rpms/selinux-policy/F-9 policy-20071130.patch,1.253,1.254

Miroslav Grepl mgrepl at fedoraproject.org
Thu Feb 19 10:33:09 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12213

Modified Files:
	policy-20071130.patch 
Log Message:
- Fix kismet policy



policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.253
retrieving revision 1.254
diff -u -r1.253 -r1.254
--- policy-20071130.patch	13 Feb 2009 14:09:56 -0000	1.253
+++ policy-20071130.patch	19 Feb 2009 10:33:02 -0000	1.254
@@ -572895,8 +572895,8 @@
 +/var/run/kismet_server.pid	--	gen_context(system_u:object_r:kismet_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if	2009-02-12 22:21:57.000000000 +0100
-@@ -0,0 +1,252 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if	2009-02-19 11:22:07.000000000 +0100
+@@ -0,0 +1,253 @@
 +## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
 +
 +########################################
@@ -572915,6 +572915,7 @@
 +	')
 +
 +	domtrans_pattern($1, kismet_exec_t, kismet_t)
++	allow kismet_t $1:process signull;
 +')
 +
 +########################################
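Review bot: The new rule `allow kismet_t $1:process signull;` carries no comment explaining why the kismet domain needs to probe its caller, and the enclosing interface (its head and summary are above this hunk) documents only the domain transition. A one-line why-comment above the rule would help the next maintainer, e.g. `# kismet_t checks that the caller still exists (signal 0); signull grants no real signal delivery`. Note the direction: this lets kismet_t probe the caller, not the caller probe kismet_t — please confirm that is the intended side, since the hunk gives no AVC to go on.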
@@ -573151,8 +573152,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te	2009-02-12 22:21:57.000000000 +0100
-@@ -0,0 +1,77 @@
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te	2009-02-19 11:27:37.000000000 +0100
+@@ -0,0 +1,98 @@
 +
 +policy_module(kismet, 1.0.2)
 +
@@ -573175,6 +573176,12 @@
 +type kismet_log_t;
 +logging_log_file(kismet_log_t)
 +
++type kismet_tmpfs_t;
++files_tmpfs_file(kismet_tmpfs_t)
++
++type kismet_tmp_t;
++files_tmp_file(kismet_tmp_t)
++
 +########################################
 +#
 +# kismet local policy
@@ -573200,6 +573207,14 @@
 +allow kismet_t kismet_var_run_t:dir manage_dir_perms;
 +files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
 +
++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
++
++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
++
 +corecmd_exec_bin(kismet_t)
 +
 +corenet_all_recvfrom_unlabeled(kismet_t)
@@ -573209,6 +573224,7 @@
 +corenet_tcp_sendrecv_all_ports(kismet_t)
 +corenet_tcp_bind_all_nodes(kismet_t)
 +corenet_tcp_bind_kismet_port(kismet_t)
++corenet_tcp_connect_pulseaudio_port(kismet_t)
 +
 +kernel_search_debugfs(kismet_t)
 +
@@ -573218,11 +573234,17 @@
 +
 +files_read_usr_files(kismet_t)
 +
++fs_getattr_tmpfs(kismet_t)
++
 +libs_use_ld_so(kismet_t)
 +libs_use_shared_libs(kismet_t)
 +
 +miscfiles_read_localization(kismet_t)
 +
++userdom_read_generic_user_tmpfs_files(kismet_t)
++
++userdom_dontaudit_manage_sysadm_home_files(kismet_t)
++
 +optional_policy(`
 +	dbus_system_bus_client_template(kismet, kismet_t)
 +
@@ -673972,7 +673994,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-26 14:23:09.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2009-02-12 22:21:57.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2009-02-19 11:21:16.000000000 +0100
 @@ -29,9 +29,14 @@
  	')
  
@@ -675947,7 +675969,7 @@
  ')
  
  ########################################
-@@ -3254,6 +3473,42 @@
+@@ -3254,6 +3473,63 @@
  ##	</summary>
  ## </param>
  #
@@ -675962,6 +675984,27 @@
 +	read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
 +')
 +
++######################################
++## <summary>
++##      Read user tmpfs files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`userdom_read_generic_user_tmpfs_files',`
++        gen_require(`
++                type user_tmpfs_t;
++        ')
++
++        read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++        read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++        allow $1 user_tmpfs_t:dir list_dir_perms;
++        fs_search_tmpfs($1)
++')
++
 +########################################
 +## <summary>
 +##	Read/write user tmpfs files.
@@ -675990,7 +676033,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -3267,6 +3522,42 @@
+@@ -3267,6 +3543,42 @@
  
  ########################################
  ## <summary>
@@ -676033,7 +676076,7 @@
  ##	List users untrusted directories.
  ## </summary>
  ## <desc>
-@@ -3962,6 +4253,24 @@
+@@ -3962,6 +4274,24 @@
  
  ########################################
  ## <summary>
@@ -676058,7 +676101,7 @@
  ##	Manage unpriviledged user SysV shared
  ##	memory segments.
  ## </summary>
-@@ -4231,11 +4540,11 @@
+@@ -4231,11 +4561,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -676072,7 +676115,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4560,10 @@
+@@ -4251,10 +4581,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -676085,7 +676128,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4579,11 @@
+@@ -4270,11 +4600,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -676099,7 +676142,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4598,16 @@
+@@ -4289,16 +4619,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -676119,7 +676162,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4616,54 @@
+@@ -4307,12 +4637,54 @@
  ##	</summary>
  ## </param>
  #
@@ -676177,7 +676220,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4678,13 @@
+@@ -4327,13 +4699,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -676195,7 +676238,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4882,10 @@
+@@ -4531,10 +4903,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -676208,7 +676251,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4902,10 @@
+@@ -4551,10 +4923,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -676221,7 +676264,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4920,10 @@
+@@ -4569,10 +4941,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -676234,7 +676277,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4939,10 @@
+@@ -4588,10 +4960,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -676247,7 +676290,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4957,10 @@
+@@ -4606,10 +4978,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -676260,7 +676303,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4976,10 @@
+@@ -4625,10 +4997,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -676273,17 +676316,14 @@
  ')
  
  ########################################
-@@ -4644,12 +4995,29 @@
+@@ -4644,14 +5016,53 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
 -		type sysadm_home_dir_t, sysadm_home_t;
 +		type admin_home_t;
- 	')
- 
--	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
--	dontaudit $1 sysadm_home_t:dir search_dir_perms;
--	dontaudit $1 sysadm_home_t:file read_file_perms;
++	')
++
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
 +	dontaudit $1 admin_home_t:file read_file_perms;
 +')
@@ -676301,13 +676341,40 @@
 +interface(`userdom_dontaudit_read_sysadm_home_sym_links',`
 +	gen_require(`
 +		type admin_home_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+-	dontaudit $1 sysadm_home_t:dir search_dir_perms;
+-	dontaudit $1 sysadm_home_t:file read_file_perms;
 +	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
++')
++
++#######################################
++## <summary>
++##      Do not audit attempts to manage files in the sysadm
++##      home directory.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain to not audit.
++##      </summary>
++## </param>
++#
++interface(`userdom_dontaudit_manage_sysadm_home_files',`
++        gen_require(`
++                type admin_home_t;
++        ')
++
++        dontaudit $1 admin_home_t:dir manage_dir_perms;
++        dontaudit $1 admin_home_t:file manage_file_perms;
++        dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
  ')
  
++
  ########################################
-@@ -4676,10 +5044,10 @@
+ ## <summary>
+ ##	Create objects in sysadm home directories
+@@ -4676,10 +5087,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
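Review bot: The summary of `userdom_dontaudit_manage_sysadm_home_files` says "manage files in the sysadm home directory" but the body also dontaudits `admin_home_t:dir manage_dir_perms` and `admin_home_t:lnk_file manage_lnk_file_perms`; a reader checking what the caller's denials are being hidden for should see that, e.g. `##	Do not audit attempts to create, read, write, or delete files, directories and symlinks in the sysadm home directory.`. The interface is indented with spaces where the rest of the file uses tabs, and there is a stray blank `+` line between its closing `')` and the `########` separator that the neighbouring interfaces do not have. Because this is a dontaudit over the full manage set, any caller that is actually expected to write into /root will fail silently; worth stating in the `<desc>` that it is only for callers that merely stumble over the admin home directory.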
@@ -676320,7 +676387,7 @@
  ')
  
  ########################################
-@@ -4694,10 +5062,10 @@
+@@ -4694,10 +5105,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -676333,7 +676400,7 @@
  ')
  
  ########################################
-@@ -4712,13 +5080,13 @@
+@@ -4712,13 +5123,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -676351,151 +676418,156 @@
  ')
  
  ########################################
-@@ -4754,11 +5122,49 @@
+@@ -4754,16 +5165,16 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
+-		attribute home_dir_type;
 +		attribute user_home_dir_type;
-+	')
-+
-+	files_list_home($1)
-+	allow $1 user_home_dir_type:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_dirs_symlinks',`
-+	gen_require(`
- 		attribute home_dir_type;
  	')
  
  	files_list_home($1)
 -	allow $1 home_dir_type:dir search_dir_perms;
-+	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read all users home directories symlinks.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_read_all_users_home_content_symlinks',`
-+	gen_require(`
-+		type user_home_t;
-+	')
-+
-+	files_list_home($1)
-+	allow $1 user_home_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
-@@ -4778,6 +5184,14 @@
- 
- 	files_list_home($1)
- 	allow $1 home_dir_type:dir list_dir_perms;
-+
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_list_nfs($1)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_list_cifs($1)
-+	')
++	allow $1 user_home_dir_type:dir search_dir_perms;
  ')
  
  ########################################
-@@ -4815,6 +5229,8 @@
+ ## <summary>
+-##	List all users home directories.
++##	Read all users home directories symlinks.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4771,18 +5182,18 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_list_all_users_home_dirs',`
++interface(`userdom_read_all_users_home_dirs_symlinks',`
+ 	gen_require(`
+ 		attribute home_dir_type;
  	')
  
- 	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
-+	fs_dontaudit_list_nfs($1)
-+	fs_dontaudit_list_cifs($1)
+ 	files_list_home($1)
+-	allow $1 home_dir_type:dir list_dir_perms;
++	allow $1 home_dir_type:lnk_file read_lnk_file_perms;
  ')
  
  ########################################
-@@ -4839,7 +5255,7 @@
- 
- ########################################
  ## <summary>
--##	Create, read, write, and delete all directories
-+##	delete all directories
- ##	in all users home directories.
+-##	Search all users home directories.
++##	Read all users home directories symlinks.
  ## </summary>
  ## <param name="domain">
-@@ -4848,18 +5264,18 @@
+ ##	<summary>
+@@ -4790,36 +5201,45 @@
  ##	</summary>
  ## </param>
  #
--interface(`userdom_manage_all_users_home_content_dirs',`
-+interface(`userdom_delete_all_users_home_content_dirs',`
+-interface(`userdom_search_all_users_home_content',`
++interface(`userdom_read_all_users_home_content_symlinks',`
  	gen_require(`
- 		attribute home_type;
+-		attribute home_dir_type, home_type;
++		type user_home_t;
  	')
  
  	files_list_home($1)
--	allow $1 home_type:dir manage_dir_perms;
-+	delete_dirs_pattern($1, home_type, home_type)
+-	allow $1 { home_dir_type home_type }:dir search_dir_perms;
++	allow $1 user_home_t:lnk_file read_lnk_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete all files
-+##	Create, read, write, and delete all directories
- ##	in all users home directories.
+-##	Do not audit attempts to search all users home directories.
++##	List all users home directories.
  ## </summary>
  ## <param name="domain">
-@@ -4868,18 +5284,18 @@
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`userdom_manage_all_users_home_content_files',`
-+interface(`userdom_manage_all_users_home_content_dirs',`
+-interface(`userdom_dontaudit_search_all_users_home_content',`
++interface(`userdom_list_all_users_home_dirs',`
  	gen_require(`
- 		attribute home_type;
+-		attribute home_dir_type, home_type;
++		attribute home_dir_type;
  	')
  
- 	files_list_home($1)
--	manage_files_pattern($1,home_type,home_type)
-+	allow $1 home_type:dir manage_dir_perms;
+-	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++	files_list_home($1)
++	allow $1 home_dir_type:dir list_dir_perms;
++
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_list_nfs($1)
++	')
++
++	tunable_policy(`use_samba_home_dirs',`
++		fs_list_cifs($1)
++	')
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete all symlinks
-+##	Delete all files
- ##	in all users home directories.
+-##	Read all files in all users home directories.
++##	Search all users home directories.
  ## </summary>
  ## <param name="domain">
-@@ -4888,12 +5304,71 @@
+ ##	<summary>
+@@ -4827,7 +5247,46 @@
  ##	</summary>
  ## </param>
  #
--interface(`userdom_manage_all_users_home_content_symlinks',`
-+interface(`userdom_delete_all_users_home_content_files',`
- 	gen_require(`
- 		attribute home_type;
- 	')
- 
--	files_list_home($1)
-+	delete_files_pattern($1,home_type,home_type)
+-interface(`userdom_read_all_users_home_content_files',`
++interface(`userdom_search_all_users_home_content',`
++	gen_require(`
++		attribute home_dir_type, home_type;
++	')
++
++	files_list_home($1)
++	allow $1 { home_dir_type home_type }:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete all files
++##	Do not audit attempts to search all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_search_all_users_home_content',`
++	gen_require(`
++		attribute home_dir_type, home_type;
++	')
++
++	dontaudit $1 { home_dir_type home_type }:dir search_dir_perms;
++	fs_dontaudit_list_nfs($1)
++	fs_dontaudit_list_cifs($1)
++')
++
++########################################
++## <summary>
++##	Read all files in all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_read_all_users_home_content_files',`
+ 	gen_require(`
+ 		attribute home_type;
+ 	')
+@@ -4839,6 +5298,26 @@
+ 
+ ########################################
+ ## <summary>
++##	delete all directories
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
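Review bot: The summary for `userdom_read_all_users_home_content_symlinks` reads `Read all users home directories symlinks.`, identical to the summary of the sibling `userdom_read_all_users_home_dirs_symlinks` just above it, although the two grant different things (user_home_t content symlinks versus home_dir_type directory symlinks); suggest `##	Read symlinks in the content of all users home directories.` for the content variant. In the same hunk the new summary `delete all directories` is lowercased and should match its siblings, e.g. `##	Delete all directories`. The rest of this hunk is the inner patch regenerated with the same net content, so only the doc strings are at issue; one point to keep in mind, though, is that `userdom_search_all_users_home_dirs` now requires `user_home_dir_type` instead of `home_dir_type`, which narrows what callers can search if any home-dir type is in the latter attribute but not the former — not introduced here, but worth a confirming comment.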
@@ -676504,18 +676576,25 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_all_users_home_content_files',`
++interface(`userdom_delete_all_users_home_content_dirs',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
 +	files_list_home($1)
-+	manage_files_pattern($1,home_type,home_type)
++	delete_dirs_pattern($1, home_type, home_type)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all symlinks
+ ##	Create, read, write, and delete all directories
+ ##	in all users home directories.
+ ## </summary>
+@@ -4859,6 +5338,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete all files
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
@@ -676524,18 +676603,24 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_delete_all_users_home_content_symlinks',`
++interface(`userdom_delete_all_users_home_content_files',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
-+	files_list_home($1)
-+	delete_lnk_files_pattern($1,home_type,home_type)
++	delete_files_pattern($1,home_type,home_type)
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete all symlinks
+ ##	Create, read, write, and delete all files
+ ##	in all users home directories.
+ ## </summary>
+@@ -4879,6 +5377,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete all symlinks
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
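Review bot: `userdom_delete_all_users_home_content_files` calls `delete_files_pattern($1,home_type,home_type)` without a preceding `files_list_home($1)`, unlike the delete-dirs and delete-symlinks siblings and the manage variant it was split from, so a caller that has no other search permission on the home root may be unable to reach the files it is supposed to delete. Unless the omission is deliberate, add `files_list_home($1)` before the `delete_files_pattern` line so the three delete interfaces behave alike. If it is deliberate, a comment saying why would stop the next reader from "fixing" it.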
@@ -676544,16 +676629,21 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_all_users_home_content_symlinks',`
++interface(`userdom_delete_all_users_home_content_symlinks',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
 +	files_list_home($1)
- 	manage_lnk_files_pattern($1,home_type,home_type)
- ')
- 
-@@ -5115,7 +5590,7 @@
++	delete_lnk_files_pattern($1,home_type,home_type)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete all symlinks
+ ##	in all users home directories.
+ ## </summary>
+@@ -5115,7 +5633,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -676562,7 +676652,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5779,63 @@
+@@ -5304,6 +5822,63 @@
  
  ########################################
  ## <summary>
@@ -676626,7 +676716,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +6041,43 @@
+@@ -5509,6 +6084,43 @@
  
  ########################################
  ## <summary>
@@ -676670,7 +676760,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5559,7 +6128,7 @@
+@@ -5559,7 +6171,7 @@
  		attribute userdomain;
  	')
  
@@ -676679,7 +676769,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -5674,6 +6243,42 @@
+@@ -5674,6 +6286,42 @@
  
  ########################################
  ## <summary>
@@ -676722,7 +676812,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6309,408 @@
+@@ -5704,3 +6352,408 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')



