rpms/selinux-policy/devel policy-20090105.patch, 1.28, 1.29 selinux-policy.spec, 1.780, 1.781
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Feb 3 15:26:41 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5190
Modified Files:
policy-20090105.patch selinux-policy.spec
Log Message:
* Mon Feb 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-13
- Add boolean to disallow unconfined_t login
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- policy-20090105.patch 30 Jan 2009 16:49:11 -0000 1.28
+++ policy-20090105.patch 3 Feb 2009 15:26:10 -0000 1.29
@@ -2875,8 +2875,8 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.3/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-01-19 13:10:02.000000000 -0500
-@@ -0,0 +1,277 @@
++++ serefpolicy-3.6.3/policy/modules/apps/nsplugin.te 2009-02-02 09:39:29.000000000 -0500
+@@ -0,0 +1,288 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -2892,6 +2892,13 @@
+## </desc>
+gen_tunable(allow_nsplugin_execmem, false)
+
++## <desc>
++## <p>
++## Allow nsplugin code to connect to unreserved ports
++## </p>
++## </desc>
++gen_tunable(nsplugin_can_network, True)
++
+type nsplugin_exec_t;
+application_executable_file(nsplugin_exec_t)
+
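Review bot: The new tunable is declared as `gen_tunable(nsplugin_can_network, True)` with a capital T, while the other tunables in this patch use lowercase defaults (`gen_tunable(allow_nsplugin_execmem, false)` directly above, `gen_tunable(unconfined_login, true)` in unconfined.te). Write `gen_tunable(nsplugin_can_network, true)` so the default is spelled like the rest; whether the policy toolchain accepts the mixed-case form cannot be confirmed from this page. The default is also "on", so the `tunable_policy` block added in the `@@ -2940,6 +2947,10 @@` hunk grants nsplugin_t outbound TCP connections to every unreserved port unless an administrator switches the boolean off. The `<desc>` text should state that default.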
@@ -2940,6 +2947,10 @@
+ allow nsplugin_config_t self:process { execstack execmem };
+')
+
++tunable_policy(`nsplugin_can_network',`
++ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
++')
++
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
@@ -4313,8 +4324,33 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-01-19 13:13:31.000000000 -0500
-@@ -1579,6 +1579,24 @@
++++ serefpolicy-3.6.3/policy/modules/kernel/corenetwork.if.in 2009-02-02 09:34:32.000000000 -0500
+@@ -1504,6 +1504,24 @@
+
+ ########################################
+ ## <summary>
++## Connect TCP sockets to all ports > 1024.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`corenet_tcp_connect_all_unreserved_ports',`
++ gen_require(`
++ attribute port_type, reserved_port_type;
++ ')
++
++ allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to connect TCP sockets
+ ## all reserved ports.
+ ## </summary>
+@@ -1579,6 +1597,24 @@
########################################
## <summary>
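Review bot: The summary of the new `corenet_tcp_connect_all_unreserved_ports` interface says "Connect TCP sockets to all ports > 1024", but the rule selects by type set, `{ port_type -reserved_port_type }`, not by port number. It therefore covers every port type that lacks the reserved attribute, which presumably includes the labeled ports of other services as well as generic high ports; the attribute assignments are outside this hunk. Suggest wording the summary to match the rule, e.g. `## Connect TCP sockets to all ports that do not have a reserved port type.`, so callers such as nsplugin.te know how wide the grant is. The second inner hunk (`@@ -1579,6 +1597,24 @@`) continues past what this hunk shows.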
@@ -9419,6 +9455,17 @@
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.6.3/policy/modules/services/apcupsd.fc
+--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2008-10-08 19:00:27.000000000 -0400
++++ serefpolicy-3.6.3/policy/modules/services/apcupsd.fc 2009-02-02 08:21:34.000000000 -0500
+@@ -5,6 +5,7 @@
+ ')
+
+ /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
++/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
+
+ /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+ /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.3/policy/modules/services/apm.te
--- nsaserefpolicy/policy/modules/services/apm.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/services/apm.te 2009-01-28 09:26:27.000000000 -0500
@@ -14526,6 +14573,28 @@
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.6.3/policy/modules/services/mysql.fc
+--- nsaserefpolicy/policy/modules/services/mysql.fc 2008-11-18 18:57:20.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mysql.fc 2009-02-02 08:23:53.000000000 -0500
+@@ -10,6 +10,7 @@
+ #
+ # /usr
+ #
++/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+ /usr/libexec/mysqld -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+ /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.3/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2009-01-19 11:06:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/mysql.te 2009-02-02 08:24:35.000000000 -0500
+@@ -65,6 +65,7 @@
+ kernel_read_system_state(mysqld_t)
+ kernel_read_kernel_sysctls(mysqld_t)
+
++can_exec(mysqld_t, mysqld_exec_t)
+ corenet_all_recvfrom_unlabeled(mysqld_t)
+ corenet_all_recvfrom_netlabel(mysqld_t)
+ corenet_tcp_sendrecv_generic_if(mysqld_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.3/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.6.3/policy/modules/services/nagios.fc 2009-01-19 13:10:02.000000000 -0500
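Review bot: `can_exec(mysqld_t, mysqld_exec_t)` is added to mysql.te without a comment, in the middle of the kernel_ and corenet_ calls. It appears to pair with the new mysql.fc entry that labels `/usr/bin/mysqld_safe` as `mysqld_exec_t`, so that the wrapper, once running in mysqld_t, can execute the daemon binary without a further transition. A one-line comment such as `# mysqld_safe is labeled mysqld_exec_t and executes mysqld` would record that link. Giving the wrapper the daemon's entrypoint type also means everything else the wrapper runs is checked against mysqld_t, which is worth confirming against the script itself.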
@@ -19924,13 +19993,14 @@
auth_write_login_records(rshd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-01-19 13:10:02.000000000 -0500
-@@ -119,5 +119,8 @@
++++ serefpolicy-3.6.3/policy/modules/services/rsync.te 2009-02-02 08:28:58.000000000 -0500
+@@ -119,5 +119,9 @@
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
+ auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
++ auth_read_all_symlinks_except_shadow(rsync_t)
+ auth_tunable_read_shadow(rsync_t)
')
+auth_can_read_shadow_passwords(rsync_t)
@@ -20365,7 +20435,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/samba.te 2009-02-03 10:22:51.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -20519,7 +20589,20 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -350,8 +377,20 @@
+@@ -338,20 +365,27 @@
+ ')
+
+ tunable_policy(`samba_enable_home_dirs',`
+- userdom_manage_user_home_content_dirs(smbd_t)
+- userdom_manage_user_home_content_files(smbd_t)
+- userdom_manage_user_home_content_symlinks(smbd_t)
+- userdom_manage_user_home_content_sockets(smbd_t)
+- userdom_manage_user_home_content_pipes(smbd_t)
+- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
++ userdom_manage_user_home_content(smbd_t)
+ ')
+
+ # Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -20540,7 +20623,7 @@
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -359,6 +398,16 @@
+@@ -359,6 +393,16 @@
optional_policy(`
kerberos_use(smbd_t)
@@ -20557,7 +20640,7 @@
')
optional_policy(`
-@@ -381,8 +430,10 @@
+@@ -381,8 +425,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
@@ -20568,7 +20651,7 @@
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -454,6 +505,7 @@
+@@ -454,6 +500,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -20576,7 +20659,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -553,19 +605,33 @@
+@@ -553,19 +600,33 @@
userdom_use_user_terminals(smbmount_t)
userdom_use_all_users_fds(smbmount_t)
@@ -20613,7 +20696,7 @@
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -585,6 +651,9 @@
+@@ -585,6 +646,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -20623,7 +20706,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -609,15 +678,18 @@
+@@ -609,15 +673,18 @@
dev_read_urand(swat_t)
@@ -20642,7 +20725,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -635,6 +707,17 @@
+@@ -635,6 +702,17 @@
kerberos_use(swat_t)
')
@@ -20660,7 +20743,7 @@
########################################
#
# Winbind local policy
-@@ -642,7 +725,7 @@
+@@ -642,7 +720,7 @@
allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
@@ -20669,7 +20752,7 @@
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +766,10 @@
+@@ -683,9 +761,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@@ -20682,7 +20765,7 @@
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +793,12 @@
+@@ -709,10 +788,12 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -20695,7 +20778,7 @@
logging_send_syslog_msg(winbind_t)
-@@ -768,8 +854,13 @@
+@@ -768,8 +849,13 @@
userdom_use_user_terminals(winbind_helper_t)
optional_policy(`
@@ -20709,7 +20792,7 @@
')
########################################
-@@ -778,6 +869,16 @@
+@@ -778,6 +864,16 @@
#
optional_policy(`
@@ -20726,7 +20809,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -788,9 +889,43 @@
+@@ -788,9 +884,43 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -21996,7 +22079,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.3/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/ssh.te 2009-02-02 14:39:09.000000000 -0500
@@ -75,7 +75,7 @@
ubac_constrained(ssh_tmpfs_t)
@@ -23252,7 +23335,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-01-28 13:23:35.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te 2009-02-02 14:36:35.000000000 -0500
@@ -34,6 +34,13 @@
## <desc>
@@ -23652,17 +23735,21 @@
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +651,8 @@
+@@ -550,9 +651,11 @@
')
optional_policy(`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
+- unconfined_domtrans(xdm_t)
++ unconfined_shell_domtrans(xdm_t)
+ unconfined_signal(xdm_t)
++')
++optional_policy(`
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -571,6 +672,10 @@
+ ')
+@@ -571,6 +674,10 @@
')
optional_policy(`
@@ -23673,7 +23760,7 @@
xfs_stream_connect(xdm_t)
')
-@@ -587,7 +692,7 @@
+@@ -587,7 +694,7 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23682,7 +23769,7 @@
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:memprotect mmap_zero;
-@@ -602,9 +707,11 @@
+@@ -602,9 +709,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23694,7 +23781,7 @@
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -622,7 +729,7 @@
+@@ -622,7 +731,7 @@
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
@@ -23703,7 +23790,7 @@
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,6 +742,15 @@
+@@ -635,6 +744,15 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23719,7 +23806,7 @@
# Create files in /var/log with the xserver_log_t type.
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -680,9 +796,14 @@
+@@ -680,9 +798,14 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -23734,7 +23821,7 @@
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +818,13 @@
+@@ -697,8 +820,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23748,7 +23835,7 @@
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -720,6 +846,7 @@
+@@ -720,6 +848,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -23756,7 +23843,7 @@
modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +869,7 @@
+@@ -742,7 +871,7 @@
')
ifdef(`enable_mls',`
@@ -23765,7 +23852,7 @@
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,6 +901,10 @@
+@@ -774,6 +903,10 @@
')
optional_policy(`
@@ -23776,7 +23863,7 @@
rhgb_getpgid(xserver_t)
rhgb_signal(xserver_t)
')
-@@ -806,7 +937,7 @@
+@@ -806,7 +939,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -23785,7 +23872,7 @@
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +958,14 @@
+@@ -827,9 +960,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23800,7 +23887,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +980,14 @@
+@@ -844,11 +982,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -23816,7 +23903,7 @@
')
optional_policy(`
-@@ -856,6 +995,11 @@
+@@ -856,6 +997,11 @@
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -23828,7 +23915,7 @@
########################################
#
# Rules common to all X window domains
-@@ -881,6 +1025,8 @@
+@@ -881,6 +1027,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -23837,7 +23924,7 @@
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1051,8 @@
+@@ -905,6 +1053,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23846,7 +23933,7 @@
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,6 +1120,37 @@
+@@ -972,6 +1122,37 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -23884,7 +23971,7 @@
ifdef(`TODO',`
tunable_policy(`allow_polyinstantiation',`
# xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1165,12 @@
+@@ -986,3 +1167,12 @@
#
allow xdm_t user_home_type:file unlink;
') dnl end TODO
@@ -27634,7 +27721,7 @@
+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/unconfined.if 2009-02-02 14:49:54.000000000 -0500
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -27692,7 +27779,23 @@
')
optional_policy(`
-@@ -367,6 +376,24 @@
+@@ -227,13 +236,9 @@
+ #
+ interface(`unconfined_shell_domtrans',`
+ gen_require(`
+- type unconfined_t;
++ type unconfined_login_domain;
+ ')
+-
+- corecmd_shell_domtrans($1,unconfined_t)
+- allow unconfined_t $1:fd use;
+- allow unconfined_t $1:fifo_file rw_file_perms;
+- allow unconfined_t $1:process sigchld;
++ typeattribute $1 unconfined_login_domain
+ ')
+
+ ########################################
+@@ -367,6 +372,24 @@
########################################
## <summary>
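Review bot: The rewritten `unconfined_shell_domtrans` requires `type unconfined_login_domain;`, but unconfined.te in this same patch declares it as `attribute unconfined_login_domain;`, so the require should read `attribute unconfined_login_domain;`. The body line `typeattribute $1 unconfined_login_domain` also has no terminating semicolon and should be `typeattribute $1 unconfined_login_domain;`. The interface no longer grants the shell transition itself; it only tags the caller, and the actual rules now sit behind the `unconfined_login` boolean in unconfined.te. Its doc comment, which starts outside this hunk, should say that the transition is conditional.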
@@ -27717,7 +27820,7 @@
## Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
-@@ -581,3 +608,150 @@
+@@ -581,3 +604,150 @@
allow $1 unconfined_t:dbus acquire_svc;
')
@@ -27870,11 +27973,13 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-01-30 10:55:24.000000000 -0500
-@@ -6,35 +6,77 @@
++++ serefpolicy-3.6.3/policy/modules/system/unconfined.te 2009-02-02 14:52:21.000000000 -0500
+@@ -5,36 +5,86 @@
+ #
# Declarations
#
-
++attribute unconfined_login_domain;
++
+## <desc>
+## <p>
+## Transition to confined nsplugin domains from unconfined user
@@ -27884,6 +27989,13 @@
+
+## <desc>
+## <p>
++## Allow a user to login as an unconfined domain
++## </p>
++## </desc>
++gen_tunable(unconfined_login, true)
++
++## <desc>
++## <p>
+## Allow unconfined domain to map low memory in the kernel
+## </p>
+## </desc>
@@ -27895,7 +28007,7 @@
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_qemu_transition, false)
-+
+
# usage in this module of types created by these
# calls is not correct, however we dont currently
# have another method to add access to these types
@@ -27956,7 +28068,7 @@
libs_run_ldconfig(unconfined_t, unconfined_r)
-@@ -42,26 +84,39 @@
+@@ -42,26 +92,39 @@
logging_run_auditctl(unconfined_t, unconfined_r)
mount_run_unconfined(unconfined_t, unconfined_r)
@@ -27998,7 +28110,7 @@
')
optional_policy(`
-@@ -102,12 +157,24 @@
+@@ -102,12 +165,24 @@
')
optional_policy(`
@@ -28023,7 +28135,7 @@
')
optional_policy(`
-@@ -119,31 +186,33 @@
+@@ -119,31 +194,33 @@
')
optional_policy(`
@@ -28064,7 +28176,7 @@
')
optional_policy(`
-@@ -155,36 +224,38 @@
+@@ -155,36 +232,38 @@
')
optional_policy(`
@@ -28115,7 +28227,7 @@
')
optional_policy(`
-@@ -192,7 +263,7 @@
+@@ -192,7 +271,7 @@
')
optional_policy(`
@@ -28124,7 +28236,7 @@
')
optional_policy(`
-@@ -204,11 +275,12 @@
+@@ -204,11 +283,12 @@
')
optional_policy(`
@@ -28139,7 +28251,7 @@
')
########################################
-@@ -218,14 +290,60 @@
+@@ -218,14 +298,68 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -28183,7 +28295,7 @@
+ type mplayer_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
-+')
+ ')
+
+optional_policy(`
+tunable_policy(`allow_unconfined_nsplugin_transition',`', `
@@ -28191,7 +28303,7 @@
+ type mozilla_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
- ')
++')
+')
+
+optional_policy(`
@@ -28202,6 +28314,14 @@
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++
++tunable_policy(`unconfined_login',`
++ corecmd_shell_domtrans(unconfined_login_domain,unconfined_t)
++ allow unconfined_t unconfined_login_domain:fd use;
++ allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;
++ allow unconfined_t unconfined_login_domain:process sigchld;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.3/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-11-11 16:13:48.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.fc 2009-01-19 13:10:02.000000000 -0500
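Review bot: In the new `unconfined_login` block, the fifo rule `allow unconfined_t unconfined_login_domain:fifo_file rw_file_perms;` uses the regular-file permission set on the fifo_file class. samba.te in this same patch uses `rw_fifo_file_perms` for fifo_file, so `allow unconfined_t unconfined_login_domain:fifo_file rw_fifo_file_perms;` would be consistent. The boolean also gates only domains that received the attribute through `unconfined_shell_domtrans`. Any login path that still reaches unconfined_t through another interface is not affected by switching it off; those callers are not visible here, so this needs checking before the boolean is described as disallowing unconfined_t login.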
@@ -28216,7 +28336,7 @@
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-30 09:14:16.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-02-03 10:23:11.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -29682,7 +29802,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -2981,3 +3235,285 @@
+@@ -2981,3 +3235,313 @@
allow $1 userdomain:dbus send_msg;
')
@@ -29968,6 +30088,34 @@
+ exec_files_pattern($1, admin_home_t, admin_home_t)
+')
+
++
++#######################################
++## <summary>
++## Manage all files/directories in the homedir
++## </summary>
++## <param name="userdomain">
++## <summary>
++## The user domain
++## </summary>
++## </param>
++## <rolebase/>
++#
++interface(`userdom_manage_user_home_content',`
++ gen_require(`
++ type user_home_dir_t;
++ attribute user_home_type;
++ ')
++
++ files_list_home($1)
++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++ filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
++
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.3/policy/modules/system/userdomain.te 2009-01-19 13:10:02.000000000 -0500
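Review bot: The new `userdom_manage_user_home_content` interface uses `user_home_t` in its `filetrans_pattern` line, but its `gen_require` block declares only `user_home_dir_t` and the `user_home_type` attribute. Add the missing type, e.g. `type user_home_dir_t, user_home_t;`. The manage patterns are written against the `user_home_type` attribute, so a caller gets manage access to every type carrying that attribute. In samba.te this single call replaces five per-class `userdom_manage_user_home_content_*` calls for smbd_t under `samba_enable_home_dirs`, and may be wider than what they granted; their bodies are not shown here, so this is worth confirming. The parameter is documented as `userdomain` / "The user domain" although the caller on this page is smbd_t; "Domain allowed access" would describe it better.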
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.780
retrieving revision 1.781
diff -u -r1.780 -r1.781
--- selinux-policy.spec 30 Jan 2009 16:49:11 -0000 1.780
+++ selinux-policy.spec 3 Feb 2009 15:26:10 -0000 1.781
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.3
-Release: 12%{?dist}
+Release: 13%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -234,7 +234,7 @@
%installCmds olpc mcs n y allow
%endif
-make UNK_PERMS=allow NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
+make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/
@@ -444,6 +444,9 @@
%endif
%changelog
+* Mon Feb 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-13
+- Add boolean to disallow unconfined_t login
+
* Fri Jan 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-12
- Add back transition from xguest to mozilla