From d4af172a643fa519a59df1b56847471a5930f086 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Sat, 11 Apr 2009 12:30:22 +0000 Subject: [PATCH] - Separate out the ucnonfined user from the unconfined.pp package --- modules-minimum.conf | 7 + modules-targeted.conf | 7 + policy-20090105.patch | 2876 ++++++++++++++++++++++++++++++----------- selinux-policy.spec | 13 +- 4 files changed, 2138 insertions(+), 765 deletions(-) diff --git a/modules-minimum.conf b/modules-minimum.conf index d90a8dd1..abdf2ef6 100644 --- a/modules-minimum.conf +++ b/modules-minimum.conf @@ -1676,6 +1676,13 @@ bitlbee = module # soundserver = module +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + # Layer:role # Module: staff # diff --git a/modules-targeted.conf b/modules-targeted.conf index d90a8dd1..abdf2ef6 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1676,6 +1676,13 @@ bitlbee = module # soundserver = module +# Layer: role +# Module: unconfineduser +# +# The unconfined user domain. +# +unconfineduser = module + # Layer:role # Module: staff # diff --git a/policy-20090105.patch b/policy-20090105.patch index 1dd0d5d7..4800cdb1 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -1022,7 +1022,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400 @@ -31,6 +31,9 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; 
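Review bot: The modules-minimum.conf hunk turns the new module on (`unconfineduser = module`) exactly as the modules-targeted.conf hunk does, and the identical index lines show the two files are byte-for-byte the same, so the minimum policy set now builds and ships the unconfined user role as well; if that is not intended for the minimum variant, the entry there should use the value these files use for excluded modules (`off`) rather than `module`. The module comment also says nothing about how this module relates to the existing unconfined module (the new .te still calls unconfined_domain_noaudit(), so it presumably depends on it); a line such as `# Provides unconfined_u/unconfined_r; depends on the unconfined module.` in both conf files would make the split visible to whoever edits these lists. The header style differs from the neighbouring entry (`# Layer: role` vs `# Layer:role`), which is harmless but worth matching.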
@@ -1101,7 +1101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,10 +190,20 @@ +@@ -174,17 +190,28 @@ ') optional_policy(` @@ -1122,8 +1122,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol prelink_domtrans(rpm_t) ') -@@ -185,6 +211,7 @@ - unconfined_domain(rpm_t) + optional_policy(` +- unconfined_domain(rpm_t) ++ unconfined_domain_noaudit(rpm_t) # yum-updatesd requires this unconfined_dbus_chat(rpm_t) + unconfined_dbus_chat(rpm_script_t) @@ -1514,6 +1515,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_write_pid(vbetool_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ada.te serefpolicy-3.6.12/policy/modules/apps/ada.te +--- nsaserefpolicy/policy/modules/apps/ada.te 2009-01-05 15:39:38.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/ada.te 2009-04-09 04:47:52.000000000 -0400 +@@ -21,5 +21,5 @@ + userdom_use_user_terminals(ada_t) + + optional_policy(` +- unconfined_domain_noaudit(ada_t) ++ unconfined_domain(ada_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te --- nsaserefpolicy/policy/modules/apps/awstats.te 2009-02-16 08:44:12.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-04-07 16:01:44.000000000 -0400 
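Review bot: In the rpm.te hunk rpm_t moves from unconfined_domain() to unconfined_domain_noaudit(), while the ada.te hunk on this same line moves ada_t the opposite way, from unconfined_domain_noaudit() to unconfined_domain(); the mono.te and wine.te hunks later do the same for mono_t and wine_t, and kernel.te follows rpm_t. Nothing in the subject explains why the audited and unaudited variants are being swapped in both directions, and the difference between the two interfaces is not visible in this patch, so a reviewer cannot tell whether any of these is a permission change. A one-line comment on each changed call, or a sentence in the commit description stating the rule (e.g. which kinds of domains are meant to be noaudit), would let this be checked. The added `unconfined_dbus_chat(rpm_script_t)` beside it likewise lacks a comment saying which script needs to talk to unconfined_t over dbus.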
@@ -2384,7 +2395,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.12/policy/modules/apps/mono.te --- nsaserefpolicy/policy/modules/apps/mono.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/mono.te 2009-04-09 04:48:20.000000000 -0400 @@ -15,7 +15,7 @@ # Local policy # @@ -2394,7 +2405,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_dbus_chat_script(mono_t) -@@ -46,3 +46,7 @@ +@@ -42,7 +42,11 @@ + ') + + optional_policy(` +- unconfined_domain_noaudit(mono_t) ++ unconfined_domain(mono_t) unconfined_dbus_chat(mono_t) unconfined_dbus_connect(mono_t) ') @@ -4272,7 +4288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.12/policy/modules/apps/wine.te --- nsaserefpolicy/policy/modules/apps/wine.te 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/apps/wine.te 2009-04-09 04:47:36.000000000 -0400 @@ -9,6 +9,7 @@ type wine_t; type wine_exec_t; @@ -4285,9 +4301,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` allow wine_t self:process { execstack execmem execheap }; +- unconfined_domain_noaudit(wine_t) + domain_mmap_low_type(wine_t) + domain_mmap_low(wine_t) - unconfined_domain_noaudit(wine_t) ++ unconfined_domain(wine_t) files_execmod_all_files(wine_t) +') 
@@ -4689,7 +4706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type urandom_device_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-04-09 10:10:17.000000000 -0400 @@ -629,6 +629,7 @@ dontaudit $1 unconfined_domain_type:dir search_dir_perms; @@ -4909,7 +4926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-09 10:14:04.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
@@ -5118,7 +5135,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4532,7 +4662,8 @@ +@@ -4413,6 +4543,28 @@ + + ######################################## + ## ++## manage all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ manage_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, lockfile, lockfile) ++ manage_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## + ## Create an object in the locks directory, with a private + ## type using a type transition. + ## +@@ -4532,7 +4684,8 @@ type var_t, var_run_t; ') @@ -5128,7 +5174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -4873,7 +5004,7 @@ +@@ -4873,7 +5026,7 @@ selinux_compute_member($1) # Need sys_admin capability for mounting @@ -5137,7 +5183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Need to give access to the directories to be polyinstantiated allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -@@ -4895,12 +5026,15 @@ +@@ -4895,12 +5048,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -5154,7 +5200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -4921,3 +5055,95 @@ +@@ -4921,3 +5077,95 @@ typeattribute $1 files_unconfined_type; ') 
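Review bot: The new files_manage_all_locks interface grants create, write and delete on every type carrying the lockfile attribute (dirs, files and symlinks) plus search on var_t and var_lock_t, but its summary `manage all lock files.` neither states that breadth nor says which domain the commit adds it for, and no caller of it appears in this patch. Suggest a summary such as `## Create, read, write, and delete all lock files (every type with the lockfile attribute); intended for trusted administrative domains only.` and naming the caller in the commit description so the grant can be reviewed with its consumer. The remaining hunks in this file section only renumber the nested hunk headers.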
@@ -5493,7 +5539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-09 10:10:27.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -5576,23 +5622,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -359,6 +384,10 @@ - unconfined_domain(kernel_t) +@@ -356,7 +381,11 @@ ') -+optional_policy(` -+ xserver_xdm_manage_spool(kernel_t) + optional_policy(` +- unconfined_domain(kernel_t) ++ unconfined_domain_noaudit(kernel_t) +') + ++optional_policy(` ++ xserver_xdm_manage_spool(kernel_t) + ') + ######################################## - # - # Unlabeled process local policy -@@ -388,3 +417,5 @@ +@@ -388,3 +417,7 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; + +files_boot(kernel_t) ++ ++permissive kernel_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.12/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/selinux.if 2009-04-07 16:01:44.000000000 -0400 
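Review bot: `+permissive kernel_t;` at the end of the kernel.te hunk puts the kernel domain into permissive mode, so denials against kernel_t are only logged and no longer enforced; that is unrelated to the subject (separating out the unconfined user) and is not mentioned in the description or in a comment. If it is a deliberate transitional measure it deserves its own commit, or at least a comment above it naming the condition for removing it, e.g. `# TODO(<bug id placeholder>): temporary; drop once the kernel_t denials it masks are fixed`. The same hunk also moves kernel_t from unconfined_domain() to unconfined_domain_noaudit(), which is part of the audited/unaudited swap already noted on the rpm.te hunk.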
@@ -5653,6 +5703,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_type($1) + mls_trusted_object($1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.12/policy/modules/kernel/terminal.fc +--- nsaserefpolicy/policy/modules/kernel/terminal.fc 2008-08-07 11:15:01.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/terminal.fc 2009-04-11 08:00:47.000000000 -0400 +@@ -13,6 +13,7 @@ + /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) ++/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) + /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.12/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-11-11 16:13:41.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/kernel/terminal.if 2009-04-07 16:01:44.000000000 -0400 
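Review bot: The new `/dev/pts/ptmx` entry labels the multiplexer node inside the pts directory as ptmx_t, but /dev/pts is normally a devpts mount whose contexts are assigned by the filesystem labeling rules in the kernel layer rather than by file_contexts, so confirm that setfiles/restorecon actually applies this line on a running system; if it does not, the devpts labeling rules are where the node needs to be handled. A short comment above the entry saying which kernel feature creates /dev/pts/ptmx and why it must carry ptmx_t rather than the devpts label would help future readers.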
@@ -6221,6 +6282,1088 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` yam_run(sysadm_t, sysadm_r) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc +--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-09 04:44:48.000000000 -0400 +@@ -0,0 +1,30 @@ ++# Add programs here which should not be confined by SELinux ++# e.g.: ++# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t ++/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++ ++/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ifdef(`distro_gentoo',` ++/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++') ++/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) ++ ++/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) 
++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if +--- nsaserefpolicy/policy/modules/roles/unconfineduser.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if 2009-04-09 05:37:59.000000000 -0400 +@@ -0,0 +1,638 @@ ++## Unconfiend user role ++ ++######################################## ++## ++## Change from the unconfineduser role. ++## ++## ++##

++## Change from the unconfineduser role to ++## the specified role. ++##

++##

++## This is an interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`unconfined_role_change_to',` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ allow unconfined_r $1; ++') ++ ++######################################## ++## ++## Transition to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_domtrans',` ++ gen_require(` ++ type unconfined_t, unconfined_exec_t; ++ ') ++ ++ domtrans_pattern($1,unconfined_exec_t,unconfined_t) ++') ++ ++######################################## ++## ++## Execute specified programs in the unconfined domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++## ++## ++## The role to allow the unconfined domain. ++## ++## ++# ++interface(`unconfined_run',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ unconfined_domtrans($1) ++ role $2 types unconfined_t; ++') ++ ++######################################## ++## ++## Transition to the unconfined domain by executing a shell. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_shell_domtrans',` ++ gen_require(` ++ attribute unconfined_login_domain; ++ ') ++ typeattribute $1 unconfined_login_domain; ++') ++ ++######################################## ++## ++## Allow unconfined to execute the specified program in ++## the specified domain. ++## ++## ++##

++## Allow unconfined to execute the specified program in ++## the specified domain. ++##

++##

++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## ++## ++## Domain to execute in. ++## ++## ++## ++## ++## Domain entry point file. ++## ++## ++# ++interface(`unconfined_domtrans_to',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ domtrans_pattern(unconfined_t,$2,$1) ++') ++ ++######################################## ++## ++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. ++## ++## ++##

++## Allow unconfined to execute the specified program in ++## the specified domain. Allow the specified domain the ++## unconfined role and use of unconfined user terminals. ++##

++##

++## This is a interface to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## ++## ++## Domain to execute in. ++## ++## ++## ++## ++## Domain entry point file. ++## ++## ++# ++interface(`unconfined_run_to',` ++ gen_require(` ++ type unconfined_t; ++ role unconfined_r; ++ ') ++ ++ domtrans_pattern(unconfined_t,$2,$1) ++ role unconfined_r types $1; ++ userdom_use_user_terminals($1) ++') ++ ++######################################## ++## ++## Inherit file descriptors from the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_use_fds',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fd use; ++') ++ ++######################################## ++## ++## Send a SIGCHLD signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_sigchld',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process sigchld; ++') ++ ++######################################## ++## ++## Send a SIGNULL signal to the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_signull',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process signull; ++') ++ ++######################################## ++## ++## Send a SIGNULL signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_signull',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ allow $1 unconfined_execmem_t:process signull; ++') ++ ++######################################## ++## ++## Send a signal to the unconfined execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_signal',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ allow $1 unconfined_execmem_t:process signal; ++') ++ ++######################################## ++## ++## Send generic signals to the unconfined domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_signal',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process signal; ++') ++ ++######################################## ++## ++## Read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fifo_file read_fifo_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dontaudit_read_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:fifo_file read; ++') ++ ++######################################## ++## ++## Read and write unconfined domain unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_pipes',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:fifo_file rw_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## unconfined domain stream. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_stream',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; ++') ++ ++######################################## ++## ++## Connect to the unconfined domain using ++## a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`unconfined_stream_connect',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. ++## ++## ++##

++## Do not audit attempts to read or write ++## unconfined domain tcp sockets. ++##

++##

++## This interface was added due to a broken ++## symptom in ldconfig. ++##

++##
++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`unconfined_dontaudit_rw_tcp_sockets',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ dontaudit $1 unconfined_t:tcp_socket { read write }; ++') ++ ++######################################## ++## ++## Create keys for the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_create_keys',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:key create; ++') ++ ++######################################## ++## ++## Send messages to the unconfined domain over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_send',` ++ gen_require(` ++ type unconfined_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 unconfined_t:dbus send_msg; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## unconfined_t over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_chat',` ++ gen_require(` ++ type unconfined_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 unconfined_t:dbus send_msg; ++ allow unconfined_t $1:dbus send_msg; ++') ++ ++######################################## ++## ++## Connect to the the unconfined DBUS ++## for service (acquire_svc). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_dbus_connect',` ++ gen_require(` ++ type unconfined_t; ++ class dbus acquire_svc; ++ ') ++ ++ allow $1 unconfined_t:dbus acquire_svc; ++') ++ ++######################################## ++## ++## Allow ptrace of unconfined domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_ptrace',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process ptrace; ++') ++ ++######################################## ++## ++## Read and write to unconfined shared memory. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`unconfined_rw_shm',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:shm rw_shm_perms; ++') ++ ++######################################## ++## ++## Read and write to unconfined execmem shared memory. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`unconfined_execmem_rw_shm',` ++ gen_require(` ++ type unconfined_execmem_t; ++ ') ++ ++ allow $1 unconfined_execmem_t:shm rw_shm_perms; ++') ++ ++######################################## ++## ++## Transition to the unconfined_execmem domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_domtrans',` ++ ++ gen_require(` ++ type unconfined_execmem_t, execmem_exec_t; ++ ') ++ ++ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) ++') ++ ++######################################## ++## ++## execute the execmem applications ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_execmem_exec',` ++ ++ gen_require(` ++ type execmem_exec_t; ++ ') ++ ++ can_exec($1, execmem_exec_t) ++') ++ ++######################################## ++## ++## Allow apps to set rlimits on userdomain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_set_rlimitnh',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process rlimitinh; ++') ++ ++######################################## ++## ++## Get the process group of unconfined. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_getpgid',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:process getpgid; ++') ++ ++######################################## ++## ++## Change to the unconfined role. ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`unconfined_role_change',` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ allow $1 unconfined_r; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te +--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-09 05:43:27.000000000 -0400 +@@ -0,0 +1,402 @@ ++policy_module(unconfineduser, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++attribute unconfined_login_domain; ++ ++## ++##

++## Transition to confined nsplugin domains from unconfined user ++##

++##
++gen_tunable(allow_unconfined_nsplugin_transition, false) ++ ++## ++##

++## Allow a user to login as an unconfined domain ++##

++##
++gen_tunable(unconfined_login, true) ++ ++## ++##

++## Allow unconfined domain to map low memory in the kernel ++##

++##
++gen_tunable(allow_unconfined_mmap_low, false) ++ ++## ++##

++## Transition to confined qemu domains from unconfined user ++##

++##
++gen_tunable(allow_unconfined_qemu_transition, false) ++ ++# usage in this module of types created by these ++# calls is not correct, however we dont currently ++# have another method to add access to these types ++userdom_base_user_template(unconfined) ++userdom_manage_home_role(unconfined_r, unconfined_t) ++userdom_manage_tmp_role(unconfined_r, unconfined_t) ++userdom_manage_tmpfs_role(unconfined_r, unconfined_t) ++userdom_execmod_user_home_files(unconfined_t) ++ ++type unconfined_exec_t; ++init_system_domain(unconfined_t, unconfined_exec_t) ++role unconfined_r types unconfined_t; ++ ++domain_user_exemption_target(unconfined_t) ++allow system_r unconfined_r; ++allow unconfined_r system_r; ++init_script_role_transition(unconfined_r) ++role system_r types unconfined_t; ++typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; ++ ++type unconfined_execmem_t; ++type execmem_exec_t; ++init_system_domain(unconfined_execmem_t, execmem_exec_t) ++role unconfined_r types unconfined_execmem_t; ++typealias execmem_exec_t alias unconfined_execmem_exec_t; ++ ++type unconfined_notrans_t; ++type unconfined_notrans_exec_t; ++init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) ++role unconfined_r types unconfined_notrans_t; ++ ++######################################## ++# ++# Local policy ++# ++ ++dontaudit unconfined_t self:dir write; ++ ++allow unconfined_t self:system syslog_read; ++dontaudit unconfined_t self:capability sys_module; ++ ++domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) ++ ++files_create_boot_flag(unconfined_t) ++files_create_default_dir(unconfined_t) ++ ++mcs_killall(unconfined_t) ++mcs_ptrace_all(unconfined_t) ++mls_file_write_all_levels(unconfined_t) ++ ++init_run_daemon(unconfined_t, unconfined_r) ++init_domtrans_script(unconfined_t) ++ ++libs_run_ldconfig(unconfined_t, unconfined_r) ++ ++logging_send_syslog_msg(unconfined_t) ++logging_run_auditctl(unconfined_t, unconfined_r) ++ 
++mount_run_unconfined(unconfined_t, unconfined_r) ++# Unconfined running as system_r ++mount_domtrans_unconfined(unconfined_t) ++ ++seutil_run_setsebool(unconfined_t, unconfined_r) ++seutil_run_setfiles(unconfined_t, unconfined_r) ++seutil_run_semanage(unconfined_t, unconfined_r) ++ ++unconfined_domain_noaudit(unconfined_t) ++domain_mmap_low(unconfined_t) ++ ++userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) ++ ++usermanage_run_passwd(unconfined_t, unconfined_r) ++usermanage_run_chfn(unconfined_t, unconfined_r) ++ ++tunable_policy(`unconfined_login',` ++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) ++ allow unconfined_t unconfined_login_domain:fd use; ++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; ++ allow unconfined_t unconfined_login_domain:process sigchld; ++') ++ ++optional_policy(` ++ loadkeys_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ nsplugin_role_notrans(unconfined_r, unconfined_t) ++ tunable_policy(`allow_unconfined_nsplugin_transition',` ++ nsplugin_domtrans(unconfined_execmem_t) ++ nsplugin_domtrans_config(unconfined_execmem_t) ++ nsplugin_domtrans(unconfined_t) ++ nsplugin_domtrans_config(unconfined_t) ++ ') ++') ++ ++ifdef(`distro_gentoo',` ++ seutil_run_runinit(unconfined_t, unconfined_r) ++ seutil_init_script_run_runinit(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ ada_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ apache_run_helper(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ bind_run_ndc(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ bootloader_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ cron_unconfined_role(unconfined_r, unconfined_t) ++') ++ ++optional_policy(` ++ init_dbus_chat_script(unconfined_t) ++ ++ dbus_stub(unconfined_t) ++ ++ optional_policy(` ++ avahi_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat(unconfined_t) ++ ') 
++ ++ optional_policy(` ++ consolekit_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ cups_dbus_chat_config(unconfined_t) ++ ') ++ ++ optional_policy(` ++ hal_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ gnomeclock_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ kerneloops_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ oddjob_dbus_chat(unconfined_t) ++ ') ++ ++ optional_policy(` ++ vpnc_dbus_chat(unconfined_t) ++ ') ++') ++ ++optional_policy(` ++ firstboot_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ ftp_run_ftpdctl(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ gpsd_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ iptables_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ java_run_unconfined(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ kismet_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ livecd_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ lpd_run_checkpc(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ modutils_run_update_mods(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ mono_role_template(unconfined, unconfined_r, unconfined_t) ++ unconfined_domain_noaudit(unconfined_mono_t) ++ role system_r types unconfined_mono_t; ++') ++ ++optional_policy(` ++ oddjob_run_mkhomedir(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ prelink_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ portmap_run_helper(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ qemu_role_notrans(unconfined_r, unconfined_t) ++ qemu_unconfined_role(unconfined_r) ++ ++ tunable_policy(`allow_unconfined_qemu_transition',` ++ qemu_domtrans(unconfined_t) ++ ',` ++ qemu_domtrans_unconfined(unconfined_t) ++') ++') ++ ++optional_policy(` ++ rpm_run(unconfined_t, unconfined_r) ++ # Allow SELinux aware applications to request rpm_script 
execution ++ rpm_transition_script(unconfined_t) ++ rpm_role_transition(unconfined_r) ++') ++ ++optional_policy(` ++ samba_role_notrans(unconfined_r) ++ samba_run_unconfined_net(unconfined_t, unconfined_r) ++ samba_run_winbind_helper(unconfined_t, unconfined_r) ++ samba_run_smbcontrol(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ sendmail_run_unconfined(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ sysnet_run_dhcpc(unconfined_t, unconfined_r) ++ sysnet_dbus_chat_dhcpc(unconfined_t) ++ sysnet_role_transition_dhcpc(unconfined_r) ++') ++ ++optional_policy(` ++ tzdata_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ vbetool_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ vpn_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ webalizer_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ wine_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` ++ xserver_run(unconfined_t, unconfined_r) ++ xserver_rw_shm(unconfined_t) ++') ++ ++######################################## ++# ++# Unconfined Execmem Local policy ++# ++ ++allow unconfined_execmem_t self:process { execstack execmem }; ++unconfined_domain_noaudit(unconfined_execmem_t) ++allow unconfined_execmem_t unconfined_t:process transition; ++ ++optional_policy(` ++ init_dbus_chat_script(unconfined_execmem_t) ++ dbus_system_bus_client(unconfined_execmem_t) ++ unconfined_dbus_chat(unconfined_execmem_t) ++ unconfined_dbus_connect(unconfined_execmem_t) ++') ++ ++optional_policy(` ++ avahi_dbus_chat(unconfined_execmem_t) ++') ++ ++ optional_policy(` ++ hal_dbus_chat(unconfined_execmem_t) ++ ') ++ ++optional_policy(` ++ xserver_rw_shm(unconfined_execmem_t) ++') ++ ++######################################## ++# ++# Unconfined notrans Local policy ++# ++ ++allow unconfined_notrans_t self:process { execstack execmem }; ++unconfined_domain_noaudit(unconfined_notrans_t) ++domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) 
++# Allow SELinux aware applications to request rpm_script execution ++rpm_transition_script(unconfined_notrans_t) ++domain_ptrace_all_domains(unconfined_notrans_t) ++ ++optional_policy(` ++ gen_require(` ++ type mplayer_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) ++') ++ ++optional_policy(` ++tunable_policy(`allow_unconfined_nsplugin_transition',`', ` ++ gen_require(` ++ type mozilla_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) ++') ++') ++ ++optional_policy(` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) ++') ++ ++######################################## ++# ++# Unconfined mount local policy ++# ++ ++optional_policy(` ++ gen_require(` ++ type unconfined_mount_t; ++ ') ++ ++ files_etc_filetrans_etc_runtime(unconfined_mount_t,file) ++ ++ rpc_domtrans_rpcd(unconfined_mount_t) ++ ++ unconfined_domain_noaudit(unconfined_mount_t) ++ optional_policy(` ++ hal_dbus_chat(unconfined_mount_t) ++ ') ++') ++ ++gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++ ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.12/policy/modules/roles/unprivuser.te --- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-11-11 16:13:47.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/unprivuser.te 2009-04-07 16:01:44.000000000 -0400 
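Review bot: In unconfineduser.te the boolean `allow_unconfined_mmap_low` is declared with gen_tunable() but is never referenced in this hunk, while `domain_mmap_low(unconfined_t)` is applied unconditionally in the local policy section; unless the tunable is consumed inside domain_mmap_low() or by another module, the boolean does nothing and unconfined_t can always map low memory, which is precisely what its description says it is meant to gate. If the gate belongs here, wrap that call in a tunable_policy block on allow_unconfined_mmap_low the way the unconfined_login block a few lines below is written. Separately, the header of unconfineduser.if reads `Unconfiend user role` and the unconfined_domtrans_to and unconfined_run_to descriptions say `This is a interface`; these should read `Unconfined user role` and `This is an interface`. The interface `unconfined_set_rlimitnh` grants `rlimitinh`, so its name looks misspelled; if it was carried over from unconfined.if keep the name for existing callers, but say so in its summary.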
@@ -9188,7 +10331,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.12/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cron.te 2009-04-09 05:33:16.000000000 -0400 @@ -38,6 +38,10 @@ type cron_var_lib_t; files_type(cron_var_lib_t) @@ -9395,7 +10538,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -314,9 +372,13 @@ +@@ -303,6 +361,7 @@ + allow system_cronjob_t crond_t:fd use; + allow system_cronjob_t crond_t:fifo_file rw_file_perms; + allow system_cronjob_t crond_t:process sigchld; ++allow crond_t system_cronjob_t:key manage_key_perms; + + # Write /var/lock/makewhatis.lock. + allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; +@@ -314,9 +373,13 @@ filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -9410,7 +10561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -370,7 +432,8 @@ +@@ -370,7 +433,8 @@ init_read_utmp(system_cronjob_t) init_dontaudit_rw_utmp(system_cronjob_t) # prelink tells init to restart it self, we either need to allow or dontaudit 
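Review bot: The added `allow crond_t system_cronjob_t:key manage_key_perms;` has no why-comment, while the neighbouring rules in this block are annotated (e.g. `# Write /var/lock/makewhatis.lock.`). manage_key_perms is the widest keyring permission set; if crond only needs to search or link the job's keyring, a narrower set should be named, and either way a line such as `# crond manipulates the session keyring it sets up for system cron jobs -- confirm which operation is denied` above it would record the reason. The enclosing system_cronjob_t rule block continues outside the hunk.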
@@ -9420,7 +10571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(system_cronjob_t) -@@ -378,6 +441,7 @@ +@@ -378,6 +442,7 @@ libs_exec_ld_so(system_cronjob_t) logging_read_generic_logs(system_cronjob_t) @@ -9428,7 +10579,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) -@@ -418,6 +482,10 @@ +@@ -418,6 +483,10 @@ ') optional_policy(` @@ -9439,7 +10590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ftp_read_log(system_cronjob_t) ') -@@ -428,11 +496,20 @@ +@@ -428,11 +497,20 @@ ') optional_policy(` @@ -9460,7 +10611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -447,6 +524,7 @@ +@@ -447,6 +525,7 @@ prelink_read_cache(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_delete_cache(system_cronjob_t) @@ -9468,7 +10619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -460,8 +538,7 @@ +@@ -460,8 +539,7 @@ ') optional_policy(` @@ -9478,7 +10629,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -469,24 +546,17 @@ +@@ -469,24 +547,17 @@ ') optional_policy(` @@ -9506,7 +10657,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cronjob_t self:process { signal_perms setsched }; allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; -@@ -570,6 +640,9 @@ +@@ -570,6 +641,9 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) 
@@ -9721,7 +10872,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.12/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/cups.te 2009-04-08 08:57:24.000000000 -0400 @@ -20,9 +20,18 @@ type cupsd_etc_t; files_config_file(cupsd_etc_t) @@ -9752,7 +10903,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type hplip_etc_t; files_config_file(hplip_etc_t) -@@ -65,6 +78,16 @@ +@@ -55,6 +68,9 @@ + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) + ++type hplip_tmp_t; ++files_tmp_file(hplip_tmp_t) ++ + type ptal_t; + type ptal_exec_t; + init_daemon_domain(ptal_t, ptal_exec_t) +@@ -65,6 +81,16 @@ type ptal_var_run_t; files_pid_file(ptal_var_run_t) @@ -9769,7 +10930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mcs',` init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ') -@@ -79,13 +102,14 @@ +@@ -79,13 +105,14 @@ # # /usr/lib/cups/backend/serial needs sys_admin(?!) @@ -9787,7 +10948,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; allow cupsd_t self:appletalk_socket create_socket_perms; -@@ -97,6 +121,9 @@ +@@ -97,6 +124,9 @@ read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) files_search_etc(cupsd_t) 
@@ -9797,7 +10958,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) -@@ -104,8 +131,11 @@ +@@ -104,8 +134,11 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) @@ -9811,7 +10972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) allow cupsd_t cupsd_log_t:dir setattr; -@@ -116,13 +146,20 @@ +@@ -116,13 +149,20 @@ manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t) files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) @@ -9834,7 +10995,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_t hplip_var_run_t:file read_file_perms; stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) -@@ -149,44 +186,49 @@ +@@ -149,44 +189,49 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -9889,7 +11050,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +237,16 @@ +@@ -195,15 +240,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -9910,7 +11071,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(cupsd_t) # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* -@@ -217,17 +260,21 @@ +@@ -217,17 +263,21 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) 
@@ -9935,7 +11096,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -244,8 +291,16 @@ +@@ -244,8 +294,16 @@ userdom_dbus_send_all_users(cupsd_t) optional_policy(` @@ -9952,7 +11113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -261,6 +316,10 @@ +@@ -261,6 +319,10 @@ ') optional_policy(` @@ -9963,7 +11124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -279,7 +338,7 @@ +@@ -279,7 +341,7 @@ # Cups configuration daemon local policy # @@ -9972,7 +11133,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -302,8 +361,10 @@ +@@ -302,8 +364,10 @@ allow cupsd_config_t cupsd_log_t:file rw_file_perms; @@ -9985,7 +11146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t cupsd_var_run_t:file read_file_perms; -@@ -311,7 +372,7 @@ +@@ -311,7 +375,7 @@ files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file) kernel_read_system_state(cupsd_config_t) @@ -9994,7 +11155,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(cupsd_config_t) corenet_all_recvfrom_netlabel(cupsd_config_t) -@@ -324,6 +385,7 @@ +@@ -324,6 +388,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) 
@@ -10002,7 +11163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -341,13 +403,14 @@ +@@ -341,13 +406,14 @@ files_read_var_symlinks(cupsd_config_t) # Alternatives asks for this @@ -10018,7 +11179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_dontaudit_search_config(cupsd_config_t) -@@ -359,14 +422,16 @@ +@@ -359,14 +425,16 @@ lpd_read_config(cupsd_config_t) ifdef(`distro_redhat',` @@ -10037,7 +11198,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -382,6 +447,7 @@ +@@ -382,6 +450,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -10045,7 +11206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -491,7 +557,10 @@ +@@ -491,7 +560,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; @@ -10057,18 +11218,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(hplip_t) -@@ -500,6 +569,10 @@ +@@ -500,6 +572,13 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) +fs_rw_anon_inodefs_files(hplip_t) + +read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t) ++ ++manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) ++files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) + manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -529,7 +602,8 @@ +@@ -529,7 +608,8 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
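Review bot: `files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )` has a stray space before the closing parenthesis; the rest of cups.te writes the class argument without it (`files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })` earlier in the file), so it should read `files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)`. The two new hplip_tmp_t rules are also inserted between the hplip_etc_t read rules and the hplip_var_run_t rules with no comment; a short line naming which hplip component creates the fifo in /tmp would help the next reader (the consumer of the fifo is not visible here).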
@@ -10078,7 +11242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) -@@ -553,7 +627,9 @@ +@@ -553,7 +633,9 @@ userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -10089,7 +11253,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` dbus_system_bus_client(hplip_t) -@@ -635,3 +711,49 @@ +@@ -635,3 +717,49 @@ optional_policy(` udev_read_db(ptal_t) ') @@ -10516,8 +11680,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_udp_sendrecv_all_ports(dcc_client_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.12/policy/modules/services/devicekit.fc --- nsaserefpolicy/policy/modules/services/devicekit.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,8 @@ ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.fc 2009-04-11 06:40:12.000000000 -0400 +@@ -0,0 +1,9 @@ + +/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0) +/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) 
@@ -10526,9 +11690,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) + +/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) ++/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-09 05:23:51.000000000 -0400 @@ -0,0 +1,197 @@ + +## policy for devicekit @@ -10729,8 +11894,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.12/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,217 @@ ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.te 2009-04-11 08:02:27.000000000 -0400 +@@ -0,0 +1,235 @@ +policy_module(devicekit,1.0.0) + +######################################## 
@@ -10742,20 +11907,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type devicekit_exec_t; +dbus_system_domain(devicekit_t, devicekit_exec_t) + -+permissive devicekit_t; -+ +type devicekit_power_t; +type devicekit_power_exec_t; +dbus_system_domain(devicekit_power_t, devicekit_power_exec_t) + -+permissive devicekit_power_t; -+ +type devicekit_disk_t; +type devicekit_disk_exec_t; +dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t) + -+permissive devicekit_disk_t; -+ +type devicekit_tmp_t; +files_tmp_file(devicekit_tmp_t) + @@ -10882,7 +12041,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# DeviceKit disk local policy +# + -+allow devicekit_disk_t self:capability { sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; + +manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) @@ -10895,21 +12054,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corecmd_exec_bin(devicekit_disk_t) + -+dev_read_sysfs(devicekit_disk_t) ++dev_rw_sysfs(devicekit_disk_t) +dev_read_urand(devicekit_disk_t) +dev_getattr_usbfs_dirs(devicekit_disk_t) +dev_manage_generic_files(devicekit_disk_t) + +kernel_read_software_raid_state(devicekit_disk_t) ++kernel_setsched(devicekit_disk_t) + +files_manage_mnt_dirs(devicekit_disk_t) +files_read_etc_files(devicekit_disk_t) +files_read_etc_runtime_files(devicekit_disk_t) +files_read_usr_files(devicekit_disk_t) ++files_manage_isid_type_dirs(devicekit_disk_t) + +fs_list_inotifyfs(devicekit_disk_t) ++fs_mount_all_fs(devicekit_disk_t) ++fs_unmount_all_fs(devicekit_disk_t) + +storage_raw_read_fixed_disk(devicekit_disk_t) ++storage_raw_write_fixed_disk(devicekit_disk_t) +storage_raw_read_removable_device(devicekit_disk_t) +storage_raw_write_removable_device(devicekit_disk_t) + 
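Review bot: The capability set of devicekit_disk_t grows from `{ sys_nice sys_ptrace sys_rawio }` to `{ chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }`, and the following hunk adds `storage_raw_write_fixed_disk`, `fs_mount_all_fs`, `fs_unmount_all_fs`, `dev_rw_sysfs` and `files_manage_isid_type_dirs`, none with a comment. dac_override combined with raw write access to fixed disks and mount/unmount of every filesystem type makes this domain roughly as powerful as the mount and fstools domains, so each addition should record the DeviceKit-disks operation that produced the denial (presumably mounting/formatting media and fixing ownership of the mount point, but that is not visible here). A line such as `# DeviceKit-disks mounts/formats media: needs raw disk write, mount/umount and ownership changes on the mount point -- confirm` above the capability rule, and a similar one above the fs_/storage_ calls, would let a later reviewer judge whether dac_override is still required.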
@@ -10920,6 +12084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(devicekit_disk_t) + +userdom_read_all_users_state(devicekit_disk_t) ++userdom_search_user_home_dirs(devicekit_disk_t) + +optional_policy(` + fstools_domtrans(devicekit_disk_t) @@ -10948,6 +12113,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + consolekit_dbus_chat(devicekit_disk_t) + ') +') ++ ++optional_policy(` ++ udev_domtrans(devicekit_disk_t) ++ udev_read_db(devicekit_disk_t) ++') ++ ++ ++ifdef(`TESTING',` ++ permissive devicekit_t; ++ permissive devicekit_power_t; ++ permissive devicekit_disk_t; ++',` ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.12/policy/modules/services/dhcp.if --- nsaserefpolicy/policy/modules/services/dhcp.if 2008-11-18 18:57:20.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/dhcp.if 2009-04-07 16:01:44.000000000 -0400 @@ -12025,7 +13208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.12/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/hal.if 2009-04-09 10:12:15.000000000 -0400 @@ -20,6 +20,24 @@ ######################################## 
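Review bot: In the non-TESTING branch of the new ifdef at the end of devicekit.te all three domains are passed to `unconfined_domain(...)`, so whenever the unconfined module is loaded every per-domain allow rule added above (including the widened devicekit_disk_t capability set) is superseded, and unlike the `permissive devicekit_*_t;` lines this commit removes from the declarations, no denials are logged that would show which rules are still missing. If the intent is to ship these domains unconfined until the policy is complete, say so in a comment, e.g. `# DeviceKit domains are not yet confined outside TESTING builds; drop the unconfined_domain() calls once the rules above are known to be sufficient`, and consider keeping them permissive instead so that denials are still recorded. Whether the build defines TESTING is not visible here. As a style point, the ifdef is preceded by two consecutive blank lines where the rest of the file uses one.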
@@ -12063,7 +13246,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -340,3 +355,62 @@ +@@ -170,6 +185,24 @@ + + ######################################## + ## ++## Allo read/write to a hal unix datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hal_rw_dgram_sockets',` ++ gen_require(` ++ type hald_t; ++ ') ++ ++ dontaudit $1 hald_t:unix_dgram_socket { read write }; ++') ++ ++######################################## ++## + ## Send to hal over a unix domain + ## stream socket. + ## +@@ -340,3 +373,62 @@ files_search_pids($1) allow $1 hald_var_run_t:file rw_file_perms; ') @@ -12128,7 +13336,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-11 07:33:35.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12252,7 +13460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(hald_mac_t) ######################################## -@@ -415,6 +456,53 @@ +@@ -415,6 +456,55 @@ dev_rw_input_dev(hald_keymap_t) @@ -12295,6 +13503,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +kernel_search_network_sysctl(hald_dccm_t) + ++logging_send_syslog_msg(hald_dccm_t) ++ +manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) +files_search_var_lib(hald_dccm_t) 
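Review bot: The new interface `hal_rw_dgram_sockets` is named and documented as granting read/write (`## Allo read/write to a hal unix datagram socket.`, with "Allow" misspelled), but its body is `dontaudit $1 hald_t:unix_dgram_socket { read write };`, which only silences denials; a caller expecting the access to work will still be denied. Either the body should be `allow $1 hald_t:unix_dgram_socket { read write };`, or the interface should be renamed `hal_dontaudit_rw_dgram_sockets` with the summary `## Do not audit attempts to read and write a hal unix datagram socket.`. Callers of this interface are not visible here, so which was intended cannot be told from the hunk.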
@@ -22401,7 +23611,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.12/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-08 08:34:37.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/xserver.te 2009-04-09 05:40:02.000000000 -0400 @@ -34,6 +34,13 @@ ## @@ -22968,7 +24178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -774,6 +915,10 @@ +@@ -774,12 +915,16 @@ ') optional_policy(` @@ -22979,6 +24189,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rhgb_getpgid(xserver_t) rhgb_signal(xserver_t) ') + + optional_policy(` +- unconfined_domain_noaudit(xserver_t) ++ unconfined_domain(xserver_t) + unconfined_domtrans(xserver_t) + ') + @@ -806,7 +951,7 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -23049,7 +24266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -972,17 +1134,51 @@ +@@ -972,17 +1134,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -23083,10 +24300,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # xserver signals unconfined user on startx + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) -+ unconfined_domain(xserver_t) +') + -+ +tunable_policy(`allow_xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') 
@@ -23682,8 +24897,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-07 16:01:44.000000000 -0400 -@@ -280,6 +280,28 @@ ++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-09 10:06:45.000000000 -0400 +@@ -280,6 +280,29 @@ kernel_dontaudit_use_fds($1) ') ') @@ -23709,10 +24924,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + xserver_rw_xdm_home_files($1) + ') ++ init_rw_script_stream_sockets($1) ') ######################################## -@@ -546,7 +568,7 @@ +@@ -546,7 +569,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -23721,7 +24937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +641,19 @@ +@@ -619,18 +642,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -23745,7 +24961,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +669,43 @@ +@@ -646,23 +670,43 @@ # interface(`init_domtrans_script',` gen_require(` @@ -23793,7 +25009,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute a init script in a specified domain. ## ## -@@ -1291,6 +1334,25 @@ +@@ -1291,6 +1335,25 @@ ######################################## ## @@ -23819,7 +25035,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1583,51 @@ +@@ -1521,3 +1584,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -23873,7 +25089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-09 10:19:55.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -23968,15 +25184,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol can_exec(initrc_t, init_script_file_type) -@@ -230,6 +258,7 @@ +@@ -230,10 +258,16 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t,initrc_var_run_t,file) +files_manage_generic_pids_symlinks(initrc_t) can_exec(initrc_t,initrc_tmp_t) - allow initrc_t initrc_tmp_t:file manage_file_perms; -@@ -249,15 +278,19 @@ +-allow initrc_t initrc_tmp_t:file manage_file_perms; +-allow initrc_t initrc_tmp_t:dir manage_dir_perms; ++allow initrc_t initrc_tmp_t:file relabelfrom; ++manage_chr_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) ++manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) + files_tmp_filetrans(initrc_t,initrc_tmp_t, { file dir }) + + init_write_initctl(initrc_t) +@@ -249,15 +283,19 @@ kernel_rw_all_sysctls(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) 
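Review bot: `manage_blk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)` is added twice in a row in the initrc_tmp_t block; the second copy should be dropped. The block also replaces the plain file/dir manage rules with `allow initrc_t initrc_tmp_t:file relabelfrom;` plus management of character and block device nodes under the tmp type, without a comment; device nodes in a temporary directory are unusual enough that the init script creating them should be named, e.g. `# <init script -- confirm> creates device nodes and relabels files under its tmp dir`. The enclosing initrc_t rule block continues outside the hunk.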
@@ -24000,7 +25227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -274,7 +307,7 @@ +@@ -274,12 +312,14 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -24009,7 +25236,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -328,7 +361,7 @@ + # Wants to remove udev.tbl: + dev_delete_generic_symlinks(initrc_t) ++dev_getattr_all_blk_files(initrc_t) ++dev_getattr_all_chr_files(initrc_t) + + fs_register_binary_executable_type(initrc_t) + # rhgb-console writes to ramfs +@@ -328,7 +368,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -24018,7 +25252,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -366,7 +399,9 @@ +@@ -343,14 +383,13 @@ + files_getattr_all_pipes(initrc_t) + files_getattr_all_sockets(initrc_t) + files_purge_tmp(initrc_t) +-files_delete_all_locks(initrc_t) ++files_manage_all_locks(initrc_t) + files_read_all_pids(initrc_t) + files_delete_all_pids(initrc_t) + files_delete_all_pid_dirs(initrc_t) + files_read_etc_files(initrc_t) + files_manage_etc_runtime_files(initrc_t) + files_etc_filetrans_etc_runtime(initrc_t,file) +-files_manage_generic_locks(initrc_t) + files_exec_etc_files(initrc_t) + files_read_usr_files(initrc_t) + files_manage_urandom_seed(initrc_t) +@@ -366,7 +405,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) 
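Review bot: `files_delete_all_locks(initrc_t)` becomes `files_manage_all_locks(initrc_t)` and `files_manage_generic_locks(initrc_t)` is dropped, which widens initrc_t from deleting to fully managing every lock file type while removing the narrower generic-lock rule that previously covered creation. No comment records which init script needed to create or write a lock file of another domain's type; a line such as `# confirm: which init script writes lock files labelled with another domain's lock type` above the new call would make the widening reviewable. The same hunk adds `dev_getattr_all_blk_files(initrc_t)` and `dev_getattr_all_chr_files(initrc_t)` without explanation; the enclosing block runs past the hunk.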
@@ -24028,7 +25278,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +486,7 @@ +@@ -451,7 +492,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -24037,7 +25287,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) -@@ -498,6 +533,7 @@ +@@ -465,6 +506,7 @@ + storage_raw_read_fixed_disk(initrc_t) + storage_raw_write_fixed_disk(initrc_t) + ++ files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) + # wants to read /.fonts directory +@@ -498,6 +540,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -24045,7 +25303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +552,31 @@ +@@ -516,6 +559,31 @@ ') ') @@ -24077,7 +25335,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +631,10 @@ +@@ -570,6 +638,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -24088,7 +25346,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -655,12 +720,6 @@ +@@ -647,6 +719,11 @@ + ') + + optional_policy(` ++ iscsi_stream_connect(initrc_t) ++ iscsi_read_lib_files(initrc_t) ++') ++ ++optional_policy(` + mailman_list_data(initrc_t) + mailman_read_data_symlinks(initrc_t) + ') +@@ -655,12 +732,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') 
@@ -24101,7 +25371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +780,9 @@ +@@ -721,6 +792,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -24111,7 +25381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +795,12 @@ +@@ -733,10 +807,12 @@ squid_manage_logs(initrc_t) ') @@ -24124,7 +25394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +818,11 @@ +@@ -754,6 +830,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -24136,7 +25406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -761,6 +830,8 @@ +@@ -761,6 +842,8 @@ # system-config-services causes avc messages that should be dontaudited unconfined_dontaudit_rw_pipes(daemon) ') @@ -24145,7 +25415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mono_domtrans(initrc_t) -@@ -768,6 +839,10 @@ +@@ -768,6 +851,10 @@ ') optional_policy(` @@ -24156,7 +25426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +865,19 @@ +@@ -790,3 +877,21 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -24176,6 +25446,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_dontaudit_rw_cifs_files(daemon) + ') +') ++ ++init_rw_script_stream_sockets(daemon) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-04-06 12:42:08.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-04-07 16:01:44.000000000 -0400 
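Review bot: `init_rw_script_stream_sockets(daemon)` is appended as the last line of init.te, after the final optional_policy block and outside any section header, with no comment saying why every domain carrying the daemon attribute needs read/write on init-script stream sockets. The init.if hunk in this same commit also adds `init_rw_script_stream_sockets($1)` inside an interface body, so domains reaching that interface may now receive the rule twice (harmless but redundant); this cannot be confirmed from here. Suggest a comment such as `# daemons inherit the init script's stream socket fds -- confirm; see init_rw_script_stream_sockets in init.if` and placing the call next to the other `daemon` rules rather than after the optional blocks.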
@@ -24245,6 +25517,53 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(iptables_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.12/policy/modules/system/iscsi.if +--- nsaserefpolicy/policy/modules/system/iscsi.if 2008-08-07 11:15:12.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/iscsi.if 2009-04-09 10:18:10.000000000 -0400 +@@ -17,3 +17,43 @@ + + domtrans_pattern($1,iscsid_exec_t,iscsid_t) + ') ++ ++######################################## ++## ++## Read iscsi lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_read_lib_files',` ++ gen_require(` ++ type iscsi_var_lib_t; ++ ') ++ ++ read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t) ++ allow $1 iscsi_var_lib_t:dir list_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Connect to ISCSI using a unix domain stream socket. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`iscsi_stream_connect',` ++ gen_require(` ++ type iscsi_t, iscsi_var_lib_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsi_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.12/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-03-20 12:39:39.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/system/iscsi.te 2009-04-07 16:01:44.000000000 -0400 
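Review bot: `iscsi_stream_connect` requires `type iscsi_t, iscsi_var_lib_t;` and connects to `iscsi_t`, but the existing interface at the top of the same file names the daemon domain `iscsid_t` (`domtrans_pattern($1,iscsid_exec_t,iscsid_t)`); unless iscsi.te also declares an `iscsi_t` type (not visible here), the gen_require fails for every caller, including the `iscsi_stream_connect(initrc_t)` call this commit adds to init.te. The interface also calls `files_search_pids($1)` while the socket it connects to is labelled `iscsi_var_lib_t`, so the search permission should follow the socket's location as `iscsi_read_lib_files` does: `type iscsid_t, iscsi_var_lib_t;`, `files_search_var_lib($1)`, `stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)`. The summary `## Connect to ISCSI using a unix domain stream socket.` would also read better as `## Connect to iscsid using a unix domain stream socket.`.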
@@ -24758,7 +26077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.12/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/lvm.te 2009-04-09 10:07:34.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t,clvmd_exec_t) @@ -24899,15 +26218,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(lvm_t) kernel_read_kernel_sysctls(lvm_t) -@@ -192,6 +227,7 @@ +@@ -192,6 +227,8 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) +kernel_use_fds(lvm_t) ++kernel_search_debugfs(lvm_t) selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -221,6 +257,7 @@ +@@ -221,6 +258,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -24915,7 +26235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_xattr_fs(lvm_t) fs_search_auto_mountpoints(lvm_t) -@@ -239,12 +276,18 @@ +@@ -239,12 +277,18 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -24934,7 +26254,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: -@@ -253,6 +296,7 @@ +@@ -253,6 +297,7 @@ init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) 
@@ -24942,7 +26262,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(lvm_t) -@@ -283,5 +327,22 @@ +@@ -283,5 +328,22 @@ ') optional_policy(` @@ -25134,7 +26454,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.12/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/mount.te 2009-04-09 05:37:08.000000000 -0400 @@ -18,17 +18,21 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; @@ -25324,7 +26644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -185,6 +226,7 @@ +@@ -185,14 +226,24 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -25332,23 +26652,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -194,5 +236,30 @@ - - optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t,file) -+ -+ rpc_domtrans_rpcd(unconfined_mount_t) -+ - unconfined_domain(unconfined_mount_t) -+ optional_policy(` -+ hal_dbus_chat(unconfined_mount_t) -+') -+') -+ -+######################################## -+# + # +-# Unconfined mount local policy +# ntfs local policy -+# + # +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; 
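Review bot: Inner hunk `@@ -25332,23 +26652,10 @@` here and `@@ -25356,8 +26663,10 @@` on the next line together stop adding to the `unconfined_mount_t` section and remove upstream's `files_etc_filetrans_etc_runtime(unconfined_mount_t,file)` and `unconfined_domain(unconfined_mount_t)`, while the type's declaration (outside the hunk) presumably stays in mount.te. Nothing on this page shows where those rules go: if the new unconfineduser module re-adds them, mount.te is left declaring a domain whose policy lives in another module, and if nothing re-adds them `unconfined_mount_t` becomes a near-empty domain that any remaining `mount_run_unconfined` transition lands in. A comment above the retained declaration, e.g. `# unconfined_mount_t policy moved to unconfineduser.te — TODO confirm`, would make the split explicit. The replacement header `# ntfs local policy` also under-describes the `allow mount_t self:...` rules beneath it, which apply to mount_t for every filesystem, not only NTFS.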
@@ -25356,8 +26663,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +corecmd_exec_shell(mount_t) + +modutils_domtrans_insmod(mount_t) -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t,file) +- unconfined_domain(unconfined_mount_t) + hal_write_log(mount_t) + hal_use_fds(mount_t) + hal_rw_pipes(mount_t) @@ -25406,7 +26715,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.12/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/selinuxutil.if 2009-04-09 09:12:25.000000000 -0400 @@ -535,6 +535,53 @@ ######################################## 
@@ -26586,19 +27895,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.12/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2009-04-07 15:53:36.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-07 16:01:44.000000000 -0400 -@@ -210,6 +210,10 @@ ++++ serefpolicy-3.6.12/policy/modules/system/udev.te 2009-04-09 05:27:54.000000000 -0400 +@@ -210,6 +210,11 @@ ') optional_policy(` + devicekit_read_pid_files(udev_t) ++ devicekit_dgram_send(udev_t) +') + +optional_policy(` lvm_domtrans(udev_t) ') -@@ -242,6 +246,10 @@ +@@ -219,6 +224,7 @@ + + optional_policy(` + hal_dgram_send(udev_t) ++ hal_rw_dgram_sockets(udev_t) + ') + + optional_policy(` +@@ -242,6 +248,10 @@ ') optional_policy(` 
@@ -26611,11 +27929,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_manage_log(udev_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.12/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.fc 2009-04-07 16:01:44.000000000 -0400 -@@ -2,15 +2,28 @@ - # e.g.: - # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) - # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.fc 2009-04-09 04:45:11.000000000 -0400 +@@ -1,16 +1 @@ + # Add programs here which should not be confined by SELinux +-# e.g.: +-# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) +-# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) 
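Review bot: Inner hunk `@@ -1,16 +1 @@` reduces unconfined.fc to its single comment line, and the hunk on the next line (`@@ -26624,35 +27943,13 @@`) drops the `execmem_exec_t` and `unconfined_notrans_exec_t` labelings the previous revision of this patch added (valgrind, vncserver, mock, sysreport, sbcl, the GHC and erlang binaries, realplay). Nothing visible re-adds those file contexts; if they are not carried into the new module's .fc, those binaries fall back to their default label and quietly lose the execmem/notrans transitions, a behaviour change rather than a build error. Worth confirming, and worth a pointer next to the retained line such as `# execmem/notrans program labels moved to unconfineduser.fc — TODO confirm`.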
@@ -26624,35 +27943,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) - -/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/valgrind -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) - -+/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - ifdef(`distro_gentoo',` +- +-ifdef(`distro_gentoo',` -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) - ') -+/usr/bin/sbcl -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) -+ -+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +-') diff -b -B 
--ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-09 04:57:07.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` 
@@ -26712,607 +28009,661 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -227,13 +238,9 @@ +@@ -111,6 +122,10 @@ + ## # - interface(`unconfined_shell_domtrans',` - gen_require(` + interface(`unconfined_domain',` ++ gen_require(` ++ attribute unconfined_services; ++ ') ++ + unconfined_domain_noaudit($1) + + tunable_policy(`allow_execheap',` +@@ -173,411 +188,3 @@ + refpolicywarn(`$0($1) has been deprecated.') + ') + +-######################################## +-## +-## Transition to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_domtrans',` +- gen_require(` +- type unconfined_t, unconfined_exec_t; +- ') +- +- domtrans_pattern($1,unconfined_exec_t,unconfined_t) +-') +- +-######################################## +-## +-## Execute specified programs in the unconfined domain. +-## +-## +-## +-## The type of the process performing this action. +-## +-## +-## +-## +-## The role to allow the unconfined domain. +-## +-## +-# +-interface(`unconfined_run',` +- gen_require(` - type unconfined_t; -+ attribute unconfined_login_domain; - ') +- ') +- +- unconfined_domtrans($1) +- role $2 types unconfined_t; +-') +- +-######################################## +-## +-## Transition to the unconfined domain by executing a shell. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_shell_domtrans',` +- gen_require(` +- type unconfined_t; +- ') - - corecmd_shell_domtrans($1,unconfined_t) - allow unconfined_t $1:fd use; - allow unconfined_t $1:fifo_file rw_file_perms; - allow unconfined_t $1:process sigchld; -+ typeattribute $1 unconfined_login_domain; - ') - - ######################################## -@@ -367,6 +374,42 @@ - - ######################################## - ## -+## Send a SIGNULL signal to the unconfined execmem domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`unconfined_execmem_signull',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:process signull; -+') -+ -+######################################## -+## -+## Send a signal to the unconfined execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_signal',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:process signal; -+') -+ -+######################################## -+## - ## Send generic signals to the unconfined domain. - ## - ## -@@ -458,6 +501,25 @@ - - ######################################## - ## -+## Do not audit attempts to read and write -+## unconfined domain stream. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`unconfined_dontaudit_rw_stream',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms; -+') -+ -+######################################## -+## - ## Connect to the unconfined domain using - ## a unix domain stream socket. - ## -@@ -581,3 +643,150 @@ - - allow $1 unconfined_t:dbus acquire_svc; - ') -+ -+######################################## -+## -+## Allow ptrace of unconfined domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_ptrace',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process ptrace; -+') -+ -+######################################## -+## -+## Read and write to unconfined shared memory. -+## -+## -+## -+## The type of the process performing this action. -+## -+## -+# -+interface(`unconfined_rw_shm',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Read and write to unconfined execmem shared memory. -+## -+## -+## -+## The type of the process performing this action. 
-+## -+## -+# -+interface(`unconfined_execmem_rw_shm',` -+ gen_require(` -+ type unconfined_execmem_t; -+ ') -+ -+ allow $1 unconfined_execmem_t:shm rw_shm_perms; -+') -+ -+######################################## -+## -+## Transition to the unconfined_execmem domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_domtrans',` -+ -+ gen_require(` -+ type unconfined_execmem_t, execmem_exec_t; -+ ') -+ -+ domtrans_pattern($1, execmem_exec_t, unconfined_execmem_t) -+') -+ -+######################################## -+## -+## execute the execmem applications -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_execmem_exec',` -+ -+ gen_require(` -+ type execmem_exec_t; -+ ') -+ -+ can_exec($1, execmem_exec_t) -+') -+ -+######################################## -+## -+## Allow apps to set rlimits on userdomain -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_set_rlimitnh',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process rlimitinh; -+') -+ -+######################################## -+## -+## Get the process group of unconfined. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`unconfined_getpgid',` -+ gen_require(` -+ type unconfined_t; -+ ') -+ -+ allow $1 unconfined_t:process getpgid; -+') -+ -+######################################## -+## -+## Change to the unconfined role. -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`unconfined_role_change',` -+ gen_require(` -+ role unconfined_r; -+ ') -+ -+ allow $1 unconfined_r; -+') +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. +-## +-## +-##

+-## Allow unconfined to execute the specified program in +-## the specified domain. +-##

+-##

+-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

+-##
+-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_domtrans_to',` +- gen_require(` +- type unconfined_t; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +-') +- +-######################################## +-## +-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-## +-## +-##

+-## Allow unconfined to execute the specified program in +-## the specified domain. Allow the specified domain the +-## unconfined role and use of unconfined user terminals. +-##

+-##

+-## This is a interface to support third party modules +-## and its use is not allowed in upstream reference +-## policy. +-##

+-##
+-## +-## +-## Domain to execute in. +-## +-## +-## +-## +-## Domain entry point file. +-## +-## +-# +-interface(`unconfined_run_to',` +- gen_require(` +- type unconfined_t; +- role unconfined_r; +- ') +- +- domtrans_pattern(unconfined_t,$2,$1) +- role unconfined_r types $1; +- userdom_use_user_terminals($1) +-') +- +-######################################## +-## +-## Inherit file descriptors from the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_use_fds',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fd use; +-') +- +-######################################## +-## +-## Send a SIGCHLD signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_sigchld',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process sigchld; +-') +- +-######################################## +-## +-## Send a SIGNULL signal to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signull',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signull; +-') +- +-######################################## +-## +-## Send generic signals to the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_signal',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:process signal; +-') +- +-######################################## +-## +-## Read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file read_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`unconfined_dontaudit_read_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file read; +-') +- +-######################################## +-## +-## Read and write unconfined domain unnamed pipes. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:fifo_file rw_fifo_file_perms; +-') +- +-######################################## +-## +-## Do not audit attempts to read and write +-## unconfined domain unnamed pipes. +-## +-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_pipes',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:fifo_file rw_file_perms; +-') +- +-######################################## +-## +-## Connect to the unconfined domain using +-## a unix domain stream socket. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_stream_connect',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:unix_stream_socket connectto; +-') +- +-######################################## +-## +-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-## +-## +-##

+-## Do not audit attempts to read or write +-## unconfined domain tcp sockets. +-##

+-##

+-## This interface was added due to a broken +-## symptom in ldconfig. +-##

+-##
+-## +-## +-## Domain to not audit. +-## +-## +-# +-interface(`unconfined_dontaudit_rw_tcp_sockets',` +- gen_require(` +- type unconfined_t; +- ') +- +- dontaudit $1 unconfined_t:tcp_socket { read write }; +-') +- +-######################################## +-## +-## Create keys for the unconfined domain. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_create_keys',` +- gen_require(` +- type unconfined_t; +- ') +- +- allow $1 unconfined_t:key create; +-') +- +-######################################## +-## +-## Send messages to the unconfined domain over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_send',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +-') +- +-######################################## +-## +-## Send and receive messages from +-## unconfined_t over dbus. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`unconfined_dbus_chat',` +- gen_require(` +- type unconfined_t; +- class dbus send_msg; +- ') +- +- allow $1 unconfined_t:dbus send_msg; +- allow unconfined_t $1:dbus send_msg; +-') +- +-######################################## +-## +-## Connect to the the unconfined DBUS +-## for service (acquire_svc). +-## +-## +-## +-## Domain allowed access. 
+-## +-## +-# +-interface(`unconfined_dbus_connect',` +- gen_require(` +- type unconfined_t; +- class dbus acquire_svc; +- ') +- +- allow $1 unconfined_t:dbus acquire_svc; +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.12/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-07 16:01:44.000000000 -0400 -@@ -5,6 +5,35 @@ ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.te 2009-04-09 04:23:28.000000000 -0400 +@@ -5,227 +5,6 @@ # # Declarations # -+attribute unconfined_login_domain; -+ -+## -+##

-+## Transition to confined nsplugin domains from unconfined user -+##

-+##
-+gen_tunable(allow_unconfined_nsplugin_transition, false) -+ -+## -+##

-+## Allow a user to login as an unconfined domain -+##

-+##
-+gen_tunable(unconfined_login, true) -+ -+## -+##

-+## Allow unconfined domain to map low memory in the kernel -+##

-+##
-+gen_tunable(allow_unconfined_mmap_low, false) -+ -+## -+##

-+## Transition to confined qemu domains from unconfined user -+##

-+##
-+gen_tunable(allow_unconfined_qemu_transition, false) ++attribute unconfined_services; - # usage in this module of types created by these - # calls is not correct, however we dont currently -@@ -13,28 +42,51 @@ - userdom_manage_home_role(unconfined_r, unconfined_t) - userdom_manage_tmp_role(unconfined_r, unconfined_t) - userdom_manage_tmpfs_role(unconfined_r, unconfined_t) -+userdom_execmod_user_home_files(unconfined_t) +-# usage in this module of types created by these +-# calls is not correct, however we dont currently +-# have another method to add access to these types +-userdom_base_user_template(unconfined) +-userdom_manage_home_role(unconfined_r, unconfined_t) +-userdom_manage_tmp_role(unconfined_r, unconfined_t) +-userdom_manage_tmpfs_role(unconfined_r, unconfined_t) - type unconfined_exec_t; - init_system_domain(unconfined_t, unconfined_exec_t) -+role unconfined_r types unconfined_t; -+ -+domain_user_exemption_target(unconfined_t) -+allow system_r unconfined_r; -+allow unconfined_r system_r; -+init_script_role_transition(unconfined_r) -+role system_r types unconfined_t; -+typealias unconfined_t alias { unconfined_dbusd_t unconfined_crontab_t }; - - type unconfined_execmem_t; +-type unconfined_exec_t; +-init_system_domain(unconfined_t, unconfined_exec_t) +- +-type unconfined_execmem_t; -type unconfined_execmem_exec_t; -init_system_domain(unconfined_execmem_t, unconfined_execmem_exec_t) -+type execmem_exec_t; -+init_system_domain(unconfined_execmem_t, execmem_exec_t) - role unconfined_r types unconfined_execmem_t; -+typealias execmem_exec_t alias unconfined_execmem_exec_t; -+ -+type unconfined_notrans_t; -+type unconfined_notrans_exec_t; -+init_system_domain(unconfined_notrans_t, unconfined_notrans_exec_t) -+role unconfined_r types unconfined_notrans_t; - - ######################################## - # - # Local policy - # - +-role unconfined_r types unconfined_execmem_t; +- +-######################################## +-# +-# Local policy +-# +- 
-domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) -+dontaudit unconfined_t self:dir write; -+ -+allow unconfined_t self:system syslog_read; -+dontaudit unconfined_t self:capability sys_module; -+ -+domtrans_pattern(unconfined_t, execmem_exec_t, unconfined_execmem_t) - - files_create_boot_flag(unconfined_t) -+files_create_default_dir(unconfined_t) - - mcs_killall(unconfined_t) - mcs_ptrace_all(unconfined_t) -+mls_file_write_all_levels(unconfined_t) - - init_run_daemon(unconfined_t, unconfined_r) -+init_domtrans_script(unconfined_t) - - libs_run_ldconfig(unconfined_t, unconfined_r) - -@@ -42,26 +94,53 @@ - logging_run_auditctl(unconfined_t, unconfined_r) - - mount_run_unconfined(unconfined_t, unconfined_r) -+# Unconfined running as system_r -+mount_domtrans_unconfined(unconfined_t) - -+seutil_run_setsebool(unconfined_t, unconfined_r) - seutil_run_setfiles(unconfined_t, unconfined_r) - seutil_run_semanage(unconfined_t, unconfined_r) - - unconfined_domain(unconfined_t) -+domain_mmap_low(unconfined_t) - - userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) - -+usermanage_run_passwd(unconfined_t, unconfined_r) -+usermanage_run_chfn(unconfined_t, unconfined_r) -+ -+tunable_policy(`unconfined_login',` -+ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t) -+ allow unconfined_t unconfined_login_domain:fd use; -+ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms; -+ allow unconfined_t unconfined_login_domain:process sigchld; -+') -+ -+optional_policy(` -+ loadkeys_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ nsplugin_role_notrans(unconfined_r, unconfined_t) -+ tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_execmem_t) -+ nsplugin_domtrans_config(unconfined_execmem_t) -+ nsplugin_domtrans(unconfined_t) -+ nsplugin_domtrans_config(unconfined_t) -+ ') -+') -+ - ifdef(`distro_gentoo',` - 
seutil_run_runinit(unconfined_t, unconfined_r) - seutil_init_script_run_runinit(unconfined_t, unconfined_r) - ') - - optional_policy(` +- +-files_create_boot_flag(unconfined_t) +- +-mcs_killall(unconfined_t) +-mcs_ptrace_all(unconfined_t) +- +-init_run_daemon(unconfined_t, unconfined_r) +- +-libs_run_ldconfig(unconfined_t, unconfined_r) +- +-logging_send_syslog_msg(unconfined_t) +-logging_run_auditctl(unconfined_t, unconfined_r) +- +-mount_run_unconfined(unconfined_t, unconfined_r) +- +-seutil_run_setfiles(unconfined_t, unconfined_r) +-seutil_run_semanage(unconfined_t, unconfined_r) +- +-unconfined_domain(unconfined_t) +- +-userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file }) +- +-ifdef(`distro_gentoo',` +- seutil_run_runinit(unconfined_t, unconfined_r) +- seutil_init_script_run_runinit(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - ada_domtrans(unconfined_t) -+ ada_run(unconfined_t, unconfined_r) - ') - - optional_policy(` - apache_run_helper(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- apache_run_helper(unconfined_t, unconfined_r) - apache_role(unconfined_r, unconfined_t) - ') - - optional_policy(` -@@ -102,12 +181,24 @@ - ') - - optional_policy(` -+ gnomeclock_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` -+ kerneloops_dbus_chat(unconfined_t) -+ ') -+ -+ optional_policy(` - networkmanager_dbus_chat(unconfined_t) - ') - - optional_policy(` - oddjob_dbus_chat(unconfined_t) - ') -+ -+ optional_policy(` -+ vpnc_dbus_chat(unconfined_t) -+ ') - ') - - optional_policy(` -@@ -119,72 +210,84 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- bind_run_ndc(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- bootloader_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- cron_unconfined_role(unconfined_r, unconfined_t) +-') +- +-optional_policy(` +- init_dbus_chat_script(unconfined_t) +- +- dbus_stub(unconfined_t) +- +- optional_policy(` +- 
avahi_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- bluetooth_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- consolekit_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- cups_dbus_chat_config(unconfined_t) +- ') +- +- optional_policy(` +- hal_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- networkmanager_dbus_chat(unconfined_t) +- ') +- +- optional_policy(` +- oddjob_dbus_chat(unconfined_t) +- ') +-') +- +-optional_policy(` +- firstboot_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- ftp_run_ftpdctl(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - inn_domtrans(unconfined_t) -+ gpsd_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - java_domtrans_unconfined(unconfined_t) -+ iptables_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - lpd_run_checkpc(unconfined_t, unconfined_r) -+ java_run_unconfined(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - modutils_run_update_mods(unconfined_t, unconfined_r) -+ kismet_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - mono_domtrans(unconfined_t) -+ livecd_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - mta_role(unconfined_r, unconfined_t) -+ lpd_run_checkpc(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - oddjob_domtrans_mkhomedir(unconfined_t) -+ modutils_run_update_mods(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - prelink_run(unconfined_t, unconfined_r) -+ mono_role_template(unconfined, unconfined_r, unconfined_t) -+ unconfined_domain(unconfined_mono_t) -+ role system_r types unconfined_mono_t; - ') - - optional_policy(` +-') +- +-optional_policy(` - portmap_run_helper(unconfined_t, unconfined_r) -+ oddjob_run_mkhomedir(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` 
- postfix_run_map(unconfined_t, unconfined_r) - # cjp: this should probably be removed: - postfix_domtrans_master(unconfined_t) -+ prelink_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - pyzor_role(unconfined_r, unconfined_t) -+ portmap_run_helper(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - # cjp: this should probably be removed: - rpc_domtrans_nfsd(unconfined_t) -+ qemu_role_notrans(unconfined_r, unconfined_t) -+ qemu_unconfined_role(unconfined_r) -+ -+ tunable_policy(`allow_unconfined_qemu_transition',` -+ qemu_domtrans(unconfined_t) -+ ',` -+ qemu_domtrans_unconfined(unconfined_t) -+') - ') - - optional_policy(` - rpm_run(unconfined_t, unconfined_r) -+ # Allow SELinux aware applications to request rpm_script execution -+ rpm_transition_script(unconfined_t) -+ rpm_role_transition(unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` +- rpm_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - samba_run_net(unconfined_t, unconfined_r) -+ samba_role_notrans(unconfined_r) -+ samba_run_unconfined_net(unconfined_t, unconfined_r) - samba_run_winbind_helper(unconfined_t, unconfined_r) -+ samba_run_smbcontrol(unconfined_t, unconfined_r) - ') - - optional_policy(` +- samba_run_winbind_helper(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - spamassassin_role(unconfined_r, unconfined_t) -+ sendmail_run_unconfined(unconfined_t, unconfined_r) - ') - - optional_policy(` - sysnet_run_dhcpc(unconfined_t, unconfined_r) - sysnet_dbus_chat_dhcpc(unconfined_t) -+ sysnet_role_transition_dhcpc(unconfined_r) - ') - - optional_policy(` -@@ -192,7 +295,7 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- sysnet_run_dhcpc(unconfined_t, unconfined_r) +- sysnet_dbus_chat_dhcpc(unconfined_t) +-') +- +-optional_policy(` +- tzdata_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - usermanage_run_admin_passwd(unconfined_t, unconfined_r) -+ 
vbetool_run(unconfined_t, unconfined_r) - ') - - optional_policy(` -@@ -204,11 +307,12 @@ - ') - - optional_policy(` +-') +- +-optional_policy(` +- vpn_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` +- webalizer_run(unconfined_t, unconfined_r) +-') +- +-optional_policy(` - wine_domtrans(unconfined_t) -+ wine_run(unconfined_t, unconfined_r) - ') - - optional_policy(` +-') +- +-optional_policy(` - xserver_domtrans(unconfined_t) -+ xserver_run(unconfined_t, unconfined_r) -+ xserver_rw_shm(unconfined_t) - ') - - ######################################## -@@ -218,14 +322,61 @@ - - allow unconfined_execmem_t self:process { execstack execmem }; - unconfined_domain_noaudit(unconfined_execmem_t) -+allow unconfined_execmem_t unconfined_t:process transition; - - optional_policy(` +-') +- +-######################################## +-# +-# Unconfined Execmem Local policy +-# +- +-allow unconfined_execmem_t self:process { execstack execmem }; +-unconfined_domain_noaudit(unconfined_execmem_t) +- +-optional_policy(` - dbus_stub(unconfined_execmem_t) - - init_dbus_chat_script(unconfined_execmem_t) -+ dbus_system_bus_client(unconfined_execmem_t) - unconfined_dbus_chat(unconfined_execmem_t) -+ unconfined_dbus_connect(unconfined_execmem_t) -+') -+ -+optional_policy(` -+ avahi_dbus_chat(unconfined_execmem_t) -+') - - optional_policy(` - hal_dbus_chat(unconfined_execmem_t) - ') -+ -+optional_policy(` -+ xserver_rw_shm(unconfined_execmem_t) -+') -+ -+######################################## -+# -+# Unconfined notrans Local policy -+# -+ -+allow unconfined_notrans_t self:process { execstack execmem }; -+unconfined_domain_noaudit(unconfined_notrans_t) -+domtrans_pattern(unconfined_t, unconfined_notrans_exec_t, unconfined_notrans_t) -+# Allow SELinux aware applications to request rpm_script execution -+rpm_transition_script(unconfined_notrans_t) -+domain_ptrace_all_domains(unconfined_notrans_t) -+ -+optional_policy(` -+ gen_require(` -+ type mplayer_exec_t; -+ ') -+ 
domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t) -+') -+ -+optional_policy(` -+tunable_policy(`allow_unconfined_nsplugin_transition',`', ` -+ gen_require(` -+ type mozilla_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t) - ') -+') -+ -+optional_policy(` -+ gen_require(` -+ type openoffice_exec_t; -+ ') -+ domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t) -+') -+ -+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -+ +- init_dbus_chat_script(unconfined_execmem_t) +- unconfined_dbus_chat(unconfined_execmem_t) +- +- optional_policy(` +- hal_dbus_chat(unconfined_execmem_t) +- ') +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.12/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.fc 2009-04-07 16:01:44.000000000 -0400 @@ -27327,7 +28678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-11 07:13:54.000000000 -0400 @@ -30,8 +30,9 @@ ') 
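Review bot: `unconfined_domain` gains a `gen_require` for `attribute unconfined_services;` in inner hunk `@@ -111,6 +122,10 @@`, but no line in that hunk uses the attribute, and its only other mention is the declaration that is now the whole of unconfined.te. If the intent is to collect every domain passed to `unconfined_domain` under the attribute, the interface is missing `typeattribute $1 unconfined_services;` after the require; if the attribute is applied elsewhere, the require is dead weight and should go — the interface body continues past the inner hunk, so this may be settled out of view. Separately, inner hunk `@@ -173,411 +188,3 @@` deletes every `unconfined_t`-based interface (`unconfined_domtrans`, `unconfined_dbus_chat`, `unconfined_use_fds`, and the rest) from unconfined.if while `unconfined_domain`/`unconfined_domain_noaudit` remain, so every other module calling a deleted name must now get it from the new module's .if under the identical name, otherwise m4 leaves the call unexpanded and that module's build breaks. A build with the new module's .if absent would show which callers still depend on the old names.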
@@ -27614,7 +28965,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -368,46 +373,41 @@ +@@ -322,6 +327,7 @@ + ') + + exec_files_pattern($1, user_tmp_t, user_tmp_t) ++ dontaudit $1 user_tmp_t:sock_file execute; + files_search_tmp($1) + ') + +@@ -368,46 +374,41 @@ ####################################### ## @@ -27681,7 +29040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -420,34 +420,43 @@ +@@ -420,34 +421,43 @@ ## is the prefix for user_t). ## ## @@ -27743,7 +29102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -497,11 +506,7 @@ +@@ -497,11 +507,7 @@ attribute unpriv_userdomain; ') @@ -27756,7 +29115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -512,189 +517,199 @@ +@@ -512,189 +518,199 @@ dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -28037,7 +29396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,13 +737,26 @@ +@@ -722,13 +738,26 @@ userdom_base_user_template($1) @@ -28069,7 +29428,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -746,70 +774,71 @@ +@@ -746,70 +775,71 @@ allow $1_t self:context contains; @@ -28174,7 +29533,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +875,28 @@ +@@ -846,6 +876,28 @@ # Local policy # 
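Review bot: The added `dontaudit $1 user_tmp_t:sock_file execute;` in the inner userdomain.if hunk silences execute denials on sockets under user tmp without recording which program triggers them, and the same applies to the `dontaudit $1 user_home_type:sock_file execute;` added to the later userdomain.if hunk in this section. A dontaudit hides the denial from audit2allow and from later review, so each rule deserves a one-line comment naming the caller it quiets, e.g. `# <program> probes sockets with execute; harmless, silence the denial` with the real name filled in. The enclosing interface starts outside the inner hunk, so its name is not visible here.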
@@ -28203,7 +29562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +927,7 @@ +@@ -876,7 +928,7 @@ userdom_restricted_user_template($1) @@ -28212,7 +29571,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +935,19 @@ +@@ -884,14 +936,19 @@ # auth_role($1_r, $1_t) @@ -28237,7 +29596,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +955,33 @@ +@@ -899,28 +956,33 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -28278,7 +29637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -954,8 +1015,8 @@ +@@ -954,8 +1016,8 @@ # Declarations # @@ -28288,7 +29647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1025,12 @@ +@@ -964,11 +1026,12 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -28303,7 +29662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1048,47 @@ +@@ -986,37 +1049,47 @@ ') ') @@ -28365,7 +29724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1122,7 @@ +@@ -1050,7 +1123,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -28374,7 +29733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1131,7 @@ +@@ -1059,8 +1132,7 @@ # # Inherit rules for ordinary users. 
@@ -28384,7 +29743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1154,8 @@ +@@ -1083,7 +1155,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -28394,7 +29753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1099,6 +1171,7 @@ +@@ -1099,6 +1172,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -28402,7 +29761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,8 +1179,6 @@ +@@ -1106,8 +1180,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) @@ -28411,7 +29770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1233,6 @@ +@@ -1162,20 +1234,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -28432,7 +29791,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1278,7 @@ +@@ -1221,6 +1279,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -28440,7 +29799,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1344,15 @@ +@@ -1286,11 +1345,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -28456,7 +29815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1449,7 @@ +@@ -1387,7 +1450,7 @@ ######################################## ## @@ -28465,7 +29824,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1482,14 @@ +@@ -1420,6 +1483,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -28480,7 +29839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1505,11 @@ +@@ -1435,9 +1506,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -28492,7 +29851,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1566,25 @@ +@@ -1494,6 +1567,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -28518,7 +29877,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1568,6 +1659,8 @@ +@@ -1568,6 +1660,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -28527,7 +29886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1736,7 @@ +@@ -1643,6 +1737,7 @@ type user_home_dir_t, user_home_t; ') @@ -28535,7 +29894,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,30 +1835,79 @@ +@@ -1741,30 +1836,80 @@ ######################################## ## 
@@ -28622,10 +29981,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_home($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ dontaudit $1 user_home_type:sock_file execute; ') ######################################## -@@ -1787,6 +1930,46 @@ +@@ -1787,6 +1932,46 @@ ######################################## ## @@ -28672,7 +30032,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -1799,6 +1982,7 @@ +@@ -1799,6 +1984,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -28680,7 +30040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2328,7 +2512,7 @@ +@@ -2328,7 +2514,7 @@ ######################################## ## @@ -28689,7 +30049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2814,7 +2998,25 @@ +@@ -2814,7 +3000,25 @@ type user_tmp_t; ') @@ -28716,7 +30076,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2851,6 +3053,7 @@ +@@ -2851,6 +3055,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -28724,7 +30084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2981,3 +3184,482 @@ +@@ -2981,3 +3186,482 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index e66addfd..cbbedf12 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -167,7 +167,7 @@ fi
 %define loadminpolicy() \
 ( cd /usr/share/selinux/%1; \
-semodule -b base.pp.bz2 -i unconfined.pp.bz2 -s %1; \
+semodule -b base.pp.bz2 -i unconfined.pp.bz2 unconfineduser.pp.bz2 -s %1; \
 ); \
 %define loadpolicy() \
@@ -313,14 +313,10 @@ SELinux Reference policy targeted base module.
 %post targeted
 if [ $1 -eq 1 ]; then
 %loadpolicy targeted
-#semanage -S targeted -i - << __eof
-#login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
-#login -m -s unconfined_u -r s0-s0:c0.c1023 root
-#__eof
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
-%loadpolicy targeted
+%loadpolicy targeted unconfined.pp unconfineduser.pp
 %relabel targeted
 fi
 exit 0
@@ -444,6 +440,9 @@ exit 0
 %endif
 %changelog
+* Thu Apr 9 2009 Dan Walsh 3.6.12-3
+- Separate out the ucnonfined user from the unconfined.pp package
+
 * Wed Apr 7 2009 Dan Walsh 3.6.12-2
 - Make sure unconfined_java_t and unconfined_mono_t create user_tmpfs_t.
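Review bot: In the `%post targeted` hunk only the upgrade branch now calls `%loadpolicy targeted unconfined.pp unconfineduser.pp`; the fresh-install branch (`if [ $1 -eq 1 ]`) still calls `%loadpolicy targeted` with no module list. Whether the bare call installs the new unconfineduser module depends on the body of `%define loadpolicy()`, which begins at the end of the previous hunk and is otherwise outside this diff, so this reads as an inconsistency to confirm rather than a certain defect. If the module is not loaded on a fresh install, the unconfined_u declaration that this commit drops from the unconfined.te part of the patch (presumably relocated to the new module) would be missing and logins mapped to unconfined_u would be refused, so either pass the same module list in both branches or add a comment explaining why the install path does not need it.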