- Allow init to transition to initrc_t on shell exec.

- Fix init to be able to sendto init_t.
- Allow syslog to connect to mysql
- Allow lvm to manage its own fifo_files
- Allow bugzilla to use ldap
- More mls fixes
This commit is contained in:
Daniel J Walsh 2008-03-12 02:21:18 +00:00
parent 0879f489ab
commit e9fce44302


@ -23429,7 +23429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 19:56:07.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-03-11 22:20:09.000000000 -0400
@@ -12,9 +12,15 @@ @@ -12,9 +12,15 @@
## </summary> ## </summary>
## </param> ## </param>
@ -23896,7 +23896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# for when /tmp/.X11-unix is created by the system # for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use; allow $2 xdm_t:fd use;
@@ -542,25 +543,541 @@ @@ -542,25 +543,533 @@
allow $2 xdm_tmp_t:sock_file { read write }; allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write }; dontaudit $2 xdm_t:tcp_socket { read write };
@ -24023,6 +24023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ type screensaver_xext_t, unknown_xext_t, x_rootscreen_t; + type screensaver_xext_t, unknown_xext_t, x_rootscreen_t;
+ type disallowed_xext_t; + type disallowed_xext_t;
+ type output_xext_t; + type output_xext_t;
+ type accelgraphics_xext_t;
+ +
+ attribute x_server_domain, x_domain; + attribute x_server_domain, x_domain;
+ attribute xproperty_type; + attribute xproperty_type;
@ -24069,12 +24070,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ allow $1 { x_domain x_server_domain }:x_device read; + allow $1 { x_domain x_server_domain }:x_device read;
+ ') + ')
+ +
+ # everyone can grab the server
+ # everyone does it, it is basically a free DOS attack
+ allow $1 x_server_domain:x_server grab;
+ # everyone can get the font path, etc.
+ # this could leak out sensitive information
+ allow $1 x_server_domain:x_server { getattr manage };
+ # everyone can do override-redirect windows. + # everyone can do override-redirect windows.
+ # this could be used to spoof labels + # this could be used to spoof labels
+ allow $1 $1:x_drawable override; + allow $1 $1:x_drawable override;
@ -24082,24 +24077,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # allows to know when new windows appear, among other things + # allows to know when new windows appear, among other things
+ allow $1 manage_xevent_t:x_event receive; + allow $1 manage_xevent_t:x_event receive;
+ +
+ allow $1 accelgraphics_xext_t:x_extension use; + allow $1 xextension_type:x_extension use;
+ +
+ # X Server + # X Server
+ # can read server-owned resources + # can read server-owned resources
+ allow $1 x_server_domain:x_resource read; + allow $1 x_server_domain:x_resource read;
+ # everyone can grab the server
+ # everyone does it, it is basically a free DOS attack
+ allow $1 x_server_domain:x_server grab;
+ # everyone can get the font path, etc.
+ # this could leak out sensitive information
+ allow $1 x_server_domain:x_server { getattr manage };
+
+ # can mess with own clients + # can mess with own clients
+ allow $1 $1:x_client { manage destroy }; + allow $1 $1:x_client { manage destroy };
+ +
+ # X Protocol Extensions + # X Protocol Extensions
+ allow $1 std_xext_t:x_extension { use };
+ allow $1 shmem_xext_t:x_extension { use };
+ allow $1 xextension_type:x_extension query; + allow $1 xextension_type:x_extension query;
+ +
+ # X Properties + # X Properties
+ # can read and write client properties + # can read and write client properties
+ allow $1 $1:x_property { create destroy read write }; + allow $1 $1:x_property { create destroy read write };
+ allow $1 default_xproperty_t:x_property { read write destroy create }; + allow $1 default_xproperty_t:x_property { read write destroy create };
+ allow $1 output_xext_t:x_extension { use };
+ allow $1 output_xext_t:x_property read; + allow $1 output_xext_t:x_property read;
+ allow $1 xserver_unconfined_type:x_property read; + allow $1 xserver_unconfined_type:x_property read;
+ +
@ -24163,16 +24162,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ # can read and write own objects + # can read and write own objects
+ allow $1 $1:x_resource { read write }; + allow $1 $1:x_resource { read write };
+ +
+ allow $1 screensaver_xext_t:x_extension { use };
+ allow $1 unknown_xext_t:x_extension { use };
+
+ allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr }; + allow $1 x_rootscreen_t:x_screen { saver_setattr saver_getattr getattr setattr };
+ +
+ allow $1 disallowed_xext_t:x_extension { use };
+ +
+ allow $1 xdm_xserver_t:x_device { getattr getfocus use setattr };
+ allow $1 xdm_xserver_t:x_resource read;
+ allow $1 xdm_xserver_t:x_server grab;
+') +')
+ +
+####################################### +#######################################
@ -24444,7 +24436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
') ')
@@ -593,26 +1110,44 @@ @@ -593,26 +1102,44 @@
# #
template(`xserver_use_user_fonts',` template(`xserver_use_user_fonts',`
gen_require(` gen_require(`
@ -24496,7 +24488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Transition to a user Xauthority domain. ## Transition to a user Xauthority domain.
## </summary> ## </summary>
## <desc> ## <desc>
@@ -638,10 +1173,77 @@ @@ -638,10 +1165,77 @@
# #
template(`xserver_domtrans_user_xauth',` template(`xserver_domtrans_user_xauth',`
gen_require(` gen_require(`
@ -24576,7 +24568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -671,10 +1273,10 @@ @@ -671,10 +1265,10 @@
# #
template(`xserver_user_home_dir_filetrans_user_xauth',` template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(` gen_require(`
@ -24589,7 +24581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -760,7 +1362,7 @@ @@ -760,7 +1354,7 @@
type xconsole_device_t; type xconsole_device_t;
') ')
@ -24598,7 +24590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -860,6 +1462,25 @@ @@ -860,6 +1454,25 @@
######################################## ########################################
## <summary> ## <summary>
@ -24624,7 +24616,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Read xdm-writable configuration files. ## Read xdm-writable configuration files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -914,6 +1535,7 @@ @@ -914,6 +1527,7 @@
files_search_tmp($1) files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms; allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@ -24632,7 +24624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -955,6 +1577,24 @@ @@ -955,6 +1569,24 @@
######################################## ########################################
## <summary> ## <summary>
@ -24657,7 +24649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Execute the X server in the XDM X server domain. ## Execute the X server in the XDM X server domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -965,15 +1605,47 @@ @@ -965,15 +1597,47 @@
# #
interface(`xserver_domtrans_xdm_xserver',` interface(`xserver_domtrans_xdm_xserver',`
gen_require(` gen_require(`
@ -24706,7 +24698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Make an X session script an entrypoint for the specified domain. ## Make an X session script an entrypoint for the specified domain.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1123,7 +1795,7 @@ @@ -1123,7 +1787,7 @@
type xdm_xserver_tmp_t; type xdm_xserver_tmp_t;
') ')
@ -24715,7 +24707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
') ')
######################################## ########################################
@@ -1312,3 +1984,83 @@ @@ -1312,3 +1976,83 @@
files_search_tmp($1) files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
') ')
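Review bot: On the new side of the hunk at `@ -24082,24 +24077,28 @@`, `allow $1 xextension_type:x_extension use;` grants every caller domain `use` on the whole `xextension_type` attribute, so the per-type `use` rules this commit drops (`std_xext_t`, `shmem_xext_t`, `output_xext_t` in that hunk, and `screensaver_xext_t`, `unknown_xext_t`, `disallowed_xext_t` in the hunk at `@ -24163,16 +24162,9 @@`) are not withdrawn but, if those types carry the attribute as their naming suggests, made unconditional — including `disallowed_xext_t`, whose name indicates it exists precisely to be excluded. If the intent is to keep that type denied, the attribute rule should carve it out: `allow $1 { xextension_type -disallowed_xext_t }:x_extension use;`. The `gen_require` hunk at `@ -24023,6 +24023,7 @@` also adds `type accelgraphics_xext_t;` while the only reference visible in these hunks is the line that now uses the attribute instead, so that declaration may be unused. The enclosing template starts and ends outside the shown hunks.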