[selinux-policy/f12/master] - Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot di
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Nov 4 16:30:58 UTC 2010
commit 9ba2a3f26a8917e8b424d366b008296f06770a44
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Thu Nov 4 17:30:39 2010 +0100
- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
policy-20100106.patch | 271 ++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 5 +-
2 files changed, 206 insertions(+), 70 deletions(-)
---
diff --git a/policy-20100106.patch b/policy-20100106.patch
index d7d1ca2..27ef5db 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -626,6 +626,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(alsa_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.if serefpolicy-3.6.32/policy/modules/admin/bootloader.if
+--- nsaserefpolicy/policy/modules/admin/bootloader.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/admin/bootloader.if 2010-11-03 13:15:45.977900433 +0100
+@@ -18,6 +18,24 @@
+ domtrans_pattern($1, bootloader_exec_t, bootloader_t)
+ ')
+
++######################################
++## <summary>
++## Execute bootloader in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`bootloader_exec',`
++ gen_require(`
++ type bootloader_exec_t;
++ ')
++
++ can_exec($1, bootloader_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Execute bootloader interactively and do
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.6.32/policy/modules/admin/consoletype.if
--- nsaserefpolicy/policy/modules/admin/consoletype.if 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/admin/consoletype.if 2010-02-21 19:47:22.082308968 +0100
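Review bot: The new `bootloader_exec` interface says only that the bootloader runs "in the caller domain" without spelling out the consequence: `can_exec($1, bootloader_exec_t)` grants execution with no domain transition, so the bootloader binary runs with every permission of the calling domain. A second summary line such as `## No domain transition is performed; the bootloader runs with the caller's privileges.` would tell policy authors what they hand out when they call it. Separately, the new interface banner is 38 `#` characters while the existing banners in this file are 40; the same mismatch appears in the files.if hunk below (38) and the consolekit.if hunk below (39), so all three could be aligned with their neighbours.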
@@ -4532,7 +4560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/tmp/lost\+found/.* <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-02-21 20:44:28.921325502 +0100
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-04-23 07:41:58.899496269 +0200
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2010-11-03 13:16:27.522650494 +0100
@@ -1152,6 +1152,102 @@
allow $1 file_type:filesystem unmount;
')
@@ -4661,7 +4689,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create directories in /boot
## </summary>
## <param name="domain">
-@@ -1772,7 +1886,8 @@
+@@ -1580,6 +1694,25 @@
+ relabelfrom_files_pattern($1, boot_t, boot_t)
+ ')
+
++######################################
++## <summary>
++## Read symbolic links
++## in the /boot directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_read_boot_symlinks',`
++ gen_require(`
++ type boot_t;
++ ')
++
++ read_lnk_files_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Read and write symbolic links
+@@ -1772,7 +1905,8 @@
########################################
## <summary>
@@ -4671,7 +4725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -1780,13 +1895,12 @@
+@@ -1780,13 +1914,12 @@
## </summary>
## </param>
#
@@ -4686,7 +4740,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1865,6 +1979,25 @@
+@@ -1865,6 +1998,25 @@
########################################
## <summary>
@@ -4712,7 +4766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Read symbolic links with the default file type.
## </summary>
## <param name="domain">
-@@ -1991,7 +2124,7 @@
+@@ -1991,7 +2143,7 @@
########################################
## <summary>
@@ -4721,7 +4775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -1999,21 +2132,36 @@
+@@ -1999,21 +2151,36 @@
## </summary>
## </param>
#
@@ -4765,7 +4819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -2021,14 +2169,16 @@
+@@ -2021,14 +2188,16 @@
## </summary>
## </param>
#
@@ -4787,7 +4841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2276,8 +2426,8 @@
+@@ -2276,8 +2445,8 @@
')
allow $1 etc_t:dir list_dir_perms;
@@ -4798,7 +4852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2654,6 +2804,7 @@
+@@ -2654,6 +2823,7 @@
')
allow $1 home_root_t:dir getattr;
@@ -4806,7 +4860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2674,6 +2825,7 @@
+@@ -2674,6 +2844,7 @@
')
dontaudit $1 home_root_t:dir getattr;
@@ -4814,7 +4868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2692,6 +2844,7 @@
+@@ -2692,6 +2863,7 @@
')
allow $1 home_root_t:dir search_dir_perms;
@@ -4822,7 +4876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2711,6 +2864,7 @@
+@@ -2711,6 +2883,7 @@
')
dontaudit $1 home_root_t:dir search_dir_perms;
@@ -4830,7 +4884,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2730,6 +2884,7 @@
+@@ -2730,6 +2903,7 @@
')
dontaudit $1 home_root_t:dir list_dir_perms;
@@ -4838,7 +4892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -2748,6 +2903,25 @@
+@@ -2748,6 +2922,25 @@
')
allow $1 home_root_t:dir list_dir_perms;
@@ -4864,7 +4918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -3480,6 +3654,24 @@
+@@ -3480,6 +3673,24 @@
read_files_pattern($1, tmp_t, tmp_t)
')
@@ -4889,7 +4943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Manage temporary directories in /tmp.
-@@ -3598,26 +3790,25 @@
+@@ -3598,26 +3809,25 @@
########################################
## <summary>
@@ -4921,7 +4975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## of all tmp files.
## </summary>
## <param name="domain">
-@@ -3626,18 +3817,18 @@
+@@ -3626,18 +3836,18 @@
## </summary>
## </param>
#
@@ -4944,7 +4998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -3645,30 +3836,31 @@
+@@ -3645,30 +3855,31 @@
## </summary>
## </param>
#
@@ -4982,7 +5036,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4438,7 +4630,7 @@
+@@ -4438,7 +4649,7 @@
########################################
## <summary>
@@ -4991,7 +5045,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -4446,17 +4638,17 @@
+@@ -4446,17 +4657,17 @@
## </summary>
## </param>
#
@@ -5013,7 +5067,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -4464,17 +4656,17 @@
+@@ -4464,17 +4675,17 @@
## </summary>
## </param>
#
@@ -5035,7 +5089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -4482,12 +4674,12 @@
+@@ -4482,12 +4693,12 @@
## </summary>
## </param>
#
@@ -5051,7 +5105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -4846,6 +5038,25 @@
+@@ -4846,6 +5057,25 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -5077,7 +5131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Do not audit attempts to search
-@@ -4970,9 +5181,9 @@
+@@ -4970,9 +5200,9 @@
rw_files_pattern($1, var_run_t, var_run_t)
')
@@ -5089,7 +5143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
-@@ -4980,13 +5191,12 @@
+@@ -4980,13 +5210,12 @@
## </summary>
## </param>
#
@@ -5106,7 +5160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -5009,24 +5219,6 @@
+@@ -5009,24 +5238,6 @@
########################################
## <summary>
@@ -5131,7 +5185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to ioctl daemon runtime data files.
## </summary>
## <param name="domain">
-@@ -5131,6 +5323,24 @@
+@@ -5131,6 +5342,24 @@
########################################
## <summary>
@@ -5156,7 +5210,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5537,3 +5747,23 @@
+@@ -5537,3 +5766,23 @@
dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
')
@@ -8045,6 +8099,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+apache_content_template(cobbler)
+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.32/policy/modules/services/consolekit.if
+--- nsaserefpolicy/policy/modules/services/consolekit.if 2010-01-18 18:24:22.761535139 +0100
++++ serefpolicy-3.6.32/policy/modules/services/consolekit.if 2010-11-04 17:13:25.388650929 +0100
+@@ -58,6 +58,24 @@
+ files_search_pids($1)
+ ')
+
++#######################################
++## <summary>
++## Dontaudit attempts to read consolekit log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`consolekit_dontaudit_read_log',`
++ gen_require(`
++ type consolekit_log_t;
++ ')
++
++ dontaudit $1 consolekit_log_t:file read_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Manage consolekit log files.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2010-02-21 20:46:52.740325173 +0100
+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2010-03-11 21:20:40.181057088 +0100
@@ -16964,7 +17046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-08-05 13:49:43.778084944 +0200
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-11-03 13:18:21.147900765 +0100
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.2.3)
@@ -16981,7 +17063,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
class x_server all_x_server_perms;
class x_extension all_x_extension_perms;
class x_resource all_x_resource_perms;
-@@ -54,56 +56,58 @@
+@@ -41,6 +43,13 @@
+
+ ## <desc>
+ ## <p>
++## Allows xdm to execute bootloader
++## </p>
++## </desc>
++gen_tunable(xdm_exec_bootloader, false)
++
++## <desc>
++## <p>
+ ## Allow xdm logins as sysadm
+ ## </p>
+ ## </desc>
+@@ -54,56 +63,58 @@
gen_tunable(xserver_object_manager, false)
attribute xdmhomewriter;
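Review bot: The boolean description at the top of this hunk, `## Allows xdm to execute bootloader`, undersells the grant: the tunable_policy block added later in this file also gives xdm read access to files and symlinks under /boot, and this text is what administrators see when they list booleans. Suggest `## Allow xdm to execute the bootloader and read files and symlinks in /boot`, which also matches the imperative form of the neighbouring `## Allow xdm logins as sysadm` description.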
@@ -17080,7 +17176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typealias user_xproperty_t alias { staff_xproperty_t sysadm_xproperty_t };
typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
-@@ -108,52 +112,63 @@
+@@ -108,52 +119,63 @@
typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
@@ -17165,7 +17261,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
files_tmp_file(xauth_tmp_t)
ubac_constrained(xauth_tmp_t)
-@@ -168,7 +183,9 @@
+@@ -168,7 +190,9 @@
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -17176,7 +17272,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xdm_lock_t;
files_lock_file(xdm_lock_t)
-@@ -191,6 +208,12 @@
+@@ -191,6 +215,12 @@
type xserver_var_run_t;
files_pid_file(xserver_var_run_t)
@@ -17189,7 +17285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xdm_tmpfs_t;
files_tmpfs_file(xdm_tmpfs_t)
-@@ -209,17 +232,9 @@
+@@ -209,17 +239,9 @@
type xserver_exec_t;
typealias xserver_t alias { user_xserver_t staff_xserver_t sysadm_xserver_t };
typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
@@ -17207,7 +17303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type xserver_tmpfs_t;
typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
-@@ -269,9 +284,11 @@
+@@ -269,9 +291,11 @@
')
ifdef(`hide_broken_symptoms', `
@@ -17219,7 +17315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_dontaudit_use_unallocated_ttys(iceauth_t)
optional_policy(`
-@@ -289,6 +306,9 @@
+@@ -289,6 +313,9 @@
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
allow xauth_t xdm_t:process sigchld;
@@ -17229,16 +17325,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xauth_t xauth_home_t:file manage_file_perms;
userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
-@@ -301,15 +321,21 @@
+@@ -301,15 +328,21 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
-domain_use_interactive_fds(xauth_t)
+stream_connect_pattern(xauth_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
++
++kernel_read_system_state(xauth_t)
-dev_rw_xserver_misc(xauth_t)
-+kernel_read_system_state(xauth_t)
-+
+domain_use_interactive_fds(xauth_t)
+domain_dontaudit_leaks(xauth_t)
@@ -17253,7 +17349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-@@ -325,12 +351,15 @@
+@@ -325,12 +358,15 @@
ifdef(`hide_broken_symptoms', `
userdom_manage_user_home_content_files(xauth_t)
userdom_manage_user_tmp_files(xauth_t)
@@ -17269,7 +17365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`use_samba_home_dirs',`
-@@ -340,7 +369,6 @@
+@@ -340,7 +376,6 @@
ifdef(`hide_broken_symptoms', `
term_dontaudit_use_unallocated_ttys(xauth_t)
dev_dontaudit_rw_dri(xauth_t)
@@ -17277,7 +17373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -394,12 +422,12 @@
+@@ -394,12 +429,12 @@
# this is ugly, daemons should not create files under /etc!
manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
@@ -17296,7 +17392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
-@@ -433,7 +461,7 @@
+@@ -433,7 +468,7 @@
manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t)
files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
@@ -17305,7 +17401,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xdm_t xserver_t:unix_stream_socket connectto;
allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -504,7 +532,7 @@
+@@ -504,7 +539,7 @@
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -17314,7 +17410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
-@@ -549,8 +577,11 @@
+@@ -549,8 +584,11 @@
storage_dontaudit_rw_fuse(xdm_t)
term_setattr_console(xdm_t)
@@ -17326,7 +17422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
-@@ -566,13 +597,13 @@
+@@ -566,13 +604,13 @@
logging_read_generic_logs(xdm_t)
@@ -17341,7 +17437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -583,6 +614,7 @@
+@@ -583,6 +621,7 @@
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
userdom_manage_user_tmp_dirs(xdm_t)
@@ -17349,7 +17445,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -635,6 +667,7 @@
+@@ -603,6 +642,13 @@
+ fs_exec_cifs_files(xdm_t)
+ ')
+
++
++tunable_policy(`xdm_exec_bootloader',`
++ bootloader_exec(xdm_t)
++ files_read_boot_files(xdm_t)
++ files_read_boot_symlinks(xdm_t)
++')
++
+ tunable_policy(`xdm_sysadm_login',`
+ userdom_xsession_spec_domtrans_all_users(xdm_t)
+ # FIXME:
+@@ -635,6 +681,7 @@
dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
xserver_xdm_append_log(xdm_dbusd_t)
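Review bot: `bootloader_exec(xdm_t)` is called directly inside the new `tunable_policy(` block for `xdm_exec_bootloader` rather than inside an `optional_policy(` wrapper, which makes the xserver module fail to build whenever the bootloader module is not loaded; unless bootloader is part of base in this build, wrapping the whole tunable block as `optional_policy(` … `')`, as the other module-dependent rules in xserver.te do, keeps the dependency optional. The first added `+` line also leaves two blank lines after the `fs_exec_cifs_files` closing `')`, where the surrounding rules use one. The grant is read-only on /boot; if the grub invocation that motivated the boolean also writes under /boot/grub, further denials are likely, which is worth confirming against the original AVC rather than widening the boolean now.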
@@ -17357,7 +17467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_bin_entry_type(xdm_t)
-@@ -667,7 +700,9 @@
+@@ -667,7 +714,9 @@
')
optional_policy(`
@@ -17367,7 +17477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -685,11 +720,6 @@
+@@ -685,11 +734,6 @@
optional_policy(`
# Do not audit attempts to check whether user root has email
mta_dontaudit_getattr_spool_files(xdm_t)
@@ -17379,7 +17489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -705,13 +735,18 @@
+@@ -705,13 +749,18 @@
')
optional_policy(`
@@ -17400,7 +17510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# On crash gdm execs gdb to dump stack
-@@ -726,6 +761,10 @@
+@@ -726,6 +775,10 @@
')
optional_policy(`
@@ -17411,7 +17521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_sigchld_newrole(xdm_t)
')
-@@ -767,6 +806,14 @@
+@@ -767,6 +820,14 @@
# X server local policy
#
@@ -17426,7 +17536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
# sys_admin, locking shared mem? chowning IPC message queues or semaphores?
-@@ -802,18 +849,12 @@
+@@ -802,18 +863,12 @@
allow xserver_t xauth_home_t:file read_file_perms;
@@ -17446,7 +17556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -907,6 +948,7 @@
+@@ -907,6 +962,7 @@
mls_process_write_to_clearance(xserver_t)
mls_file_read_to_clearance(xserver_t)
mls_file_write_all_levels(xserver_t)
@@ -17454,7 +17564,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -928,13 +970,14 @@
+@@ -928,13 +984,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -17470,7 +17580,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -952,7 +995,7 @@
+@@ -952,7 +1009,7 @@
')
ifdef(`enable_mls',`
@@ -17479,7 +17589,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -961,15 +1004,17 @@
+@@ -961,15 +1018,17 @@
# but typeattribute doesnt work in conditionals
allow xserver_t xserver_t:x_server *;
@@ -17500,7 +17610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t xextension_type:x_extension *;
allow xserver_t { x_domain xserver_t }:x_resource *;
allow xserver_t xevent_type:{ x_event x_synthetic_event } *;
-@@ -1016,6 +1061,7 @@
+@@ -1016,6 +1075,7 @@
# cjp: when xdm is configurable via tunable these
# rules will be enabled only when xdm is enabled
@@ -17508,7 +17618,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow xserver_t xdm_t:process { signal getpgid };
allow xserver_t xdm_t:shm rw_shm_perms;
-@@ -1027,9 +1073,9 @@
+@@ -1027,9 +1087,9 @@
read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
# Label pid and temporary files with derived types.
@@ -17521,7 +17631,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Run xkbcomp.
allow xserver_t xkb_var_lib_t:lnk_file read;
-@@ -1088,136 +1134,139 @@
+@@ -1088,136 +1148,139 @@
#
# Hacks
@@ -19098,7 +19208,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.32/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-01-18 18:24:22.965530078 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-09-01 14:23:30.404335337 +0200
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.if 2010-11-03 12:12:57.859900158 +0100
@@ -525,6 +525,10 @@
files_search_usr($1)
corecmd_search_bin($1)
@@ -19110,7 +19220,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1142,6 +1146,27 @@
+@@ -1064,6 +1068,10 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, semanage_exec_t, semanage_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit semanage_t $1:socket_class_set { read write };
++ ')
+ ')
+
+ ########################################
+@@ -1142,6 +1150,27 @@
role $2 types setsebool_t;
')
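Review bot: The new `dontaudit semanage_t $1:socket_class_set { read write };` rule has no comment saying which denials it silences, and it blanket-hides read/write on every socket class for every caller of this interface, so a later genuine descriptor leak from a caller into semanage_t would no longer be logged. A one-line comment above it, e.g. `# semanage_t inherits the caller's open sockets; silence the resulting leak denials`, would record the intent — assuming the usual leaked-descriptor cause, which the hunk itself does not show. The enclosing interface starts above the hunk, so its `gen_require` cannot be checked here, though the existing `domtrans_pattern($1, semanage_exec_t, semanage_t)` line above already needs `type semanage_t;` to be declared.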
@@ -19561,7 +19682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-08-05 14:30:31.764085111 +0200
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-11-03 12:18:15.998899861 +0100
@@ -461,7 +461,7 @@
xserver_create_xdm_tmp_sockets($1)
# Needed for escd, remove if we get escd policy
@@ -19589,7 +19710,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_dontaudit_list_all_proc($1_usertype)
-@@ -1095,6 +1091,8 @@
+@@ -1006,6 +1002,11 @@
+ ')
+
+ optional_policy(`
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
+@@ -1095,6 +1096,8 @@
fs_list_cgroup_dirs($1_usertype)
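Review bot: `consolekit_dbus_chat($1_usertype)` is a new bidirectional D-Bus grant for every user type this template instantiates, yet neither the commit message nor the spec changelog mentions it (only the xdm boolean is listed), and the hunk gives no hint of which user-session denial it fixes. A short comment above the new `optional_policy(` block, e.g. `# user sessions talk to consolekit over the system bus`, plus a changelog line, would keep the grant discoverable; if the same call already exists elsewhere in this template (not visible here) the new one is redundant. The enclosing template starts above the hunk.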
@@ -19598,7 +19731,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow users to run TCP servers (bind to ports and accept connection from
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
-@@ -1136,7 +1134,6 @@
+@@ -1136,7 +1139,6 @@
optional_policy(`
mount_run($1_t, $1_r)
@@ -19606,7 +19739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -2316,6 +2313,24 @@
+@@ -2316,6 +2318,24 @@
dontaudit $1 user_tmp_t:dir list_dir_perms;
')
@@ -19631,7 +19764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Do not audit attempts to manage users
-@@ -3631,6 +3646,24 @@
+@@ -3631,6 +3651,24 @@
########################################
## <summary>
@@ -19656,7 +19789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow Search /root
## </summary>
## <param name="domain">
-@@ -3759,6 +3792,26 @@
+@@ -3759,6 +3797,26 @@
read_files_pattern($1, admin_home_t, admin_home_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6a55af3..bee8a84 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 125%{?dist}
+Release: 126%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0
%endif
%changelog
+* Thu Nov 4 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-126
+- Add xdm_exec_bootloader boolean, which allows xdm to execute /sbin/grub and read files in /boot directory
+
* Wed Oct 27 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-125
- Allow vpnc to search /root