rpms/selinux-policy/F-9 policy-20071130.patch,1.253,1.254
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Feb 19 10:33:09 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12213
Modified Files:
policy-20071130.patch
Log Message:
- Fix kismet policy
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.253
retrieving revision 1.254
diff -u -r1.253 -r1.254
--- policy-20071130.patch 13 Feb 2009 14:09:56 -0000 1.253
+++ policy-20071130.patch 19 Feb 2009 10:33:02 -0000 1.254
@@ -572895,8 +572895,8 @@
+/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
--- nsaserefpolicy/policy/modules/admin/kismet.if 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2009-02-12 22:21:57.000000000 +0100
-@@ -0,0 +1,252 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if 2009-02-19 11:22:07.000000000 +0100
+@@ -0,0 +1,253 @@
+## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
+
+########################################
@@ -572915,6 +572915,7 @@
+ ')
+
+ domtrans_pattern($1, kismet_exec_t, kismet_t)
++ allow kismet_t $1:process signull;
+')
+
+########################################
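Review bot: The `allow kismet_t $1:process signull;` inserted right after `domtrans_pattern($1, kismet_exec_t, kismet_t)` grants the kismet domain a permission against the caller's domain, which is unusual inside a domtrans interface and is not explained anywhere in the hunk or the commit message. A one-line comment naming the trigger would save the next reader an audit-log dig, e.g. `# kismet_t probes its invoking domain with signull (reason: <what kismet does here>)` — the hunk itself does not show what produced the denial, so the reason should be filled in by the author. The enclosing interface starts before this hunk.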
@@ -573151,8 +573152,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2009-02-12 22:21:57.000000000 +0100
-@@ -0,0 +1,77 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2009-02-19 11:27:37.000000000 +0100
+@@ -0,0 +1,98 @@
+
+policy_module(kismet, 1.0.2)
+
@@ -573175,6 +573176,12 @@
+type kismet_log_t;
+logging_log_file(kismet_log_t)
+
++type kismet_tmpfs_t;
++files_tmpfs_file(kismet_tmpfs_t)
++
++type kismet_tmp_t;
++files_tmp_file(kismet_tmp_t)
++
+########################################
+#
+# kismet local policy
@@ -573200,6 +573207,14 @@
+allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
++
++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
++
+corecmd_exec_bin(kismet_t)
+
+corenet_all_recvfrom_unlabeled(kismet_t)
@@ -573209,6 +573224,7 @@
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_all_nodes(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
++corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+kernel_search_debugfs(kismet_t)
+
@@ -573218,11 +573234,17 @@
+
+files_read_usr_files(kismet_t)
+
++fs_getattr_tmpfs(kismet_t)
++
+libs_use_ld_so(kismet_t)
+libs_use_shared_libs(kismet_t)
+
+miscfiles_read_localization(kismet_t)
+
++userdom_read_generic_user_tmpfs_files(kismet_t)
++
++userdom_dontaudit_manage_sysadm_home_files(kismet_t)
++
+optional_policy(`
+ dbus_system_bus_client_template(kismet, kismet_t)
+
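Review bot: `userdom_read_generic_user_tmpfs_files(kismet_t)` and `userdom_dontaudit_manage_sysadm_home_files(kismet_t)` are added unconditionally and without a comment saying which kismet behaviour needs them. The first gives a packet-capture daemon read and list access to every user's user_tmpfs_t content; if this is for the pulseaudio connection added earlier in the file (`corenet_tcp_connect_pulseaudio_port(kismet_t)`), a comment such as `# pulseaudio shared memory lives in user tmpfs` above the call would document the scope of the grant. The second silences all manage attempts on admin_home_t dir/file/lnk_file, which hides writes into /root that an administrator would normally want to see; a comment describing the scenario it covers (presumably kismet started from the root home directory and writing its logs into the cwd — confirm) would let a maintainer decide whether labelling that log location kismet_log_t is the better fix. The kismet local policy block continues outside the hunk.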
@@ -673972,7 +673994,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2009-02-19 11:21:16.000000000 +0100
@@ -29,9 +29,14 @@
')
@@ -675947,7 +675969,7 @@
')
########################################
-@@ -3254,6 +3473,42 @@
+@@ -3254,6 +3473,63 @@
## </summary>
## </param>
#
@@ -675962,6 +675984,27 @@
+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
+')
+
++######################################
++## <summary>
++## Read user tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_generic_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ allow $1 user_tmpfs_t:dir list_dir_perms;
++ fs_search_tmpfs($1)
++')
++
+########################################
+## <summary>
+## Read/write user tmpfs files.
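Review bot: The summary of the new `userdom_read_generic_user_tmpfs_files` interface says only `Read user tmpfs files.`, but the body also grants `list_dir_perms` on user_tmpfs_t directories and calls `fs_search_tmpfs($1)`, and the per-user template that ends just above it (its head is outside the hunk) covers the same ground for `$1_tmpfs_t`; `## Read generic user tmpfs files and list their directories.` would distinguish the two in the generated interface documentation. The argument spacing `read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)` also differs from the neighbouring `read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)`, a style choice the file should settle one way.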
@@ -675990,7 +676033,7 @@
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
-@@ -3267,6 +3522,42 @@
+@@ -3267,6 +3543,42 @@
########################################
## <summary>
@@ -676033,7 +676076,7 @@
## List users untrusted directories.
## </summary>
## <desc>
-@@ -3962,6 +4253,24 @@
+@@ -3962,6 +4274,24 @@
########################################
## <summary>
@@ -676058,7 +676101,7 @@
## Manage unpriviledged user SysV shared
## memory segments.
## </summary>
-@@ -4231,11 +4540,11 @@
+@@ -4231,11 +4561,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -676072,7 +676115,7 @@
')
########################################
-@@ -4251,10 +4560,10 @@
+@@ -4251,10 +4581,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -676085,7 +676128,7 @@
')
########################################
-@@ -4270,11 +4579,11 @@
+@@ -4270,11 +4600,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -676099,7 +676142,7 @@
')
########################################
-@@ -4289,16 +4598,16 @@
+@@ -4289,16 +4619,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -676119,7 +676162,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4616,54 @@
+@@ -4307,12 +4637,54 @@
## </summary>
## </param>
#
@@ -676177,7 +676220,7 @@
')
########################################
-@@ -4327,13 +4678,13 @@
+@@ -4327,13 +4699,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -676195,7 +676238,7 @@
')
########################################
-@@ -4531,10 +4882,10 @@
+@@ -4531,10 +4903,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -676208,7 +676251,7 @@
')
########################################
-@@ -4551,10 +4902,10 @@
+@@ -4551,10 +4923,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -676221,7 +676264,7 @@
')
########################################
-@@ -4569,10 +4920,10 @@
+@@ -4569,10 +4941,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -676234,7 +676277,7 @@
')
########################################
-@@ -4588,10 +4939,10 @@
+@@ -4588,10 +4960,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -676247,7 +676290,7 @@
')
########################################
-@@ -4606,10 +4957,10 @@
+@@ -4606,10 +4978,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -676260,7 +676303,7 @@
')
########################################
-@@ -4625,10 +4976,10 @@
+@@ -4625,10 +4997,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -676273,17 +676316,14 @@
')
########################################
-@@ -4644,12 +4995,29 @@
+@@ -4644,14 +5016,53 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
- type sysadm_home_dir_t, sysadm_home_t;
+ type admin_home_t;
- ')
-
-- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
-- dontaudit $1 sysadm_home_t:dir search_dir_perms;
-- dontaudit $1 sysadm_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 admin_home_t:dir search_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+')
@@ -676301,13 +676341,40 @@
+interface(`userdom_dontaudit_read_sysadm_home_sym_links',`
+ gen_require(`
+ type admin_home_t;
-+ ')
-+
+ ')
+
+- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+- dontaudit $1 sysadm_home_t:dir search_dir_perms;
+- dontaudit $1 sysadm_home_t:file read_file_perms;
+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
++')
++
++#######################################
++## <summary>
++## Do not audit attempts to manage files in the sysadm
++## home directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_manage_sysadm_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir manage_dir_perms;
++ dontaudit $1 admin_home_t:file manage_file_perms;
++ dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
')
++
########################################
-@@ -4676,10 +5044,10 @@
+ ## <summary>
+ ## Create objects in sysadm home directories
+@@ -4676,10 +5087,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
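Review bot: The new `userdom_dontaudit_manage_sysadm_home_files` interface silences manage_dir_perms, manage_file_perms and manage_lnk_file_perms denials on admin_home_t, which is broad enough to hide attempted writes to /root from the audit log, yet its summary mentions only files; `## Do not audit attempts to manage directories, files and symlinks in the sysadm home directory.` states what is actually suppressed so callers can judge the cost. The separator line above it (`#######################################`) appears one `#` shorter than the 40-character rules used by the surrounding interfaces. The preceding interface, `userdom_dontaudit_read_sysadm_home_sym_links`, has its head in this hunk but the diff alignment of the old `dontaudit $1 sysadm_home_*` lines straddles the previous hunk as well.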
@@ -676320,7 +676387,7 @@
')
########################################
-@@ -4694,10 +5062,10 @@
+@@ -4694,10 +5105,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -676333,7 +676400,7 @@
')
########################################
-@@ -4712,13 +5080,13 @@
+@@ -4712,13 +5123,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -676351,151 +676418,156 @@
')
########################################
-@@ -4754,11 +5122,49 @@
+@@ -4754,16 +5165,16 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
+- attribute home_dir_type;
+ attribute user_home_dir_type;
-+ ')
-+
-+ files_list_home($1)
-+ allow $1 user_home_dir_type:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
-+ gen_require(`
- attribute home_dir_type;
')
files_list_home($1)
- allow $1 home_dir_type:dir search_dir_perms;
-+ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_content_symlinks',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ files_list_home($1)
-+ allow $1 user_home_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
-@@ -4778,6 +5184,14 @@
-
- files_list_home($1)
- allow $1 home_dir_type:dir list_dir_perms;
-+
-+ tunable_policy(`use_nfs_home_dirs',`
-+ fs_list_nfs($1)
-+ ')
-+
-+ tunable_policy(`use_samba_home_dirs',`
-+ fs_list_cifs($1)
-+ ')
++ allow $1 user_home_dir_type:dir search_dir_perms;
')
########################################
-@@ -4815,6 +5229,8 @@
+ ## <summary>
+-## List all users home directories.
++## Read all users home directories symlinks.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -4771,18 +5182,18 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`userdom_list_all_users_home_dirs',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
+ gen_require(`
+ attribute home_dir_type;
')
- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
-+ fs_dontaudit_list_nfs($1)
-+ fs_dontaudit_list_cifs($1)
+ files_list_home($1)
+- allow $1 home_dir_type:dir list_dir_perms;
++ allow $1 home_dir_type:lnk_file read_lnk_file_perms;
')
########################################
-@@ -4839,7 +5255,7 @@
-
- ########################################
## <summary>
--## Create, read, write, and delete all directories
-+## delete all directories
- ## in all users home directories.
+-## Search all users home directories.
++## Read all users home directories symlinks.
## </summary>
## <param name="domain">
-@@ -4848,18 +5264,18 @@
+ ## <summary>
+@@ -4790,36 +5201,45 @@
## </summary>
## </param>
#
--interface(`userdom_manage_all_users_home_content_dirs',`
-+interface(`userdom_delete_all_users_home_content_dirs',`
+-interface(`userdom_search_all_users_home_content',`
++interface(`userdom_read_all_users_home_content_symlinks',`
gen_require(`
- attribute home_type;
+- attribute home_dir_type, home_type;
++ type user_home_t;
')
files_list_home($1)
-- allow $1 home_type:dir manage_dir_perms;
-+ delete_dirs_pattern($1, home_type, home_type)
+- allow $1 { home_dir_type home_type }:dir search_dir_perms;
++ allow $1 user_home_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
--## Create, read, write, and delete all files
-+## Create, read, write, and delete all directories
- ## in all users home directories.
+-## Do not audit attempts to search all users home directories.
++## List all users home directories.
## </summary>
## <param name="domain">
-@@ -4868,18 +5284,18 @@
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
## </summary>
## </param>
#
--interface(`userdom_manage_all_users_home_content_files',`
-+interface(`userdom_manage_all_users_home_content_dirs',`
+-interface(`userdom_dontaudit_search_all_users_home_content',`
++interface(`userdom_list_all_users_home_dirs',`
gen_require(`
- attribute home_type;
+- attribute home_dir_type, home_type;
++ attribute home_dir_type;
')
- files_list_home($1)
-- manage_files_pattern($1,home_type,home_type)
-+ allow $1 home_type:dir manage_dir_perms;
+- dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ files_list_home($1)
++ allow $1 home_dir_type:dir list_dir_perms;
++
++ tunable_policy(`use_nfs_home_dirs',`
++ fs_list_nfs($1)
++ ')
++
++ tunable_policy(`use_samba_home_dirs',`
++ fs_list_cifs($1)
++ ')
')
########################################
## <summary>
--## Create, read, write, and delete all symlinks
-+## Delete all files
- ## in all users home directories.
+-## Read all files in all users home directories.
++## Search all users home directories.
## </summary>
## <param name="domain">
-@@ -4888,12 +5304,71 @@
+ ## <summary>
+@@ -4827,7 +5247,46 @@
## </summary>
## </param>
#
--interface(`userdom_manage_all_users_home_content_symlinks',`
-+interface(`userdom_delete_all_users_home_content_files',`
- gen_require(`
- attribute home_type;
- ')
-
-- files_list_home($1)
-+ delete_files_pattern($1,home_type,home_type)
+-interface(`userdom_read_all_users_home_content_files',`
++interface(`userdom_search_all_users_home_content',`
++ gen_require(`
++ attribute home_dir_type, home_type;
++ ')
++
++ files_list_home($1)
++ allow $1 { home_dir_type home_type }:dir search_dir_perms;
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete all files
++## Do not audit attempts to search all users home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_search_all_users_home_content',`
++ gen_require(`
++ attribute home_dir_type, home_type;
++ ')
++
++ dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++ fs_dontaudit_list_nfs($1)
++ fs_dontaudit_list_cifs($1)
++')
++
++########################################
++## <summary>
++## Read all files in all users home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_all_users_home_content_files',`
+ gen_require(`
+ attribute home_type;
+ ')
+@@ -4839,6 +5298,26 @@
+
+ ########################################
+ ## <summary>
++## delete all directories
+## in all users home directories.
+## </summary>
+## <param name="domain">
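Review bot: In `userdom_search_all_users_home_dirs` the required attribute changes from `home_dir_type` to `user_home_dir_type` (the `+- attribute home_dir_type;` and `++ allow $1 user_home_dir_type:dir search_dir_perms;` lines near the top of the hunk), so a caller of an interface named "all users" may lose search access to home directories that carry home_dir_type but not user_home_dir_type; admin_home_t, which this same patch assigns to `/root(/.*)?`, is the obvious candidate if it lacks that attribute. If the exclusion is intended, say so in the summary, e.g. `## Search all unprivileged users home directories.`; if not, the attribute should stay `home_dir_type`. Further down, the summary `## delete all directories` of `userdom_delete_all_users_home_content_dirs` should be capitalised to match `## Delete all files` and `## Delete all symlinks` in the following hunks. Most of the rest of the hunk appears to be the same interfaces re-aligned against the upstream file rather than a semantic change.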
@@ -676504,18 +676576,25 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_manage_all_users_home_content_files',`
++interface(`userdom_delete_all_users_home_content_dirs',`
+ gen_require(`
+ attribute home_type;
+ ')
+
+ files_list_home($1)
-+ manage_files_pattern($1,home_type,home_type)
++ delete_dirs_pattern($1, home_type, home_type)
+')
+
+########################################
+## <summary>
-+## Delete all symlinks
+ ## Create, read, write, and delete all directories
+ ## in all users home directories.
+ ## </summary>
+@@ -4859,6 +5338,25 @@
+
+ ########################################
+ ## <summary>
++## Delete all files
+## in all users home directories.
+## </summary>
+## <param name="domain">
@@ -676524,18 +676603,24 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_delete_all_users_home_content_symlinks',`
++interface(`userdom_delete_all_users_home_content_files',`
+ gen_require(`
+ attribute home_type;
+ ')
+
-+ files_list_home($1)
-+ delete_lnk_files_pattern($1,home_type,home_type)
++ delete_files_pattern($1,home_type,home_type)
+')
+
+########################################
+## <summary>
-+## Create, read, write, and delete all symlinks
+ ## Create, read, write, and delete all files
+ ## in all users home directories.
+ ## </summary>
+@@ -4879,6 +5377,26 @@
+
+ ########################################
+ ## <summary>
++## Delete all symlinks
+## in all users home directories.
+## </summary>
+## <param name="domain">
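Review bot: `userdom_delete_all_users_home_content_files` as it now stands (`delete_files_pattern($1,home_type,home_type)` with the former `files_list_home($1)` dropped) is the only one of the three delete interfaces without `files_list_home($1)`; the dirs variant in the previous hunk and the symlinks variant in the next hunk both keep it. Unless the omission is deliberate, add `files_list_home($1)` above the pattern call so a caller that does not already get it elsewhere can traverse the home root; if it is deliberate, a short comment saying why would stop it being "fixed" later. The argument spacing `($1,home_type,home_type)` also differs from `delete_dirs_pattern($1, home_type, home_type)` in the sibling interface.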
@@ -676544,16 +676629,21 @@
+## </summary>
+## </param>
+#
-+interface(`userdom_manage_all_users_home_content_symlinks',`
++interface(`userdom_delete_all_users_home_content_symlinks',`
+ gen_require(`
+ attribute home_type;
+ ')
+
+ files_list_home($1)
- manage_lnk_files_pattern($1,home_type,home_type)
- ')
-
-@@ -5115,7 +5590,7 @@
++ delete_lnk_files_pattern($1,home_type,home_type)
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete all symlinks
+ ## in all users home directories.
+ ## </summary>
+@@ -5115,7 +5633,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -676562,7 +676652,7 @@
')
files_search_home($1)
-@@ -5304,6 +5779,63 @@
+@@ -5304,6 +5822,63 @@
########################################
## <summary>
@@ -676626,7 +676716,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,6 +6041,43 @@
+@@ -5509,6 +6084,43 @@
########################################
## <summary>
@@ -676670,7 +676760,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5559,7 +6128,7 @@
+@@ -5559,7 +6171,7 @@
attribute userdomain;
')
@@ -676679,7 +676769,7 @@
kernel_search_proc($1)
')
-@@ -5674,6 +6243,42 @@
+@@ -5674,6 +6286,42 @@
########################################
## <summary>
@@ -676722,7 +676812,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6309,408 @@
+@@ -5704,3 +6352,408 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')