- Allow confined users to login with dbus

This commit is contained in:
Daniel J Walsh 2008-09-23 20:14:47 +00:00
parent a80e7ac6a3
commit ed32c64290
2 changed files with 70 additions and 41 deletions


@ -14730,7 +14730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.5.8/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/dbus.if 2008-09-23 15:34:03.000000000 -0400
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@ -14748,7 +14748,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type $1_dbusd_tmp_t;
files_tmp_file($1_dbusd_tmp_t)
@@ -84,14 +83,18 @@
@@ -84,14 +83,19 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
@ -14760,6 +14760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
+ allow $2 $1_dbusd_t:unix_stream_socket { getattr connectto };
+ allow $2 $1_dbusd_t:unix_dgram_socket getattr;
+ allow $1_dbusd_t $2:unix_stream_socket rw_socket_perms;
# SE-DBus specific permissions
- allow $1_dbusd_$1_t { $1_dbusd_t self }:dbus send_msg;
@ -14771,7 +14772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
@@ -102,10 +105,9 @@
@@ -102,10 +106,9 @@
files_tmp_filetrans($1_dbusd_t, $1_dbusd_tmp_t, { file dir })
domtrans_pattern($2, system_dbusd_exec_t, $1_dbusd_t)
@ -14784,7 +14785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1_dbusd_t $2:process sigkill;
allow $2 $1_dbusd_t:fd use;
allow $2 $1_dbusd_t:fifo_file rw_fifo_file_perms;
@@ -115,8 +117,8 @@
@@ -115,8 +118,8 @@
kernel_read_kernel_sysctls($1_dbusd_t)
corecmd_list_bin($1_dbusd_t)
@ -14794,7 +14795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
@@ -139,6 +141,7 @@
@@ -139,6 +142,7 @@
fs_getattr_romfs($1_dbusd_t)
fs_getattr_xattr_fs($1_dbusd_t)
@ -14802,7 +14803,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_get_fs_mount($1_dbusd_t)
selinux_validate_context($1_dbusd_t)
@@ -161,12 +164,24 @@
@@ -161,12 +165,24 @@
seutil_read_config($1_dbusd_t)
seutil_read_default_contexts($1_dbusd_t)
@ -14828,7 +14829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`read_default_t',`
files_list_default($1_dbusd_t)
files_read_default_files($1_dbusd_t)
@@ -180,8 +195,15 @@
@@ -180,9 +196,17 @@
')
optional_policy(`
@ -14842,9 +14843,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_dontaudit_xdm_lib_search($1_dbusd_t)
+ xserver_rw_xdm_home_files($1_dbusd_t)
')
+
')
@@ -207,14 +229,12 @@
#######################################
@@ -207,14 +231,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@ -14862,7 +14865,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($2, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($2)
@@ -223,6 +243,10 @@
@@ -223,6 +245,10 @@
files_search_pids($2)
stream_connect_pattern($2, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
dbus_read_config($2)
@ -14873,7 +14876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -251,18 +275,16 @@
@@ -251,18 +277,16 @@
template(`dbus_user_bus_client_template',`
gen_require(`
type $1_dbusd_t;
@ -14894,7 +14897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -292,6 +314,55 @@
@@ -292,6 +316,55 @@
########################################
## <summary>
@ -14950,7 +14953,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read dbus configuration.
## </summary>
## <param name="domain">
@@ -366,3 +437,75 @@
@@ -366,3 +439,75 @@
allow $1 system_dbusd_t:dbus *;
')
@ -15028,7 +15031,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.5.8/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/dbus.te 2008-09-23 15:32:31.000000000 -0400
@@ -9,9 +9,10 @@
#
# Delcarations
@ -15115,6 +15118,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+ consolekit_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+')
+
@ -15136,10 +15143,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
+
+optional_policy(`
+ consolekit_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
+ ')
@ -19515,7 +19518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.8/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.if 2008-09-23 11:18:34.000000000 -0400
@@ -118,6 +118,24 @@
########################################
@ -19543,13 +19546,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.8/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-22 09:09:30.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/networkmanager.te 2008-09-23 16:02:33.000000000 -0400
@@ -29,9 +29,9 @@
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
-allow NetworkManager_t self:capability { kill setgid setuid dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
-allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
@ -21909,7 +21912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.5.8/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-17 08:49:08.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ppp.if 2008-09-23 15:53:43.000000000 -0400
@@ -310,6 +310,24 @@
########################################
@ -26773,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/squid.te 2008-09-23 15:23:35.000000000 -0400
@@ -31,12 +31,15 @@
type squid_var_run_t;
files_pid_file(squid_var_run_t)
@ -26829,7 +26832,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_use_ld_so(squid_t)
libs_use_shared_libs(squid_t)
@@ -149,11 +158,7 @@
@@ -146,14 +155,11 @@
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
+ corenet_tcp_bind_all_ports(squid_t)
')
optional_policy(`
@ -26842,7 +26849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -168,7 +173,12 @@
@@ -168,7 +174,12 @@
udev_read_db(squid_t)
')
@ -30107,7 +30114,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.5.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/init.if 2008-09-23 11:15:16.000000000 -0400
@@ -278,6 +278,27 @@
kernel_dontaudit_use_fds($1)
')
@ -30320,7 +30327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.5.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/init.te 2008-09-23 15:44:50.000000000 -0400
@@ -17,6 +17,20 @@
## </desc>
gen_tunable(init_upstart,false)
@ -30393,7 +30400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
nscd_socket_use(init_t)
')
@@ -204,7 +230,7 @@
@@ -204,9 +230,10 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -30401,8 +30408,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
+allow initrc_t self:key { search };
@@ -219,7 +245,8 @@
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
@@ -219,7 +246,8 @@
term_create_pty(initrc_t,initrc_devpts_t)
# Going to single user mode
@ -30412,7 +30422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t, init_script_file_type)
@@ -232,6 +259,7 @@
@@ -232,6 +260,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t,initrc_var_run_t,file)
@ -30420,7 +30430,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file manage_file_perms;
@@ -276,7 +304,7 @@
@@ -276,7 +305,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
@ -30429,7 +30439,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
@@ -521,6 +549,31 @@
@@ -371,6 +400,7 @@
libs_use_shared_libs(initrc_t)
libs_exec_lib_files(initrc_t)
+logging_send_audit_msgs(initrc_t)
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
@@ -521,6 +551,31 @@
')
')
@ -30461,7 +30479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -579,6 +632,10 @@
@@ -579,6 +634,10 @@
dbus_read_config(initrc_t)
optional_policy(`
@ -30472,7 +30490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
networkmanager_dbus_chat(initrc_t)
')
')
@@ -664,12 +721,6 @@
@@ -664,12 +723,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@ -30485,7 +30503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
@@ -730,6 +781,9 @@
@@ -730,6 +783,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@ -30495,7 +30513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -742,10 +796,12 @@
@@ -742,10 +798,12 @@
squid_manage_logs(initrc_t)
')
@ -30508,7 +30526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -763,6 +819,11 @@
@@ -763,6 +821,11 @@
uml_setattr_util_sockets(initrc_t)
')
@ -30520,7 +30538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
@@ -777,6 +838,10 @@
@@ -777,6 +840,10 @@
')
optional_policy(`
@ -30531,7 +30549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
@@ -799,3 +864,11 @@
@@ -799,3 +866,11 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@ -32469,8 +32487,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2008-08-07 11:15:12.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-17 08:49:09.000000000 -0400
@@ -57,3 +57,5 @@
+++ serefpolicy-3.5.8/policy/modules/system/sysnetwork.fc 2008-09-23 14:00:14.000000000 -0400
@@ -11,6 +11,7 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
@@ -57,3 +58,5 @@
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
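Review bot: The NetworkManager capability rule `allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };` in the `@@ -29,9 +29,9 @@` hunk of networkmanager.te grants CAP_SYS_ADMIN, the broadest capability in that set, with nothing in the commit message or the policy saying which operation needs it. The page prints both versions of that line without markers, so I am inferring the longer one is the new side. I would add a why-comment above it, `# sys_admin: needed for <operation taken from the AVC denial -- placeholder>`, and if the denial is for one specific call, check whether a narrower permission already in the policy covers it before granting the whole capability. The same missing justification applies to the added `corenet_tcp_bind_all_ports(squid_t)` in squid.te, which sits under the `squid_connect_any` tunable whose name and description promise only outbound connects, so the tunable's description should say it now also permits binding.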


@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.8
Release: 6%{?dist}
Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -381,6 +381,9 @@ exit 0
%endif
%changelog
* Tue Sep 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-7
- Allow confined users to login with dbus
* Mon Sep 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.8-6
- Fix transition to nsplugin