[selinux-policy/f13/master] - Add authlogin_radius boolean - Fixes for certmonger policy - Allow xguest to use smartcard - Make

Miroslav Grepl mgrepl at fedoraproject.org
Tue Nov 2 17:04:11 UTC 2010


commit ef6c41e1526ef5c7f8f995b05b9aa3c0ae6bbcf6
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Nov 2 18:03:54 2010 +0100

    - Add authlogin_radius boolean
    - Fixes for certmonger policy
    - Allow xguest to use smartcard
    - Make sshd use user_tmp_t for its /tmp content

 policy-F13.patch    |  341 ++++++++++++++++++++++++++++++++-------------------
 selinux-policy.spec |    8 +-
 2 files changed, 224 insertions(+), 125 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 4ea86b4..20a068e 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2545,6 +2545,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +optional_policy(`
 +	xserver_dontaudit_write_log(shutdown_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.19/policy/modules/admin/smoltclient.te
+--- nsaserefpolicy/policy/modules/admin/smoltclient.te	2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/smoltclient.te	2010-10-26 13:48:18.337651044 +0200
+@@ -46,6 +46,7 @@
+ 
+ files_getattr_generic_locks(smoltclient_t)
+ files_read_etc_files(smoltclient_t)
++files_read_etc_runtime_files(smoltclient_t)
+ files_read_usr_files(smoltclient_t)
+ 
+ auth_use_nsswitch(smoltclient_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.fc serefpolicy-3.7.19/policy/modules/admin/sudo.fc
 --- nsaserefpolicy/policy/modules/admin/sudo.fc	2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/admin/sudo.fc	2010-09-13 15:54:07.362085420 +0200
@@ -14084,7 +14095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.19/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/roles/xguest.te	2010-08-20 13:55:45.358085064 +0200
++++ serefpolicy-3.7.19/policy/modules/roles/xguest.te	2010-11-02 17:09:32.420901767 +0100
 @@ -15,7 +15,7 @@
  
  ## <desc>
@@ -14143,20 +14154,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  	')
  ')
  
-@@ -81,19 +89,79 @@
+@@ -81,19 +89,84 @@
  ')
  
  optional_policy(`
 -	java_role(xguest_r, xguest_t)
 +	apache_role(xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
 +	gnomeclock_dontaudit_dbus_chat(xguest_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	chrome_role(xguest_r, xguest_usertype)
 +')
 +
@@ -14170,13 +14180,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
-+')
-+
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
++	pcscd_read_pub_files(xguest_usertype)
++	pcscd_stream_connect(xguest_usertype)
+ ')
+ 
 +#optional_policy(`
 +#    	telepathy_dbus_session_role(xguest_r, xguest_t)
 +#')
 +
-+optional_policy(`
+ optional_policy(`
  	tunable_policy(`xguest_connect_network',`
 +		kernel_read_network_state(xguest_usertype)
 +
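Review bot: `pcscd_read_pub_files(xguest_usertype)` and `pcscd_stream_connect(xguest_usertype)` are granted unconditionally, while the comparable widening for guest sessions just below is gated by `tunable_policy(`xguest_connect_network', ...)`; guest accounts do not always need a smartcard reader, and a boolean would let a site keep the pcscd socket closed to xguest without a local policy module. If it stays unconditional, a one-line why-comment inside the block, `# smartcard use for guest sessions via pcscd`, would at least record the intent next to the rule. The optional_policy list of xguest.te continues outside this hunk.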
@@ -14214,19 +14230,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_jabber_client_port(xguest_usertype)
-+	')
-+')
-+
+ 	')
+ ')
+ 
+-#gen_user(xguest_u,, xguest_r, s0, s0)
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
- 	')
++	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
- ')
- 
--#gen_user(xguest_u,, xguest_r, s0, s0)
++')
++
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.19/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2010-04-13 20:44:37.000000000 +0200
@@ -15354,7 +15370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-10-08 10:37:53.972901045 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-11-02 16:55:03.289650829 +0100
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -15421,7 +15437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  	files_exec_etc_files(httpd_$1_script_t)
  	files_read_etc_files(httpd_$1_script_t)
-@@ -108,19 +106,6 @@
+@@ -108,18 +106,7 @@
  
  	seutil_dontaudit_search_config(httpd_$1_script_t)
  
@@ -15437,11 +15453,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 -	tunable_policy(`allow_httpd_$1_script_anon_write',`
 -		miscfiles_manage_public_files(httpd_$1_script_t)
 -	')
--
++	apache_dontaudit_leaks(httpd_$1_script_t)
+ 
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
- 		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-@@ -140,6 +125,7 @@
+@@ -140,6 +127,7 @@
  		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
  		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
  		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
@@ -15449,7 +15465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	tunable_policy(`httpd_enable_cgi',`
-@@ -148,14 +134,19 @@
+@@ -148,14 +136,19 @@
  		# privileged users run the script:
  		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
  
@@ -15469,7 +15485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  		allow httpd_$1_script_t httpd_t:fd use;
  		allow httpd_$1_script_t httpd_t:process sigchld;
-@@ -172,6 +163,7 @@
+@@ -172,6 +165,7 @@
  		libs_read_lib_files(httpd_$1_script_t)
  
  		miscfiles_read_localization(httpd_$1_script_t)
@@ -15477,7 +15493,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	optional_policy(`
-@@ -182,15 +174,13 @@
+@@ -182,15 +176,13 @@
  
  	optional_policy(`
  		postgresql_unpriv_client(httpd_$1_script_t)
@@ -15495,7 +15511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -229,6 +219,13 @@
+@@ -229,6 +221,13 @@
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -15509,7 +15525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -312,6 +309,25 @@
+@@ -312,6 +311,25 @@
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -15535,7 +15551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -400,7 +416,7 @@
+@@ -400,7 +418,7 @@
  		type httpd_t;
  	')
  
@@ -15544,7 +15560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -526,6 +542,25 @@
+@@ -526,6 +544,25 @@
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -15570,7 +15586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -542,6 +577,26 @@
+@@ -542,6 +579,26 @@
  	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
  ')
  
@@ -15597,7 +15613,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Allow the specified domain to read
-@@ -756,6 +811,28 @@
+@@ -756,6 +813,28 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -15626,7 +15642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -814,6 +891,7 @@
+@@ -814,6 +893,7 @@
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -15634,7 +15650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	files_search_var($1)
  ')
  
-@@ -836,11 +914,62 @@
+@@ -836,11 +916,62 @@
  	')
  
  	files_search_var($1)
@@ -15697,7 +15713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +987,11 @@
+@@ -858,6 +989,11 @@
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -15709,7 +15725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1079,7 @@
+@@ -945,7 +1081,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -15718,7 +15734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -985,6 +1119,24 @@
+@@ -985,6 +1121,24 @@
  	allow $1 httpd_sys_content_t:dir search_dir_perms;
  ')
  
@@ -15743,7 +15759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Read apache system content.
-@@ -1086,6 +1238,25 @@
+@@ -1086,6 +1240,25 @@
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -15769,7 +15785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1273,7 @@
+@@ -1102,7 +1275,7 @@
  		type httpd_tmp_t;
  	')
  
@@ -15778,7 +15794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1172,7 +1343,7 @@
+@@ -1172,7 +1345,7 @@
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -15787,7 +15803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1373,62 @@
+@@ -1202,12 +1375,63 @@
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -15825,13 +15841,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +#
 +interface(`apache_dontaudit_leaks',`
 +	gen_require(`
-+		type httpd_t;
++		type httpd_t, httpd_tmp_t;
 +	')
 +
 +	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
 + 	dontaudit $1 httpd_t:tcp_socket { read write };
 +	dontaudit $1 httpd_t:unix_dgram_socket { read write };
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
++	dontaudit $1 httpd_tmp_t:file { read write };
 +')
 +
 +#######################################
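Review bot: The interface's `<summary>` block, which starts above this hunk, still describes process-level descriptors, but `dontaudit $1 httpd_tmp_t:file { read write };` extends `apache_dontaudit_leaks` to apache's temporary files, so the documentation should say so; the template at hunk `@@ -15437,11 +15453,11 @@` now calls this interface for every `httpd_$1_script_t`, which makes the scope worth stating. The permission set deliberately omits `open`, so under a policy with the open permission a script domain that actually opens a file in httpd_tmp_t is still audited and only inherited descriptors are silenced; a comment such as `# inherited fds only: open is not included, so a fresh open is still audited` would stop a later maintainer from "fixing" it into a wider set. The added `httpd_tmp_t` in `gen_require` is fine as long as apache.te declares it, which is not visible here.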
@@ -17844,8 +17861,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
 --- nsaserefpolicy/policy/modules/services/certmonger.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te	2010-10-08 10:39:56.442913129 +0200
-@@ -0,0 +1,83 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te	2010-11-02 17:07:05.681649412 +0100
+@@ -0,0 +1,88 @@
 +policy_module(certmonger,1.0.0)
 +
 +########################################
@@ -17872,6 +17889,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +#
 +
 +allow certmonger_t self:capability { kill sys_nice };
++dontaudit certmonger_t self:capability sys_tty_config;
++
 +allow certmonger_t self:process { fork getsched setsched sigkill };
 +allow certmonger_t self:fifo_file rw_file_perms;
 +allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
@@ -17899,6 +17918,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +files_read_usr_files(certmonger_t)
 +files_list_tmp(certmonger_t)
 +
++auth_rw_cache(certmonger_t)
++
 +miscfiles_read_localization(certmonger_t)
 +miscfiles_manage_cert_files(certmonger_t)
 +
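Review bot: `auth_rw_cache(certmonger_t)` is the only unconditional rule in this new file that grants write access to a type shared with other authentication daemons, and it carries no comment saying why certmonger needs it; the pcscd rules added in the next hunk suggest a smartcard-related cache, but that is inference. A why-comment above the call, `# needed for <which cache and why — confirm>`, would let the next reviewer judge whether read-only access would do. The certmonger_t local policy section continues outside this hunk.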
@@ -17927,6 +17948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +
 +optional_policy(`
 +	pcscd_stream_connect(certmonger_t)
++	pcscd_read_pub_files(certmonger_t)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.19/policy/modules/services/cgroup.fc
@@ -21855,7 +21877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc
  	files_list_etc($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.19/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/fprintd.te	2010-09-13 13:10:28.599085102 +0200
++++ serefpolicy-3.7.19/policy/modules/services/fprintd.te	2010-11-02 17:13:59.386650147 +0100
 @@ -18,9 +18,9 @@
  # Local policy
  #
@@ -21868,7 +21890,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -55,4 +55,6 @@
+@@ -41,6 +41,8 @@
+ 
+ auth_use_nsswitch(fprintd_t)
+ 
++init_dontaudit_leaks(fprintd_t)
++
+ miscfiles_read_localization(fprintd_t)
+ 
+ userdom_use_user_ptys(fprintd_t)
+@@ -55,4 +57,6 @@
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
@@ -23701,7 +23732,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
  	admin_pattern($1, ksmtuned_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.19/policy/modules/services/ksmtuned.te
 --- nsaserefpolicy/policy/modules/services/ksmtuned.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te	2010-06-21 21:11:46.923156716 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ksmtuned.te	2010-11-02 17:00:40.709901203 +0100
 @@ -10,6 +10,9 @@
  type ksmtuned_exec_t;
  init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
@@ -23723,7 +23754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
  manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
  files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
  
-@@ -32,9 +39,15 @@
+@@ -32,9 +39,17 @@
  dev_rw_sysfs(ksmtuned_t)
  
  domain_read_all_domains_state(ksmtuned_t)
@@ -23737,6 +23768,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
 +
 +term_use_all_terms(ksmtuned_t)
 +
++logging_send_syslog_msg(ksmtuned_t)
++
  miscfiles_read_localization(ksmtuned_t)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.19/policy/modules/services/ldap.fc
@@ -34674,7 +34707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +/root/\.shosts				gen_context(system_u:object_r:home_ssh_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.19/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2010-09-16 16:52:19.653637145 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ssh.if	2010-11-02 17:20:27.771899311 +0100
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -34827,7 +34860,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	# for rsync
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -359,7 +373,7 @@
+@@ -338,6 +352,7 @@
+ 	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
+ 	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
+ 	userdom_search_user_home_dirs($1_t)
++	userdom_manage_tmp_role($2, ssh_t)
+ 
+ 	##############################
+ 	#
+@@ -359,7 +374,7 @@
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -34836,7 +34877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -388,6 +402,7 @@
+@@ -388,6 +403,7 @@
  	logging_send_syslog_msg($1_ssh_agent_t)
  
  	miscfiles_read_localization($1_ssh_agent_t)
@@ -34844,7 +34885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
-@@ -395,10 +410,8 @@
+@@ -395,10 +411,8 @@
  	userdom_use_user_terminals($1_ssh_agent_t)
  
  	# for the transition back to normal privs upon exec
@@ -34856,7 +34897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -475,7 +488,7 @@
+@@ -475,7 +489,7 @@
  		type sshd_t;
  	')
  
@@ -34865,7 +34906,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  ########################################
  ## <summary>
-@@ -492,7 +505,7 @@
+@@ -492,7 +506,7 @@
  		type sshd_t;
  	')
  
@@ -34874,7 +34915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ########################################
-@@ -582,6 +595,25 @@
+@@ -582,6 +596,25 @@
  	domtrans_pattern($1, sshd_exec_t, sshd_t)
  ')
  
@@ -34900,7 +34941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ########################################
  ## <summary>
  ##	Execute the ssh client in the caller domain.
-@@ -616,7 +648,7 @@
+@@ -616,7 +649,7 @@
  		type sshd_key_t;
  	')
  
@@ -34909,7 +34950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	files_search_pids($1)
  ')
  
-@@ -693,7 +725,51 @@
+@@ -693,7 +726,51 @@
  		type sshd_key_t;
  	')
  
@@ -34962,7 +35003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  #######################################
-@@ -714,3 +790,67 @@
+@@ -714,3 +791,67 @@
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -35032,8 +35073,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2010-10-25 12:31:52.241650895 +0200
-@@ -34,6 +34,9 @@
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2010-11-02 17:26:10.850902064 +0100
+@@ -34,13 +34,12 @@
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
  
@@ -35043,7 +35084,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  type sshd_key_t;
  files_type(sshd_key_t)
  
-@@ -97,6 +100,8 @@
+-type sshd_tmp_t;
+-files_tmp_file(sshd_tmp_t)
+-files_poly_parent(sshd_tmp_t)
+-
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+ ')
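Review bot: Dropping `type sshd_tmp_t;`, `files_tmp_file(sshd_tmp_t)` and `files_poly_parent(sshd_tmp_t)` from ssh.te leaves at least one ssh.if interface still built around the type: the ssh.if hunk `@@ -714,3 +791,67 @@` keeps `delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)` unchanged, so its `gen_require` presumably still names `sshd_tmp_t`, and any module calling that interface will fail to link unless the type is still declared somewhere not shown here. Either keep the declaration or retire that interface in the same commit. Removing `files_poly_parent(sshd_tmp_t)` also ends polyinstantiation for sshd's /tmp content; if that is intended, it belongs in the commit description alongside the user_tmp_t change.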
+@@ -97,14 +96,11 @@
  allow ssh_t self:msg { send receive };
  allow ssh_t self:tcp_socket create_stream_socket_perms;
  
@@ -35052,7 +35100,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  # Read the ssh key file.
  allow ssh_t sshd_key_t:file read_file_perms;
  
-@@ -114,6 +119,7 @@
+-# Access the ssh temporary files.
+-allow ssh_t sshd_tmp_t:dir manage_dir_perms;
+-allow ssh_t sshd_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(ssh_t, sshd_tmp_t, { file dir })
+-
+ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+@@ -114,6 +110,7 @@
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -35060,7 +35116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +131,10 @@
+@@ -125,9 +122,10 @@
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -35074,7 +35130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -139,6 +146,8 @@
+@@ -139,6 +137,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -35083,7 +35139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -170,8 +179,10 @@
+@@ -170,8 +170,10 @@
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -35095,16 +35151,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -282,6 +293,8 @@
+@@ -282,32 +284,39 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
+-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
 +allow sshd_t self:process setcurrent;
-+
- manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
- manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
- manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -290,24 +303,34 @@
+ 
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
  
@@ -35122,6 +35178,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +userdom_read_user_home_content_files(sshd_t)
 +userdom_read_user_home_content_symlinks(sshd_t)
 +userdom_search_admin_dir(sshd_t)
++userdom_manage_tmp_role(system_r, sshd_t)
++userdom_spec_domtrans_unpriv_users(sshd_t)
++userdom_signal_unpriv_users(sshd_t)
 +
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
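Review bot: `userdom_manage_tmp_role(system_r, sshd_t)` moves everything sshd creates under /tmp into user_tmp_t, a type every user domain can manage, in place of the dedicated type whose rules the previous hunk removes; the removed `files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })` shows sshd creates dirs, files and sockets there, and from now on their separation from other logged-in users' domains rests on DAC alone rather than on the type. That is a deliberate loosening for a daemon that serves many users at once, so it deserves a comment above the call, `# sshd tmp content is user_tmp_t so user domains can reach it; cross-user isolation is DAC only`, and a sentence in the commit description. The ssh.if hunk `@@ -34827,7 +34860,15 @@` makes the same consolidation for the ssh_t client via `userdom_manage_tmp_role($2, ssh_t)`. The sshd_t local policy section continues outside this hunk.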
@@ -35135,15 +35194,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 -	userdom_signal_unpriv_users(sshd_t)
 +')
 +
-+userdom_spec_domtrans_unpriv_users(sshd_t)
-+userdom_signal_unpriv_users(sshd_t)
-+
 +optional_policy(`
 +	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
  
  optional_policy(`
-@@ -315,7 +338,12 @@
+@@ -315,7 +324,12 @@
  ')
  
  optional_policy(`
@@ -35157,7 +35213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -323,6 +351,10 @@
+@@ -323,6 +337,10 @@
  ')
  
  optional_policy(`
@@ -35168,7 +35224,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +365,18 @@
+@@ -333,10 +351,18 @@
  ')
  
  optional_policy(`
@@ -37187,7 +37243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-10-08 10:31:31.109650747 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te	2010-11-02 17:43:43.719667433 +0100
 @@ -1,5 +1,5 @@
  
 -policy_module(xserver, 3.3.2)
@@ -37368,7 +37424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +293,65 @@
+@@ -250,50 +293,106 @@
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -37437,8 +37493,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +fs_getattr_all_fs(xauth_t)
  fs_search_auto_mountpoints(xauth_t)
  
- # cjp: why?
-@@ -283,17 +361,36 @@
+-# cjp: why?
+-term_use_ptmx(xauth_t)
++# Probably leak
++# 583546 bug
++term_dontaudit_use_ptmx(xauth_t)
++term_dontaudit_use_console(xauth_t)
+ 
+ auth_use_nsswitch(xauth_t)
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
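Review bot: The replacement comment `# Probably leak` / `# 583546 bug` does not say what is leaked or by whom, and since `term_use_ptmx(xauth_t)` (an allow) becomes `term_dontaudit_use_ptmx(xauth_t)` plus `term_dontaudit_use_console(xauth_t)`, a reader needs to see that this suppresses noise rather than granting access. Suggest `# ptmx/console descriptors are likely leaked into xauth_t by its caller; dontaudit instead of allow (bug 583546)`. If a real need for the pty surfaces later, the previous allow is the documented fallback. The xauth_t section continues outside this hunk.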
@@ -37475,7 +37537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -305,20 +402,33 @@
+@@ -305,20 +404,33 @@
  # XDM Local policy
  #
  
@@ -37512,7 +37574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -326,32 +436,55 @@
+@@ -326,32 +438,55 @@
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -37573,7 +37635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xdm_t xserver_t:unix_stream_socket connectto;
  
  allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -359,10 +492,13 @@
+@@ -359,10 +494,13 @@
  
  # transition to the xdm xserver
  domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
@@ -37587,7 +37649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,18 +507,25 @@
+@@ -371,18 +509,25 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -37614,7 +37676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -394,11 +537,14 @@
+@@ -394,11 +539,14 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -37629,7 +37691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +552,7 @@
+@@ -406,6 +554,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -37637,7 +37699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -414,18 +561,22 @@
+@@ -414,18 +563,22 @@
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -37663,7 +37725,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -436,9 +587,17 @@
+@@ -436,9 +589,17 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -37681,7 +37743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +606,21 @@
+@@ -447,14 +608,21 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -37703,7 +37765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -465,10 +631,12 @@
+@@ -465,10 +633,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -37718,7 +37780,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +645,12 @@
+@@ -477,6 +647,12 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -37731,7 +37793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -508,11 +682,17 @@
+@@ -508,11 +684,17 @@
  ')
  
  optional_policy(`
@@ -37749,7 +37811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -520,12 +700,51 @@
+@@ -520,12 +702,51 @@
  ')
  
  optional_policy(`
@@ -37801,7 +37863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,20 +762,63 @@
+@@ -543,20 +764,63 @@
  ')
  
  optional_policy(`
@@ -37867,7 +37929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +827,6 @@
+@@ -565,7 +829,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -37875,7 +37937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +837,10 @@
+@@ -576,6 +839,10 @@
  ')
  
  optional_policy(`
@@ -37886,7 +37948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +865,9 @@
+@@ -600,10 +867,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -37898,7 +37960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +879,18 @@
+@@ -615,6 +881,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -37917,7 +37979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +910,19 @@
+@@ -634,12 +912,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -37939,7 +38001,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -647,6 +930,7 @@
+@@ -647,6 +932,7 @@
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -37947,7 +38009,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -673,7 +957,6 @@
+@@ -673,7 +959,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -37955,7 +38017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +966,12 @@
+@@ -683,9 +968,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -37969,7 +38031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +986,13 @@
+@@ -700,8 +988,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -37983,7 +38045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1014,14 @@
+@@ -723,11 +1016,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -37998,7 +38060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1073,28 @@
+@@ -779,12 +1075,28 @@
  ')
  
  optional_policy(`
@@ -38028,7 +38090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1121,7 @@
+@@ -811,7 +1123,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -38037,7 +38099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1142,14 @@
+@@ -832,9 +1144,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -38052,7 +38114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1164,14 @@
+@@ -849,11 +1166,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -38069,7 +38131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -999,3 +1317,33 @@
+@@ -999,3 +1319,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -38195,7 +38257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ifdef(`distro_suse', `
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.19/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.if	2010-10-13 08:41:54.579650714 +0200
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.if	2010-11-02 16:59:22.380650718 +0100
 @@ -41,7 +41,6 @@
  ## </param>
  #
@@ -38229,7 +38291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -151,6 +154,41 @@
+@@ -151,6 +154,45 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -38239,6 +38301,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +	userdom_delete_user_tmp_files($1)
 +	userdom_search_admin_dir($1)
 +
++	 tunable_policy(`authlogin_radius',`
++		corenet_udp_bind_all_unreserved_ports($1)
++	')
++
 +	optional_policy(`
 +		afs_rw_udp_sockets($1)
 +	')
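Review bot: The new `tunable_policy(`authlogin_radius', ...)` block hands every caller of this interface bind on the whole unreserved UDP range once the boolean is on, which is much broader than the single RADIUS exchange it is meant to enable. If the PAM module lets the kernel choose an ephemeral port, `corenet_udp_bind_generic_port($1)` would be the tighter grant; the wide one is only justified if the module binds an explicit local port of its own choosing, and that reasoning belongs in a comment such as `# pam_radius picks its own local UDP port, so it needs the full unreserved range`. Nothing in this hunk grants send/recv to the radius port itself (`corenet_udp_sendrecv_radius_port($1)`), so unless callers already get that elsewhere the boolean on its own will not make a RADIUS login work. The added line is also indented with a tab plus a stray space where the surrounding block uses tabs only. The enclosing interface starts and ends outside the hunk.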
@@ -38271,7 +38337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -365,13 +403,15 @@
+@@ -365,13 +407,15 @@
  	')
  
  	optional_policy(`
@@ -38288,7 +38354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -418,6 +458,7 @@
+@@ -418,6 +462,7 @@
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -38296,7 +38362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ')
  
  ########################################
-@@ -694,7 +735,7 @@
+@@ -694,7 +739,7 @@
  	')
  
  	files_search_etc($1)
@@ -38305,7 +38371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -1500,6 +1541,8 @@
+@@ -1500,6 +1545,8 @@
  #
  interface(`auth_use_nsswitch',`
  
@@ -38314,7 +38380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	files_list_var_lib($1)
  
  	# read /etc/nsswitch.conf
-@@ -1531,7 +1574,15 @@
+@@ -1531,7 +1578,15 @@
  	')
  
  	optional_policy(`
@@ -38333,8 +38399,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.19/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/authlogin.te	2010-08-20 13:51:57.715085006 +0200
-@@ -84,7 +84,7 @@
++++ serefpolicy-3.7.19/policy/modules/system/authlogin.te	2010-11-02 16:58:56.412650880 +0100
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow users to login using a radius server
++## </p>
++## </desc>
++gen_tunable(authlogin_radius, false)
++ 
+ attribute can_read_shadow_passwords;
+ attribute can_write_shadow_passwords;
+ attribute can_relabelto_shadow_passwords;
+@@ -84,7 +91,7 @@
  
  allow chkpwd_t self:capability { dac_override setuid };
  dontaudit chkpwd_t self:capability sys_tty_config;
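Review bot: The description of the new `authlogin_radius` tunable only says it allows RADIUS logins, but what it actually switches on is a network grant, and an admin reading the boolean list should see that; suggest `## Allow login programs to bind to unreserved UDP ports so that PAM can authenticate against a RADIUS server`. The line right after `gen_tunable(authlogin_radius, false)` is not blank but holds a single space, which lands as trailing whitespace in the generated policy source. Defaulting the boolean to false is the right call, since the extra grant is only needed on hosts that actually use a RADIUS PAM module.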
@@ -41199,7 +41279,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te	2010-10-13 08:11:09.866910335 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te	2010-10-26 13:46:49.368668089 +0200
 @@ -18,8 +18,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -41424,7 +41504,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -186,6 +280,19 @@
+@@ -186,6 +280,23 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -41440,11 +41520,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +')
 +
 +optional_policy(`
++	virt_read_blk_images(mount_t)
++')
++
++optional_policy(`
 +	vmware_exec_host(mount_t)
  ')
  
  ########################################
-@@ -194,6 +301,42 @@
+@@ -194,6 +305,42 @@
  #
  
  optional_policy(`
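Review bot: The `virt_read_blk_images(mount_t)` grant is new in this diff but is not listed in the changelog entry for this release, so it should be added there (or to the commit message) to keep the mount_t change traceable. Read-only access is the least-privilege choice for inspecting a guest image, but if mount has to set up a read-write loop device on such an image it will also need write access, which this line does not give — worth confirming against the denials this was meant to fix. The optional_policy list this sits in continues outside the hunk.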
@@ -46222,7 +46306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.19/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/userdomain.te	2010-08-13 08:20:57.407085107 +0200
++++ serefpolicy-3.7.19/policy/modules/system/userdomain.te	2010-11-02 17:26:58.264649340 +0100
 @@ -29,18 +29,18 @@
  
  ## <desc>
@@ -46278,6 +46362,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  userdom_user_home_content(user_home_t)
  fs_associate_tmpfs(user_home_t)
  files_associate_tmp(user_home_t)
+@@ -85,7 +95,7 @@
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+ 
+-type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
++type user_tmp_t alias { staff_tmp_t sysadm_tmp_t secadm_tmp_t sshd_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
+ files_tmp_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
 @@ -97,3 +107,41 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
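Review bot: Folding `sshd_tmp_t` into the `user_tmp_t` alias list means whatever sshd places under /tmp (typically its per-session directories and forwarding sockets) becomes reachable by every domain that can manage `user_tmp_t`, so separation between sshd's tmp content and ordinary user tmp files now rests on DAC permissions alone; that is presumably the intent, but it deserves a comment beside the alias, e.g. `# sshd_tmp_t is aliased so user domains can reach sshd's per-session /tmp content`. If ssh.te still carries its own `type sshd_tmp_t;` declaration the build will fail on a duplicate type, and that side of the change is not visible in this chunk. Existing files labelled sshd_tmp_t keep working through the alias, so no relabel is needed for the rename itself.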
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 172d278..51461b2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 69%{?dist}
+Release: 70%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 2 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-70
+- Add authlogin_radius boolean
+- Fixes for certmonger policy
+- Allow xguest to use smartcard
+- Make sshd to use user_tmp_t for its /tmp content
+
 * Tue Oct 26 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-69
 - Dontaudit init leaks
 

