Policy update should not modify local contexts

This commit is contained in:
Dan Walsh 2011-10-21 09:42:14 -04:00
parent 052e175084
commit e1f17eb990
2 changed files with 305 additions and 105 deletions


@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
')
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 1392679..c94911d 100644
index 1392679..e75873a 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
+ alsa_filetrans_home_content(unpriv_userdomain)
')
########################################
@@ -206,3 +207,47 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
@ -340,13 +348,39 @@ index 1392679..c94911d 100644
+## </summary>
+## </param>
+#
+interface(`alsa_filetrans_named_content',`
+interface(`alsa_filetrans_home_content',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+')
+
+########################################
+## <summary>
+## Transition to alsa named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_filetrans_named_content',`
+ gen_require(`
+ type alsa_home_t;
+ type alsa_etc_rw_t;
+ type alsa_var_lib_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
+')
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index e3e0701..3fd0282 100644
--- a/policy/modules/admin/amanda.fc
@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 975af1a..2aa37b4 100644
index 975af1a..634c47a 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644
attribute sudodomain;
')
@@ -47,6 +48,15 @@ template(`sudo_role_template',`
@@ -47,26 +48,11 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
- ##############################
- #
- # Local Policy
- #
+ type $1_sudo_tmp_t;
+ files_tmp_file($1_sudo_tmp_t)
+
- # Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_sudo_t self:process { setexec setrlimit };
- allow $1_sudo_t self:fd use;
- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
- allow $1_sudo_t self:shm create_shm_perms;
- allow $1_sudo_t self:sem create_sem_perms;
- allow $1_sudo_t self:msgq create_msgq_perms;
- allow $1_sudo_t self:msg { send receive };
- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_sudo_t self:unix_dgram_socket sendto;
- allow $1_sudo_t self:unix_stream_socket connectto;
- allow $1_sudo_t self:key manage_key_perms;
+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+
+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
##############################
#
# Local Policy
@@ -76,6 +86,11 @@ template(`sudo_role_template',`
allow $1_sudo_t $3:key search;
@@ -76,88 +62,19 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
@@ -113,12 +128,15 @@ template(`sudo_role_template',`
term_getattr_pty_fs($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t)
- kernel_read_kernel_sysctls($1_sudo_t)
- kernel_read_system_state($1_sudo_t)
- kernel_link_key($1_sudo_t)
-
- corecmd_read_bin_symlinks($1_sudo_t)
- corecmd_exec_all_executables($1_sudo_t)
-
- dev_getattr_fs($1_sudo_t)
- dev_read_urand($1_sudo_t)
- dev_rw_generic_usb_dev($1_sudo_t)
- dev_read_sysfs($1_sudo_t)
-
- domain_use_interactive_fds($1_sudo_t)
- domain_sigchld_interactive_fds($1_sudo_t)
- domain_getattr_all_entry_files($1_sudo_t)
-
- files_read_etc_files($1_sudo_t)
- files_read_var_files($1_sudo_t)
- files_read_usr_symlinks($1_sudo_t)
- files_getattr_usr_files($1_sudo_t)
- # for some PAM modules and for cwd
- files_dontaudit_search_home($1_sudo_t)
- files_list_tmp($1_sudo_t)
-
- fs_search_auto_mountpoints($1_sudo_t)
- fs_getattr_xattr_fs($1_sudo_t)
-
- selinux_validate_context($1_sudo_t)
- selinux_compute_relabel_context($1_sudo_t)
-
- term_getattr_pty_fs($1_sudo_t)
- term_relabel_all_ttys($1_sudo_t)
- term_relabel_all_ptys($1_sudo_t)
-
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
- # sudo stores a token in the pam_pid directory
- auth_manage_pam_pid($1_sudo_t)
auth_use_nsswitch($1_sudo_t)
+ application_signal($1_sudo_t)
+
init_rw_utmp($1_sudo_t)
logging_send_audit_msgs($1_sudo_t)
@@ -126,7 +144,7 @@ template(`sudo_role_template',`
miscfiles_read_localization($1_sudo_t)
- init_rw_utmp($1_sudo_t)
-
- logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
- miscfiles_read_localization($1_sudo_t)
-
- seutil_search_default_contexts($1_sudo_t)
+ seutil_read_default_contexts($1_sudo_t)
seutil_libselinux_linked($1_sudo_t)
userdom_spec_domtrans_all_users($1_sudo_t)
@@ -135,12 +153,13 @@ template(`sudo_role_template',`
userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
+ userdom_signal_all_users($1_sudo_t)
# for some PAM modules and for cwd
- seutil_libselinux_linked($1_sudo_t)
-
- userdom_spec_domtrans_all_users($1_sudo_t)
- userdom_manage_user_home_content_files($1_sudo_t)
- userdom_manage_user_home_content_symlinks($1_sudo_t)
- userdom_manage_user_tmp_files($1_sudo_t)
- userdom_manage_user_tmp_symlinks($1_sudo_t)
- userdom_use_user_terminals($1_sudo_t)
- # for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_search_user_home_content($1_sudo_t)
+ userdom_search_admin_dir($1_sudo_t)
+ userdom_manage_all_users_keys($1_sudo_t)
-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1_sudo_t $3:socket_class_set { read write };
- ')
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_sudo_t)
- ')
-
- tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_files($1_sudo_t)
- ')
-
- optional_policy(`
- dbus_system_bus_client($1_sudo_t)
- ')
-
- optional_policy(`
- fprintd_dbus_chat($1_sudo_t)
- ')
-
+ mta_role($2, $1_sudo_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
########################################
@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
allow $1 sudodomain:process sigchld;
')
@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2731fa1..3443ba2 100644
index 2731fa1..22beabf 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain;
@@ -7,3 +7,110 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644
+type sudo_db_t;
+files_type(sudo_db_t)
+
+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
+
+##############################
+#
+# Local Policy
+#
+
+# Use capabilities.
+allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
+allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow sudodomain self:process { setexec setrlimit };
+allow sudodomain self:fd use;
+allow sudodomain self:fifo_file rw_fifo_file_perms;
+allow sudodomain self:shm create_shm_perms;
+allow sudodomain self:sem create_sem_perms;
+allow sudodomain self:msgq create_msgq_perms;
+allow sudodomain self:msg { send receive };
+allow sudodomain self:unix_dgram_socket create_socket_perms;
+allow sudodomain self:unix_stream_socket create_stream_socket_perms;
+allow sudodomain self:unix_dgram_socket sendto;
+allow sudodomain self:unix_stream_socket connectto;
+allow sudodomain self:key manage_key_perms;
+
+kernel_read_kernel_sysctls(sudodomain)
+kernel_read_system_state(sudodomain)
+kernel_link_key(sudodomain)
+
+corecmd_read_bin_symlinks(sudodomain)
+corecmd_exec_all_executables(sudodomain)
+
+dev_getattr_fs(sudodomain)
+dev_read_urand(sudodomain)
+dev_rw_generic_usb_dev(sudodomain)
+dev_read_sysfs(sudodomain)
+
+domain_use_interactive_fds(sudodomain)
+domain_sigchld_interactive_fds(sudodomain)
+domain_getattr_all_entry_files(sudodomain)
+
+files_read_etc_files(sudodomain)
+files_read_var_files(sudodomain)
+files_read_usr_symlinks(sudodomain)
+files_getattr_usr_files(sudodomain)
+# for some PAM modules and for cwd
+files_dontaudit_search_home(sudodomain)
+files_list_tmp(sudodomain)
+
+fs_search_auto_mountpoints(sudodomain)
+fs_getattr_xattr_fs(sudodomain)
+
+selinux_validate_context(sudodomain)
+selinux_compute_relabel_context(sudodomain)
+
+term_getattr_pty_fs(sudodomain)
+term_relabel_all_ttys(sudodomain)
+term_relabel_all_ptys(sudodomain)
+term_getattr_pty_fs(sudodomain)
+
+#auth_run_chk_passwd(sudodomain)
+# sudo stores a token in the pam_pid directory
+auth_manage_pam_pid(sudodomain)
+#auth_use_nsswitch(sudodomain)
+
+application_signal(sudodomain)
+
+init_rw_utmp(sudodomain)
+
+logging_send_audit_msgs(sudodomain)
+logging_send_syslog_msg(sudodomain)
+
+miscfiles_read_localization(sudodomain)
+
+seutil_read_default_contexts(sudodomain)
+seutil_libselinux_linked(sudodomain)
+
+userdom_spec_domtrans_all_users(sudodomain)
+userdom_manage_user_home_content_files(sudodomain)
+userdom_manage_user_home_content_symlinks(sudodomain)
+userdom_manage_user_tmp_files(sudodomain)
+userdom_manage_user_tmp_symlinks(sudodomain)
+userdom_use_user_terminals(sudodomain)
+userdom_signal_all_users(sudodomain)
+# for some PAM modules and for cwd
+userdom_search_user_home_content(sudodomain)
+userdom_search_admin_dir(sudodomain)
+userdom_manage_all_users_keys(sudodomain)
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_files(sudodomain)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_files(sudodomain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(sudodomain)
+')
+
+optional_policy(`
+ fprintd_dbus_chat(sudodomain)
+')
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index d5aaf0e..6b16aef 100644
--- a/policy/modules/admin/sxid.te
@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 441cf22..772a68e 100644
index 441cf22..cd9d876 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644
-term_use_all_ptys(chfn_t)
+term_use_all_inherited_ttys(chfn_t)
+term_use_all_inherited_ptys(chfn_t)
+term_getattr_all_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644
miscfiles_read_localization(chfn_t)
@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644
########################################
#
# Crack local policy
@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
-term_use_all_ttys(groupadd_t)
-term_use_all_ptys(groupadd_t)
+term_use_all_inherited_terms(groupadd_t)
+term_getattr_all_ptys(groupadd_t)
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
-term_use_all_ttys(passwd_t)
-term_use_all_ptys(passwd_t)
+term_use_all_inherited_terms(passwd_t)
+term_getattr_all_ptys(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644
domain_use_interactive_fds(passwd_t)
@@ -311,6 +317,8 @@ files_search_var(passwd_t)
@@ -311,6 +320,8 @@ files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644
optional_policy(`
nscd_domtrans(passwd_t)
@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
-term_use_all_ttys(sysadm_passwd_t)
-term_use_all_ptys(sysadm_passwd_t)
+term_use_all_inherited_terms(sysadm_passwd_t)
+term_getattr_all_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
@@ -426,7 +434,7 @@ optional_policy(`
@@ -426,7 +438,7 @@ optional_policy(`
# Useradd local policy
#
@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
-term_use_all_ttys(useradd_t)
-term_use_all_ptys(useradd_t)
+term_use_all_inherited_terms(useradd_t)
+term_getattr_all_ptys(useradd_t)
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e14b961..f3980e0 100644
index e14b961..f2aac71 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
#
# Local policy
#
@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
+
+optional_policy(`
+ alsa_filetrans_named_content(sysadm_t)
+')
+
+optional_policy(`
+ ssh_filetrans_admin_home_content(sysadm_t)
+')
ifdef(`direct_sysadm_daemon',`
optional_policy(`
@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644
')
tunable_policy(`allow_ptrace',`
@@ -67,9 +96,9 @@ optional_policy(`
@@ -67,9 +100,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -98,6 +127,10 @@ optional_policy(`
@@ -98,6 +131,10 @@ optional_policy(`
')
optional_policy(`
@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644
certwatch_run(sysadm_t, sysadm_r)
')
@@ -110,11 +143,19 @@ optional_policy(`
@@ -110,11 +147,19 @@ optional_policy(`
')
optional_policy(`
@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -128,6 +169,10 @@ optional_policy(`
@@ -128,6 +173,10 @@ optional_policy(`
')
optional_policy(`
@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644
dmesg_exec(sysadm_t)
')
@@ -163,6 +208,13 @@ optional_policy(`
@@ -163,6 +212,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -170,15 +222,20 @@ optional_policy(`
@@ -170,15 +226,20 @@ optional_policy(`
')
optional_policy(`
@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -198,22 +255,19 @@ optional_policy(`
@@ -198,22 +259,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -225,25 +279,47 @@ optional_policy(`
@@ -225,25 +283,47 @@ optional_policy(`
')
optional_policy(`
@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
@@ -253,19 +329,19 @@ optional_policy(`
@@ -253,19 +333,19 @@ optional_policy(`
')
optional_policy(`
@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -274,10 +350,7 @@ optional_policy(`
@@ -274,10 +354,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -302,12 +375,18 @@ optional_policy(`
@@ -302,12 +379,18 @@ optional_policy(`
')
optional_policy(`
@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -332,7 +411,10 @@ optional_policy(`
@@ -332,7 +415,10 @@ optional_policy(`
')
optional_policy(`
@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -343,19 +425,15 @@ optional_policy(`
@@ -343,19 +429,15 @@ optional_policy(`
')
optional_policy(`
@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -367,45 +445,45 @@ optional_policy(`
@@ -367,45 +449,45 @@ optional_policy(`
')
optional_policy(`
@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644
auth_role(sysadm_r, sysadm_t)
')
@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
+ ')
+
')
-')
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
')
-')
+ ')
+
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
index 0000000..8d7dde1
index 0000000..50c38f9
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,502 @@
@@ -0,0 +1,498 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@ -22159,11 +22360,7 @@ index 0000000..8d7dde1
+')
+
+optional_policy(`
+ ada_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ alsa_run(unconfined_t, unconfined_r)
+ alsa_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
@ -73110,10 +73307,10 @@ index 0000000..79c358c
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..1449552
index 0000000..a84b8e7
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,370 @@
@@ -0,0 +1,371 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@ -73267,6 +73464,7 @@ index 0000000..1449552
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9b4a930..04d748b 100644
index 9b4a930..d6c3860 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644
+ alsa_read_rw_config(unpriv_userdomain)
+ alsa_manage_home_files(unpriv_userdomain)
+ alsa_relabel_home_files(unpriv_userdomain)
+ alsa_filetrans_named_content(unpriv_userdomain)
+')
+
+optional_policy(`
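Review bot: In the new alsa.if hunk for `alsa_manage_home_files`, the added body line is `alsa_filetrans_home_content(unpriv_userdomain)`, so any caller of that interface grants the .asoundrc transition to the whole unpriv_userdomain attribute instead of to the domain it was invoked for, and the interface does not gen_require that attribute; it should read `alsa_filetrans_home_content($1)` (the interface's opening line lies outside the hunk). The sudo.te block that replaces the per-role template rules also widens the capability set from the template's `{ fowner setuid setgid dac_override sys_nice sys_resource }` to include `chown` with no mention in the commit message, lists `term_getattr_pty_fs(sudodomain)` twice, and keeps commented-out `#auth_run_chk_passwd(sudodomain)` / `#auth_use_nsswitch(sudodomain)` lines that should be dropped because sudo_role_template still supplies both calls. The sudo_db_t manage rules are declared once for the sudodomain attribute in sudo.te and again per `$1_sudo_t` in the template, so one of the two copies is redundant. This page shows a patch-of-a-patch with the outer markers lost, so I read these as new-side lines from the doubled index and hunk headers; confirm against the raw diff.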


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
Release: 45.1%{?dist}
Release: 46%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -176,8 +176,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
@ -481,6 +481,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
* Fri Oct 20 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-46
- Policy update should not modify local contexts
* Thu Oct 20 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-45.1
- Remove ada policy
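Review bot: Dropping `%verify(not md5 size mtime)` when file_contexts.local and file_contexts.subs become `%config(noreplace)` means `rpm -V` will now report both files as modified on every host where local fcontext customizations have been written, which is their normal state; the two attributes combine, so `%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \` (and the same for file_contexts.subs) keeps the update-safe behaviour without the verification noise. With noreplace, a changed packaged copy lands as a `.rpmnew` next to an edited file and is never merged, so any future packaged change to these two files will need a %post step or a release note to take effect. The %changelog date `Fri Oct 20 2011` disagrees with the `Thu Oct 20 2011` entry below it and with the 2011-10-21 commit date; rpmbuild warns on such dates, so it should be `Fri Oct 21 2011`.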