[selinux-policy/f13/master] - Backport sandbox and seunshare policy from F15 - Allow rpm setfcap capability
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Mar 4 14:02:03 UTC 2011
commit a78aa2578b88f02eea1bb215c5aa349dfd98296b
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Fri Mar 4 15:01:48 2011 +0000
- Backport sandbox and seunshare policy from F15
- Allow rpm setfcap capability
policy-F13.patch | 406 +++++++++++++++++++++++++--------------------------
selinux-policy.spec | 6 +-
2 files changed, 205 insertions(+), 207 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index 0e28057..4e0cf5d 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -2333,7 +2333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.19/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-01-07 09:32:51.000000000 +0000
++++ serefpolicy-3.7.19/policy/modules/admin/rpm.te 2011-03-04 14:47:11.334413001 +0000
@@ -1,6 +1,8 @@
policy_module(rpm, 1.10.0)
@@ -2378,7 +2378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
++allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid setfcap sys_chroot sys_nice sys_tty_config mknod };
+
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
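Review bot: The new `setfcap` in the rpm_t capability set has no comment saying why a package manager needs to write file capabilities, and CAP_SETFCAP is broad enough (it can stamp any binary with any file capability) that the next reader will want the reason; suggest `# setfcap: packages may ship binaries carrying file capabilities (security.capability xattr)` above the allow line. If scriptlets also call setcap(8) at %post time, rpm_script_t would need the same capability; that domain's rules are outside this hunk, so confirm rather than assume.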
@@ -2453,15 +2453,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +188,7 @@
+@@ -155,6 +188,8 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
++init_signull_script(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,7 +208,19 @@
+@@ -174,7 +209,19 @@
')
optional_policy(`
@@ -2482,7 +2483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
optional_policy(`
-@@ -182,36 +228,19 @@
+@@ -182,36 +229,19 @@
')
optional_policy(`
@@ -2523,7 +2524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +251,15 @@
+@@ -222,12 +252,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -2539,7 +2540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +271,9 @@
+@@ -239,6 +272,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -2549,7 +2550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
dev_list_sysfs(rpm_script_t)
-@@ -254,7 +289,9 @@
+@@ -254,7 +290,9 @@
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
@@ -2559,7 +2560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +309,19 @@
+@@ -272,14 +310,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -2579,7 +2580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,8 +333,10 @@
+@@ -291,8 +334,10 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -2590,7 +2591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
-@@ -308,12 +352,15 @@
+@@ -308,12 +353,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -2606,7 +2607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te
')
')
-@@ -326,13 +373,26 @@
+@@ -326,13 +374,26 @@
')
optional_policy(`
@@ -7672,13 +7673,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.19/policy/modules/apps/sandbox.fc
--- nsaserefpolicy/policy/modules/apps/sandbox.fc 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-01-18 15:44:18.000000000 +0000
-@@ -0,0 +1 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.fc 2011-03-04 14:38:18.886413002 +0000
+@@ -0,0 +1,2 @@
++
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-01-18 16:53:26.000000000 +0000
-@@ -0,0 +1,332 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2011-03-04 14:38:18.890413002 +0000
+@@ -0,0 +1,305 @@
+
+## <summary>policy for sandbox</summary>
+
@@ -7701,9 +7703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+interface(`sandbox_transition',`
+ gen_require(`
+ type sandbox_xserver_t;
++ type sandbox_file_t;
+ attribute sandbox_domain;
+ attribute sandbox_x_domain;
-+ attribute sandbox_file_type;
+ attribute sandbox_tmpfs_type;
+ ')
+
@@ -7730,27 +7732,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
-+ dontaudit sandbox_x_domain $1:process signal;
++ dontaudit sandbox_x_domain $1:process { signal sigkill };
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
-+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ manage_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type);
-+ relabel_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_lnk_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_fifo_files_pattern($1, sandbox_file_type, sandbox_file_type)
-+ relabel_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ can_exec($1, sandbox_file_t)
++ allow $1 sandbox_file_t:filesystem getattr;
++ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
++ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
++ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
-+## qemu process domain.
++## sandbox process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
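Review bot: `can_exec($1, sandbox_file_t)` gives the calling domain execute_no_trans on files the sandboxed application can write, and the only caller visible here is $1_seunshare_t (sandbox_transition($1_seunshare_t, $2) in seunshare.if), a domain that holds sys_admin, dac_override, setuid and setpcap; that lets untrusted sandbox content run inside the privileged helper rather than only serve as the entry into the sandbox domain. If the execute bit is needed solely so seunshare can exec the command after setexeccon into the sandbox type, the narrower `allow $1 sandbox_file_t:file mmap_file_perms;` should suffice, assuming the target domain has a matching entrypoint rule (not visible in this hunk). Either way a one-line comment stating which case applies would help.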
@@ -7762,24 +7766,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ gen_require(`
+ attribute sandbox_domain;
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
++ attribute sandbox_type;
+ ')
++ type $1_t, sandbox_domain, sandbox_type;
+
-+ type $1_t, sandbox_domain;
+ application_type($1_t)
+
+ mls_rangetrans_target($1_t)
+ mcs_untrusted_proc($1_t)
-+
-+ type $1_file_t, sandbox_file_type;
-+ files_type($1_file_t)
-+
-+ can_exec($1_t, $1_file_t)
-+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
+')
+
+########################################
@@ -7799,7 +7794,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain;
-+ attribute sandbox_file_type, sandbox_tmpfs_type;
++ attribute sandbox_tmpfs_type;
+ attribute sandbox_type;
+ ')
+
@@ -7807,16 +7802,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ application_type($1_t)
+ mcs_untrusted_proc($1_t)
+
-+ type $1_file_t, sandbox_file_type;
-+ files_type($1_file_t)
-+
-+ can_exec($1_t, $1_file_t)
-+ manage_dirs_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
-+
+ # window manager
+ miscfiles_setattr_fonts_cache_dirs($1_t)
+ allow $1_t self:capability setuid;
@@ -7834,34 +7819,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
+ # Pulseaudio tmpfs files with different MCS labels
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
++ dontaudit $1_t $1_client_tmpfs_t:file { read write };
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
+
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms;
+
-+ domtrans_pattern($1_t, $1_file_t, $1_client_t)
-+ domain_entry_file($1_client_t, $1_file_t)
++ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
++ domain_entry_file($1_client_t, sandbox_exec_t)
+
+ # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t)
+
-+ manage_dirs_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ manage_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern(sandbox_xserver_t, $1_file_t, $1_file_t)
-+ allow sandbox_xserver_t $1_file_t:sock_file create_sock_file_perms;
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
+ ps_process_pattern(sandbox_xserver_t, $1_t)
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
+ allow $1_client_t $1_t:unix_stream_socket connectto;
+ allow $1_t $1_client_t:unix_stream_socket connectto;
-+
-+ can_exec($1_client_t, $1_file_t)
-+ manage_dirs_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
-+ manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+')
+
+########################################
@@ -7883,26 +7858,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
+
-+#######################################
++########################################
+## <summary>
-+## allow domain to read
-+## sandbox tmpfs files
++## allow domain to read
++## sandbox tmpfs files
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access
-+## </summary>
++## <summary>
++## Domain allowed access
++## </summary>
+## </param>
+#
+interface(`sandbox_read_tmpfs_files',`
-+ gen_require(`
-+ attribute sandbox_tmpfs_type;
-+ ')
++ gen_require(`
++ attribute sandbox_tmpfs_type;
++ ')
+
-+ allow $1 sandbox_tmpfs_type:file read_file_perms;
++ allow $1 sandbox_tmpfs_type:file read_file_perms;
+')
+
-+#########################################
++########################################
+## <summary>
+## allow domain to manage
+## sandbox tmpfs files
@@ -7933,10 +7908,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+interface(`sandbox_delete_files',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -7951,10 +7926,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+interface(`sandbox_delete_sock_files',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_sock_files_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -7970,10 +7945,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+interface(`sandbox_setattr_dirs',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ allow $1 sandbox_file_type:dir setattr;
++ allow $1 sandbox_file_t:dir setattr;
+')
+
+########################################
@@ -7988,10 +7963,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+interface(`sandbox_delete_dirs',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
+')
+
+########################################
@@ -8006,28 +7981,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+#
+interface(`sandbox_list',`
+ gen_require(`
-+ attribute sandbox_file_type;
++ type sandbox_file_t;
+ ')
+
-+ allow $1 sandbox_file_type:dir list_dir_perms;
++ allow $1 sandbox_file_t:dir list_dir_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-02-17 09:39:15.596796002 +0000
-@@ -0,0 +1,458 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-03-04 14:39:39.566413002 +0000
+@@ -0,0 +1,475 @@
+policy_module(sandbox,1.0.0)
-+
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
-+attribute sandbox_file_type;
+attribute sandbox_web_type;
++attribute sandbox_file_type;
+attribute sandbox_tmpfs_type;
+attribute sandbox_type;
+
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
++type sandbox_file_t, sandbox_file_type;
++files_type(sandbox_file_t)
++typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
++
+########################################
+#
+# Declarations
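Review bot: The `typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t }` collapses four per-flavour file types into one, so type enforcement no longer separates the home/tmp content of, say, a sandbox_min instance from a sandbox_web instance; with every sandbox_domain getting manage rights on sandbox_file_t, isolation between concurrent sandboxes now rests on MCS categories (mcs_untrusted_proc in the templates) and on seunshare's private mounts. That is a deliberate design choice but it is invisible in the .te; suggest a comment above the typealias such as `# One file type for all sandbox flavours; per-instance separation is by MCS category and private mount, not by type. Aliases keep the old type names resolvable.`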
@@ -8059,6 +8037,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
++allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
++
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
@@ -8136,6 +8119,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+
++can_exec(sandbox_domain, sandbox_file_t)
++allow sandbox_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_domain, sandbox_file_t, sandbox_file_t);
++
+gen_require(`
+ type usr_t, lib_t, locale_t;
+ type var_t, var_run_t, rpm_log_t, locale_t;
@@ -8172,7 +8163,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
+
-+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
++allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem };
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
+
@@ -8185,6 +8176,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
+
++can_exec(sandbox_x_domain, sandbox_file_t)
++allow sandbox_x_domain sandbox_file_t:filesystem getattr;
++manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
+files_search_home(sandbox_x_domain)
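Review bot: The seven new sandbox_file_t rules for sandbox_x_domain here are the same set this commit adds for sandbox_domain a few hunks earlier; if every type in sandbox_x_domain is also declared with the sandbox_domain attribute (the `type $1_t, ...` line of the X template is outside this hunk), this block is pure duplication and can be dropped. As a style point, the `manage_*_pattern(...)` lines carry a trailing `;` while the equivalent sandbox_xserver_t block in the same file writes them without one; pick one form.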
@@ -8209,8 +8208,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+
-+storage_dontaudit_rw_fuse(sandbox_x_domain)
-+
+auth_dontaudit_read_login_records(sandbox_x_domain)
+auth_dontaudit_write_login_records(sandbox_x_domain)
+auth_use_nsswitch(sandbox_x_domain)
@@ -8222,6 +8219,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
++mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
++
+selinux_get_fs_mount(sandbox_x_domain)
+selinux_validate_context(sandbox_x_domain)
+selinux_compute_access_vector(sandbox_x_domain)
@@ -8242,6 +8241,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+miscfiles_read_fonts(sandbox_x_domain)
+
++storage_dontaudit_rw_fuse(sandbox_x_domain)
++
+optional_policy(`
+ consolekit_dbus_chat(sandbox_x_domain)
+')
@@ -8275,6 +8276,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
+userdom_search_user_home_content(sandbox_x_domain)
+
++fs_search_auto_mountpoints(sandbox_x_domain)
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_auto_mountpoints(sandbox_x_domain)
+ fs_search_nfs(sandbox_xserver_t)
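Review bot: The new unconditional `fs_search_auto_mountpoints(sandbox_x_domain)` makes the identical call inside the `use_nfs_home_dirs` tunable block directly below it redundant, so the tunable no longer controls that access. Either remove the guarded copy from the tunable block or keep the grant conditional; leaving both invites someone to assume the boolean still gates it.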
@@ -8318,22 +8321,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+auth_use_nsswitch(sandbox_x_client_t)
+
-+selinux_get_fs_mount(sandbox_x_client_t)
-+selinux_validate_context(sandbox_x_client_t)
-+selinux_compute_access_vector(sandbox_x_client_t)
-+selinux_compute_create_context(sandbox_x_client_t)
-+selinux_compute_relabel_context(sandbox_x_client_t)
-+selinux_compute_user_contexts(sandbox_x_client_t)
-+seutil_read_default_contexts(sandbox_x_client_t)
-+
+optional_policy(`
+ hal_dbus_chat(sandbox_x_client_t)
+')
+
-+allow sandbox_web_t self:process setsched;
-+
+optional_policy(`
-+ nsplugin_read_rw_files(sandbox_web_t)
++ nsplugin_read_rw_files(sandbox_x_client_t)
+')
+
+########################################
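Review bot: Moving `nsplugin_read_rw_files` from sandbox_web_t to sandbox_x_client_t changes which domain may read nsplugin rw content, and neither the commit message nor a comment says why the plain X client needs it; sandbox_web_t loses the grant unless the sandbox_web_type rules elsewhere in the file (outside this hunk) supply it, which is worth confirming. Suggest a comment above the optional_policy block naming the plugin use case that motivated the move.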
@@ -8344,7 +8337,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+allow sandbox_web_type self:capability { setuid setgid };
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
-+allow sandbox_web_type self:process setsched;
+dontaudit sandbox_web_type self:process setrlimit;
+
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
@@ -8395,8 +8387,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
+files_dontaudit_list_mnt(sandbox_web_type)
+
-+# the bug in pulseaudiot, needed by fedora13
++# the bug in pulseaudio, needed by fedora13
+fs_rw_anon_inodefs_files(sandbox_web_type)
++#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
+
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
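Review bot: The commented-out `#fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)` is dead text sitting next to the live rw grant it would replace; commented-out policy tends to outlive the bug it was parked for. Delete it, or turn the existing comment into the intent, e.g. `# pulseaudio on Fedora 13 needs rw on anon_inodefs; switch to the dontaudit variant once that is fixed`.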
@@ -8472,7 +8465,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.7.19/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2010-04-13 18:44:37.000000000 +0000
+++ serefpolicy-3.7.19/policy/modules/apps/screen.fc 2011-01-24 17:04:52.066455001 +0000
@@ -8510,76 +8502,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.i
files_search_home($1_screen_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.19/policy/modules/apps/seunshare.if
--- nsaserefpolicy/policy/modules/apps/seunshare.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2010-05-28 07:42:00.000000000 +0000
-@@ -2,30 +2,12 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.if 2011-03-04 14:38:26.802413002 +0000
+@@ -25,7 +25,7 @@
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain allowed access.
++## Domain allowed to transition.
+ ## </summary>
+ ## </param>
+ ## <param name="role">
+@@ -53,8 +53,14 @@
########################################
## <summary>
--## Execute a domain transition to run seunshare.
+-## Role access for seunshare
+## The role template for the seunshare module.
## </summary>
--## <param name="domain">
--## <summary>
--## Domain allowed to transition.
--## </summary>
--## </param>
--#
--interface(`seunshare_domtrans',`
-- gen_require(`
-- type seunshare_t, seunshare_exec_t;
-- ')
--
-- domtrans_pattern($1, seunshare_exec_t, seunshare_t)
--')
--
--########################################
--## <summary>
--## Execute seunshare in the seunshare domain, and
--## allow the specified role the seunshare domain.
--## </summary>
--## <param name="domain">
+## <param name="role_prefix">
- ## <summary>
--## Domain allowed access.
++## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
- ## </summary>
- ## </param>
++## </summary>
++## </param>
## <param name="role">
-@@ -33,48 +15,34 @@
- ## Role allowed access.
- ## </summary>
- ## </param>
--#
--interface(`seunshare_run',`
-- gen_require(`
-- type seunshare_t;
-- ')
--
-- seunshare_domtrans($1)
-- role $2 types seunshare_t;
--
-- allow $1 seunshare_t:process signal_perms;
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:udp_socket rw_socket_perms;
-- dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
-- ')
--')
--
--########################################
--## <summary>
--## Role access for seunshare
--## </summary>
--## <param name="role">
--## <summary>
--## Role allowed access.
--## </summary>
--## </param>
- ## <param name="domain">
## <summary>
- ## User domain for the role.
+ ## Role allowed access.
+@@ -66,15 +72,31 @@
## </summary>
## </param>
#
@@ -8595,29 +8544,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
+ type $1_seunshare_t, seunshare_domain;
+ application_domain($1_seunshare_t, seunshare_exec_t)
+ role $2 types $1_seunshare_t;
-+
-+ mls_process_set_level($1_seunshare_t)
- seunshare_domtrans($1)
-+ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
-+ sandbox_transition($1_seunshare_t, $2)
++ mls_process_set_level($1_seunshare_t)
- ps_process_pattern($2, seunshare_t)
- allow $2 seunshare_t:process signal;
++ domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
++ sandbox_transition($1_seunshare_t, $2)
++
+ ps_process_pattern($3, $1_seunshare_t)
+ allow $3 $1_seunshare_t:process signal_perms;
+
+ allow $1_seunshare_t $3:process transition;
+ dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
+
++ corecmd_bin_domtrans($1_seunshare_t, $1_t)
++ corecmd_shell_domtrans($1_seunshare_t, $1_t)
++
+ ifdef(`hide_broken_symptoms', `
+ dontaudit $1_seunshare_t $3:socket_class_set { read write };
+ ')
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2010-08-25 14:06:59.000000000 +0000
-@@ -6,40 +6,45 @@
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te 2011-03-04 14:39:51.781413002 +0000
+@@ -1,45 +1,52 @@
+-
+-policy_module(seunshare, 1.0.1)
++policy_module(seunshare, 1.1.0)
+
+ ########################################
+ #
# Declarations
#
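Review bot: The new `corecmd_bin_domtrans($1_seunshare_t, $1_t)` and `corecmd_shell_domtrans($1_seunshare_t, $1_t)` hard-code `$1_t` while the rest of the template (`allow $1_seunshare_t $3:process transition`, `ps_process_pattern($3, ...)`) uses the `$3` domain parameter, so the two diverge whenever a caller passes a domain not named after the prefix; write them as `corecmd_bin_domtrans($1_seunshare_t, $3)` and `corecmd_shell_domtrans($1_seunshare_t, $3)`. The transition itself sends a helper holding sys_admin, setuid and setpcap back into the full user domain whenever it executes a bin_t or shell file, presumably for runs without a `-Z` sandbox context; a comment stating that, and that seunshare drops its privileges before the exec, would make the intent reviewable.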
@@ -8631,43 +8589,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setgid setuid dac_override setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
++
++allow seunshare_domain self:fifo_file rw_file_perms;
++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
-allow seunshare_t self:process { setexec signal getcap setcap };
-+allow seunshare_domain self:fifo_file rw_file_perms;
-+allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
++kernel_read_system_state(seunshare_domain)
-allow seunshare_t self:fifo_file rw_file_perms;
-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
-+kernel_read_system_state(seunshare_domain)
-
--corecmd_exec_shell(seunshare_t)
--corecmd_exec_bin(seunshare_t)
+corecmd_exec_shell(seunshare_domain)
+corecmd_exec_bin(seunshare_domain)
--files_read_etc_files(seunshare_t)
--files_mounton_all_poly_members(seunshare_t)
+-corecmd_exec_shell(seunshare_t)
+-corecmd_exec_bin(seunshare_t)
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
++files_manage_generic_tmp_dirs(seunshare_domain)
++files_relabelfrom_tmp_dirs(seunshare_domain)
--auth_use_nsswitch(seunshare_t)
+-files_read_etc_files(seunshare_t)
+-files_mounton_all_poly_members(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
+fs_manage_cgroup_files(seunshare_domain)
--logging_send_syslog_msg(seunshare_t)
+-auth_use_nsswitch(seunshare_t)
+auth_use_nsswitch(seunshare_domain)
--miscfiles_read_localization(seunshare_t)
+-logging_send_syslog_msg(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
--userdom_use_user_terminals(seunshare_t)
+-miscfiles_read_localization(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
-+
+
+-userdom_use_user_terminals(seunshare_t)
+userdom_use_user_terminals(seunshare_domain)
++userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
- fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
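Review bot: `files_manage_generic_tmp_dirs` and `files_relabelfrom_tmp_dirs`, combined with the sys_admin and dac_override already on seunshare_domain, let the helper take over and relabel any tmp_t directory, not only the per-sandbox one it was given; type enforcement cannot tell those apart, so the check that the user actually owns the directory and that it is not a symlink has to live in the seunshare binary, and the policy should say so. Suggest `# relabelfrom tmp_t: seunshare relabels the per-sandbox /tmp dir handed to it; ownership and symlink checks are done by seunshare, not by policy` above the two files_* lines. The relabelto half presumably comes from sandbox_transition's relabel rules on sandbox_file_t, outside this hunk, and the newly added `setgid` capability is not explained by the commit message either.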
@@ -10904,7 +10865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-01-24 18:04:53.791455000 +0000
++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-03-04 14:14:25.595413001 +0000
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -11535,7 +11496,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3918,6 +4356,13 @@
+@@ -3757,6 +4195,24 @@
+ rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+
++#######################################
++## <summary>
++## Relabel a dir from the type used in /tmp.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_relabelfrom_tmp_dirs',`
++ gen_require(`
++ type tmp_t;
++ ')
++
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++')
++
+ ########################################
+ ## <summary>
+ ## Set the attributes of all tmp directories.
+@@ -3918,6 +4374,13 @@
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11549,7 +11535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4013,6 +4458,24 @@
+@@ -4013,6 +4476,24 @@
########################################
## <summary>
@@ -11574,7 +11560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Delete generic files in /usr in the caller domain.
## </summary>
## <param name="domain">
-@@ -4026,7 +4489,7 @@
+@@ -4026,7 +4507,7 @@
type usr_t;
')
@@ -11583,7 +11569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -4107,6 +4570,24 @@
+@@ -4107,6 +4588,24 @@
########################################
## <summary>
@@ -11608,7 +11594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## dontaudit write of /usr files
## </summary>
## <param name="domain">
-@@ -5032,6 +5513,43 @@
+@@ -5032,6 +5531,43 @@
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -11652,7 +11638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
########################################
## <summary>
## Do not audit attempts to search
-@@ -5091,6 +5609,24 @@
+@@ -5091,6 +5627,24 @@
########################################
## <summary>
@@ -11677,7 +11663,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Create an object in the process ID directory, with a private type.
## </summary>
## <desc>
-@@ -5238,6 +5774,7 @@
+@@ -5238,6 +5792,7 @@
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -11685,7 +11671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
########################################
-@@ -5306,6 +5843,24 @@
+@@ -5306,6 +5861,24 @@
########################################
## <summary>
@@ -11710,7 +11696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
## Search the contents of generic spool
## directories (/var/spool).
## </summary>
-@@ -5494,12 +6049,15 @@
+@@ -5494,12 +6067,15 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -11727,7 +11713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
')
')
-@@ -5520,3 +6078,229 @@
+@@ -5520,3 +6096,229 @@
typeattribute $1 files_unconfined_type;
')
@@ -19081,8 +19067,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.19/policy/modules/services/certmonger.te
--- nsaserefpolicy/policy/modules/services/certmonger.te 1970-01-01 00:00:00.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-02-25 17:14:37.956974505 +0000
-@@ -0,0 +1,93 @@
++++ serefpolicy-3.7.19/policy/modules/services/certmonger.te 2011-03-04 14:00:18.904413000 +0000
+@@ -0,0 +1,95 @@
+policy_module(certmonger,1.0.0)
+
+########################################
@@ -19125,7 +19111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+
-+domain_use_interactive_fds(certmonger_t)
++corecmd_exec_bin(certmonger_t)
+
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
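Review bot: The new `corecmd_exec_bin(certmonger_t)` line grants the certmonger domain execution of every generic bin_t executable, and neither this hunk nor the commit description says which helper certmonger needs to run; the description only mentions the sandbox/seunshare backport and the rpm setfcap capability, so the certmonger.te changes here and in the next hunk, and the lvm.fc relabeling later in this diff, go unrecorded. A one-line comment above the call naming the helper would justify the grant, e.g. `# certmonger execs <HELPER PLACEHOLDER> (see bug/ticket <ID PLACEHOLDER>)`, and the commit message should list the certmonger and lvm changes. The certmonger.te rule block starts and ends outside this hunk, so I cannot tell whether a narrower interface would suffice instead of the generic bin_t grant.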
@@ -19134,17 +19120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+
+dev_read_urand(certmonger_t)
+
++domain_use_interactive_fds(certmonger_t)
++
+files_read_etc_files(certmonger_t)
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+auth_rw_cache(certmonger_t)
+
++logging_send_syslog_msg(certmonger_t)
++
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_cert_files(certmonger_t)
+
-+logging_send_syslog_msg(certmonger_t)
-+
+sysnet_dns_name_resolve(certmonger_t)
+
+userdom_search_user_home_content(certmonger_t)
@@ -44699,8 +44687,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.19/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2010-04-13 18:44:37.000000000 +0000
-+++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2010-12-07 13:22:23.000000000 +0000
-@@ -28,10 +28,12 @@
++++ serefpolicy-3.7.19/policy/modules/system/lvm.fc 2011-03-04 14:01:31.072413000 +0000
+@@ -28,15 +28,18 @@
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -44713,7 +44701,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -98,4 +100,6 @@
+ /sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -98,4 +101,6 @@
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
/var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
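Review bot: Labeling `/sbin/kpartx` as lvm_exec_t makes the multipath partition mapper an entrypoint of the lvm domain, which presumably means it inherits all of lvm_t's device-node and raw-disk permissions rather than only what a partition mapper needs; the domain transition rule itself is not visible in this hunk, so confirm that lvm_t is the intended domain. If that is deliberate, a short comment beside the entry such as `# kpartx is run by multipath tooling, run it in lvm_t` would keep a future reader from treating it as a mislabel. Note that the hunk header was widened from 4 to 6 lines of context, so only the kpartx line is new; the surrounding lv* entries are unchanged.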
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c6534f9..d3b69cf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 97%{?dist}
+Release: 98%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Fri Mar 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-98
+- Backport sandbox and seunshare policy from F15
+- Allow rpm setfcap capability
+
* Fri Mar 4 2011 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-97
- Allow svirt to manage sock_file in ~/.libvirt directory
- Allow sysamd to run udev in udev_t domain