selinux-policy/execmem.patch
Dan Walsh f1bc73d0ef Allow logrotate setuid and setgid since logrotate is supposed to do it
Fixes for thumb policy by grift
Add new nfsd ports
Added fix to allow confined apps to execmod on chrome
Add labeling for additional vdsm directories
Allow Exim and Dovecot SASL
Add label for /var/run/nmbd
Add fixes to make virsh and xen working together
Colord executes ls
/var/spool/cron is now labeled as user_cron_spool_t
2011-10-04 10:50:39 -04:00


diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 8d3c1d8..a7b1b65 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -416,14 +416,6 @@ optional_policy(`
unconfined_domain_noaudit(rpm_script_t)
unconfined_domtrans(rpm_script_t)
unconfined_execmem_domtrans(rpm_script_t)
-
- optional_policy(`
- java_domtrans_unconfined(rpm_script_t)
- ')
-
- optional_policy(`
- mono_domtrans(rpm_script_t)
- ')
')
optional_policy(`
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
index 6f3570a..70c661e 100644
--- a/policy/modules/apps/execmem.fc
+++ b/policy/modules/apps/execmem.fc
@@ -46,3 +46,48 @@ ifdef(`distro_gentoo',`
/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /opt
+#
+/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+#
+# /usr
+#
+/usr/Aptana[^/]*/AptanaStudio -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/fastjar -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/frysk -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gappletviewer -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gij -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gjarsigner -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/gkeytool -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmic -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/grmiregistry -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/jv-convert -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/eclipse/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/opera -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/lib/opera(/.*)?/works -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/opt/ibm(/.*)?/eclipse/plugins(/.*)? -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+ifdef(`distro_redhat',`
+/usr/java/eclipse[^/]*/eclipse -- gen_context(system_u:object_r:execmem_exec_t,s0)
+')
+/usr/bin/mono.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
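Review bot: The pattern `/usr/(.*/)?bin/java.*` on the `/usr` list uses an unbounded `.*` tail where the sibling entries `/opt/(.*/)?bin/java[^/]*` and `/usr/lib(.*/)?bin/java[^/]*` use `[^/]*`, so it also matches regular files in any subdirectory below a `bin/java*` path rather than just the launcher binaries; `/usr/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:execmem_exec_t,s0)` keeps the three consistent. The `/opt/ibm/java.*/(bin|javaws)(/.*)?` and `/opt/ibm(/.*)?/eclipse/plugins(/.*)?` entries label every regular file in those trees (jars, config, data) as execmem_exec_t, and execmem.te in this same patch grants `execmod` on that type to execmem_type, so those files become legitimately mappable writable+executable by any such domain — if that is intended (JIT shared objects under plugins/, presumably) a comment above the two lines saying so would save the next reader the question. Minor: `/usr/bin/mono.*` lands after the `ifdef(`distro_redhat')` block; moving it up with the other `/usr/bin` entries keeps the file grouped by path.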
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
index e23f640..a78bec0 100644
--- a/policy/modules/apps/execmem.if
+++ b/policy/modules/apps/execmem.if
@@ -129,4 +129,3 @@ interface(`execmem_execmod',`
allow $1 execmem_exec_t:file execmod;
')
-
diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
index a7d37e2..fd8450f 100644
--- a/policy/modules/apps/execmem.te
+++ b/policy/modules/apps/execmem.te
@@ -4,7 +4,25 @@ policy_module(execmem, 1.0.0)
#
# Declarations
#
+attribute execmem_type;
-type execmem_exec_t alias unconfined_execmem_exec_t;
+type execmem_exec_t;
+typealias execmem_exec_t alias { unconfined_execmem_exec_t mono_exec_t java_exec_t };
application_executable_file(execmem_exec_t)
+allow execmem_type self:process { execmem execstack };
+files_execmod_tmp(execmem_type)
+execmem_execmod(execmem_type)
+
+optional_policy(`
+ gnome_read_usr_config(execmem_type)
+')
+
+optional_policy(`
+ mozilla_execmod_user_home_files(execmem_type)
+')
+
+optional_policy(`
+ nsplugin_rw_shm(execmem_type)
+ nsplugin_rw_semaphores(execmem_type)
+')
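Review bot: `attribute execmem_type` is declared and given `execmem`/`execstack`, `files_execmod_tmp` and `execmem_execmod`, but nothing in this patch adds a type to the attribute (no `typeattribute ... execmem_type` anywhere, and the execmem.if hunk only drops a blank line), so as shown these rules apply to no domain; with the java/mono role templates and `java_domtrans`/`mono_domtrans` calls removed elsewhere in the patch, whatever domain now executes java or mono directly (user domains, crond, initrc_t) needs either membership in the attribute or its own rule, presumably through an interface not in this diff — confirm that exists. Joining the attribute is a broad W^X relaxation (`files_execmod_tmp` alone lets the domain map writable tmp files executable), so the declaration deserves a comment stating that, e.g. `# Domains running JIT runtimes: execmem/execstack plus execmod on tmp and execmem_exec_t files`. The `policy_module(execmem, 1.0.0)` version in the hunk context is unchanged despite the new attribute and aliases; refpolicy convention bumps it when declarations change.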
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index d1b1280..f93103b 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -273,10 +273,6 @@ optional_policy(`
')
optional_policy(`
- java_domtrans(mozilla_t)
-')
-
-optional_policy(`
lpd_domtrans_lpr(mozilla_t)
')
@@ -456,7 +452,7 @@ optional_policy(`
')
optional_policy(`
- java_exec(mozilla_plugin_t)
+ execmem_exec(mozilla_plugin_t)
')
optional_policy(`
diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
index ccc15ab..9d0e298 100644
--- a/policy/modules/apps/podsleuth.te
+++ b/policy/modules/apps/podsleuth.te
@@ -85,5 +85,5 @@ optional_policy(`
')
optional_policy(`
- mono_exec(podsleuth_t)
+ execmem_exec(podsleuth_t)
')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index bfabe3f..fbbce55 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -268,10 +268,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- java_role(staff_r, staff_t)
- ')
-
- optional_policy(`
lockdev_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7cd6d4f..e120bbc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -524,10 +524,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- java_role(sysadm_r, sysadm_t)
- ')
-
- optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index fcc8949..6f1425f 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -337,10 +337,6 @@ optional_policy(`
')
optional_policy(`
- java_run_unconfined(unconfined_t, unconfined_r)
-')
-
-optional_policy(`
kerberos_filetrans_named_content(unconfined_t)
')
@@ -361,13 +357,6 @@ optional_policy(`
')
optional_policy(`
- mono_role_template(unconfined, unconfined_r, unconfined_t)
- unconfined_domain_noaudit(unconfined_mono_t)
- role system_r types unconfined_mono_t;
-')
-
-
-optional_policy(`
mozilla_role_plugin(unconfined_r)
tunable_policy(`unconfined_mozilla_plugin_transition', `
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e5a8559..68013b7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -148,10 +148,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- java_role(user_r, user_t)
- ')
-
- optional_policy(`
lockdev_role(user_r, user_t)
')
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 1cd57fd..a1db79d 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -107,14 +107,6 @@ optional_policy(`
')
optional_policy(`
- java_role_template(xguest, xguest_r, xguest_t)
-')
-
-optional_policy(`
- mono_role_template(xguest, xguest_r, xguest_t)
-')
-
-optional_policy(`
mozilla_run_plugin(xguest_usertype, xguest_r)
')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
index 1442451..add9ada 100644
--- a/policy/modules/services/boinc.te
+++ b/policy/modules/services/boinc.te
@@ -168,5 +168,5 @@ miscfiles_read_fonts(boinc_project_t)
miscfiles_read_localization(boinc_project_t)
optional_policy(`
- java_exec(boinc_project_t)
+ execmem_exec(boinc_project_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 86ea0ba..a2c41fd 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -299,10 +299,6 @@ optional_policy(`
')
optional_policy(`
- mono_domtrans(crond_t)
-')
-
-optional_policy(`
amanda_search_var_lib(crond_t)
')
@@ -553,10 +549,6 @@ optional_policy(`
')
optional_policy(`
- mono_domtrans(system_cronjob_t)
-')
-
-optional_policy(`
mrtg_append_create_logs(system_cronjob_t)
')
@@ -709,11 +701,6 @@ tunable_policy(`fcron_crond',`
allow crond_t user_cron_spool_t:file manage_file_perms;
')
-# need a per-role version of this:
-#optional_policy(`
-# mono_domtrans(cronjob_t)
-#')
-
optional_policy(`
nis_use_ypbind(cronjob_t)
')
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 1e40c00..ae34382 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -127,7 +127,7 @@ template(`hadoop_domain_template',`
hadoop_exec_config(hadoop_$1_t)
- java_exec(hadoop_$1_t)
+ execmem_exec(hadoop_$1_t)
kerberos_use(hadoop_$1_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 3889dc9..32dc803 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -167,7 +167,7 @@ miscfiles_read_localization(hadoop_t)
userdom_use_inherited_user_terminals(hadoop_t)
-java_exec(hadoop_t)
+execmem_exec(hadoop_t)
kerberos_use(hadoop_t)
@@ -342,7 +342,7 @@ sysnet_read_config(zookeeper_t)
userdom_use_inherited_user_terminals(zookeeper_t)
userdom_dontaudit_search_user_home_dirs(zookeeper_t)
-java_exec(zookeeper_t)
+execmem_exec(zookeeper_t)
########################################
#
@@ -427,4 +427,4 @@ miscfiles_read_localization(zookeeper_server_t)
sysnet_read_config(zookeeper_server_t)
-java_exec(zookeeper_server_t)
+execmem_exec(zookeeper_server_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 60e0e2d..d14f2d6 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1247,10 +1247,6 @@ optional_policy(`
')
optional_policy(`
- mono_rw_shm(xserver_t)
-')
-
-optional_policy(`
rhgb_rw_shm(xserver_t)
rhgb_rw_tmpfs_files(xserver_t)
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 53f3bfe..20dd3a0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1190,10 +1190,6 @@ optional_policy(`
unconfined_dontaudit_rw_pipes(daemon)
')
- optional_policy(`
- mono_domtrans(initrc_t)
- ')
-
# Allow SELinux aware applications to request rpm_script_t execution
rpm_transition_script(initrc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e7a65ae..a001ce9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1281,14 +1281,6 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
- java_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
- mono_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
mount_run_fusermount($1_t, $1_r)
mount_read_pid_files($1_t)
')