- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
- Turn off iptables from unconfined user - Allow sudo to send signals to any domains the user could have transitioned to. - Passwd in single user mode needs to talk to console_device_t - Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio - locate tried to read a symbolic link, will dontaudit - New labels for telepathy-sunshine content in homedir - Google is storing other binaries under /opt/google/talkplugin - bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug - Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15 - modemmanger and bluetooth send dbus messages to devicekit_power - Samba needs to getquota on filesystems labeld samba_share_t
This commit is contained in:
Dan Walsh
parent
5ae8fb66d8
commit
fbd9ca071a
@ -251,6 +251,14 @@ allow_nsplugin_execmem=true
|
||||
#
|
||||
allow_unconfined_nsplugin_transition=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
unconfined_mozilla_plugin_transition=true
|
||||
|
||||
# Allow unconfined domain to transition to confined domain
|
||||
#
|
||||
unconfined_telepathy_transition=true
|
||||
|
||||
# System uses init upstart program
|
||||
#
|
||||
init_upstart = true
|
||||
|
||||
402
policy-F14.patch
402
policy-F14.patch
@ -1467,7 +1467,7 @@ index 7bddc02..2b59ed0 100644
|
||||
+
|
||||
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
|
||||
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
||||
index 5f44f1b..2993130 100644
|
||||
index 5f44f1b..bb95e79 100644
|
||||
--- a/policy/modules/admin/sudo.if
|
||||
+++ b/policy/modules/admin/sudo.if
|
||||
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
|
||||
@ -1497,7 +1497,7 @@ index 5f44f1b..2993130 100644
|
||||
allow $3 $1_sudo_t:fd use;
|
||||
allow $3 $1_sudo_t:fifo_file rw_file_perms;
|
||||
allow $3 $1_sudo_t:process signal_perms;
|
||||
@@ -111,6 +117,7 @@ template(`sudo_role_template',`
|
||||
@@ -111,12 +117,15 @@ template(`sudo_role_template',`
|
||||
|
||||
term_relabel_all_ttys($1_sudo_t)
|
||||
term_relabel_all_ptys($1_sudo_t)
|
||||
@ -1505,7 +1505,15 @@ index 5f44f1b..2993130 100644
|
||||
|
||||
auth_run_chk_passwd($1_sudo_t, $2)
|
||||
# sudo stores a token in the pam_pid directory
|
||||
@@ -133,13 +140,18 @@ template(`sudo_role_template',`
|
||||
auth_manage_pam_pid($1_sudo_t)
|
||||
auth_use_nsswitch($1_sudo_t)
|
||||
|
||||
+ application_signal($1_sudo_t)
|
||||
+
|
||||
init_rw_utmp($1_sudo_t)
|
||||
|
||||
logging_send_audit_msgs($1_sudo_t)
|
||||
@@ -133,13 +142,18 @@ template(`sudo_role_template',`
|
||||
userdom_manage_user_tmp_files($1_sudo_t)
|
||||
userdom_manage_user_tmp_symlinks($1_sudo_t)
|
||||
userdom_use_user_terminals($1_sudo_t)
|
||||
@ -1606,7 +1614,7 @@ index aecbf1c..0b5e634 100644
|
||||
|
||||
optional_policy(`
|
||||
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
||||
index c35d801..961424f 100644
|
||||
index c35d801..b1a841a 100644
|
||||
--- a/policy/modules/admin/usermanage.te
|
||||
+++ b/policy/modules/admin/usermanage.te
|
||||
@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t)
|
||||
@ -1620,11 +1628,13 @@ index c35d801..961424f 100644
|
||||
|
||||
# allow checking if a shell is executable
|
||||
corecmd_check_exec_shell(chfn_t)
|
||||
@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t)
|
||||
@@ -293,17 +291,18 @@ selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
term_use_all_ttys(passwd_t)
|
||||
term_use_all_ptys(passwd_t)
|
||||
+term_use_generic_ptys(passwd_t)
|
||||
-term_use_all_ttys(passwd_t)
|
||||
-term_use_all_ptys(passwd_t)
|
||||
+term_use_all_terms(passwd_t)
|
||||
|
||||
-auth_domtrans_chk_passwd(passwd_t)
|
||||
auth_manage_shadow(passwd_t)
|
||||
@ -1641,7 +1651,7 @@ index c35d801..961424f 100644
|
||||
|
||||
domain_use_interactive_fds(passwd_t)
|
||||
|
||||
@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
@@ -334,6 +333,7 @@ userdom_read_user_tmp_files(passwd_t)
|
||||
# user generally runs this from their home directory, so do not audit a search
|
||||
# on user home dir
|
||||
userdom_dontaudit_search_user_home_content(passwd_t)
|
||||
@ -1649,7 +1659,7 @@ index c35d801..961424f 100644
|
||||
|
||||
optional_policy(`
|
||||
nscd_domtrans(passwd_t)
|
||||
@@ -428,7 +430,7 @@ optional_policy(`
|
||||
@@ -428,7 +428,7 @@ optional_policy(`
|
||||
# Useradd local policy
|
||||
#
|
||||
|
||||
@ -1658,7 +1668,7 @@ index c35d801..961424f 100644
|
||||
dontaudit useradd_t self:capability sys_tty_config;
|
||||
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow useradd_t self:process setfscreate;
|
||||
@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t)
|
||||
@@ -500,12 +500,8 @@ seutil_domtrans_setfiles(useradd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(useradd_t)
|
||||
# Add/remove user home directories
|
||||
@ -3701,7 +3711,7 @@ index 9a6d67d..47aa143 100644
|
||||
## mozilla over dbus.
|
||||
## </summary>
|
||||
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
|
||||
index cbf4bec..3ecd99b 100644
|
||||
index cbf4bec..70d899d 100644
|
||||
--- a/policy/modules/apps/mozilla.te
|
||||
+++ b/policy/modules/apps/mozilla.te
|
||||
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
|
||||
@ -3774,7 +3784,7 @@ index cbf4bec..3ecd99b 100644
|
||||
pulseaudio_exec(mozilla_t)
|
||||
pulseaudio_stream_connect(mozilla_t)
|
||||
pulseaudio_manage_home_files(mozilla_t)
|
||||
@@ -266,3 +291,108 @@ optional_policy(`
|
||||
@@ -266,3 +291,121 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
thunderbird_domtrans(mozilla_t)
|
||||
')
|
||||
@ -3815,8 +3825,18 @@ index cbf4bec..3ecd99b 100644
|
||||
+corecmd_exec_bin(mozilla_plugin_t)
|
||||
+corecmd_exec_shell(mozilla_plugin_t)
|
||||
+
|
||||
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_streaming_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_http_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_ipp_port(mozilla_plugin_t)
|
||||
+corenet_tcp_connect_speech_port(mozilla_plugin_t)
|
||||
+
|
||||
+dev_read_urand(mozilla_plugin_t)
|
||||
+dev_read_video_dev(mozilla_plugin_t)
|
||||
+dev_write_video_dev(mozilla_plugin_t)
|
||||
+dev_read_sysfs(mozilla_plugin_t)
|
||||
+dev_read_sound(mozilla_plugin_t)
|
||||
+dev_write_sound(mozilla_plugin_t)
|
||||
@ -3852,6 +3872,7 @@ index cbf4bec..3ecd99b 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ alsa_read_rw_config(mozilla_plugin_t)
|
||||
+ alsa_read_home_files(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -3874,8 +3895,10 @@ index cbf4bec..3ecd99b 100644
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ pulseaudio_exec(mozilla_plugin_t)
|
||||
+ pulseaudio_stream_connect(mozilla_plugin_t)
|
||||
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
|
||||
+ pulseaudio_rw_home_files(mozilla_plugin_t)
|
||||
+ pulseaudio_manage_home_files(mozilla_plugin_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -6088,15 +6111,28 @@ index 7590165..e5ef7b3 100644
|
||||
')
|
||||
')
|
||||
+
|
||||
diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
|
||||
index e9134f0..3d2ef30 100644
|
||||
--- a/policy/modules/apps/slocate.te
|
||||
+++ b/policy/modules/apps/slocate.te
|
||||
@@ -38,6 +38,7 @@ dev_getattr_all_blk_files(locate_t)
|
||||
dev_getattr_all_chr_files(locate_t)
|
||||
|
||||
files_list_all(locate_t)
|
||||
+files_dontaudit_read_all_symlinks(locate_t)
|
||||
files_getattr_all_files(locate_t)
|
||||
files_getattr_all_pipes(locate_t)
|
||||
files_getattr_all_sockets(locate_t)
|
||||
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
|
||||
new file mode 100644
|
||||
index 0000000..1e47b96
|
||||
index 0000000..809bb65
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/telepathy.fc
|
||||
@@ -0,0 +1,14 @@
|
||||
@@ -0,0 +1,15 @@
|
||||
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
|
||||
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
|
||||
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
||||
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
||||
+HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
|
||||
+
|
||||
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
|
||||
+
|
||||
@ -6304,10 +6340,10 @@ index 0000000..3d12484
|
||||
+')
|
||||
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
|
||||
new file mode 100644
|
||||
index 0000000..c4fe796
|
||||
index 0000000..34a2b48
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/apps/telepathy.te
|
||||
@@ -0,0 +1,320 @@
|
||||
@@ -0,0 +1,327 @@
|
||||
+
|
||||
+policy_module(telepathy, 1.0.0)
|
||||
+
|
||||
@ -6341,6 +6377,9 @@ index 0000000..c4fe796
|
||||
+type telepathy_mission_control_cache_home_t;
|
||||
+userdom_user_home_content(telepathy_mission_control_cache_home_t)
|
||||
+
|
||||
+type telepathy_sunshine_home_t;
|
||||
+userdom_user_home_content(telepathy_sunshine_home_t)
|
||||
+
|
||||
+telepathy_domain_template(msn)
|
||||
+telepathy_domain_template(salut)
|
||||
+telepathy_domain_template(sofiasip)
|
||||
@ -6561,12 +6600,16 @@ index 0000000..c4fe796
|
||||
+#
|
||||
+# Telepathy Sunshine local policy.
|
||||
+#
|
||||
+manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
||||
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
||||
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
|
||||
+userdom_search_user_home_dirs(telepathy_sunshine_t)
|
||||
+
|
||||
+manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
|
||||
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
|
||||
+files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
|
||||
+
|
||||
+corecmd_list_bin(telepathy_sunshine_t)
|
||||
+corecmd_exec_bin(telepathy_sunshine_t)
|
||||
+
|
||||
+dev_read_urand(telepathy_sunshine_t)
|
||||
+
|
||||
@ -6984,7 +7027,7 @@ index 82842a0..369c3b5 100644
|
||||
dbus_system_bus_client($1_wm_t)
|
||||
dbus_session_bus_client($1_wm_t)
|
||||
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
|
||||
index 0eb1d97..38d675c 100644
|
||||
index 0eb1d97..46af2a4 100644
|
||||
--- a/policy/modules/kernel/corecommands.fc
|
||||
+++ b/policy/modules/kernel/corecommands.fc
|
||||
@@ -9,8 +9,11 @@
|
||||
@ -7040,7 +7083,7 @@ index 0eb1d97..38d675c 100644
|
||||
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
+/opt/google/talkplugin/cron(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
+
|
||||
@ -8061,7 +8104,7 @@ index 3517db2..bd4c23d 100644
|
||||
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
|
||||
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index 5302dac..000c53a 100644
|
||||
index 5302dac..a738502 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
|
||||
@ -8506,7 +8549,7 @@ index 5302dac..000c53a 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -5826,3 +6137,229 @@ interface(`files_unconfined',`
|
||||
@@ -5826,3 +6137,247 @@ interface(`files_unconfined',`
|
||||
|
||||
typeattribute $1 files_unconfined_type;
|
||||
')
|
||||
@ -8623,6 +8666,24 @@ index 5302dac..000c53a 100644
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Allow read write all tmpfs files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_rw_tmpfs_files',`
|
||||
+ gen_require(`
|
||||
+ attribute tmpfsfile;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 tmpfsfile:file { read write };
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Do not audit attempts to read security files
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
@ -9214,7 +9275,7 @@ index 0dff98e..a09ab47 100644
|
||||
|
||||
#
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index ed7667a..46e9859 100644
|
||||
index ed7667a..10c14fe 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
+++ b/policy/modules/kernel/kernel.if
|
||||
@@ -698,6 +698,46 @@ interface(`kernel_read_debugfs',`
|
||||
@ -9273,7 +9334,32 @@ index ed7667a..46e9859 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2845,6 +2885,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
@@ -2380,6 +2420,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read and write unlabeled sockets.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`kernel_rw_unlabeled_socket',`
|
||||
+ gen_require(`
|
||||
+ type unlabeled_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 unlabeled_t:socket rw_socket_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts by caller to get attributes for
|
||||
## unlabeled character devices.
|
||||
## </summary>
|
||||
@@ -2845,6 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -9298,7 +9384,7 @@ index ed7667a..46e9859 100644
|
||||
## Unconfined access to kernel module resources.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2860,3 +2918,23 @@ interface(`kernel_unconfined',`
|
||||
@@ -2860,3 +2936,23 @@ interface(`kernel_unconfined',`
|
||||
|
||||
typeattribute $1 kern_unconfined;
|
||||
')
|
||||
@ -10947,10 +11033,10 @@ index 0000000..8b2cdf3
|
||||
+
|
||||
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
|
||||
new file mode 100644
|
||||
index 0000000..a09ca52
|
||||
index 0000000..0e47a85
|
||||
--- /dev/null
|
||||
+++ b/policy/modules/roles/unconfineduser.te
|
||||
@@ -0,0 +1,478 @@
|
||||
@@ -0,0 +1,492 @@
|
||||
+policy_module(unconfineduser, 1.0.0)
|
||||
+
|
||||
+########################################
|
||||
@ -10961,13 +11047,27 @@ index 0000000..a09ca52
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Transition to confined nsplugin domains from unconfined user
|
||||
+## Transition unconfined user to the nsplugin domains when running nspluginviewer
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(allow_unconfined_nsplugin_transition, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Transition unconfined user to the mozilla plugin domain when running xulrunner plugin-container.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(unconfined_mozilla_plugin_transition, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Transition unconfined user to telepathy confined domains.
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(unconfined_telepathy_transition, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow vidio playing tools to tun unconfined
|
||||
+## </p>
|
||||
+## </desc>
|
||||
@ -11113,10 +11213,6 @@ index 0000000..a09ca52
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ iptables_run(unconfined_usertype, unconfined_r)
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ networkmanager_dbus_chat(unconfined_usertype)
|
||||
+ ')
|
||||
+
|
||||
@ -11282,8 +11378,11 @@ index 0000000..a09ca52
|
||||
+ role system_r types unconfined_mono_t;
|
||||
+')
|
||||
+
|
||||
+
|
||||
+optional_policy(`
|
||||
+ mozilla_run_plugin(unconfined_usertype, unconfined_r)
|
||||
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
|
||||
+ mozilla_run_plugin(unconfined_usertype, unconfined_r)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -11344,7 +11443,9 @@ index 0000000..a09ca52
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
|
||||
+ tunable_policy(`unconfined_telepathy_transition', `
|
||||
+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -11428,7 +11529,6 @@ index 0000000..a09ca52
|
||||
+#
|
||||
+
|
||||
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
+
|
||||
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
|
||||
index 9b55b00..2932c13 100644
|
||||
--- a/policy/modules/roles/unprivuser.te
|
||||
@ -11917,7 +12017,7 @@ index 98646c4..5be7dc8 100644
|
||||
+ allow abrt_t domain:process setrlimit;
|
||||
')
|
||||
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
|
||||
index c0f858d..fe060aa 100644
|
||||
index c0f858d..d639ae0 100644
|
||||
--- a/policy/modules/services/accountsd.if
|
||||
+++ b/policy/modules/services/accountsd.if
|
||||
@@ -5,9 +5,9 @@
|
||||
@ -11932,6 +12032,15 @@ index c0f858d..fe060aa 100644
|
||||
## </param>
|
||||
#
|
||||
interface(`accountsd_domtrans',`
|
||||
@@ -25,7 +25,7 @@ interface(`accountsd_domtrans',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
-## Domain allowed access.
|
||||
+## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@@ -138,7 +138,7 @@ interface(`accountsd_admin',`
|
||||
type accountsd_t;
|
||||
')
|
||||
@ -14463,7 +14572,7 @@ index 3e45431..fa57a6f 100644
|
||||
admin_pattern($1, bluetooth_var_lib_t)
|
||||
|
||||
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
|
||||
index 215b86b..08afbb9 100644
|
||||
index 215b86b..67818fe 100644
|
||||
--- a/policy/modules/services/bluetooth.te
|
||||
+++ b/policy/modules/services/bluetooth.te
|
||||
@@ -4,6 +4,7 @@ policy_module(bluetooth, 3.3.0)
|
||||
@ -14474,6 +14583,28 @@ index 215b86b..08afbb9 100644
|
||||
type bluetooth_t;
|
||||
type bluetooth_exec_t;
|
||||
init_daemon_domain(bluetooth_t, bluetooth_exec_t)
|
||||
@@ -99,6 +100,10 @@ kernel_request_load_module(bluetooth_t)
|
||||
#search debugfs - redhat bug 548206
|
||||
kernel_search_debugfs(bluetooth_t)
|
||||
|
||||
+ifdef(`hide_broken_symptoms', `
|
||||
+ kernel_rw_unlabeled_socket(bluetooth_t)
|
||||
+')
|
||||
+
|
||||
corenet_all_recvfrom_unlabeled(bluetooth_t)
|
||||
corenet_all_recvfrom_netlabel(bluetooth_t)
|
||||
corenet_tcp_sendrecv_generic_if(bluetooth_t)
|
||||
@@ -147,6 +152,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
|
||||
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
||||
|
||||
optional_policy(`
|
||||
+ devicekit_dbus_chat_power(bluetooth_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
dbus_system_bus_client(bluetooth_t)
|
||||
dbus_connect_system_bus(bluetooth_t)
|
||||
|
||||
diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
|
||||
new file mode 100644
|
||||
index 0000000..c095160
|
||||
@ -16429,7 +16560,7 @@ index 0258b48..c4d678b 100644
|
||||
|
||||
########################################
|
||||
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
|
||||
index 42c6bd7..53b10e3 100644
|
||||
index 42c6bd7..ac43a92 100644
|
||||
--- a/policy/modules/services/consolekit.if
|
||||
+++ b/policy/modules/services/consolekit.if
|
||||
@@ -5,9 +5,9 @@
|
||||
@ -16444,7 +16575,32 @@ index 42c6bd7..53b10e3 100644
|
||||
## </param>
|
||||
#
|
||||
interface(`consolekit_domtrans',`
|
||||
@@ -95,3 +95,22 @@ interface(`consolekit_read_pid_files',`
|
||||
@@ -41,6 +41,24 @@ interface(`consolekit_dbus_chat',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Dontaudit attempts to read consolekit log files.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain to not audit.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`consolekit_dontaudit_read_log',`
|
||||
+ gen_require(`
|
||||
+ type consolekit_log_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 consolekit_log_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Read consolekit log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -95,3 +113,22 @@ interface(`consolekit_read_pid_files',`
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
|
||||
')
|
||||
@ -18120,7 +18276,7 @@ index f706b99..ab2edfc 100644
|
||||
+ files_list_pids($1)
|
||||
')
|
||||
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
|
||||
index f231f17..58416a0 100644
|
||||
index f231f17..184b4b5 100644
|
||||
--- a/policy/modules/services/devicekit.te
|
||||
+++ b/policy/modules/services/devicekit.te
|
||||
@@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
||||
@ -18215,7 +18371,18 @@ index f231f17..58416a0 100644
|
||||
hal_domtrans_mac(devicekit_power_t)
|
||||
hal_manage_log(devicekit_power_t)
|
||||
hal_manage_pid_dirs(devicekit_power_t)
|
||||
@@ -280,5 +303,9 @@ optional_policy(`
|
||||
@@ -269,6 +292,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ networkmanager_domtrans(devicekit_power_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
policykit_dbus_chat(devicekit_power_t)
|
||||
policykit_domtrans_auth(devicekit_power_t)
|
||||
policykit_read_lib(devicekit_power_t)
|
||||
@@ -280,5 +307,9 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -22168,7 +22335,7 @@ index 3368699..7a7fc02 100644
|
||||
#
|
||||
interface(`modemmanager_domtrans',`
|
||||
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
|
||||
index b3ace16..3dd940c 100644
|
||||
index b3ace16..7f18c33 100644
|
||||
--- a/policy/modules/services/modemmanager.te
|
||||
+++ b/policy/modules/services/modemmanager.te
|
||||
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
|
||||
@ -22189,10 +22356,14 @@ index b3ace16..3dd940c 100644
|
||||
term_use_unallocated_ttys(modemmanager_t)
|
||||
|
||||
miscfiles_read_localization(modemmanager_t)
|
||||
@@ -37,5 +39,9 @@ logging_send_syslog_msg(modemmanager_t)
|
||||
@@ -37,5 +39,13 @@ logging_send_syslog_msg(modemmanager_t)
|
||||
networkmanager_dbus_chat(modemmanager_t)
|
||||
|
||||
optional_policy(`
|
||||
+ devicekit_dbus_chat_power(modemmanager_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ policykit_dbus_chat(modemmanager_t)
|
||||
+')
|
||||
+
|
||||
@ -30503,7 +30674,7 @@ index 82cb169..9e72970 100644
|
||||
+ admin_pattern($1, samba_unconfined_script_exec_t)
|
||||
')
|
||||
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
|
||||
index e30bb63..85203da 100644
|
||||
index e30bb63..e4334a6 100644
|
||||
--- a/policy/modules/services/samba.te
|
||||
+++ b/policy/modules/services/samba.te
|
||||
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
|
||||
@ -30525,6 +30696,15 @@ index e30bb63..85203da 100644
|
||||
dontaudit smbd_t self:capability sys_tty_config;
|
||||
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow smbd_t self:process setrlimit;
|
||||
@@ -263,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
|
||||
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
||||
-allow smbd_t samba_share_t:filesystem getattr;
|
||||
+allow smbd_t samba_share_t:filesystem { getattr quotaget };
|
||||
|
||||
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
||||
@@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
|
||||
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
@ -35850,7 +36030,7 @@ index da2601a..f963642 100644
|
||||
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
|
||||
index e226da4..69093aa 100644
|
||||
index e226da4..f37e8ae 100644
|
||||
--- a/policy/modules/services/xserver.te
|
||||
+++ b/policy/modules/services/xserver.te
|
||||
@@ -26,27 +26,43 @@ gen_require(`
|
||||
@ -36652,7 +36832,7 @@ index e226da4..69093aa 100644
|
||||
dev_create_generic_dirs(xserver_t)
|
||||
dev_setattr_generic_dirs(xserver_t)
|
||||
# raw memory access is needed if not using the frame buffer
|
||||
@@ -678,8 +959,13 @@ dev_wx_raw_memory(xserver_t)
|
||||
@@ -678,11 +959,17 @@ dev_wx_raw_memory(xserver_t)
|
||||
dev_rw_xserver_misc(xserver_t)
|
||||
# read events - the synaptics touchpad driver reads raw events
|
||||
dev_rw_input_dev(xserver_t)
|
||||
@ -36666,7 +36846,11 @@ index e226da4..69093aa 100644
|
||||
files_read_etc_files(xserver_t)
|
||||
files_read_etc_runtime_files(xserver_t)
|
||||
files_read_usr_files(xserver_t)
|
||||
@@ -693,8 +979,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
+files_rw_tmpfs_files(xserver_t)
|
||||
|
||||
# brought on by rhgb
|
||||
files_search_mnt(xserver_t)
|
||||
@@ -693,8 +980,13 @@ fs_getattr_xattr_fs(xserver_t)
|
||||
fs_search_nfs(xserver_t)
|
||||
fs_search_auto_mountpoints(xserver_t)
|
||||
fs_search_ramfs(xserver_t)
|
||||
@ -36680,7 +36864,7 @@ index e226da4..69093aa 100644
|
||||
|
||||
selinux_validate_context(xserver_t)
|
||||
selinux_compute_access_vector(xserver_t)
|
||||
@@ -716,11 +1007,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
@@ -716,11 +1008,14 @@ logging_send_audit_msgs(xserver_t)
|
||||
|
||||
miscfiles_read_localization(xserver_t)
|
||||
miscfiles_read_fonts(xserver_t)
|
||||
@ -36695,7 +36879,7 @@ index e226da4..69093aa 100644
|
||||
|
||||
userdom_search_user_home_dirs(xserver_t)
|
||||
userdom_use_user_ttys(xserver_t)
|
||||
@@ -773,12 +1067,28 @@ optional_policy(`
|
||||
@@ -773,12 +1068,28 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36725,7 +36909,7 @@ index e226da4..69093aa 100644
|
||||
unconfined_domtrans(xserver_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1097,10 @@ optional_policy(`
|
||||
@@ -787,6 +1098,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36736,7 +36920,7 @@ index e226da4..69093aa 100644
|
||||
xfs_stream_connect(xserver_t)
|
||||
')
|
||||
|
||||
@@ -802,10 +1116,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
@@ -802,10 +1117,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
|
||||
|
||||
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
|
||||
# handle of a file inside the dir!!!
|
||||
@ -36750,7 +36934,7 @@ index e226da4..69093aa 100644
|
||||
|
||||
# Label pid and temporary files with derived types.
|
||||
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1127,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
@@ -813,7 +1128,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
|
||||
|
||||
# Run xkbcomp.
|
||||
@ -36759,7 +36943,7 @@ index e226da4..69093aa 100644
|
||||
can_exec(xserver_t, xkb_var_lib_t)
|
||||
|
||||
# VNC v4 module in X server
|
||||
@@ -826,6 +1140,9 @@ init_use_fds(xserver_t)
|
||||
@@ -826,6 +1141,9 @@ init_use_fds(xserver_t)
|
||||
# to read ROLE_home_t - examine this in more detail
|
||||
# (xauth?)
|
||||
userdom_read_user_home_content_files(xserver_t)
|
||||
@ -36769,7 +36953,7 @@ index e226da4..69093aa 100644
|
||||
|
||||
tunable_policy(`use_nfs_home_dirs',`
|
||||
fs_manage_nfs_dirs(xserver_t)
|
||||
@@ -841,11 +1158,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
@@ -841,11 +1159,14 @@ tunable_policy(`use_samba_home_dirs',`
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xserver_t)
|
||||
@ -36786,7 +36970,7 @@ index e226da4..69093aa 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -853,6 +1173,10 @@ optional_policy(`
|
||||
@@ -853,6 +1174,10 @@ optional_policy(`
|
||||
rhgb_rw_tmpfs_files(xserver_t)
|
||||
')
|
||||
|
||||
@ -36797,7 +36981,7 @@ index e226da4..69093aa 100644
|
||||
########################################
|
||||
#
|
||||
# Rules common to all X window domains
|
||||
@@ -896,7 +1220,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
@@ -896,7 +1221,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
|
||||
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
|
||||
# operations allowed on my windows
|
||||
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
|
||||
@ -36806,7 +36990,7 @@ index e226da4..69093aa 100644
|
||||
# operations allowed on all windows
|
||||
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
|
||||
|
||||
@@ -950,11 +1274,31 @@ allow x_domain self:x_resource { read write };
|
||||
@@ -950,11 +1275,31 @@ allow x_domain self:x_resource { read write };
|
||||
# can mess with the screensaver
|
||||
allow x_domain xserver_t:x_screen { getattr saver_getattr };
|
||||
|
||||
@ -36838,7 +37022,7 @@ index e226da4..69093aa 100644
|
||||
tunable_policy(`! xserver_object_manager',`
|
||||
# should be xserver_unconfined(x_domain),
|
||||
# but typeattribute doesnt work in conditionals
|
||||
@@ -976,18 +1320,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
@@ -976,18 +1321,32 @@ tunable_policy(`! xserver_object_manager',`
|
||||
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
|
||||
')
|
||||
|
||||
@ -37374,7 +37558,7 @@ index 1c4b1e7..2997dd7 100644
|
||||
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
|
||||
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
||||
index bea0ade..c411b5e 100644
|
||||
index bea0ade..149e383 100644
|
||||
--- a/policy/modules/system/authlogin.if
|
||||
+++ b/policy/modules/system/authlogin.if
|
||||
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
|
||||
@ -37566,7 +37750,33 @@ index bea0ade..c411b5e 100644
|
||||
## Manage var auth files. Used by various other applications
|
||||
## and pam applets etc.
|
||||
## </summary>
|
||||
@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',`
|
||||
@@ -1346,6 +1432,25 @@ interface(`auth_read_login_records',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
+## Read login records files (/var/log/wtmp).
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access.
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+## <rolecap/>
|
||||
+#
|
||||
+interface(`auth_dontaudit_read_login_records',`
|
||||
+ gen_require(`
|
||||
+ type wtmp_t;
|
||||
+ ')
|
||||
+
|
||||
+ dontaudit $1 wtmp_t:file read_file_perms;
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+## <summary>
|
||||
## Do not audit attempts to read login records
|
||||
## files (/var/log/wtmp).
|
||||
## </summary>
|
||||
@@ -1500,6 +1605,8 @@ interface(`auth_manage_login_records',`
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
|
||||
@ -37575,7 +37785,7 @@ index bea0ade..c411b5e 100644
|
||||
files_list_var_lib($1)
|
||||
|
||||
# read /etc/nsswitch.conf
|
||||
@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',`
|
||||
@@ -1531,7 +1638,15 @@ interface(`auth_use_nsswitch',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -43603,7 +43813,7 @@ index db75976..392d1ee 100644
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
+HOME_DIR/\.debug(/.*)? <<none>>
|
||||
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
|
||||
index 2aa8928..b4d758b 100644
|
||||
index 2aa8928..54365f8 100644
|
||||
--- a/policy/modules/system/userdomain.if
|
||||
+++ b/policy/modules/system/userdomain.if
|
||||
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
|
||||
@ -44509,12 +44719,13 @@ index 2aa8928..b4d758b 100644
|
||||
##############################
|
||||
#
|
||||
# Local policy
|
||||
@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
@@ -867,45 +1005,105 @@ template(`userdom_restricted_xwindows_user_template',`
|
||||
#
|
||||
|
||||
auth_role($1_r, $1_t)
|
||||
- auth_search_pam_console_data($1_t)
|
||||
+ auth_search_pam_console_data($1_usertype)
|
||||
+ auth_dontaudit_read_login_records($1_usertype)
|
||||
|
||||
- dev_read_sound($1_t)
|
||||
- dev_write_sound($1_t)
|
||||
@ -44573,6 +44784,7 @@ index 2aa8928..b4d758b 100644
|
||||
+ ')
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ consolekit_dontaudit_read_log($1_usertype)
|
||||
+ consolekit_dbus_chat($1_usertype)
|
||||
+ ')
|
||||
+
|
||||
@ -44624,7 +44836,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -940,7 +1138,7 @@ template(`userdom_unpriv_user_template', `
|
||||
#
|
||||
|
||||
# Inherit rules for ordinary users.
|
||||
@ -44633,7 +44845,7 @@ index 2aa8928..b4d758b 100644
|
||||
userdom_common_user_template($1)
|
||||
|
||||
##############################
|
||||
@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -949,54 +1147,77 @@ template(`userdom_unpriv_user_template', `
|
||||
#
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
@ -44741,7 +44953,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', `
|
||||
@@ -1032,7 +1253,7 @@ template(`userdom_unpriv_user_template', `
|
||||
template(`userdom_admin_user_template',`
|
||||
gen_require(`
|
||||
attribute admindomain;
|
||||
@ -44750,7 +44962,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
##############################
|
||||
@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1067,6 +1288,9 @@ template(`userdom_admin_user_template',`
|
||||
# Skip authentication when pam_rootok is specified.
|
||||
allow $1_t self:passwd rootok;
|
||||
|
||||
@ -44760,7 +44972,7 @@ index 2aa8928..b4d758b 100644
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core_if($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1081,6 +1305,7 @@ template(`userdom_admin_user_template',`
|
||||
kernel_sigstop_unlabeled($1_t)
|
||||
kernel_signull_unlabeled($1_t)
|
||||
kernel_sigchld_unlabeled($1_t)
|
||||
@ -44768,7 +44980,7 @@ index 2aa8928..b4d758b 100644
|
||||
|
||||
corenet_tcp_bind_generic_port($1_t)
|
||||
# allow setting up tunnels
|
||||
@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1112,10 +1337,13 @@ template(`userdom_admin_user_template',`
|
||||
domain_sigchld_all_domains($1_t)
|
||||
# for lsof
|
||||
domain_getattr_all_sockets($1_t)
|
||||
@ -44782,7 +44994,7 @@ index 2aa8928..b4d758b 100644
|
||||
fs_set_all_quotas($1_t)
|
||||
fs_exec_noxattr($1_t)
|
||||
|
||||
@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',`
|
||||
@@ -1135,6 +1363,7 @@ template(`userdom_admin_user_template',`
|
||||
logging_send_syslog_msg($1_t)
|
||||
|
||||
modutils_domtrans_insmod($1_t)
|
||||
@ -44790,7 +45002,7 @@ index 2aa8928..b4d758b 100644
|
||||
|
||||
# The following rule is temporary until such time that a complete
|
||||
# policy management infrastructure is in place so that an administrator
|
||||
@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1203,6 +1432,8 @@ template(`userdom_security_admin_template',`
|
||||
dev_relabel_all_dev_nodes($1)
|
||||
|
||||
files_create_boot_flag($1)
|
||||
@ -44799,7 +45011,7 @@ index 2aa8928..b4d758b 100644
|
||||
|
||||
# Necessary for managing /boot/efi
|
||||
fs_manage_dos_files($1)
|
||||
@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1230,6 +1461,7 @@ template(`userdom_security_admin_template',`
|
||||
seutil_run_checkpolicy($1,$2)
|
||||
seutil_run_loadpolicy($1,$2)
|
||||
seutil_run_semanage($1,$2)
|
||||
@ -44807,7 +45019,7 @@ index 2aa8928..b4d758b 100644
|
||||
seutil_run_setfiles($1, $2)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',`
|
||||
@@ -1268,12 +1500,15 @@ template(`userdom_security_admin_template',`
|
||||
interface(`userdom_user_home_content',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
@ -44824,7 +45036,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',`
|
||||
@@ -1384,6 +1619,7 @@ interface(`userdom_search_user_home_dirs',`
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_t:dir search_dir_perms;
|
||||
@ -44832,7 +45044,7 @@ index 2aa8928..b4d758b 100644
|
||||
files_search_home($1)
|
||||
')
|
||||
|
||||
@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||
@@ -1430,6 +1666,14 @@ interface(`userdom_list_user_home_dirs',`
|
||||
|
||||
allow $1 user_home_dir_t:dir list_dir_perms;
|
||||
files_search_home($1)
|
||||
@ -44847,7 +45059,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||
@@ -1445,9 +1689,11 @@ interface(`userdom_list_user_home_dirs',`
|
||||
interface(`userdom_dontaudit_list_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
@ -44859,7 +45071,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||
@@ -1504,6 +1750,42 @@ interface(`userdom_relabelto_user_home_dirs',`
|
||||
allow $1 user_home_dir_t:dir relabelto;
|
||||
')
|
||||
|
||||
@ -44902,7 +45114,7 @@ index 2aa8928..b4d758b 100644
|
||||
########################################
|
||||
## <summary>
|
||||
## Create directories in the home dir root with
|
||||
@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||
@@ -1578,6 +1860,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
@ -44911,7 +45123,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||
@@ -1592,10 +1876,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
|
||||
#
|
||||
interface(`userdom_list_user_home_content',`
|
||||
gen_require(`
|
||||
@ -44926,7 +45138,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1638,34 +1922,53 @@ interface(`userdom_delete_user_home_content_dirs',`
|
||||
@@ -1638,34 +1924,53 @@ interface(`userdom_delete_user_home_content_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -44988,7 +45200,7 @@ index 2aa8928..b4d758b 100644
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
@@ -1689,12 +1992,32 @@ interface(`userdom_read_user_home_content_files',`
|
||||
@@ -1689,12 +1994,32 @@ interface(`userdom_read_user_home_content_files',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -45021,7 +45233,7 @@ index 2aa8928..b4d758b 100644
|
||||
## Do not audit attempts to read user home files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
@@ -1705,11 +2030,14 @@ interface(`userdom_read_user_home_content_files',`
|
||||
#
|
||||
interface(`userdom_dontaudit_read_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -45039,7 +45251,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -1799,8 +2127,7 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
@ -45049,7 +45261,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -1816,20 +2141,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
@@ -1816,20 +2143,14 @@ interface(`userdom_read_user_home_content_symlinks',`
|
||||
#
|
||||
interface(`userdom_exec_user_home_content_files',`
|
||||
gen_require(`
|
||||
@ -45074,7 +45286,7 @@ index 2aa8928..b4d758b 100644
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
@@ -2171,7 +2492,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -45083,7 +45295,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
@@ -2424,13 +2745,14 @@ interface(`userdom_read_user_tmpfs_files',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
|
||||
@ -45099,7 +45311,7 @@ index 2aa8928..b4d758b 100644
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@@ -2451,26 +2771,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
@@ -2451,26 +2773,6 @@ interface(`userdom_rw_user_tmpfs_files',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -45126,7 +45338,7 @@ index 2aa8928..b4d758b 100644
|
||||
## Get the attributes of a user domain tty.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -2804,7 +3106,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
|
||||
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
|
||||
allow unpriv_userdomain $1:fd use;
|
||||
@ -45135,7 +45347,7 @@ index 2aa8928..b4d758b 100644
|
||||
allow unpriv_userdomain $1:process sigchld;
|
||||
')
|
||||
|
||||
@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
@@ -2820,11 +3122,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
|
||||
#
|
||||
interface(`userdom_search_user_home_content',`
|
||||
gen_require(`
|
||||
@ -45151,7 +45363,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
@@ -2906,7 +3210,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
|
||||
type user_devpts_t;
|
||||
')
|
||||
|
||||
@ -45160,7 +45372,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||
@@ -2961,7 +3265,45 @@ interface(`userdom_write_user_tmp_files',`
|
||||
type user_tmp_t;
|
||||
')
|
||||
|
||||
@ -45207,7 +45419,7 @@ index 2aa8928..b4d758b 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',`
|
||||
@@ -2998,6 +3340,7 @@ interface(`userdom_read_all_users_state',`
|
||||
')
|
||||
|
||||
read_files_pattern($1, userdomain, userdomain)
|
||||
@ -45215,7 +45427,7 @@ index 2aa8928..b4d758b 100644
|
||||
kernel_search_proc($1)
|
||||
')
|
||||
|
||||
@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',`
|
||||
@@ -3128,3 +3471,854 @@ interface(`userdom_dbus_send_all_users',`
|
||||
|
||||
allow $1 userdomain:dbus send_msg;
|
||||
')
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.9.5
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,20 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 30 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-9
|
||||
- Turn off default transition to mozilla_plugin and telepathy domains from unconfined user
|
||||
- Turn off iptables from unconfined user
|
||||
- Allow sudo to send signals to any domains the user could have transitioned to.
|
||||
- Passwd in single user mode needs to talk to console_device_t
|
||||
- Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
|
||||
- locate tried to read a symbolic link, will dontaudit
|
||||
- New labels for telepathy-sunshine content in homedir
|
||||
- Google is storing other binaries under /opt/google/talkplugin
|
||||
- bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
|
||||
- Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
|
||||
- modemmanger and bluetooth send dbus messages to devicekit_power
|
||||
- Samba needs to getquota on filesystems labeld samba_share_t
|
||||
|
||||
* Wed Sep 29 2010 Dan Walsh <dwalsh@redhat.com> 3.9.5-8
|
||||
- Dontaudit attempts by xdm_t to write to bin_t for kdm
|
||||
- Allow initrc_t to manage system_conf_t
|
||||
|
||||
Loading…
Reference in New Issue
Block a user