[selinux-policy/f14/master] - Allow seunshare to fowner
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 25 13:44:06 UTC 2010
commit f8f2073784062ef530c984b2d204dc6c8cee39ff
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Aug 25 09:44:01 2010 -0400
- Allow seunshare to fowner
policy-F14.patch | 105 ++++++++++++++++++++++++++++++++-------------------
selinux-policy.spec | 5 ++-
2 files changed, 70 insertions(+), 40 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index 7b7cb6e..4a1f485 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -6211,8 +6211,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.8.8/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-23 08:34:27.000000000 -0400
-@@ -0,0 +1,333 @@
++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.if 2010-08-25 09:14:51.000000000 -0400
+@@ -0,0 +1,334 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -6250,6 +6250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1 sandbox_x_domain:process { signal_perms transition };
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
+ allow sandbox_x_domain $1:process { sigchld signull };
++ dontaudit sandbox_domain $1:process signal;
+ role $2 types sandbox_x_domain;
+ role $2 types sandbox_xserver_t;
+ allow $1 sandbox_xserver_t:process signal_perms;
@@ -7007,7 +7008,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-11 08:01:44.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-08-25 09:09:14.000000000 -0400
@@ -5,40 +5,45 @@
# Declarations
#
@@ -7022,7 +7023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@@ -7283,8 +7284,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.8/policy/modules/apps/telepathy.te
--- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-19 05:59:57.000000000 -0400
-@@ -0,0 +1,311 @@
++++ serefpolicy-3.8.8/policy/modules/apps/telepathy.te 2010-08-25 09:41:04.000000000 -0400
+@@ -0,0 +1,313 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -7335,9 +7336,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
+
+manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
++manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
+files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
-+userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file})
++userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file})
++userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
+
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
@@ -10143,7 +10146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.8.8/policy/modules/roles/staff.te
--- nsaserefpolicy/policy/modules/roles/staff.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-19 06:52:30.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/roles/staff.te 2010-08-24 23:01:42.000000000 -0400
@@ -8,25 +8,60 @@
role staff_r;
@@ -10158,10 +10161,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
# Local policy
#
-+kernel_read_ring_buffer(staff_t)
-+kernel_getattr_core_if(staff_t)
-+kernel_getattr_message_if(staff_t)
-+kernel_read_software_raid_state(staff_t)
++kernel_read_ring_buffer(staff_usertype)
++kernel_getattr_core_if(staff_usertype)
++kernel_getattr_message_if(staff_usertype)
++kernel_read_software_raid_state(staff_usertype)
+
+auth_domtrans_pam_console(staff_t)
+
@@ -21138,7 +21141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.8.8/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nut.te 2010-08-25 09:16:11.000000000 -0400
@@ -41,7 +41,7 @@
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
@@ -21148,7 +21151,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
kernel_read_kernel_sysctls(nut_upsd_t)
-@@ -103,6 +103,10 @@
+@@ -65,6 +65,7 @@
+ allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
+ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+ allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+ read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+@@ -103,6 +104,10 @@
mta_send_mail(nut_upsmon_t)
@@ -22382,8 +22393,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.8.8/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-07-30 14:06:53.000000000 -0400
-@@ -376,6 +376,25 @@
++++ serefpolicy-3.8.8/policy/modules/services/postfix.if 2010-08-25 09:35:31.000000000 -0400
+@@ -77,6 +77,7 @@
+
+ files_read_etc_files(postfix_$1_t)
+ files_read_etc_runtime_files(postfix_$1_t)
++ files_read_usr_files(postfix_$1_t)
+ files_read_usr_symlinks(postfix_$1_t)
+ files_search_spool(postfix_$1_t)
+ files_getattr_tmp_dirs(postfix_$1_t)
+@@ -376,6 +377,25 @@
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -22409,7 +22428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
########################################
## <summary>
## Execute the master postfix program in the
-@@ -529,6 +548,25 @@
+@@ -529,6 +549,25 @@
########################################
## <summary>
@@ -22435,7 +22454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Search postfix mail spool directories.
## </summary>
## <param name="domain">
-@@ -539,10 +577,10 @@
+@@ -539,10 +578,10 @@
#
interface(`postfix_search_spool',`
gen_require(`
@@ -22448,7 +22467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -558,10 +596,10 @@
+@@ -558,10 +597,10 @@
#
interface(`postfix_list_spool',`
gen_require(`
@@ -22461,7 +22480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
files_search_spool($1)
')
-@@ -577,11 +615,11 @@
+@@ -577,11 +616,11 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -22475,7 +22494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -596,11 +634,11 @@
+@@ -596,11 +635,11 @@
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -22489,7 +22508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
########################################
-@@ -621,3 +659,101 @@
+@@ -621,3 +660,101 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -22593,7 +22612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.8.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-23 14:01:01.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/postfix.te 2010-08-25 09:35:15.000000000 -0400
@@ -5,6 +5,15 @@
# Declarations
#
@@ -30372,7 +30391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
# /var
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/init.if 2010-08-25 07:50:48.000000000 -0400
@@ -105,7 +105,11 @@
role system_r types $1;
@@ -35089,7 +35108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.8.8/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-07-30 14:45:35.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.te 2010-08-25 07:51:06.000000000 -0400
@@ -5,6 +5,13 @@
# Declarations
#
@@ -35150,7 +35169,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -155,6 +173,10 @@
+@@ -130,6 +148,7 @@
+ term_dontaudit_use_generic_ptys(dhcpc_t)
+
+ init_rw_utmp(dhcpc_t)
++init_stream_connect(dhcpc_t)
+
+ logging_send_syslog_msg(dhcpc_t)
+
+@@ -155,6 +174,10 @@
')
optional_policy(`
@@ -35161,7 +35188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
init_dbus_chat_script(dhcpc_t)
dbus_system_bus_client(dhcpc_t)
-@@ -171,6 +193,8 @@
+@@ -171,6 +194,8 @@
optional_policy(`
hal_dontaudit_rw_dgram_sockets(dhcpc_t)
@@ -35170,7 +35197,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -192,6 +216,13 @@
+@@ -192,6 +217,13 @@
')
optional_policy(`
@@ -35184,7 +35211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_read_ypbind_pid(dhcpc_t)
')
-@@ -213,6 +244,7 @@
+@@ -213,6 +245,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -35192,7 +35219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -276,8 +308,11 @@
+@@ -276,8 +309,11 @@
domain_use_interactive_fds(ifconfig_t)
@@ -35204,7 +35231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -305,6 +340,8 @@
+@@ -305,6 +341,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -35213,7 +35240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -314,6 +351,10 @@
+@@ -314,6 +352,10 @@
')
')
@@ -35224,7 +35251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
ifdef(`hide_broken_symptoms',`
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -327,6 +368,8 @@
+@@ -327,6 +369,8 @@
optional_policy(`
hal_dontaudit_rw_pipes(ifconfig_t)
hal_dontaudit_rw_dgram_sockets(ifconfig_t)
@@ -35233,7 +35260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
optional_policy(`
-@@ -334,6 +377,10 @@
+@@ -334,6 +378,10 @@
')
optional_policy(`
@@ -35244,7 +35271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +402,9 @@
+@@ -355,3 +403,9 @@
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -36150,7 +36177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <<none>>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-19 07:42:28.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/userdomain.if 2010-08-25 09:41:50.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -38391,7 +38418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+
+########################################
+## <summary>
-+## Dontaudit search user temporary directories.
++## Dontaudit attempt to set attributes on user temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -38399,12 +38426,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+## </summary>
+## </param>
+#
-+interface(`userdom_dontaduit_search_user_tmp',`
++interface(`userdom_dontaudit_setattr_user_tmp',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ dontaudit $1 user_tmp_t:dir search_dir_perms;
++ dontaudit $1 user_tmp_t:dir setattr;
+')
+
+########################################
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e4dedb8..cfdf87e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Tue Aug 24 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-21
+- Allow seunshare to fowner
+
* Tue Aug 24 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-20
- Allow cron to look at user_cron_spool links
- Lots of fixes for mozilla_plugin_t
More information about the scm-commits
mailing list