rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Allow nsswitch apps to read samba_var_t

Browse Source
This commit is contained in:
Daniel J Walsh 2007-09-25 13:30:08 +00:00
parent f5018f18f8
commit fb11ad6653
2 changed files with 70 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
policy-20070703.patch
View File

@ -2658,11 +2658,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2007-09-12 10:34:49.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/files.fc 2007-09-12 10:34:49.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-09-18 20:56:27.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/kernel/files.fc 2007-09-25 09:00:58.000000000 -0400
@@ -210,6 +210,7 @@ @@ -209,7 +209,8 @@
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>> /usr/lost\+found/.* <<none>>
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+#/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) +/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
@ -8514,8 +8516,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400 --- nsaserefpolicy/policy/modules/services/samba.if 2007-06-19 16:23:35.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2007-09-17 16:20:18.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/samba.if 2007-09-24 17:17:53.000000000 -0400
@@ -349,6 +349,7 @@ @@ -332,6 +332,25 @@
########################################
## <summary>
+## dontaudit the specified domain to
+## write samba /var files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
## Allow the specified domain to
## read and write samba /var files.
## </summary>
@@ -349,6 +368,7 @@
files_search_var($1) files_search_var($1)
files_search_var_lib($1) files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t) manage_files_pattern($1,samba_var_t,samba_var_t)
@ -8523,7 +8551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
') ')
######################################## ########################################
@@ -493,3 +494,102 @@ @@ -493,3 +513,102 @@
allow $1 samba_var_t:dir search_dir_perms; allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t) stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
') ')
@ -10428,7 +10456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400 --- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-24 10:44:04.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-09-24 17:17:30.000000000 -0400
@@ -26,7 +26,8 @@ @@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords; type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t) application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10620,7 +10648,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
files_list_var_lib($1) files_list_var_lib($1)
miscfiles_read_certs($1) miscfiles_read_certs($1)
@@ -1381,3 +1453,163 @@ @@ -1347,6 +1419,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
+ samba_read_var_files($1)
+ samba_dontaudit_write_var_files($1)
')
')
@@ -1381,3 +1455,163 @@
typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
@ -13644,8 +13681,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+') +')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-21 06:44:58.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-09-24 17:02:03.000000000 -0400
@@ -5,28 +5,36 @@ @@ -5,28 +5,38 @@
# #
# Declarations # Declarations
# #
@ -13683,13 +13720,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
# Local policy # Local policy
# #
+dontaudit unconfined_t self:dir write;
+
+allow unconfined_t self:system syslog_read; +allow unconfined_t self:system syslog_read;
+dontaudit unconfined_t self:capability sys_module; +dontaudit unconfined_t self:capability sys_module;
+ +
domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t) domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
files_create_boot_flag(unconfined_t) files_create_boot_flag(unconfined_t)
@@ -35,6 +43,7 @@ @@ -35,6 +45,7 @@
mcs_ptrace_all(unconfined_t) mcs_ptrace_all(unconfined_t)
init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13697,7 +13736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -42,37 +51,30 @@ @@ -42,37 +53,30 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13715,17 +13754,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(` optional_policy(`
- ada_domtrans(unconfined_t) - ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
+ ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
') ')
optional_policy(` optional_policy(`
- apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
- apache_per_role_template(unconfined,unconfined_t,unconfined_r)
- # this is disallowed usage:
- unconfined_domain(httpd_unconfined_script_t)
-')
-
-optional_policy(`
- bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) - bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) + bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
') ')
@ -13743,7 +13782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -118,11 +120,11 @@ @@ -118,11 +122,11 @@
') ')
optional_policy(` optional_policy(`
@ -13757,7 +13796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -134,11 +136,7 @@ @@ -134,11 +138,7 @@
') ')
optional_policy(` optional_policy(`
@ -13770,7 +13809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -155,32 +153,23 @@ @@ -155,32 +155,23 @@
optional_policy(` optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t }) postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13807,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
optional_policy(` optional_policy(`
@@ -205,11 +194,18 @@ @@ -205,11 +196,18 @@
') ')
optional_policy(` optional_policy(`
@ -13828,7 +13867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
') ')
######################################## ########################################
@@ -225,8 +221,20 @@ @@ -225,8 +223,20 @@
init_dbus_chat_script(unconfined_execmem_t) init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t) unconfined_dbus_chat(unconfined_execmem_t)

8
selinux-policy.spec
View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.0.8 Version: 3.0.8
Release: 11%{?dist} Release: 12%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -272,6 +272,7 @@ exit 0
%if %{BUILD_TARGETED} %if %{BUILD_TARGETED}
%package targeted %package targeted
Summary: SELinux targeted base policy Summary: SELinux targeted base policy
Provides: selinux-policy-base
Group: System Environment/Base Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2 Obsoletes: selinux-policy-targeted-sources < 2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -315,6 +316,7 @@ exit 0
%package olpc %package olpc
Summary: SELinux olpc base policy Summary: SELinux olpc base policy
Group: System Environment/Base Group: System Environment/Base
Provides: selinux-policy-base
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release} Requires(pre): selinux-policy = %{version}-%{release}
@ -339,6 +341,7 @@ exit 0
%package mls %package mls
Summary: SELinux mls base policy Summary: SELinux mls base policy
Group: System Environment/Base Group: System Environment/Base
Provides: selinux-policy-base
Obsoletes: selinux-policy-mls-sources < 2 Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -362,6 +365,9 @@ exit 0
%endif %endif
%changelog %changelog
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-12
- Allow nsswitch apps to read samba_var_t
* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-11 * Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-11
- Fix maxima - Fix maxima