_noxattr_fs(setfiles_t)
@@ -590,8 +571,16 @@ @@ -590,8 +575,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t) fs_relabel_tmpfs_chr_file(setfiles_t)
') ')
@ -14626,7 +14735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400 --- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-09 16:07:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-15 13:54:06.000000000 -0400
@@ -132,6 +132,7 @@ @@ -132,6 +132,7 @@
init_read_utmp(udev_t) init_read_utmp(udev_t)
@ -14659,7 +14768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) +/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-11 14:50:56.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-15 13:33:52.000000000 -0400
@@ -12,14 +12,13 @@ @@ -12,14 +12,13 @@
# #
interface(`unconfined_domain_noaudit',` interface(`unconfined_domain_noaudit',`
@ -17206,3 +17315,182 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy
$(call parse-rolemap,base,$@) $(call parse-rolemap,base,$@)
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.8/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2007-05-29 13:53:56.000000000 -0400
+++ serefpolicy-3.0.8/support/Makefile.devel 2007-10-15 16:12:34.000000000 -0400
@@ -31,10 +31,10 @@
genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py
-docs = doc
-polxml = $(docs)/policy.xml
-xmldtd = $(HEADERDIR)/support/policy.dtd
-metaxml = metadata.xml
+docs := doc
+polxml := $(docs)/policy.xml
+xmldtd := $(HEADERDIR)/support/policy.dtd
+metaxml := metadata.xml
globaltun = $(HEADERDIR)/global_tunables.xml
globalbool = $(HEADERDIR)/global_booleans.xml
@@ -76,35 +76,23 @@
# policy headers
m4support = $(wildcard $(HEADERDIR)/support/*.spt)
-all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
-all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if))
-rolemap = $(HEADERDIR)/rolemap
-
-detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
-
-clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers))))
-all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers))))
-detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers))))
-
-3rd_party_mods = $(wildcard *.te)
-detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te))
-detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te))
-
-detected_ifs = $(detected_mods:.te=.if)
-detected_fcs = $(detected_mods:.te=.fc)
-all_packages = $(notdir $(detected_mods:.te=.pp))
-
-modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml))
-layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR))))
-
-hmodxml = $(all_interfaces:.if=.xml)
-hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset))))
-hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml))
-
-cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te))
-cmodxml = $(cmods:.te=.xml)
-clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers))))
-cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml))
+header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d))
+header_xml := $(addsuffix .xml,$(header_layers))
+header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if))
+
+rolemap := $(HEADERDIR)/rolemap
+
+local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
+local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers)))
+
+all_layer_names := $(sort $(notdir $(header_layers) $(local_layers)))
+
+3rd_party_mods := $(wildcard *.te)
+detected_mods := $(3rd_party_mods) $(foreach layer,$(local_layers),$(wildcard $(layer)/*.te))
+
+detected_ifs := $(detected_mods:.te=.if)
+detected_fcs := $(detected_mods:.te=.fc)
+all_packages := $(notdir $(detected_mods:.te=.pp))
# figure out what modules we may want to reload
loaded_mods = $(addsuffix .pp,$(shell $(SEMODULE) -l | $(CUT) -f1))
@@ -112,9 +100,9 @@
match_sys = $(filter $(addprefix $(SHAREDIR)/$(NAME)/,$(loaded_mods)),$(sys_mods))
match_loc = $(filter $(all_packages),$(loaded_mods))
-vpath %.te $(detected_layers)
-vpath %.if $(detected_layers)
-vpath %.fc $(detected_layers)
+vpath %.te $(local_layers)
+vpath %.if $(local_layers)
+vpath %.fc $(local_layers)
########################################
#
@@ -192,7 +180,7 @@
#
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
- @test -d tmp || mkdir -p tmp
+ @test -d $(@D) || mkdir -p $(@D)
$(call peruser-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
@@ -204,55 +192,50 @@
@echo "Creating $(NAME) $(@F) policy package"
$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
- @test -d tmp || mkdir -p tmp
- $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+tmp/all_interfaces.conf: $(m4support) $(header_interfaces) $(detected_ifs)
+ @test -d $(@D) || mkdir -p $(@D)
+ @echo "ifdef(\`__if_error',\`m4exit(1)')" > tmp/iferror.m4
+ @echo "divert(-1)" > $@
+ $(verbose) $(M4) $^ tmp/iferror.m4 | sed -e s/dollarsstar/\$$\*/g >> $@
+ @echo "divert" >> $@
# so users dont have to make empty .fc and .if files
-$(detected_ifs) $(detected_fcs):
+$(detected_fcs):
@touch $@
+
+$(detected_ifs):
+ @echo "## <summary>$(basename $(@D))</summary>" > $@
########################################
#
# Documentation generation
#
+tmp/%.xml: %/*.te %/*.if
+ @test -d $(@D) || mkdir -p $(@D)
+ $(verbose) test -f $(HEADERDIR)/$*.xml || cat $*/$(metaxml) > $@
+ $(verbose) $(genxml) -w -m $(sort $(basename $^)) >> $@
-$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml)
- @test -d tmp || mkdir -p tmp
- $(verbose) echo '<layer name="$(*F)">' > $@
- $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
- $(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@
- $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
- $(verbose) echo '</layer>' >> $@
-
-$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml)
- @test -d tmp || mkdir -p tmp
- $(verbose) echo '<layer name="$(*F)">' > $@
- $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@;
- $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@
- $(verbose) echo '</layer>' >> $@
-
-$(cmodxml) $(modxml): %.xml: %.if %.te
- $(verbose) $(genxml) -w -m $* > $@
-
-$(layerxml): %.xml: $(modxml)
- @test -d tmp || mkdir -p tmp
- $(verbose) echo '<layer name="$(*F)">' > $@
- $(verbose) if test -f '$(metaxml)'; then \
- cat $(metaxml) >> $@; \
- else \
- echo '<summary>This is all third-party generated modules.</summary>' >> $@; \
- fi
- $(verbose) cat $(filter-out %/$(metaxml), $^) >> $@
- $(verbose) echo '</layer>' >> $@
+vars: $(local_xml)
-$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool)
+$(polxml): $(header_xml) $(local_xml) $(globaltun) $(globalbool) $(detected_mods) $(detected_ifs)
@echo "Creating $(@F)"
- @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml))
+ @test -d $(@D) || mkdir -p $(@D)
$(verbose) echo '<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>' > $@
$(verbose) echo '<!DOCTYPE policy SYSTEM "$(notdir $(xmldtd))">' >> $@
$(verbose) echo '<policy>' >> $@
- $(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@
+ $(verbose) for i in $(all_layer_names); do \
+ echo "<layer name=\"$$i\">" >> $@ ;\
+ test -f $(HEADERDIR)/$$i.xml && cat $(HEADERDIR)/$$i.xml >> $@ ;\
+ test -f tmp/$$i.xml && cat tmp/$$i.xml >> $@ ;\
+ echo "</layer>" >> $@ ;\
+ done
+ifneq "$(strip $(3rd_party_mods))" ""
+ $(verbose) echo "<layer name=\"third_party\">" >> $@
+ $(verbose) echo "<summary>These are all third-party modules.</summary>" >> $@
+ $(verbose) $(genxml) -w -m $(addprefix ./,$(basename $(3rd_party_mods))) >> $@
+ $(verbose) echo "</layer>" >> $@
+endif
+ $(verbose) cat $(globaltun) $(globalbool) >> $@
$(verbose) echo '</policy>' >> $@
$(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
$(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\