- Allow also to search var_lib

- New context for dbus launcher
This commit is contained in:
Daniel J Walsh 2007-09-21 23:46:18 +00:00
parent 347ff1a0c3
commit ec4fb1ce99
2 changed files with 88 additions and 34 deletions

View File

@ -314,8 +314,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.8/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-19 10:54:14.000000000 -0400
@@ -14,25 +14,35 @@
+++ serefpolicy-3.0.8/policy/modules/admin/alsa.te 2007-09-21 19:08:24.000000000 -0400
@@ -14,25 +14,36 @@
type alsa_etc_rw_t;
files_type(alsa_etc_rw_t)
@ -342,6 +342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
manage_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t,alsa_etc_rw_t,alsa_etc_rw_t)
+files_search_var_lib(alsa_t)
+manage_dirs_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+manage_files_pattern(alsa_t,alsa_var_lib_t,alsa_var_lib_t)
+
@ -354,7 +355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
@@ -43,7 +53,13 @@
@@ -43,7 +54,13 @@
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
@ -2838,7 +2839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-09-21 19:16:08.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@ -9977,7 +9978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-08-22 07:14:07.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-20 15:44:32.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2007-09-21 19:21:31.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@ -9992,11 +9993,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
## Allow xdm logins as sysadm
## </p>
## </desc>
@@ -132,15 +139,19 @@
@@ -132,15 +139,20 @@
manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+fs_rw_tmpfs_files(xdm_xserver_t)
+fs_getattr_all_fs(xdm_t)
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@ -10013,7 +10015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xdm_xserver_t:process signal;
allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
@@ -185,6 +196,7 @@
@@ -185,6 +197,7 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
@ -10021,7 +10023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
# xdm tries to bind to biff_port_t
@@ -246,6 +258,7 @@
@@ -246,6 +259,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -10029,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -257,6 +270,7 @@
@@ -257,6 +271,7 @@
libs_exec_lib_files(xdm_t)
logging_read_generic_logs(xdm_t)
@ -10037,7 +10039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
miscfiles_read_localization(xdm_t)
miscfiles_read_fonts(xdm_t)
@@ -268,9 +282,14 @@
@@ -268,9 +283,14 @@
userdom_create_all_users_keys(xdm_t)
# for .dmrc
userdom_read_unpriv_users_home_content_files(xdm_t)
@ -10052,7 +10054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
@@ -306,6 +325,11 @@
@@ -306,6 +326,11 @@
optional_policy(`
consolekit_dbus_chat(xdm_t)
@ -10064,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -348,12 +372,8 @@
@@ -348,12 +373,8 @@
')
optional_policy(`
@ -10078,7 +10080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
@@ -385,7 +405,7 @@
@@ -385,7 +406,7 @@
allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
@ -10087,7 +10089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
@@ -425,6 +445,10 @@
@@ -425,6 +446,10 @@
')
optional_policy(`
@ -10098,7 +10100,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -434,47 +458,19 @@
@@ -434,47 +459,20 @@
')
optional_policy(`
@ -10113,6 +10115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+optional_policy(`
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
+ unconfined_rw_tmpfs_files(xdm_xserver_t)
+')
- ifdef(`distro_rhel4',`
@ -10188,7 +10191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-09-21 16:38:32.000000000 -0400
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@ -10197,9 +10200,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -40,3 +41,5 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-20 16:27:52.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-21 19:32:00.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10230,7 +10239,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
domain_type($1)
domain_subj_id_change_exemption($1)
@@ -176,11 +177,23 @@
@@ -176,11 +177,28 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
@ -10243,6 +10252,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
+ files_list_var_lib($1)
+ manage_files_pattern($1, var_auth_t, var_auth_t)
+
+ manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
+ manage_files_pattern($1, auth_cache_t, auth_cache_t)
+ manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
+ files_var_filetrans($1,auth_cache_t,dir)
+
# for SSP/ProPolice
dev_read_urand($1)
@ -10254,7 +10268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
@@ -196,22 +209,33 @@
@@ -196,22 +214,33 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@ -10289,7 +10303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
')
@@ -309,9 +333,6 @@
@@ -309,9 +338,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@ -10299,7 +10313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@@ -329,6 +350,7 @@
@@ -329,6 +355,7 @@
optional_policy(`
kerberos_use($1)
@ -10307,7 +10321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
optional_policy(`
@@ -347,6 +369,37 @@
@@ -347,6 +374,37 @@
########################################
## <summary>
@ -10345,7 +10359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
@@ -695,6 +748,24 @@
@@ -695,6 +753,24 @@
########################################
## <summary>
@ -10370,7 +10384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
@@ -1318,14 +1389,9 @@
@@ -1318,14 +1394,9 @@
## </param>
#
interface(`auth_use_nsswitch',`
@ -10385,7 +10399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1)
miscfiles_read_certs($1)
@@ -1381,3 +1447,163 @@
@@ -1381,3 +1452,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@ -10551,7 +10565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-08-22 07:14:12.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te 2007-09-21 16:37:58.000000000 -0400
@@ -9,6 +9,13 @@
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
@ -10566,7 +10580,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
type chkpwd_exec_t;
application_executable_file(chkpwd_exec_t)
@@ -67,6 +74,10 @@
@@ -53,6 +60,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
+type auth_cache_t;
+logging_log_file(auth_cache_t)
+
#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
@@ -67,6 +77,10 @@
authlogin_common_auth_domain_template(system)
role system_r types system_chkpwd_t;
@ -10577,7 +10601,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
########################################
#
# PAM local policy
@@ -159,6 +170,8 @@
@@ -159,6 +173,8 @@
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
@ -10586,7 +10610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
@@ -236,7 +249,7 @@
@@ -236,7 +252,7 @@
optional_policy(`
xserver_read_xdm_pid(pam_console_t)
@ -10595,7 +10619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
')
########################################
@@ -302,3 +315,28 @@
@@ -302,3 +318,28 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
@ -12977,7 +13001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-17 16:20:18.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-09-21 19:31:25.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@ -13032,7 +13056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
@@ -601,3 +605,149 @@
@@ -601,3 +605,175 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@ -13182,6 +13206,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+ allow $1 unconfined_t:process rlimitinh;
+')
+
+########################################
+## <summary>
+## Read/write unconfined tmpfs files.
+## </summary>
+## <desc>
+## <p>
+## Read/write unconfined tmpfs files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unconfined_rw_tmpfs_files',`
+ gen_require(`
+ type unconfined_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-21 06:44:58.000000000 -0400
@ -13400,7 +13450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-08-27 09:18:17.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-20 18:02:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-09-21 19:20:56.000000000 -0400
@@ -29,8 +29,9 @@
')

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
Release: 7%{?dist}
Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -362,6 +362,10 @@ exit 0
%endif
%changelog
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-8
- Allow also to search var_lib
- New context for dbus launcher
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t
- Support for finger print reader,