- Allow setroubleshoot to read policy config and send audit messages

This commit is contained in:
Daniel J Walsh 2008-01-15 20:43:04 +00:00
parent 8a40d69539
commit e26fef9ac3
2 changed files with 150 additions and 76 deletions


@ -141,6 +141,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.2.5/M
endef
# create-base-per-role-tmpl modulenames,outputfile
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.2.5/man/man8/httpd_selinux.8
--- nsaserefpolicy/man/man8/httpd_selinux.8 2007-10-12 08:56:10.000000000 -0400
+++ serefpolicy-3.2.5/man/man8/httpd_selinux.8 2008-01-15 09:08:57.000000000 -0500
@@ -93,6 +93,11 @@
.EE
.PP
+httpd can be configured to turn on sending email. By default http is not allowed to send mail. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail boolean.
+
+.EX
+setsebool -P httpd_can_sendmail 1
+.PP
httpd can be configured to turn off internal scripting (PHP). PHP and other
loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.5/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2007-08-11 06:22:29.000000000 -0400
+++ serefpolicy-3.2.5/policy/flask/access_vectors 2007-12-19 05:38:08.000000000 -0500
@ -10050,6 +10065,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
logrotate_exec(ntpd_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.2.5/policy/modules/services/nx.fc
--- nsaserefpolicy/policy/modules/services/nx.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nx.fc 2008-01-15 13:47:19.000000000 -0500
@@ -1,3 +1,5 @@
+
+/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
/opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
/opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te 2008-01-04 12:24:30.000000000 -0500
@ -12013,9 +12037,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if
--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2007-09-04 15:22:23.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.if 2008-01-15 12:19:51.000000000 -0500
@@ -16,8 +16,8 @@
')
files_search_pids($1)
- allow $1 setroubleshoot_var_run_t:sock_file write;
- allow $1 setroubleshootd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)
+ allow $1 setroubleshoot_var_run_t:sock_file read;
')
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-08 06:17:24.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te 2008-01-15 11:09:44.000000000 -0500
@@ -27,8 +27,8 @@
# setroubleshootd local policy
#
@ -12056,7 +12094,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
@@ -110,6 +116,7 @@
@@ -97,11 +103,13 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
+logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_auditd(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
+seutil_read_bin_policy(setroubleshootd_t)
sysnet_read_config(setroubleshootd_t)
@@ -110,6 +118,7 @@
optional_policy(`
dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
dbus_connect_system_bus(setroubleshootd_t)
@ -12158,14 +12210,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.2.5/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-14 11:58:23.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.fc 2008-01-15 14:51:50.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:user_spamassassin_home_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamassassin_exec_t,s0)
@@ -9,8 +9,12 @@
@@ -6,11 +6,16 @@
/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0)
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
@ -15147,7 +15203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.2.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-08 13:52:56.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/init.te 2008-01-15 09:55:44.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@ -15322,7 +15378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+# Cron jobs used to start and stop services
+optional_policy(`
+ cron_read_pipes(daemon)
+ cron_rw_pipes(daemon)
+')
+
optional_policy(`
@ -17486,7 +17542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-14 09:58:38.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-15 11:58:29.000000000 -0500
@@ -29,8 +29,9 @@
')
@ -18318,7 +18374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
@@ -1187,12 +1165,11 @@
@@ -1187,22 +1165,17 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@ -18333,7 +18389,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
# Run pppd in pppd_t by default for user
@@ -1278,8 +1255,6 @@
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
-
- optional_policy(`
- setroubleshoot_stream_connect($1_t)
- ')
')
#######################################
@@ -1278,8 +1251,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@ -18342,7 +18408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
@@ -1416,6 +1391,7 @@
@@ -1416,6 +1387,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -18350,7 +18416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1781,10 +1757,14 @@
@@ -1781,10 +1753,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@ -18366,7 +18432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -1880,11 +1860,11 @@
@@ -1880,11 +1856,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@ -18380,7 +18446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -1914,11 +1894,11 @@
@@ -1914,11 +1890,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@ -18394,7 +18460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -1962,12 +1942,12 @@
@@ -1962,12 +1938,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@ -18410,7 +18476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -1997,10 +1977,10 @@
@@ -1997,10 +1973,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@ -18423,7 +18489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2032,11 +2012,47 @@
@@ -2032,11 +2008,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@ -18473,7 +18539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2068,10 +2084,10 @@
@@ -2068,10 +2080,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@ -18486,7 +18552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2101,11 +2117,11 @@
@@ -2101,11 +2113,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@ -18500,7 +18566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2135,11 +2151,11 @@
@@ -2135,11 +2147,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@ -18515,7 +18581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2169,10 +2185,10 @@
@@ -2169,10 +2181,10 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@ -18528,7 +18594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2202,11 +2218,11 @@
@@ -2202,11 +2214,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@ -18542,7 +18608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2236,11 +2252,11 @@
@@ -2236,11 +2248,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@ -18556,7 +18622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2270,10 +2286,10 @@
@@ -2270,10 +2282,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@ -18569,7 +18635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2305,12 +2321,12 @@
@@ -2305,12 +2317,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@ -18585,7 +18651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2342,10 +2358,10 @@
@@ -2342,10 +2354,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@ -18598,7 +18664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2377,12 +2393,12 @@
@@ -2377,12 +2389,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@ -18614,7 +18680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2414,12 +2430,12 @@
@@ -2414,12 +2426,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@ -18630,7 +18696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2451,12 +2467,12 @@
@@ -2451,12 +2463,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@ -18646,7 +18712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2501,11 +2517,11 @@
@@ -2501,11 +2513,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@ -18660,7 +18726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2550,11 +2566,11 @@
@@ -2550,11 +2562,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@ -18674,7 +18740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2594,11 +2610,11 @@
@@ -2594,11 +2606,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@ -18688,7 +18754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2628,11 +2644,11 @@
@@ -2628,11 +2640,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@ -18702,7 +18768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2662,11 +2678,11 @@
@@ -2662,11 +2674,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@ -18716,7 +18782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2698,10 +2714,10 @@
@@ -2698,10 +2710,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@ -18729,7 +18795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2733,10 +2749,10 @@
@@ -2733,10 +2745,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@ -18742,7 +18808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2766,12 +2782,12 @@
@@ -2766,12 +2778,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@ -18758,7 +18824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2803,10 +2819,10 @@
@@ -2803,10 +2815,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@ -18771,7 +18837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2838,10 +2854,48 @@
@@ -2838,10 +2850,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@ -18822,7 +18888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2871,12 +2925,12 @@
@@ -2871,12 +2921,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@ -18838,7 +18904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2908,10 +2962,10 @@
@@ -2908,10 +2958,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@ -18851,7 +18917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2943,12 +2997,12 @@
@@ -2943,12 +2993,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@ -18867,7 +18933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -2980,11 +3034,11 @@
@@ -2980,11 +3030,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@ -18881,7 +18947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3016,11 +3070,11 @@
@@ -3016,11 +3066,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@ -18895,7 +18961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3052,11 +3106,11 @@
@@ -3052,11 +3102,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@ -18909,7 +18975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3088,11 +3142,11 @@
@@ -3088,11 +3138,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@ -18923,7 +18989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3124,11 +3178,11 @@
@@ -3124,11 +3174,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@ -18937,7 +19003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3173,10 +3227,10 @@
@@ -3173,10 +3223,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@ -18950,7 +19016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
files_search_tmp($2)
')
@@ -3217,10 +3271,10 @@
@@ -3217,10 +3267,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@ -18963,7 +19029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -3248,6 +3302,42 @@
@@ -3248,6 +3298,42 @@
## </summary>
## </param>
#
@ -19006,7 +19072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
@@ -4225,11 +4315,11 @@
@@ -4225,11 +4311,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@ -19020,7 +19086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4245,10 +4335,10 @@
@@ -4245,10 +4331,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@ -19033,7 +19099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4264,11 +4354,11 @@
@@ -4264,11 +4350,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@ -19047,7 +19113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4283,16 +4373,16 @@
@@ -4283,16 +4369,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@ -19067,7 +19133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## users home directory.
## </summary>
## <param name="domain">
@@ -4301,12 +4391,27 @@
@@ -4301,12 +4387,27 @@
## </summary>
## </param>
#
@ -19098,7 +19164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4321,13 +4426,13 @@
@@ -4321,13 +4422,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@ -19116,7 +19182,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4525,10 +4630,10 @@
@@ -4525,10 +4626,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@ -19129,7 +19195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4545,10 +4650,10 @@
@@ -4545,10 +4646,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@ -19142,7 +19208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4563,10 +4668,10 @@
@@ -4563,10 +4664,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@ -19155,7 +19221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4582,10 +4687,10 @@
@@ -4582,10 +4683,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@ -19168,7 +19234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4600,10 +4705,10 @@
@@ -4600,10 +4701,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@ -19181,7 +19247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4619,10 +4724,10 @@
@@ -4619,10 +4720,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@ -19194,7 +19260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4638,12 +4743,11 @@
@@ -4638,12 +4739,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@ -19210,7 +19276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4670,10 +4774,10 @@
@@ -4670,10 +4770,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@ -19223,7 +19289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4688,10 +4792,10 @@
@@ -4688,10 +4788,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@ -19236,7 +19302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4706,13 +4810,13 @@
@@ -4706,13 +4806,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@ -19254,7 +19320,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4748,11 +4852,48 @@
@@ -4748,11 +4848,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@ -19264,6 +19330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+ files_list_home($1)
+ allow $1 user_home_dir_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all users home directories symlinks.
@ -19304,7 +19371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -4772,6 +4913,14 @@
@@ -4772,6 +4910,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@ -19319,7 +19386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
########################################
@@ -5109,7 +5258,7 @@
@@ -5109,7 +5255,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@ -19328,7 +19395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
')
files_search_home($1)
@@ -5298,6 +5447,49 @@
@@ -5298,6 +5444,49 @@
########################################
## <summary>
@ -19378,7 +19445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
@@ -5503,6 +5695,42 @@
@@ -5503,6 +5692,42 @@
########################################
## <summary>
@ -19421,7 +19488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
@@ -5668,6 +5896,42 @@
@@ -5668,6 +5893,42 @@
########################################
## <summary>
@ -19464,7 +19531,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -5698,3 +5962,277 @@
@@ -5698,3 +5959,277 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@ -20499,8 +20566,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## <summary>Policy for staff user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.5/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-08 05:06:18.000000000 -0500
@@ -0,0 +1,34 @@
+++ serefpolicy-3.2.5/policy/modules/users/staff.te 2008-01-15 11:59:03.000000000 -0500
@@ -0,0 +1,38 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@ -20519,6 +20586,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+seutil_run_newrole(staff_t, staff_r, { staff_tty_device_t staff_devpts_t })
+
+optional_policy(`
+ gpg_per_role_template(staff, staff_usertype, staff_r)
+')
+
+optional_policy(`
+ java_per_role_template(staff, staff_t, staff_r)
+')
+
@ -20527,7 +20598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+')
+
+optional_policy(`
+ gpg_per_role_template(staff, staff_usertype, staff_r)
+ setroubleshoot_stream_connect(staff_t)
+')
+
+optional_policy(`
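Review bot: In the setroubleshoot.if hunk the new `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshoot_t)` names `setroubleshoot_t` as the target domain, while the removed `allow $1 setroubleshootd_t:unix_stream_socket connectto;` it replaces and every setroubleshoot.te rule on this page use `setroubleshootd_t`, so the interface (presumably setroubleshoot_stream_connect, whose header and gen_require open above the hunk) either fails to build if that type is undeclared or, if it is declared, grants connectto to the wrong domain and callers such as the new `setroubleshoot_stream_connect(staff_t)` in staff.te lose access to the real daemon without any denial at policy build time. The line should read `stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)`, and the gen_require block should be checked to require the same type. The added `allow $1 setroubleshoot_var_run_t:sock_file read;` also looks wider than a connect needs, since stream_connect_pattern already grants write on the socket file, so it is worth confirming read is actually required rather than copied from a denial. Separately, the httpd_selinux.8 hunk tells the reader to enable `httpd_send_mail` while the example runs `setsebool -P httpd_can_sendmail 1`; the prose should name the boolean the command actually sets so administrators do not toggle a non-existent one.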


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
%endif
%changelog
* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-13
- Allow setroubleshoot to read policy config and send audit messages
* Mon Jan 14 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-12
- Allow users to execute all files in homedir, if boolean set
- Allow mount to read samba config