- Fixes for kpropd

2009-05-14 18:53:40 +00:00 · 2009-05-14 18:53:40 +00:00 · f72bd44737
commit f72bd44737
parent fcb4418ad5
2 changed files with 135 additions and 61 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -1887,7 +1887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.12/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/gnome.if	2009-05-14 10:31:02.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/gnome.if	2009-05-14 11:05:16.000000000 -0400
@@ -89,5 +89,175 @@
 	allow $1 gnome_home_t:dir manage_dir_perms;
@ -10664,7 +10664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-05-12 15:30:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te	2009-05-14 13:42:00.000000000 -0400
@@ -13,6 +13,9 @@
 type consolekit_var_run_t;
 files_pid_file(consolekit_var_run_t)
@ -13790,8 +13790,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-05-12 15:30:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te	2009-05-14 13:42:21.000000000 -0400
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,49 @@
 +policy_module(fprintd,1.0.0)
 +
 +########################################
@ -13806,6 +13806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +type fprintd_var_lib_t;
 +files_type(fprintd_var_lib_t)
 +
 +allow fprintd_t self:capability sys_ptrace;
 +allow fprintd_t self:fifo_file rw_fifo_file_perms;
 +allow fprintd_t self:process { getsched signal };
 +
@ -14919,7 +14920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.6.12/policy/modules/services/kerberos.fc
 --- nsaserefpolicy/policy/modules/services/kerberos.fc	2009-03-23 13:47:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-14 08:39:20.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/kerberos.fc	2009-05-14 13:29:16.000000000 -0400
@@ -6,13 +6,14 @@
 /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@ -14936,6 +14937,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
@@ -21,7 +22,7 @@
 /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 /var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
 /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 -/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 +/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.12/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-03-23 13:47:11.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/kerberos.te	2009-05-14 13:28:31.000000000 -0400
@@ -33,6 +33,7 @@
 type kpropd_t;
 type kpropd_exec_t;
 init_daemon_domain(kpropd_t, kpropd_exec_t)
 +domain_obj_id_change_exemption(kpropd_t)
 type krb5_conf_t;
 files_type(krb5_conf_t)
@@ -281,6 +282,7 @@
 allow kpropd_t krb5_keytab_t:file read_file_perms;
 +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t)
 manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
 corecmd_exec_bin(kpropd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.6.12/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	2009-01-05 15:39:43.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/services/kerneloops.if	2009-05-12 15:30:13.000000000 -0400
@ -23298,7 +23327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.12/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-12 15:30:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/ssh.if	2009-05-14 14:05:37.000000000 -0400
@@ -36,6 +36,7 @@
 	gen_require(`
 		attribute ssh_server;
@ -23474,7 +23503,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -454,6 +455,24 @@
+@@ -345,6 +346,7 @@
 	allow ssh_t $3:unix_stream_socket connectto;
 	# user can manage the keys and config
 +	userdom_search_user_home_dirs($1_t)
 	manage_files_pattern($3, home_ssh_t, home_ssh_t)
 	manage_lnk_files_pattern($3, home_ssh_t, home_ssh_t)
 	manage_sock_files_pattern($3, home_ssh_t, home_ssh_t)
@@ -454,6 +456,24 @@
 ########################################
 ## <summary>
@ -23499,7 +23536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Read a ssh server unnamed pipe.
 ## </summary>
 ## <param name="domain">
-@@ -469,6 +488,23 @@
+@@ -469,6 +489,23 @@
 	allow $1 sshd_t:fifo_file { getattr read };
 ')
@ -23523,7 +23560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 ## <summary>
-@@ -611,3 +647,42 @@
+@@ -611,3 +648,42 @@
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')
@ -24533,7 +24570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-12 15:30:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-05-14 13:40:26.000000000 -0400
@@ -8,19 +8,31 @@
 ## <desc>
@ -24700,7 +24737,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_getattr_pty_fs(virtd_t)
 term_use_ptmx(virtd_t)
-@@ -129,6 +192,13 @@
+@@ -129,7 +192,15 @@
 logging_send_syslog_msg(virtd_t)
@ -24710,11 +24747,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +userdom_dontaudit_list_admin_dir(virtd_t)
 +userdom_getattr_all_users(virtd_t)
-+userdom_search_user_home_content(virtd_t)
+userdom_list_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
 +userdom_read_user_home_content_files(virtd_t)
 tunable_policy(`virt_use_nfs',`
-@@ -167,22 +237,34 @@
+ 	fs_manage_nfs_dirs(virtd_t)
@@ -167,22 +238,34 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -24737,15 +24776,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
-+
+ 
-+optional_policy(`
+ optional_policy(`
 -	qemu_domtrans(virtd_t)
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +	polkit_read_lib(virtd_t)
 +')
- 
+
- optional_policy(`
+optional_policy(`
 -	qemu_domtrans(virtd_t)
 +	qemu_spec_domtrans(virtd_t, svirt_t)
 	qemu_read_state(virtd_t)
 	qemu_signal(virtd_t)
@ -24754,7 +24793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -195,8 +277,88 @@
+@@ -195,8 +278,89 @@
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
@ -24763,11 +24802,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	udev_domtrans(virtd_t)
-+')
+ ')
-+
+ 
-+#optional_policy(`
+ optional_policy(`
-+#	unconfined_domain(virtd_t)
+ 	unconfined_domain(virtd_t)
-+#')
+ ')
 +
 +manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 +manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@ -24838,12 +24877,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	xen_rw_image_files(svirt_t)
- ')
+')
- 
+
- optional_policy(`
+optional_policy(`
 -	unconfined_domain(virtd_t)
 +	xen_rw_image_files(svirt_t)
- ')
+')
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2008-08-25 09:12:31.000000000 -0400
 +++ serefpolicy-3.6.12/policy/modules/services/w3c.te	2009-05-12 15:30:13.000000000 -0400
@ -30862,7 +30901,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-12 15:30:13.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-05-14 13:40:08.000000000 -0400
@@ -30,8 +30,9 @@
 	')
@ -32245,40 +32284,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2814,12 +3012,12 @@
+@@ -2682,16 +2880,17 @@
- 		type user_tmp_t;
+ #
 interface(`userdom_search_user_home_content',`
 	gen_require(`
 -		type user_home_dir_t, user_home_t;
 +		type user_home_dir_t;
 +		attribute user_home_type;
 	')
-	allow $1 user_tmp_t:file write_file_perms;
+ 	files_list_home($1)
-+	write_files_pattern($1, user_tmp_t, user_tmp_t)
+-	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 +	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
 ')
 ########################################
 ## <summary>
-##	Do not audit attempts to use user ttys.
+-##	Send general signals to unprivileged user domains.
-+##	Delete all users files in /tmp
+##	List users home directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-@@ -2827,17 +3025,35 @@
+@@ -2699,12 +2898,32 @@
 ##	</summary>
 ## </param>
 #
-interface(`userdom_dontaudit_use_user_ttys',`
+-interface(`userdom_signal_unpriv_users',`
-+interface(`userdom_delete_user_tmp_files',`
+interface(`userdom_list_user_home_content',`
 	gen_require(`
-		type user_tty_device_t;
+-		attribute unpriv_userdomain;
-+		type user_tmp_t;
+		type user_home_dir_t;
 +		attribute user_home_type;
 	')
-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+-	allow $1 unpriv_userdomain:process signal;
-+	allow $1 user_tmp_t:file delete_file_perms;
+	files_list_home($1)
- ')
+	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
- 
+')
- ########################################
+
- ## <summary>
+########################################
-##	Read the process state of all user domains.
+## <summary>
-+##	Do not audit attempts to use user ttys.
+##	Send general signals to unprivileged user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -32286,21 +32332,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_user_ttys',`
+interface(`userdom_signal_unpriv_users',`
 +	gen_require(`
-+		type user_tty_device_t;
+		attribute unpriv_userdomain;
 +	')
 +
-+	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+	allow $1 unpriv_userdomain:process signal;
 ')
 ########################################
@@ -2814,7 +3033,25 @@
 		type user_tmp_t;
 	')
 -	allow $1 user_tmp_t:file write_file_perms;
 +	write_files_pattern($1, user_tmp_t, user_tmp_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Read the process state of all user domains.
+##	Delete all users files in /tmp
- ## </summary>
+## </summary>
- ## <param name="domain">
+## <param name="domain">
- ##	<summary>
+##	<summary>
-@@ -2851,6 +3067,7 @@
+##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_delete_user_tmp_files',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
 +	allow $1 user_tmp_t:file delete_file_perms;
 ')
 ########################################
@@ -2851,6 +3088,7 @@
 	')
 	read_files_pattern($1,userdomain,userdomain)
@ -32308,7 +32376,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
-@@ -2981,3 +3198,481 @@
+@@ -2981,3 +3219,481 @@
 	allow $1 userdomain:dbus send_msg;
 ')
@ -33208,7 +33276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-05-14 08:26:03.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/xen.te	2009-05-14 14:07:29.000000000 -0400
@@ -6,6 +6,13 @@
 # Declarations
 #
@ -33433,7 +33501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_read_etc_runtime_files(xm_t)
 files_read_usr_files(xm_t)
-@@ -339,15 +390,64 @@
+@@ -339,15 +390,67 @@
 storage_raw_read_fixed_disk(xm_t)
@ -33464,6 +33532,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# SSH component local policy
 +#
 +ssh_basic_client_template(xm,xm_t,system_r)
 +kernel_read_xen_state(xm_ssh_t)
 +kernel_write_xen_state(xm_ssh_t)
 +
 +
 +#Should have a boolean wrapping these
 +fs_list_auto_mountpoints(xend_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 36%{?dist}
+Release: 37%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -473,6 +473,9 @@ exit 0
 %endif
 %changelog
 * Thu May 14 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-37
 - Fixes for kpropd
 * Tue May 12 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-36
 - Allow brctl to r/w tun_tap_device_t