- Allow also to search var_lib

- New context for dbus launcher
2007-09-21 23:46:18 +00:00 · 2007-09-21 23:46:18 +00:00 · ec4fb1ce99
parent 347ff1a0c3
commit ec4fb1ce99
2 changed files with 88 additions and 34 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -314,8 +314,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
 +/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-19 10:54:14.000000000 -0400
-@@ -14,25 +14,35 @@
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te	2007-09-21 19:08:24.000000000 -0400
+@@ -14,25 +14,36 @@
 type alsa_etc_rw_t;
 files_type(alsa_etc_rw_t)
 
@ -342,6 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
 
+files_search_var_lib(alsa_t)
 +manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
 +manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
 +
@ -354,7 +355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
 
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
-@@ -43,7 +53,13 @@
+@@ -43,7 +54,13 @@
 
 userdom_manage_unpriv_user_semaphores(alsa_t)
 userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -2838,7 +2839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if	2007-09-21 19:16:08.000000000 -0400
@@ -271,45 +271,6 @@
 
 ########################################
@ -9977,7 +9978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-20 15:44:32.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-09-21 19:21:31.000000000 -0400
@@ -16,6 +16,13 @@
 
 ## <desc>
@ -9992,11 +9993,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
-@@ -132,15 +139,19 @@
+@@ -132,15 +139,20 @@
 manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
 fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 +fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
 
 manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
 manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@ -10013,7 +10015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 allow xdm_t xdm_xserver_t:process signal;
 allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +196,7 @@
+@@ -185,6 +197,7 @@
 corenet_udp_sendrecv_all_ports(xdm_t)
 corenet_tcp_bind_all_nodes(xdm_t)
 corenet_udp_bind_all_nodes(xdm_t)
@ -10021,7 +10023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 corenet_tcp_connect_all_ports(xdm_t)
 corenet_sendrecv_all_client_packets(xdm_t)
 # xdm tries to bind to biff_port_t
-@@ -246,6 +258,7 @@
+@@ -246,6 +259,7 @@
 auth_domtrans_pam_console(xdm_t)
 auth_manage_pam_pid(xdm_t)
 auth_manage_pam_console_data(xdm_t)
@ -10029,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 auth_rw_faillog(xdm_t)
 auth_write_login_records(xdm_t)
 
-@@ -257,6 +270,7 @@
+@@ -257,6 +271,7 @@
 libs_exec_lib_files(xdm_t)
 
 logging_read_generic_logs(xdm_t)
@ -10037,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 miscfiles_read_localization(xdm_t)
 miscfiles_read_fonts(xdm_t)
-@@ -268,9 +282,14 @@
+@@ -268,9 +283,14 @@
 userdom_create_all_users_keys(xdm_t)
 # for .dmrc
 userdom_read_unpriv_users_home_content_files(xdm_t)
@ -10052,7 +10054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
 
-@@ -306,6 +325,11 @@
+@@ -306,6 +326,11 @@
 
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
@ -10064,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 ')
 
 optional_policy(`
-@@ -348,12 +372,8 @@
+@@ -348,12 +373,8 @@
 ')
 
 optional_policy(`
@ -10078,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 	ifdef(`distro_rhel4',`
 		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +405,7 @@
+@@ -385,7 +406,7 @@
 allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
 
@ -10087,7 +10089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +445,10 @@
+@@ -425,6 +446,10 @@
 ')
 
 optional_policy(`
@ -10098,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 	resmgr_stream_connect(xdm_t)
 ')
 
-@@ -434,47 +458,19 @@
+@@ -434,47 +459,20 @@
 ')
 
 optional_policy(`
@ -10113,6 +10115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +optional_policy(`
 +	unconfined_rw_shm(xdm_xserver_t)
 +	unconfined_execmem_rw_shm(xdm_xserver_t)
+	unconfined_rw_tmpfs_files(xdm_xserver_t)
 +')
 
 -	ifdef(`distro_rhel4',`
@ -10188,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc	2007-09-21 16:38:32.000000000 -0400
@@ -14,6 +14,7 @@
 /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
 /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
@ -10197,9 +10200,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ifdef(`distro_suse', `
 /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
+@@ -40,3 +41,5 @@
+ /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
+ 
+ /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
+
+/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-20 16:27:52.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-21 19:32:00.000000000 -0400
@@ -26,7 +26,8 @@
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10230,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 
 	domain_type($1)
 	domain_subj_id_change_exemption($1)
-@@ -176,11 +177,23 @@
+@@ -176,11 +177,28 @@
 	domain_obj_id_change_exemption($1)
 	role system_r types $1;
 
@ -10243,6 +10252,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 +	files_list_var_lib($1)
 +	manage_files_pattern($1, var_auth_t, var_auth_t)
+
+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+	manage_files_pattern($1, auth_cache_t, auth_cache_t)
+	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+	files_var_filetrans($1,auth_cache_t,dir)
 +
 	# for SSP/ProPolice
 	dev_read_urand($1)
@ -10254,7 +10268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	selinux_get_fs_mount($1)
 	selinux_validate_context($1)
 	selinux_compute_access_vector($1)
-@@ -196,22 +209,33 @@
+@@ -196,22 +214,33 @@
 	mls_fd_share_all_levels($1)
 
 	auth_domtrans_chk_passwd($1)
@ -10289,7 +10303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 ')
 
-@@ -309,9 +333,6 @@
+@@ -309,9 +338,6 @@
 		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
 	')
 
@ -10299,7 +10313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	corecmd_search_bin($1)
 	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
 
-@@ -329,6 +350,7 @@
+@@ -329,6 +355,7 @@
 
 	optional_policy(`
 		kerberos_use($1)
@ -10307,7 +10321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	')
 
 	optional_policy(`
-@@ -347,6 +369,37 @@
+@@ -347,6 +374,37 @@
 
 ########################################
 ## <summary>
@ -10345,7 +10359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Get the attributes of the shadow passwords file.
 ## </summary>
 ## <param name="domain">
-@@ -695,6 +748,24 @@
+@@ -695,6 +753,24 @@
 
 ########################################
 ## <summary>
@ -10370,7 +10384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ##	Execute pam programs in the PAM domain.
 ## </summary>
 ## <param name="domain">
-@@ -1318,14 +1389,9 @@
+@@ -1318,14 +1394,9 @@
 ## </param>
 #
 interface(`auth_use_nsswitch',`
@ -10385,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	files_list_var_lib($1)
 
 	miscfiles_read_certs($1)
-@@ -1381,3 +1447,163 @@
+@@ -1381,3 +1452,163 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -10551,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-09-21 16:37:58.000000000 -0400
@@ -9,6 +9,13 @@
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
@ -10566,7 +10580,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 
 type chkpwd_exec_t;
 application_executable_file(chkpwd_exec_t)
-@@ -67,6 +74,10 @@
+@@ -53,6 +60,9 @@
+ type utempter_exec_t;
+ application_domain(utempter_t,utempter_exec_t)
+ 
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
+ #
+ # var_auth_t is the type of /var/lib/auth, usually
+ # used for auth data in pam_able
+@@ -67,6 +77,10 @@
 authlogin_common_auth_domain_template(system)
 role system_r types system_chkpwd_t;
 
@ -10577,7 +10601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ########################################
 #
 # PAM local policy
-@@ -159,6 +170,8 @@
+@@ -159,6 +173,8 @@
 dev_setattr_mouse_dev(pam_console_t)
 dev_getattr_power_mgmt_dev(pam_console_t)
 dev_setattr_power_mgmt_dev(pam_console_t)
@ -10586,7 +10610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 dev_getattr_scanner_dev(pam_console_t)
 dev_setattr_scanner_dev(pam_console_t)
 dev_getattr_sound_dev(pam_console_t)
-@@ -236,7 +249,7 @@
+@@ -236,7 +252,7 @@
 
 optional_policy(`
 	xserver_read_xdm_pid(pam_console_t)
@ -10595,7 +10619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 ')
 
 ########################################
-@@ -302,3 +315,28 @@
+@@ -302,3 +318,28 @@
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
 ')
@ -12977,7 +13001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-09-21 19:31:25.000000000 -0400
@@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@ -13032,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 	read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
 	read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
 ')
-@@ -601,3 +605,149 @@
+@@ -601,3 +605,175 @@
 
 	allow $1 unconfined_tmp_t:file { getattr write append };
 ')
@ -13182,6 +13206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +
 +	allow $1 unconfined_t:process rlimitinh;
 +')
+
+########################################
+## <summary>
+##	Read/write unconfined tmpfs files.
+## </summary>
+## <desc>
+##	<p>
+##	Read/write unconfined tmpfs files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unconfined_rw_tmpfs_files',`
+	gen_require(`
+		type unconfined_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+	rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+	read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-21 06:44:58.000000000 -0400
@ -13400,7 +13450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-20 18:02:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-09-21 19:20:56.000000000 -0400
@@ -29,8 +29,9 @@
 	')
 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -362,6 +362,10 @@ exit 0
 %endif

 %changelog
+* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8
+- Allow also to search var_lib
+- New context for dbus launcher 
+
 * Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7
 - Allow cupsd_config_t to read/write usb_device_t
 - Support for finger print reader,