- Fix rpm_dontaudit_leaks

Daniel J Walsh 2010-01-28 15:29:47 +00:00
parent 4aaa022742
commit ef4ca2d5e7
1 changed files with 50 additions and 46 deletions


@ -626,7 +626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.8/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-22 10:22:49.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/admin/rpm.if 2010-01-28 10:15:39.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@ -699,16 +699,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+ dontaudit $1 rpm_t:shm rw_shm_perms;
+
+ dontaudit $1 rpm_script_t:fd use;
+ dontaudit $1 rpm_script_t:fifo_file { read write };
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
+
+ dontaudit $1 rpm_var_run_t:file write;
+
+ dontaudit $1 rpm_tmp_t:file { read write };
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file { read write };
+ dontaudit $1 rpm_script_tmp_t:file { read write };
+ dontaudit $1 rpm_var_lib_t:file { read write };
+ dontaudit $1 rpm_var_cache_t:file { read write };
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
+')
+
+########################################
@ -6744,7 +6744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-21 13:49:10.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/kernel/files.if 2010-01-28 08:42:36.000000000 -0500
@@ -932,10 +932,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@ -20815,7 +20815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.8/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-25 12:24:39.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/policykit.te 2010-01-28 09:30:05.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@ -20869,7 +20869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(policykit_t)
+ gnome_read_config(policykit_t)
+')
########################################
@ -27017,7 +27017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.8/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-18 15:18:03.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/xserver.fc 2010-01-28 08:44:25.000000000 -0500
@@ -3,12 +3,21 @@
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@ -27079,7 +27079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
ifdef(`distro_debian', `
@@ -89,17 +94,37 @@
@@ -89,17 +94,40 @@
/var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
@ -27120,6 +27120,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+/var/lib/nxserver/home/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/xserver.if 2010-01-18 15:18:03.000000000 -0500
@ -27586,7 +27589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-25 12:06:19.000000000 -0500
+++ serefpolicy-3.7.8/policy/modules/services/xserver.te 2010-01-28 08:43:20.000000000 -0500
@@ -36,6 +36,13 @@
## <desc>
@ -27749,7 +27752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(iceauth_t)
@@ -250,30 +274,48 @@
@@ -250,30 +274,49 @@
fs_manage_cifs_files(iceauth_t)
')
@ -27796,13 +27799,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
+files_dontaudit_getattr_all_dirs(xauth_t)
+files_var_lib_filetrans(xauth_t, xauth_home_t, file)
-fs_getattr_xattr_fs(xauth_t)
+fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
# cjp: why?
@@ -283,6 +325,14 @@
@@ -283,6 +326,14 @@
userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
@ -27817,7 +27821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_xdm_tmp_files(xauth_t)
@@ -294,6 +344,15 @@
@@ -294,6 +345,15 @@
fs_manage_cifs_files(xauth_t)
')
@ -27833,7 +27837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
@@ -305,20 +364,31 @@
@@ -305,20 +365,31 @@
# XDM Local policy
#
@ -27868,7 +27872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
@@ -334,22 +404,40 @@
@@ -334,22 +405,40 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@ -27912,7 +27916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
@@ -363,6 +451,7 @@
@@ -363,6 +452,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@ -27920,7 +27924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -371,10 +460,14 @@
@@ -371,10 +461,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@ -27936,7 +27940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
@@ -394,11 +487,13 @@
@@ -394,11 +488,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@ -27950,7 +27954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
@@ -406,6 +501,7 @@
@@ -406,6 +502,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@ -27958,7 +27962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
@@ -414,18 +510,21 @@
@@ -414,18 +511,21 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@ -27983,7 +27987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
@@ -436,9 +535,15 @@
@@ -436,9 +536,15 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@ -27999,7 +28003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
@@ -447,6 +552,7 @@
@@ -447,6 +553,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@ -28007,7 +28011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
@@ -455,6 +561,7 @@
@@ -455,6 +562,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@ -28015,7 +28019,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
@@ -465,10 +572,12 @@
@@ -465,10 +573,12 @@
logging_read_generic_logs(xdm_t)
@ -28030,7 +28034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
@@ -477,6 +586,11 @@
@@ -477,6 +587,11 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@ -28042,7 +28046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
@@ -509,10 +623,12 @@
@@ -509,10 +624,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@ -28055,7 +28059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -520,12 +636,49 @@
@@ -520,12 +637,49 @@
')
optional_policy(`
@ -28105,7 +28109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
@@ -543,9 +696,42 @@
@@ -543,9 +697,42 @@
')
optional_policy(`
@ -28148,7 +28152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
@@ -555,8 +741,9 @@
@@ -555,8 +742,9 @@
')
optional_policy(`
@ -28160,7 +28164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
@@ -565,7 +752,6 @@
@@ -565,7 +753,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@ -28168,7 +28172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
@@ -576,6 +762,10 @@
@@ -576,6 +763,10 @@
')
optional_policy(`
@ -28179,7 +28183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
@@ -600,10 +790,9 @@
@@ -600,10 +791,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@ -28191,7 +28195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
@@ -615,6 +804,18 @@
@@ -615,6 +805,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@ -28210,7 +28214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
@@ -634,12 +835,19 @@
@@ -634,12 +836,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@ -28232,7 +28236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
@@ -673,7 +881,6 @@
@@ -673,7 +882,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@ -28240,7 +28244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
@@ -683,9 +890,12 @@
@@ -683,9 +891,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@ -28254,7 +28258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
@@ -700,8 +910,12 @@
@@ -700,8 +911,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@ -28267,7 +28271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
@@ -723,6 +937,7 @@
@@ -723,6 +938,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@ -28275,7 +28279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
modutils_domtrans_insmod(xserver_t)
@@ -779,12 +994,20 @@
@@ -779,12 +995,20 @@
')
optional_policy(`
@ -28297,7 +28301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
@@ -811,7 +1034,7 @@
@@ -811,7 +1035,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@ -28306,7 +28310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
@@ -832,9 +1055,14 @@
@@ -832,9 +1056,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@ -28321,7 +28325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
@@ -849,11 +1077,14 @@
@@ -849,11 +1078,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@ -28338,7 +28342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
@@ -1000,17 +1231,32 @@
@@ -1000,17 +1232,32 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;