[selinux-policy/f13/master] - Fixes for ssh_keygen policy - Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain - Backport s

Miroslav Grepl mgrepl at fedoraproject.org
Tue Mar 8 16:15:07 UTC 2011


commit 0ffdd95627529594dfa9fd6a8b9d8fd8d483c59d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Mar 8 17:15:05 2011 +0000

    - Fixes for ssh_keygen policy
    - Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain
    - Backport spice vdagent policy

 modules-targeted.conf |    7 +
 policy-F13.patch      |  361 ++++++++++++++++++++++++++++++++++++++++++-------
 selinux-policy.spec   |    7 +-
 3 files changed, 326 insertions(+), 49 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index dc9e340..54d4a43 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2237,3 +2237,10 @@ mediawiki = module
 # policy for namespace.init script 
 #
 namespace = module
+
+# Layer: services
+# Module: vdagent
+#
+# vdagent
+# 
+vdagent = module
diff --git a/policy-F13.patch b/policy-F13.patch
index 4e0cf5d..979192d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -13553,7 +13553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.19/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2011-03-04 13:15:26.285413000 +0000
++++ serefpolicy-3.7.19/policy/modules/roles/sysadm.te	2011-03-08 15:16:37.182413000 +0000
 @@ -28,17 +28,31 @@
  
  corecmd_exec_shell(sysadm_t)
@@ -13798,11 +13798,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	screen_role_template(sysadm, sysadm_r, sysadm_t)
-+	allow sysadm_screen_t self:capability { dac_read_search dac_override };
++	allow sysadm_screen_t self:capability { dac_read_search dac_override sys_tty_config };
  ')
  
  optional_policy(`
-@@ -358,8 +422,14 @@
+@@ -358,11 +422,18 @@
  ')
  
  optional_policy(`
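Review bot: The changed line grants sysadm_screen_t the sys_tty_config capability outright, whereas the reference policy's own ssh_keygen block (visible in the ssh.te hunk of this patch as `dontaudit ssh_keygen_t self:capability sys_tty_config;`) treats the same capability check as something to silence rather than allow, since it is typically triggered by a probe that does not need to succeed. Unless screen actually misbehaves without it, keeping the allow as it was and adding `dontaudit sysadm_screen_t self:capability sys_tty_config;` on its own line would avoid widening the capability set for a user-role domain. The enclosing optional_policy block starts outside the hunk.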
@@ -13817,7 +13817,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	ssh_role_template(sysadm, sysadm_r, sysadm_t)
-@@ -382,9 +452,11 @@
++	ssh_run_keygen(sysadm_t, sysadm_r)
+ ')
+ 
+ optional_policy(`
+@@ -382,9 +453,11 @@
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
@@ -13829,7 +13833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
-@@ -393,23 +465,31 @@
+@@ -393,23 +466,31 @@
  	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
@@ -13861,7 +13865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	unprivuser_role_change(sysadm_r)
  ')
  
-@@ -417,9 +497,11 @@
+@@ -417,9 +498,11 @@
  	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
@@ -13873,7 +13877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
-@@ -427,9 +509,15 @@
+@@ -427,9 +510,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
@@ -13889,7 +13893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  optional_policy(`
  	vpn_run(sysadm_t, sysadm_r)
-@@ -440,13 +528,30 @@
+@@ -440,13 +529,30 @@
  ')
  
  optional_policy(`
@@ -38276,7 +38280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2010-11-02 16:20:27.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2011-03-08 14:16:27.328413001 +0000
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -38519,7 +38523,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	files_search_pids($1)
  ')
  
-@@ -693,7 +726,51 @@
+@@ -678,6 +711,32 @@
+ 	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
+ ')
+ 
++######################################
++## <summary>
++##  Execute ssh-keygen in the iptables domain, and
++##  allow the specified role the ssh-keygen domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  Role allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`ssh_run_keygen',`
++    gen_require(`
++        type ssh_keygen_t;
++    ')
++
++    role $2 types ssh_keygen_t;
++    ssh_domtrans_keygen($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Read ssh server keys
+@@ -693,7 +752,51 @@
  		type sshd_key_t;
  	')
  
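Review bot: The summary of the new `ssh_run_keygen` interface says it executes ssh-keygen "in the iptables domain", which looks like a copy-paste leftover; it should read `##  Execute ssh-keygen in the ssh_keygen domain, and`. The interface body is indented with four spaces while the neighbouring interfaces in ssh.if (for example the `domtrans_pattern` line at the top of this hunk) use tabs; the same space indentation appears in the new `nscd_socket_use` block in ssh.te, the `udev_system_domain` interface in udev.if, the `userdom_dontaudit_write_admin_dir` interface in userdomain.if and the `vdagent_stream_connect(xdm_t)` call in xserver.te. Matching the files' tab indentation keeps later diffs against upstream readable.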
@@ -38572,7 +38609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  #######################################
-@@ -714,3 +791,67 @@
+@@ -714,3 +817,67 @@
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -38642,7 +38679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-02-14 14:49:26.196796002 +0000
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2011-03-08 14:38:01.609413002 +0000
 @@ -34,13 +34,12 @@
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
@@ -38733,17 +38770,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -217,6 +221,9 @@
- allow ssh_keygen_t sshd_key_t:file manage_file_perms;
- files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
- 
-+manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
-+
- kernel_read_kernel_sysctls(ssh_keygen_t)
+@@ -201,54 +205,6 @@
+ 	xserver_domtrans_xauth(ssh_t)
+ ')
  
- fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -282,36 +289,39 @@
+-########################################
+-#
+-# ssh_keygen local policy
+-#
+-
+-# ssh_keygen_t is the type of the ssh-keygen program when run at install time
+-# and by sysadm_t
+-
+-dontaudit ssh_keygen_t self:capability sys_tty_config;
+-allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+-
+-allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+-
+-allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+-files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+-
+-kernel_read_kernel_sysctls(ssh_keygen_t)
+-
+-fs_search_auto_mountpoints(ssh_keygen_t)
+-
+-dev_read_sysfs(ssh_keygen_t)
+-dev_read_urand(ssh_keygen_t)
+-
+-term_dontaudit_use_console(ssh_keygen_t)
+-
+-domain_use_interactive_fds(ssh_keygen_t)
+-
+-files_read_etc_files(ssh_keygen_t)
+-
+-init_use_fds(ssh_keygen_t)
+-init_use_script_ptys(ssh_keygen_t)
+-
+-logging_send_syslog_msg(ssh_keygen_t)
+-
+-userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+-
+-optional_policy(`
+-	nscd_socket_use(ssh_keygen_t)
+-')
+-
+-optional_policy(`
+-	seutil_sigchld_newrole(ssh_keygen_t)
+-')
+-
+-optional_policy(`
+-	udev_read_db(ssh_keygen_t)
+-')
+-
+ ##############################
+ #
+ # ssh_keysign_t local policy
+@@ -282,36 +238,39 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
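Review bot: This hunk deletes the whole ssh_keygen local policy block (upstream lines 201-254, from the section banner through the `udev_read_db` optional_policy) instead of editing it, and the additions for ssh_keygen_t are made later in this file section against a second copy of the same rules at upstream line 376. If ssh.te in the nsaserefpolicy tree really carries the block twice this is a correct de-duplication, but if the later copy only exists because of an earlier version of this patch, the hunk drops the domain's base rules, including `dontaudit ssh_keygen_t self:capability sys_tty_config;` and `allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;`. Please confirm the rebuilt ssh.te contains exactly one copy of the block after the patch applies.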
@@ -38792,7 +38874,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -319,10 +329,27 @@
+@@ -319,10 +278,27 @@
  ')
  
  optional_policy(`
@@ -38820,7 +38902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +360,18 @@
+@@ -333,10 +309,18 @@
  ')
  
  optional_policy(`
@@ -38840,6 +38922,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ifdef(`TODO',`
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
+@@ -376,6 +360,10 @@
+ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
+ files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
+ 
++manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
++userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++
+ kernel_read_kernel_sysctls(ssh_keygen_t)
+ 
+ fs_search_auto_mountpoints(ssh_keygen_t)
+@@ -384,6 +372,7 @@
+ dev_read_urand(ssh_keygen_t)
+ 
+ term_dontaudit_use_console(ssh_keygen_t)
++term_use_all_ptys(ssh_keygen_t)
+ 
+ domain_use_interactive_fds(ssh_keygen_t)
+ 
+@@ -397,6 +386,11 @@
+ logging_send_syslog_msg(ssh_keygen_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_search_admin_dir(ssh_keygen_t)
++
++optional_policy(`
++    nscd_socket_use(ssh_keygen_t)
++')
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(ssh_keygen_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.19/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2010-04-13 18:44:36.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/sssd.if	2010-09-16 14:48:33.000000000 +0000
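Review bot: `term_use_all_ptys(ssh_keygen_t)` gives the domain read/write on every pty type, not just the terminal of the sysadm who invoked ssh-keygen through the new ssh_run_keygen transition. The narrower `userdom_use_user_ptys(ssh_keygen_t)` (the interface the new vdagent.te uses) would presumably cover the passphrase prompt on the caller's pty; worth checking against the actual denial before granting all ptys. The `manage_dirs_pattern`/`manage_files_pattern` on ssh_home_t together with `userdom_admin_home_dir_filetrans` let ssh_keygen_t create and rewrite anything labelled ssh_home_t, which key generation needs, but a one-line comment above them such as `# sysadm-run ssh-keygen writes keys under ~/.ssh` would tell the next reader why a system domain gets write access to home content. The enclosing ssh_keygen section starts outside this hunk.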
@@ -39418,6 +39531,99 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn
  allow varnishd_t self:process signal;
  allow varnishd_t self:fifo_file rw_fifo_file_perms;
  allow varnishd_t self:tcp_socket create_stream_socket_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.fc serefpolicy-3.7.19/policy/modules/services/vdagent.fc
+--- nsaserefpolicy/policy/modules/services/vdagent.fc	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.fc	2011-03-08 12:55:29.677413000 +0000
+@@ -0,0 +1,4 @@
++
++/sbin/vdagent		--	gen_context(system_u:object_r:vdagent_exec_t,s0)
++
++/var/run/spice-vdagentd(/.*)?	gen_context(system_u:object_r:vdagent_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.if serefpolicy-3.7.19/policy/modules/services/vdagent.if
+--- nsaserefpolicy/policy/modules/services/vdagent.if	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.if	2011-03-08 12:55:29.684413000 +0000
+@@ -0,0 +1,39 @@
++## <summary>The spice guest agent daemon.</summary>
++
++
++########################################
++## <summary>
++##	Execute a domain transition to run vdagent.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`vdagent_domtrans',`
++	gen_require(`
++		type vdagent_t, vdagent_exec_t;
++	')
++
++	domtrans_pattern($1, vdagent_exec_t, vdagent_t)
++')
++
++########################################
++## <summary>
++##	Connect to vdagent over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`vdagent_stream_connect',`
++	gen_require(`
++		type vdagent_t, vdagent_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vdagent.te serefpolicy-3.7.19/policy/modules/services/vdagent.te
+--- nsaserefpolicy/policy/modules/services/vdagent.te	1970-01-01 00:00:00.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/vdagent.te	2011-03-08 13:05:40.170413001 +0000
+@@ -0,0 +1,38 @@
++policy_module(vdagent,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type vdagent_t;
++type vdagent_exec_t;
++udev_system_domain(vdagent_t, vdagent_exec_t)
++
++type vdagent_var_run_t;
++files_pid_file(vdagent_var_run_t)
++
++permissive vdagent_t;
++
++########################################
++#
++# vdagent local policy
++#
++allow vdagent_t self:process { fork };
++
++allow vdagent_t self:fifo_file rw_fifo_file_perms;
++allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++manage_lnk_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
++files_pid_filetrans(vdagent_t, vdagent_var_run_t, { file dir sock_file })
++
++domain_use_interactive_fds(vdagent_t)
++
++files_read_etc_files(vdagent_t)
++
++miscfiles_read_localization(vdagent_t)
++
++userdom_use_user_ptys(vdagent_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc
 --- nsaserefpolicy/policy/modules/services/vhostmd.fc	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc	2010-07-21 08:49:49.000000000 +0000
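Review bot: The new vdagent module ships with `permissive vdagent_t;`, so none of the rules below it are enforced yet; if that is intended for the backport, a comment next to it such as `# permissive until the policy has been validated; remove once denials are clean` would mark it for removal rather than leaving it looking final. vdagent.fc labels `/sbin/vdagent` while the pid directory is `/var/run/spice-vdagentd`; please confirm the executable path matches what the package actually installs, since an unlabelled binary means no transition into vdagent_t ever happens and the rest of the module is dead. In vdagent.if, `Connect to vdagent over an unix stream socket.` should read `a unix stream socket`.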
@@ -41069,7 +41275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-11-02 17:15:31.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2011-03-08 15:27:05.150413000 +0000
 @@ -1,5 +1,5 @@
  
 -policy_module(xserver, 3.3.2)
@@ -41613,7 +41819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +654,12 @@
+@@ -477,6 +654,13 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -41623,10 +41829,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +userdom_manage_user_tmp_sockets(xdm_t)
 +userdom_manage_tmpfs_role(system_r, xdm_t)
 +userdom_dontaudit_getattr_user_home_content(xdm_t)   
++userdom_dontaudit_write_admin_dir(xdm_t)
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -495,6 +678,12 @@
+@@ -495,6 +679,12 @@
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -41639,7 +41846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -508,11 +697,17 @@
+@@ -508,11 +698,17 @@
  ')
  
  optional_policy(`
@@ -41657,7 +41864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -520,12 +715,51 @@
+@@ -520,12 +716,51 @@
  ')
  
  optional_policy(`
@@ -41709,7 +41916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,20 +777,63 @@
+@@ -543,20 +778,63 @@
  ')
  
  optional_policy(`
@@ -41775,7 +41982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +842,6 @@
+@@ -565,7 +843,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -41783,10 +41990,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +852,10 @@
+@@ -576,6 +853,14 @@
  ')
  
  optional_policy(`
++    vdagent_stream_connect(xdm_t)
++')
++
++optional_policy(`
 +	wm_exec(xdm_t)
 +')
 +
@@ -41794,7 +42005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +880,9 @@
+@@ -600,10 +885,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -41806,7 +42017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +894,18 @@
+@@ -615,6 +899,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -41825,7 +42036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +925,19 @@
+@@ -634,12 +930,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -41847,7 +42058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -647,6 +945,7 @@
+@@ -647,6 +950,7 @@
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -41855,7 +42066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -673,7 +972,6 @@
+@@ -673,7 +977,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -41863,7 +42074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +981,12 @@
+@@ -683,9 +986,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -41877,7 +42088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +1001,13 @@
+@@ -700,8 +1006,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -41891,7 +42102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1029,14 @@
+@@ -723,11 +1034,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -41906,7 +42117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1088,28 @@
+@@ -779,12 +1093,28 @@
  ')
  
  optional_policy(`
@@ -41936,7 +42147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1136,7 @@
+@@ -811,7 +1141,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -41945,7 +42156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1157,14 @@
+@@ -832,9 +1162,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -41960,7 +42171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1179,14 @@
+@@ -849,11 +1184,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -41977,7 +42188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -999,3 +1332,34 @@
+@@ -999,3 +1337,34 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -47382,7 +47593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.f
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.19/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/udev.if	2011-03-04 13:01:58.267413001 +0000
++++ serefpolicy-3.7.19/policy/modules/system/udev.if	2011-03-08 16:58:29.797413002 +0000
 @@ -1,5 +1,31 @@
  ## <summary>Policy for udev.</summary>
  
@@ -47451,6 +47662,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
  ##	Create, read, write, and delete
  ##	udev pid files.
  ## </summary>
+@@ -213,3 +257,35 @@
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
++
++#######################################
++## <summary>
++##  Create a domain for processes
++##  which can be started by udev.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Type to be used as a domain.
++##  </summary>
++## </param>
++## <param name="entry_point">
++##  <summary>
++##  Type of the program to be used as an entry point to this domain.
++##  </summary>
++## </param>
++#
++interface(`udev_system_domain',`
++    gen_require(`
++        type udev_t;
++        role system_r;
++    ')
++
++    domain_type($1)
++    domain_entry_file($1, $2)
++
++    role system_r types $1;
++
++    domtrans_pattern(udev_t, $2, $1)
++
++    dontaudit $1 udev_t:unix_dgram_socket { read write };
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.19/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2010-04-13 18:44:37.000000000 +0000
 +++ serefpolicy-3.7.19/policy/modules/system/udev.te	2011-03-04 12:59:56.537413001 +0000
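Review bot: The `dontaudit $1 udev_t:unix_dgram_socket { read write };` at the end of the new udev_system_domain interface has no explanation; a comment such as `# silence denials on the udev socket fd inherited across the transition` (if that is indeed the reason) would keep a later maintainer from turning it into an allow. Since the interface also adds `role system_r types $1`, the summary could state that the created domain runs in the system role. The interface is otherwise self-contained within the hunk.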
@@ -48293,7 +48540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.19/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2011-02-25 17:52:11.239507921 +0000
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.if	2011-03-08 15:28:55.169413000 +0000
 @@ -30,8 +30,9 @@
  	')
  
@@ -49899,7 +50146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3111,3 +3500,725 @@
+@@ -3111,3 +3500,743 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -50028,6 +50275,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	dontaudit $1 admin_home_t:dir list_dir_perms;
 +')
 +
++#######################################
++## <summary>
++##  dontaudit write /root
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_dontaudit_write_admin_dir',`
++    gen_require(`
++        type admin_home_t;
++    ')
++
++    dontaudit $1 admin_home_t:dir write;
++')
++
 +########################################
 +## <summary>
 +##	Allow domain to  list /root
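Review bot: The summary of the new `userdom_dontaudit_write_admin_dir` interface reads `dontaudit write /root`, which is terser than the neighbouring interface summaries; `##  Do not audit attempts to write to the administrator's home directory (/root).` would match their phrasing. Its only caller in this commit is xdm_t in xserver.te, so a short note on the rationale there (presumably xdm probing /root during login) would also help. The interface body is complete within the hunk.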
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d3b69cf..eac9f6a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 98%{?dist}
+Release: 99%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,11 @@ exit 0
 %endif
 
 %changelog
+* Tue Mar 8 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-99
+- Fixes for ssh_keygen policy
+- Allow sysadm_t to run ssh-keygen in ssh_keygen_t domain
+- Backport spice vdagent policy
+
 * Fri Mar 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-98
 - Backport sandbox and seunshare policy from F15
 - Allow rpm setfcap capability

