[selinux-policy/f14/master] - Add namespace policy - Update for screen policy to handle pipe in homedir - Fixes for polyinstatia
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 14 16:54:12 UTC 2011
commit bf666e22e8eccb82afdda49d98417501d1c364ad
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Jan 14 17:53:59 2011 +0000
- Add namespace policy
- Update for screen policy to handle pipe in homedir
- Fixes for polyinstantiated homedir
- Allow dirsrv to use kerberos
modules-mls.conf | 7 ++
modules-targeted.conf | 7 ++
policy-F14.patch | 281 ++++++++++++++++++++++++++++++++++++++++---------
selinux-policy.spec | 8 ++-
4 files changed, 252 insertions(+), 51 deletions(-)
---
diff --git a/modules-mls.conf b/modules-mls.conf
index c406c69..e5bd84d 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2082,3 +2082,10 @@ shorewall = base
# Policy for shutdown
#
shutdown = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
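Review bot: The new entry's comment `# policy for namespace.init script` is lowercase where the neighbouring `# Policy for shutdown` is capitalised, and the same text is repeated in the modules-targeted.conf hunk below. Suggest `# Policy for the namespace.init script (/etc/security/namespace.init)` in both files so the entry also names what gets confined.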
diff --git a/modules-targeted.conf b/modules-targeted.conf
index b96d8ad..e935c82 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2291,3 +2291,10 @@ pingd = module
#
#
milter = module
+
+# Layer: apps
+# Module: namespace
+#
+# policy for namespace.init script
+#
+namespace = module
diff --git a/policy-F14.patch b/policy-F14.patch
index 90e5965..d5c1eef 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -1679,7 +1679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.9.7/policy/modules/admin/shutdown.te
--- nsaserefpolicy/policy/modules/admin/shutdown.te 2010-10-12 22:42:51.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/admin/shutdown.te 2010-12-06 11:05:50.173042620 +0100
++++ serefpolicy-3.9.7/policy/modules/admin/shutdown.te 2011-01-14 14:43:21.719042381 +0100
@@ -7,6 +7,7 @@
type shutdown_t;
@@ -1688,7 +1688,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
application_domain(shutdown_t, shutdown_exec_t)
role system_r types shutdown_t;
-@@ -38,13 +39,14 @@
+@@ -33,18 +34,21 @@
+ manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
++kernel_read_system_state(shutdown_t)
++
+ domain_use_interactive_fds(shutdown_t)
+
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
@@ -1705,7 +1712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
-@@ -53,11 +55,18 @@
+@@ -53,11 +57,18 @@
miscfiles_read_localization(shutdown_t)
@@ -4472,6 +4479,105 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.
nscd_socket_use(mplayer_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.fc serefpolicy-3.9.7/policy/modules/apps/namespace.fc
+--- nsaserefpolicy/policy/modules/apps/namespace.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/namespace.fc 2011-01-14 16:42:28.160042208 +0100
+@@ -0,0 +1,3 @@
++
++/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.if serefpolicy-3.9.7/policy/modules/apps/namespace.if
+--- nsaserefpolicy/policy/modules/apps/namespace.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/namespace.if 2011-01-14 16:42:28.161042562 +0100
+@@ -0,0 +1,46 @@
++
++## <summary>policy for namespace</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run namespace_init.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`namespace_init_domtrans',`
++ gen_require(`
++ type namespace_init_t, namespace_init_exec_t;
++ ')
++
++ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
++')
++
++
++########################################
++## <summary>
++## Execute namespace_init in the namespace_init domain, and
++## allow the specified role the namespace_init domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the namespace_init domain.
++## </summary>
++## </param>
++#
++interface(`namespace_init_run',`
++ gen_require(`
++ type namespace_init_t;
++ ')
++
++ namespace_init_domtrans($1)
++ role $2 types namespace_init_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/namespace.te serefpolicy-3.9.7/policy/modules/apps/namespace.te
+--- nsaserefpolicy/policy/modules/apps/namespace.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/namespace.te 2011-01-14 16:42:28.161042562 +0100
+@@ -0,0 +1,38 @@
++policy_module(namespace,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type namespace_init_t;
++type namespace_init_exec_t;
++init_system_domain(namespace_init_t, namespace_init_exec_t)
++role system_r types namespace_init_t;
++
++permissive namespace_init_t;
++
++########################################
++#
++# namespace_init local policy
++#
++
++allow namespace_init_t self:capability dac_override;
++
++allow namespace_init_t self:fifo_file manage_fifo_file_perms;
++allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(namespace_init_t)
++
++domain_use_interactive_fds(namespace_init_t)
++
++files_read_etc_files(namespace_init_t)
++files_polyinstantiate_all(namespace_init_t)
++
++miscfiles_read_localization(namespace_init_t)
++
++userdom_manage_user_home_content_dirs(namespace_init_t)
++userdom_manage_user_home_content_files(namespace_init_t)
++userdom_relabelto_user_home_dirs(namespace_init_t)
++userdom_relabelto_user_home_files(namespace_init_t)
++userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.9.7/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.9.7/policy/modules/apps/nsplugin.fc 2010-11-05 14:02:26.463651990 +0100
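Review bot: `permissive namespace_init_t;` on the new domain means none of the rules that follow it are enforced, so the `dac_override` capability, `files_polyinstantiate_all` and the userdom manage/relabel grants currently only record intent while every denial is logged and allowed. A comment stating that the permissive mark is temporary and what removes it would keep that from being forgotten, e.g. `# permissive while namespace.init denials are collected; drop before this domain is relied on for enforcement`. `role system_r types namespace_init_t;` looks redundant if `init_system_domain` already associates system_r with the domain, as it does in the refpolicy versions I know — worth checking. The new namespace.fc also opens and closes with empty lines, which the other .fc files in the patch do not.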
@@ -6608,6 +6714,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.9.7/policy/modules/apps/screen.fc
+--- nsaserefpolicy/policy/modules/apps/screen.fc 2010-10-12 22:42:50.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/apps/screen.fc 2011-01-14 14:38:22.853041696 +0100
+@@ -2,6 +2,7 @@
+ # /home
+ #
+ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
++HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+
+ #
+ # /usr
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.9.7/policy/modules/apps/screen.if
+--- nsaserefpolicy/policy/modules/apps/screen.if 2010-10-12 22:42:50.000000000 +0200
++++ serefpolicy-3.9.7/policy/modules/apps/screen.if 2011-01-14 14:39:49.518042232 +0100
+@@ -64,6 +64,9 @@
+ files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
+
+ allow $1_screen_t screen_home_t:dir list_dir_perms;
++ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
++ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
++ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
+ read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.9.7/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/apps/seunshare.if 2010-11-05 14:02:26.488655314 +0100
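Review bot: After the added `manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)` the existing `allow $1_screen_t screen_home_t:dir list_dir_perms;` directly above it is fully covered and can be dropped; the `read_files_pattern`/`read_lnk_files_pattern` lines stay, since manage is granted only for directories and fifo files. Because regular files deliberately remain read-only, a one-line comment such as `# screen keeps its session pipes under ~/.screen; regular files stay read-only` above the new lines would make that split look intentional rather than accidental. The enclosing interface body starts before the hunk.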
@@ -7422,7 +7552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.9.7/policy/modules/apps/vmware.te
--- nsaserefpolicy/policy/modules/apps/vmware.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/apps/vmware.te 2010-11-05 14:02:26.502650347 +0100
++++ serefpolicy-3.9.7/policy/modules/apps/vmware.te 2011-01-14 14:42:18.439041608 +0100
@@ -126,6 +126,7 @@
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
@@ -7447,7 +7577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
-@@ -158,8 +161,19 @@
+@@ -158,8 +161,23 @@
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
@@ -7459,6 +7589,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
+')
+
+optional_policy(`
++ samba_read_config(vmware_host_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
+')
@@ -7640,7 +7774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se
dbus_session_bus_client($1_wm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2010-12-09 12:33:23.341041447 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/corecommands.fc 2011-01-14 17:03:13.574042262 +0100
@@ -9,8 +9,11 @@
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7662,7 +7796,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -101,6 +106,9 @@
+@@ -83,8 +88,6 @@
+
+ /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+-/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+-
+ /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
+@@ -101,6 +104,9 @@
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7672,7 +7815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -109,11 +117,14 @@
+@@ -109,11 +115,14 @@
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -7687,7 +7830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -126,6 +137,8 @@
+@@ -126,6 +135,8 @@
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -7696,7 +7839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
#
# /sbin
-@@ -145,6 +158,12 @@
+@@ -145,6 +156,12 @@
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7709,7 +7852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +188,7 @@
+@@ -169,6 +186,7 @@
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7717,7 +7860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -205,7 +225,8 @@
+@@ -205,7 +223,8 @@
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7727,7 +7870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-@@ -218,8 +239,11 @@
+@@ -218,8 +237,11 @@
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -7739,7 +7882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +252,8 @@
+@@ -228,6 +250,8 @@
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -7748,7 +7891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +340,7 @@
+@@ -314,6 +338,7 @@
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7756,7 +7899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
')
ifdef(`distro_suse', `
-@@ -340,3 +367,28 @@
+@@ -340,3 +365,28 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -10278,7 +10421,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.9.7/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.te 2010-11-05 14:02:26.549900032 +0100
++++ serefpolicy-3.9.7/policy/modules/kernel/filesystem.te 2011-01-14 16:44:38.431041319 +0100
@@ -52,6 +52,7 @@
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
@@ -10353,6 +10496,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
files_mountpoint(removable_t)
#
+@@ -266,6 +287,7 @@
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
++#genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.9.7/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/kernel/kernel.if 2010-11-05 14:02:26.551900321 +0100
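Review bot: The added `#genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)` is a disabled rule with no explanation, and the commit message does not mention 9p, so a reader cannot tell whether it was tried and rejected or is parked for later. Either drop it or give it a reason, e.g. `# 9p: labelling as nfs_t deferred, see <tracker-id>`.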
@@ -16990,7 +17141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.9.7/policy/modules/services/chronyd.te
--- nsaserefpolicy/policy/modules/services/chronyd.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/chronyd.te 2010-11-05 14:02:26.610899953 +0100
++++ serefpolicy-3.9.7/policy/modules/services/chronyd.te 2011-01-14 14:48:03.778292550 +0100
@@ -15,6 +15,9 @@
type chronyd_keys_t;
files_type(chronyd_keys_t)
@@ -17012,14 +17163,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -50,6 +57,7 @@
+@@ -50,6 +57,11 @@
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -63,6 +75,8 @@
+
+ miscfiles_read_localization(chronyd_t)
+
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.9.7/policy/modules/services/clamav.if
--- nsaserefpolicy/policy/modules/services/clamav.if 2010-10-12 22:42:48.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/services/clamav.if 2010-11-05 14:02:26.610899953 +0100
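Review bot: `corecmd_exec_shell(chronyd_t)` and `mta_send_mail(chronyd_t)` let a time daemon run a shell and the MTA, and neither the hunk nor the commit message says which chronyd feature needs that; presumably the mailonchange notification, but that should be stated rather than inferred. A comment above each, e.g. `# chronyd runs sendmail through a shell for mailonchange notifications`, would give a later reviewer grounds to keep or drop the grant. The chronyd changes are also absent from the changelog entry in selinux-policy.spec.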
@@ -20316,8 +20480,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.9.7/policy/modules/services/dirsrv.te
--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2010-12-01 11:30:50.899291181 +0100
-@@ -0,0 +1,176 @@
++++ serefpolicy-3.9.7/policy/modules/services/dirsrv.te 2011-01-14 16:33:36.867042355 +0100
+@@ -0,0 +1,180 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -20485,6 +20649,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirs
+sysnet_dns_name_resolve(dirsrv_snmp_t)
+
+optional_policy(`
++ kerberos_use(dirsrv_t)
++')
++
++optional_policy(`
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
+ snmp_append_snmp_var_lib_files(dirsrv_snmp_t)
@@ -20706,7 +20874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.9.7/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2010-10-12 22:42:48.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2010-12-15 15:26:21.727042646 +0100
++++ serefpolicy-3.9.7/policy/modules/services/dovecot.te 2011-01-14 14:46:07.945051887 +0100
@@ -18,7 +18,7 @@
files_tmp_file(dovecot_auth_tmp_t)
@@ -20844,11 +21012,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +331,5 @@
+@@ -302,4 +331,11 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
+ mta_read_queue(dovecot_deliver_t)
++')
++
++optional_policy(`
++ # Handle sieve scripts
++ allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;
++ sendmail_domtrans(dovecot_deliver_t)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/drbd.fc serefpolicy-3.9.7/policy/modules/services/drbd.fc
--- nsaserefpolicy/policy/modules/services/drbd.fc 1970-01-01 01:00:00.000000000 +0100
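Review bot: `allow dovecot_deliver_t self:fifo_file rw_fifo_file_perms;` is placed inside the new `optional_policy(` block together with `sendmail_domtrans(dovecot_deliver_t)`, but a self rule needs nothing from the sendmail module, so it silently disappears on systems where that module is not loaded. Move the allow rule above the `optional_policy(` and leave only the domtrans (with the `# Handle sieve scripts` comment) inside it. The surrounding dovecot_deliver_t policy begins before the hunk.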
@@ -34990,7 +35164,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.9.7/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-10-12 22:42:49.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-01-04 16:03:00.640041553 +0100
++++ serefpolicy-3.9.7/policy/modules/services/ssh.te 2011-01-14 14:36:35.619041519 +0100
@@ -6,26 +6,32 @@
#
@@ -35052,21 +35226,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
type ssh_t;
type ssh_exec_t;
typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t };
-@@ -76,9 +77,12 @@
+@@ -76,8 +77,12 @@
type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
-files_type(ssh_home_t)
userdom_user_home_content(ssh_home_t)
-
++files_poly_parent(ssh_home_t)
++
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
-+
+
##############################
#
- # SSH client local policy
-@@ -95,15 +99,11 @@
+@@ -95,15 +100,11 @@
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -35083,7 +35257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +113,7 @@
+@@ -113,6 +114,7 @@
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -35091,7 +35265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +125,10 @@
+@@ -124,9 +126,10 @@
read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
# ssh servers can read the user keys and config
@@ -35105,7 +35279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
kernel_read_kernel_sysctls(ssh_t)
kernel_read_system_state(ssh_t)
-@@ -138,6 +140,8 @@
+@@ -138,6 +141,8 @@
corenet_tcp_sendrecv_all_ports(ssh_t)
corenet_tcp_connect_ssh_port(ssh_t)
corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -35114,7 +35288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_t)
-@@ -169,14 +173,13 @@
+@@ -169,14 +174,13 @@
userdom_search_user_home_dirs(ssh_t)
# Write to the user domain tty.
userdom_use_user_terminals(ssh_t)
@@ -35133,7 +35307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +203,56 @@
+@@ -200,6 +204,56 @@
xserver_domtrans_xauth(ssh_t)
')
@@ -35190,7 +35364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
##############################
#
# ssh_keysign_t local policy
-@@ -209,7 +262,7 @@
+@@ -209,7 +263,7 @@
allow ssh_keysign_t self:capability { setgid setuid };
allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
@@ -35199,7 +35373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
dev_read_urand(ssh_keysign_t)
-@@ -232,33 +285,44 @@
+@@ -232,33 +286,44 @@
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
@@ -35253,7 +35427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -266,11 +330,24 @@
+@@ -266,11 +331,24 @@
')
optional_policy(`
@@ -35279,7 +35453,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
')
optional_policy(`
-@@ -284,6 +361,11 @@
+@@ -284,6 +362,11 @@
')
optional_policy(`
@@ -35291,7 +35465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
unconfined_shell_domtrans(sshd_t)
')
-@@ -292,26 +374,26 @@
+@@ -292,26 +375,26 @@
')
ifdef(`TODO',`
@@ -35337,7 +35511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
') dnl endif TODO
########################################
-@@ -324,7 +406,6 @@
+@@ -324,7 +407,6 @@
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -35345,7 +35519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +434,6 @@
+@@ -353,10 +435,6 @@
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@@ -40634,7 +40808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.9.7/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/authlogin.te 2010-11-05 14:02:26.894650197 +0100
++++ serefpolicy-3.9.7/policy/modules/system/authlogin.te 2011-01-14 17:03:47.552042420 +0100
@@ -5,9 +5,17 @@
# Declarations
#
@@ -40662,18 +40836,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
-@@ -394,3 +402,11 @@
+@@ -394,3 +402,14 @@
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
+
+tunable_policy(`allow_polyinstantiation',`
+ files_polyinstantiate_all(polydomain)
-+ userdom_manage_user_home_content_dirs(polydomain)
-+ userdom_manage_user_home_content_files(polydomain)
-+ userdom_relabelto_user_home_dirs(polydomain)
-+ userdom_relabelto_user_home_files(polydomain)
+')
++
++optional_policy(`
++ tunable_policy(`allow_polyinstantiation',`
++ namespace_init_domtrans(polydomain)
++ ')
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.9.7/policy/modules/system/daemontools.if
--- nsaserefpolicy/policy/modules/system/daemontools.if 2010-10-12 22:42:50.000000000 +0200
+++ serefpolicy-3.9.7/policy/modules/system/daemontools.if 2010-11-05 14:02:26.896650555 +0100
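Review bot: Dropping the four `userdom_*` grants from `polydomain` and routing it through `namespace_init_domtrans(polydomain)` instead narrows what every login domain can do to user home content, but the transition only fires once `/etc/security/namespace.init` is labelled `namespace_init_exec_t`; this commit's corecommands.fc hunk removes the old `bin_t` entry, so on an upgraded system the script keeps running in the login domain, which no longer holds those grants, until the file is relabelled. Worth confirming that the package's post-install relabel covers that path, or noting it in the changelog. `polydomain` itself is declared outside the hunk.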
@@ -49326,7 +49503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.9.7/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2010-10-12 22:42:50.000000000 +0200
-+++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2010-11-05 14:02:26.965900198 +0100
++++ serefpolicy-3.9.7/policy/modules/system/userdomain.te 2011-01-14 14:35:13.707042269 +0100
@@ -43,6 +43,13 @@
## <desc>
@@ -49357,7 +49534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,18 +87,21 @@
+@@ -71,21 +87,25 @@
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -49380,7 +49557,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
files_tmp_file(user_tmp_t)
userdom_user_home_content(user_tmp_t)
-@@ -94,3 +113,25 @@
++files_poly_parent(user_tmp_t)
+
+ type user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+ files_tmpfs_file(user_tmpfs_t)
+@@ -94,3 +114,25 @@
type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
dev_node(user_tty_device_t)
ubac_constrained(user_tty_device_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 54f7812..8f77bf1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.7
-Release: 21%{?dist}
+Release: 22%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
%endif
%changelog
+* Fri Jan 14 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-22
+- Add namespace policy
+- Update for screen policy to handle pipe in homedir
+- Fixes for polyinstatiated homedir
+- Allow dirsrv to use kerberos
+
* Fri Jan 7 2011 Miroslav Grepl <mgrepl at redhat.com> 3.9.7-21
- Make kernel_t domain MLS trusted for lowering the level of file.
- Add label for /var/lib/tftpboot/grub directory